Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

need help removing any malware

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: need help removing any malware

Unread postby melboy » June 22nd, 2011, 9:04 am

Hi

We've stiil some work to do.

ComboFix (by sUBs)

Please visit this webpage for instructions for downloading and running ComboFix: Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop
  • Now STOP all your security applications (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    For instructions on how to disable your security programs, please see this topic:
    How to disable your security applications
    Panda Cloud:

    • Right click on the Panda icon in the system tray.
    • Select "Stop antivirus"
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable all the programs that were disabled during the running of ComboFix..


A word of warning: This tool is not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper
Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
Advertisement
Register to Remove

Re: need help removing any malware

Unread postby agl01 » June 22nd, 2011, 6:16 pm

just a note...the scan revealed 10 items of malware..sure you see this...thanks
agl01
Regular Member
 
Posts: 23
Joined: June 15th, 2011, 6:45 pm

Re: need help removing any malware

Unread postby agl01 » June 22nd, 2011, 6:22 pm

t
agl01
Regular Member
 
Posts: 23
Joined: June 15th, 2011, 6:45 pm

Re: need help removing any malware

Unread postby agl01 » June 22nd, 2011, 6:48 pm

t
agl01
Regular Member
 
Posts: 23
Joined: June 15th, 2011, 6:45 pm

Re: need help removing any malware

Unread postby agl01 » June 22nd, 2011, 6:53 pm

note..i'm having problems coming to this page for your replies. I'm logged in and still when I click on my link for the other replies it don't give me the latest ones.. whats this about..it shoulds have ALL replies and your requests on the same loggin page no question.. I have to make artifical replies to get here.. what the hell is this. The scan results form lates reply fiollows.. lets get the reply links straight and not scattered all over the freakin place




