ANTIVIR virus on mini laptop


ANTIVIR virus on mini laptop

Post by peverton on Mon 02 Aug 2010, 2