ComboFix 11-06-22.02 - user 06/22/2011 17:29:58.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3046.2410 [GMT -5:00]
Running from: c:\documents and settings\user\My Documents\ComboFix.exe
AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Guest\Application Data\searchqutb
c:\documents and settings\Guest\Application Data\searchqutb\dtx.ini
c:\program files\Windows Searchqu Toolbar
.
.
((((((((((((((((((((((((( Files Created from 2011-05-22 to 2011-06-22 )))))))))))))))))))))))))))))))
.
.
2011-06-21 23:22 . 2011-06-21 23:22 -------- d-----w- c:\program files\ESET
2011-06-21 23:04 . 2011-06-21 23:04 -------- d-----w- c:\program files\Common Files\Java
2011-06-21 23:04 . 2011-06-21 23:03 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-06-21 23:04 . 2011-06-21 23:03 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-21 23:04 . 2011-06-21 23:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-21 12:21 . 2011-06-21 12:21 -------- d-----w- c:\documents and settings\user\AbiSuite
2011-06-21 12:20 . 2011-06-21 12:20 -------- d-----w- c:\program files\AbiSuite2
2011-06-20 22:27 . 2011-06-20 22:27 -------- d-----w- C:\_OTL
2011-06-20 01:15 . 2011-05-29 14:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-20 01:14 . 2011-06-20 01:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-20 01:14 . 2011-05-29 14:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-17 12:51 . 2011-06-17 12:53 -------- d-----w- C:\0936a25e2e974c8c1057
2011-06-16 22:17 . 2011-06-16 22:17 -------- d-----w- c:\windows\SxsCaPendDel
2011-06-16 12:25 . 2011-06-16 12:25 50247 ----a-w- c:\program files\Common Files\Microsoft Shared\Proof\Uninstal.exe
2011-06-16 02:45 . 2011-06-16 02:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-16 00:02 . 2011-06-17 13:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype Extras
2011-06-15 23:22 . 2011-05-25 20:15 29544 ----a-w- c:\program files\Mozilla Firefox\plugins\np_gp.dll
2011-06-15 23:22 . 2011-06-15 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2011-06-15 23:22 . 2011-06-15 23:22 -------- d-----w- c:\program files\NOS
2011-06-15 23:05 . 2011-06-15 23:05 388096 ----a-r- c:\documents and settings\user\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-15 22:38 . 2011-06-15 22:38 -------- d-----w- c:\program files\Trend Micro
2011-06-15 01:36 . 2011-06-15 23:09 -------- d-----w- c:\program files\Common Files\Adobe
2011-06-15 00:53 . 2011-06-15 00:53 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-14 23:34 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-14 01:01 . 2011-06-22 21:48 -------- d-----w- c:\windows\system32\CatRoot2
2011-05-30 22:39 . 2011-05-30 22:39 -------- d-----w- c:\documents and settings\user\Application Data\Superfish
2011-05-30 22:39 . 2011-05-30 22:39 -------- d-----w- c:\program files\Superfish
2011-05-30 22:39 . 2011-05-30 22:39 -------- d-----w- c:\documents and settings\All Users\Application DataMozilla
2011-05-30 17:34 . 2011-05-30 17:49 -------- d-----w- C:\48ff03d23d8e16dee0
2011-05-28 13:12 . 2011-05-28 13:36 -------- d-----w- c:\documents and settings\user\Application Data\Nero
2011-05-28 13:10 . 2011-05-28 13:10 -------- d-----w- c:\program files\Common Files\Nero
2011-05-28 13:10 . 2011-05-28 13:11 -------- d-----w- c:\program files\Nero
2011-05-28 13:10 . 2011-05-28 13:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2011-05-28 13:09 . 2008-10-15 11:22 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2011-05-28 13:09 . 2007-05-16 21:45 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2011-05-28 13:08 . 2011-05-28 13:08 -------- d-----w- c:\windows\Logs
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-04 03:04 . 2011-01-25 23:11 28672 ----a-w- c:\windows\system32\SpyShelterShellExt.dll
2011-05-02 15:31 . 2010-06-04 01:32 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19 . 2004-08-10 11:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-28 21:47 . 2011-04-28 21:47 365888 ----a-w- c:\windows\system32\PSUNCpl.cpl
2011-04-28 11:57 . 2011-04-28 11:57 112456 ----a-w- c:\windows\system32\drivers\PSINProt.sys
2011-04-28 11:57 . 2011-04-28 11:57 97096 ----a-w- c:\windows\system32\drivers\PSINFile.sys
2011-04-28 11:57 . 2011-04-28 11:57 143432 ----a-w- c:\windows\system32\drivers\PSINAflt.sys
2011-04-28 11:57 . 2011-04-28 11:57 129992 ----a-w- c:\windows\system32\drivers\PSINKNC.sys
2011-04-28 11:57 . 2011-04-28 11:57 111688 ----a-w- c:\windows\system32\drivers\PSINProc.sys
2011-04-25 16:11 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-10 11:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-10 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-10 11:00 385024 ------w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-10 11:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
2011-05-09 10:45 288584 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
2011-05-09 10:45 288584 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyShelter"="c:\program files\SpyShelter Personal Free\SpyShelter.exe" [2011-05-30 2565616]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2011-04-28 439616]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-08 19:11 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2008-06-19 12:42 2808832 ----a-w- c:\windows\ALCWZRD.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 20:56 64512 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 20:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2005-01-08 00:07 61952 ------w- c:\windows\system32\HdAShCut.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-01-13 09:47 163840 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-09-24 07:08 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-01-13 09:47 131072 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2010-09-17 21:40 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-05-29 14:11 449584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 17:17 5252408 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-01-13 09:46 135168 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2010-06-30 20:33 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-12-09 00:35 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2008-08-19 09:26 77824 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
2008-04-14 00:12 143360 ----a-w- c:\windows\system32\mobsync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2008-02-18 10:58 206184 ----a-w- c:\program files\TomTom HOME 2\HOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2010-06-01 17:17 5252408 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [1/19/2011 4:39 PM 28552]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [4/28/2011 6:57 AM 129992]
R1 SpyShelter;SpyShelter;c:\program files\SpyShelter Personal Free\SpyShelter.sys [1/25/2011 6:10 PM 158192]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/8/2010 2:11 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/17/2010 4:40 PM 12856]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/19/2011 8:15 PM 366640]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [4/28/2011 6:58 AM 140608]
R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [3/4/2011 11:39 AM 584488]
R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe [1/14/2011 1:35 PM 196912]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [4/28/2011 6:57 AM 143432]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [4/28/2011 6:57 AM 97096]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [4/28/2011 6:57 AM 111688]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [4/28/2011 6:57 AM 112456]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/19/2011 8:14 PM 22712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [6/15/2010 6:36 PM 1684736]
S3 mr8980;Digital Wireless Camera;c:\windows\system32\drivers\mr8980.sys [7/16/2010 4:56 PM 69632]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-22 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-10-11 22:12]
.
2011-06-21 c:\windows\Tasks\User_Feed_Synchronization-{EBD685C4-8CE4-42A7-A4DA-9B8ED27675CF}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
IE: {{A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - {A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - c:\program files\Superfish\Window Shopper\SuperfishIEAddon.dll
Trusted Zone: microsoft.com\www.update
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\22nsm24y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage -
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Window Shopper - Powered by Superfish: superfish@superfish.com - c:\documents and settings\All Users\Application DataMozilla\Extensions\superfish@superfish.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-DataMngr - c:\progra~1\SHAREA~1\MediaBar\Datamngr\DATAMN~1.EXE
MSConfigStartUp-InstallIQUpdater - c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe
MSConfigStartUp-ISUSPM - c:\documents and settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe
MSConfigStartUp-NextGen AntiKeylogger - c:\program files\NextGen AntiKeylogger\NextGenAkl.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-22 17:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,78,b3,4a,c8,17,f1,4e,46,b3,c9,e4,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,78,b3,4a,c8,17,f1,4e,46,b3,c9,e4,\
.
[HKEY_USERS\S-1-5-21-854245398-2049760794-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(856)
c:\windows\system32\LMIinit.dll
.
Completion time: 2011-06-22 17:45:50
ComboFix-quarantined-files.txt 2011-06-22 22:45
.
Pre-Run: 269,715,607,552 bytes free
Post-Run: 271,303,979,008 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 1CFC914A85B346FC6B470C8620D8E57E
agl01
Regular Member
 
Posts: 23
Joined: June 15th, 2011, 6:45 pm

Re: need help removing any malware

Unread postby melboy » June 23rd, 2011, 5:50 am

agl01 wrote:just a note...the scan revealed 10 items of malware..sure you see this...thanks

Yes, don't worry, I saw those. ;)

How are things running after running the CFScript below?


COMBOFIX-Script

A word of warning: Please do not run ComboFix on your own. This tool is not for everyday use.

If combofix prompts you that an update is available, please allow it to update.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below (Do Not include Code:)

    Code: Select all
    Firefox::
    FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\22nsm24y.default\
    FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\22nsm24y.default\extensions\{28387537-e3f9-4ed7-860c-11e69af4a8a0}\components\dtTransparency.dll
    FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\22nsm24y.default\extensions\{28387537-e3f9-4ed7-860c-11e69af4a8a0}\components\dtTransparency3.5.dll
    FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\22nsm24y.default\extensions\{28387537-e3f9-4ed7-860c-11e69af4a8a0}\components\dtTransparency3.6.dll
    FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\22nsm24y.default\extensions\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}\components\dtTransparency.dll
    FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\22nsm24y.default\extensions\firefox@bandoo.com\components\FFPlugin.dll
    FF - component: c:\program files\shareaza applications\mediabar\datamngr\firefoxextension\components\DataMngrHlp.dll
    
    Folder::
    C:\Documents and Settings\All Users\Application Data\ReviverSoft
    
    File::
    C:\Documents and Settings\user\My Documents\program installs BUS\BlubsterSetup.exe
    C:\Documents and Settings\user\My Documents\program installs BUS\psuite45.exe
    C:\Documents and Settings\user\My Documents\program installs BUS\rb09_4_4_0_17.exe
    C:\Documents and Settings\user\My Documents\program installs BUS\RegistryReviverSetup.exe
    C:\Documents and Settings\user\My Documents\programinstalls\rb09_4_4_0_17.exe
    C:\Documents and Settings\user\My Documents\programinstalls\RegistryReviverSetup.exe
    C:\Documents and Settings\user\My Documents\programinstalls\ShareazaV6.exe 
    C:\Documents and Settings\user\My Documents\programinstalls\weatherbug.exe
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000000
    "FirewallOverride"=dword:00000000
    
    DDS::
    AppInit_DLLs: c:\progra~1\sharea~1\mediabar\datamngr\datamngr.dll c:\progra~1\sharea~1\mediabar\datamngr\iebho.dll c:\progra~1\sharea~1\mediabar\datamngr\datamngr.dll c:\progra~1\bandoo\bndhook.dll
    
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: need help removing any malware

Unread postby agl01 » June 23rd, 2011, 8:22 am

I did that and when i drag the txt file named CFScript.txt saved as all files to the icon in the page the pages goes away and the txt file is there opened. nothin happens???? Computer appears to be very fast now but have no idea why the scan won't activate as you described. I disabled the anti virus and the spyshelter program
agl01
Regular Member
 
Posts: 23
Joined: June 15th, 2011, 6:45 pm

Re: need help removing any malware

Unread postby melboy » June 23rd, 2011, 8:30 am

Hi

Delete the CFScript you have, and go through the instructions again - ensure you are dragging CFScript into the combofix icon on your desktop (or the combofix icon you have in My Documents in your case) & not into the image in the post above. (That is for information on how to do it) ;)
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: need help removing any malware

Unread postby agl01 » June 23rd, 2011, 6:30 pm

ComboFix 11-06-22.05 - user 06/23/2011 11:36:50.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3046.2459 [GMT -5:00]
Running from: c:\documents and settings\user\My Documents\malware removal programs\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
.
FILE ::
"c:\documents and settings\user\My Documents\program installs BUS\BlubsterSetup.exe"
"c:\documents and settings\user\My Documents\program installs BUS\psuite45.exe"
"c:\documents and settings\user\My Documents\program installs BUS\rb09_4_4_0_17.exe"
"c:\documents and settings\user\My Documents\program installs BUS\RegistryReviverSetup.exe"
"c:\documents and settings\user\My Documents\programinstalls\rb09_4_4_0_17.exe"
"c:\documents and settings\user\My Documents\programinstalls\RegistryReviverSetup.exe"
"c:\documents and settings\user\My Documents\programinstalls\ShareazaV6.exe"
"c:\documents and settings\user\My Documents\programinstalls\weatherbug.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\ReviverSoft
c:\documents and settings\All Users\Application Data\ReviverSoft\Registry Reviver\Backup\Backup_July_02_10_06_31_39.reg
c:\documents and settings\All Users\Application Data\ReviverSoft\Registry Reviver\InstallCache\{05B64610-ED45-40AC-89A3-507F6B6A25B9}\1033.MST
c:\documents and settings\All Users\Application Data\ReviverSoft\Registry Reviver\InstallCache\{05B64610-ED45-40AC-89A3-507F6B6A25B9}\Registry Reviver.msi
c:\documents and settings\All Users\Application Data\ReviverSoft\Registry Reviver\LOGS\LOGS_07_02_2010_06_28_06_AM.log
c:\documents and settings\All Users\Application Data\ReviverSoft\Registry Reviver\TipofDay_EN.xml
c:\documents and settings\user\My Documents\program installs BUS\BlubsterSetup.exe
c:\documents and settings\user\My Documents\program installs BUS\psuite45.exe
c:\documents and settings\user\My Documents\program installs BUS\rb09_4_4_0_17.exe
c:\documents and settings\user\My Documents\program installs BUS\RegistryReviverSetup.exe
c:\documents and settings\user\My Documents\programinstalls\rb09_4_4_0_17.exe
c:\documents and settings\user\My Documents\programinstalls\RegistryReviverSetup.exe
c:\documents and settings\user\My Documents\programinstalls\ShareazaV6.exe
c:\documents and settings\user\My Documents\programinstalls\weatherbug.exe
.
Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\ntfs.sys
.
.
((((((((((((((((((((((((( Files Created from 2011-05-23 to 2011-06-23 )))))))))))))))))))))))))))))))
.
.
2011-06-21 23:22 . 2011-06-21 23:22 -------- d-----w- c:\program files\ESET
2011-06-21 23:04 . 2011-06-21 23:04 -------- d-----w- c:\program files\Common Files\Java
2011-06-21 23:04 . 2011-06-21 23:03 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-06-21 23:04 . 2011-06-21 23:03 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-21 23:04 . 2011-06-21 23:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-21 12:21 . 2011-06-21 12:21 -------- d-----w- c:\documents and settings\user\AbiSuite
2011-06-21 12:20 . 2011-06-21 12:20 -------- d-----w- c:\program files\AbiSuite2
2011-06-20 22:27 . 2011-06-20 22:27 -------- d-----w- C:\_OTL
2011-06-20 01:15 . 2011-05-29 14:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-20 01:14 . 2011-06-20 01:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-20 01:14 . 2011-05-29 14:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-17 12:51 . 2011-06-17 12:53 -------- d-----w- C:\0936a25e2e974c8c1057
2011-06-16 22:17 . 2011-06-16 22:17 -------- d-----w- c:\windows\SxsCaPendDel
2011-06-16 12:25 . 2011-06-16 12:25 50247 ----a-w- c:\program files\Common Files\Microsoft Shared\Proof\Uninstal.exe
2011-06-16 02:45 . 2011-06-16 02:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-16 00:02 . 2011-06-17 13:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype Extras
2011-06-15 23:22 . 2011-05-25 20:15 29544 ----a-w- c:\program files\Mozilla Firefox\plugins\np_gp.dll
2011-06-15 23:22 . 2011-06-15 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2011-06-15 23:22 . 2011-06-15 23:22 -------- d-----w- c:\program files\NOS
2011-06-15 23:05 . 2011-06-15 23:05 388096 ----a-r- c:\documents and settings\user\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-15 22:38 . 2011-06-15 22:38 -------- d-----w- c:\program files\Trend Micro
2011-06-15 01:36 . 2011-06-15 23:09 -------- d-----w- c:\program files\Common Files\Adobe
2011-06-15 00:53 . 2011-06-15 00:53 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-14 23:34 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-14 01:01 . 2011-06-23 16:48 -------- d-----w- c:\windows\system32\CatRoot2
2011-05-30 22:39 . 2011-05-30 22:39 -------- d-----w- c:\documents and settings\user\Application Data\Superfish
2011-05-30 22:39 . 2011-05-30 22:39 -------- d-----w- c:\program files\Superfish
2011-05-30 22:39 . 2011-05-30 22:39 -------- d-----w- c:\documents and settings\All Users\Application DataMozilla
2011-05-30 17:34 . 2011-05-30 17:49 -------- d-----w- C:\48ff03d23d8e16dee0
2011-05-28 13:12 . 2011-05-28 13:36 -------- d-----w- c:\documents and settings\user\Application Data\Nero
2011-05-28 13:10 . 2011-05-28 13:10 -------- d-----w- c:\program files\Common Files\Nero
2011-05-28 13:10 . 2011-05-28 13:11 -------- d-----w- c:\program files\Nero
2011-05-28 13:10 . 2011-05-28 13:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2011-05-28 13:09 . 2008-10-15 11:22 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2011-05-28 13:09 . 2007-05-16 21:45 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2011-05-28 13:08 . 2011-05-28 13:08 -------- d-----w- c:\windows\Logs
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-04 03:04 . 2011-01-25 23:11 28672 ----a-w- c:\windows\system32\SpyShelterShellExt.dll
2011-05-02 15:31 . 2010-06-04 01:32 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19 . 2004-08-10 11:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-28 21:47 . 2011-04-28 21:47 365888 ----a-w- c:\windows\system32\PSUNCpl.cpl
2011-04-28 11:57 . 2011-04-28 11:57 112456 ----a-w- c:\windows\system32\drivers\PSINProt.sys
2011-04-28 11:57 . 2011-04-28 11:57 97096 ----a-w- c:\windows\system32\drivers\PSINFile.sys
2011-04-28 11:57 . 2011-04-28 11:57 143432 ----a-w- c:\windows\system32\drivers\PSINAflt.sys
2011-04-28 11:57 . 2011-04-28 11:57 129992 ----a-w- c:\windows\system32\drivers\PSINKNC.sys
2011-04-28 11:57 . 2011-04-28 11:57 111688 ----a-w- c:\windows\system32\drivers\PSINProc.sys
2011-04-25 16:11 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-10 11:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-10 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-10 11:00 385024 ------w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-10 11:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
2011-05-09 10:45 288584 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
2011-05-09 10:45 288584 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyShelter"="c:\program files\SpyShelter Personal Free\SpyShelter.exe" [2011-05-30 2565616]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2011-04-28 439616]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-08 19:11 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2008-06-19 12:42 2808832 ----a-w- c:\windows\ALCWZRD.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 20:56 64512 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 20:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2005-01-08 00:07 61952 ------w- c:\windows\system32\HdAShCut.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-01-13 09:47 163840 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-09-24 07:08 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-01-13 09:47 131072 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2010-09-17 21:40 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-05-29 14:11 449584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 17:17 5252408 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-01-13 09:46 135168 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2010-06-30 20:33 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-12-09 00:35 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2008-08-19 09:26 77824 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
2008-04-14 00:12 143360 ----a-w- c:\windows\system32\mobsync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2008-02-18 10:58 206184 ----a-w- c:\program files\TomTom HOME 2\HOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2010-06-01 17:17 5252408 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [1/19/2011 4:39 PM 28552]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [4/28/2011 6:57 AM 129992]
R1 SpyShelter;SpyShelter;c:\program files\SpyShelter Personal Free\SpyShelter.sys [1/25/2011 6:10 PM 158192]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/8/2010 2:11 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/17/2010 4:40 PM 12856]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/19/2011 8:15 PM 366640]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [4/28/2011 6:58 AM 140608]
R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [3/4/2011 11:39 AM 584488]
R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe [1/14/2011 1:35 PM 196912]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [4/28/2011 6:57 AM 143432]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [4/28/2011 6:57 AM 97096]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [4/28/2011 6:57 AM 111688]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [4/28/2011 6:57 AM 112456]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/19/2011 8:14 PM 22712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [6/15/2010 6:36 PM 1684736]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\user\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\user\LOCALS~1\Temp\CFcatchme.sys [?]
S3 mr8980;Digital Wireless Camera;c:\windows\system32\drivers\mr8980.sys [7/16/2010 4:56 PM 69632]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-23 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-10-11 22:12]
.
2011-06-23 c:\windows\Tasks\User_Feed_Synchronization-{EBD685C4-8CE4-42A7-A4DA-9B8ED27675CF}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
IE: {{A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - {A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - c:\program files\Superfish\Window Shopper\SuperfishIEAddon.dll
Trusted Zone: microsoft.com\www.update
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\22nsm24y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage -
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Window Shopper - Powered by Superfish: superfish@superfish.com - c:\documents and settings\All Users\Application DataMozilla\Extensions\superfish@superfish.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-23 17:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,78,b3,4a,c8,17,f1,4e,46,b3,c9,e4,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,78,b3,4a,c8,17,f1,4e,46,b3,c9,e4,\
.
[HKEY_USERS\S-1-5-21-854245398-2049760794-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(856)
c:\windows\system32\LMIinit.dll
.
- - - - - - - > 'explorer.exe'(6716)
c:\windows\system32\WININET.dll
c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCGP.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCIPC.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
c:\program files\Common Files\Nero\NeroShellExt\NeroShellExt.dll
c:\program files\Common Files\Nero\NeroShellExt\SolutionExplorer.dll
c:\progra~1\WINZIP\WZSHLSTB.DLL
c:\windows\system32\SpyShelterShellExt.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\program files\Tracker Software\Shell Extensions\XCShInfo.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-06-23 17:20:47 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-23 22:20
ComboFix2.txt 2011-06-22 22:45
.
Pre-Run: 271,242,735,616 bytes free
Post-Run: 271,227,166,720 bytes free
.
- - End Of File - - 78515CCD0113CF61C06BE639E5AC8545
agl01
Regular Member
 
Posts: 23
Joined: June 15th, 2011, 6:45 pm

Re: need help removing any malware

Unread postby agl01 » June 23rd, 2011, 6:33 pm

the log said it couldn't upload it to the server after it ran and said it saved it to c: cf-submit.htm to be uploaded later
agl01
Regular Member
 
Posts: 23
Joined: June 15th, 2011, 6:45 pm

Re: need help removing any malware

Unread postby agl01 » June 23rd, 2011, 6:37 pm

i uploaded it the files to the server after successfully CF-submit.htm
agl01
Regular Member
 
Posts: 23
Joined: June 15th, 2011, 6:45 pm

Re: need help removing any malware

Unread postby melboy » June 23rd, 2011, 6:39 pm

Hi

Great - Thanks

melboy wrote:How are things running after running the CFScript


Can you also post me the contents of C:\Qoobox\ComboFix-quarantined-files.txt :)
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: need help removing any malware

Unread postby agl01 » June 23rd, 2011, 6:45 pm

and where might that be found??
agl01
Regular Member
 
Posts: 23
Joined: June 15th, 2011, 6:45 pm

Re: need help removing any malware

Unread postby melboy » June 23rd, 2011, 6:48 pm

Hi

C:\Qoobox

Is there a folder at the root of your C: drive called Qoobox?
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: need help removing any malware

Unread postby agl01 » June 23rd, 2011, 6:53 pm

yes..there's 2 files under quarantine:

catchme:

file zipped: C:\Documents and Settings\user\My Documents\program installs BUS\BlubsterSetup.exe -> catchme.zip -> BlubsterSetup.exe ( 6719728 bytes )
file "C:\Documents and Settings\user\My Documents\program installs BUS\BlubsterSetup.exe" replaced successfully
file zipped: C:\Documents and Settings\user\My Documents\program installs BUS\psuite45.exe -> catchme.zip -> psuite45.exe ( 2789934 bytes )
file "C:\Documents and Settings\user\My Documents\program installs BUS\psuite45.exe" replaced successfully
file zipped: C:\Documents and Settings\user\My Documents\program installs BUS\rb09_4_4_0_17.exe -> catchme.zip -> rb09_4_4_0_17.exe ( 3071864 bytes )
file "C:\Documents and Settings\user\My Documents\program installs BUS\rb09_4_4_0_17.exe" replaced successfully
file zipped: C:\Documents and Settings\user\My Documents\program installs BUS\RegistryReviverSetup.exe -> catchme.zip -> RegistryReviverSetup.exe ( 12284664 bytes )
file "C:\Documents and Settings\user\My Documents\program installs BUS\RegistryReviverSetup.exe" replaced successfully
file zipped: C:\Documents and Settings\user\My Documents\programinstalls\rb09_4_4_0_17.exe -> catchme.zip -> rb09_4_4_0_17.exe.1 ( 3071864 bytes )
file "C:\Documents and Settings\user\My Documents\programinstalls\rb09_4_4_0_17.exe" replaced successfully
file zipped: C:\Documents and Settings\user\My Documents\programinstalls\RegistryReviverSetup.exe -> catchme.zip -> RegistryReviverSetup.exe.1 ( 12284664 bytes )
file "C:\Documents and Settings\user\My Documents\programinstalls\RegistryReviverSetup.exe" replaced successfully
file zipped: C:\Documents and Settings\user\My Documents\programinstalls\ShareazaV6.exe -> catchme.zip -> ShareazaV6.exe ( 12989736 bytes )
file "C:\Documents and Settings\user\My Documents\programinstalls\ShareazaV6.exe" replaced successfully
file zipped: C:\Documents and Settings\user\My Documents\programinstalls\weatherbug.exe -> catchme.zip -> weatherbug.exe ( 1905208 bytes )
file "C:\Documents and Settings\user\My Documents\programinstalls\weatherbug.exe" replaced successfully

and another one with the same name:


-------- 2011-06-22 - 17:25:46 -------------


-------- 2011-06-23 - 11:33:56 -------------


-------- 2011-06-23 - 11:34:47 -------------
agl01
Regular Member
 
Posts: 23
Joined: June 15th, 2011, 6:45 pm
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 293 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware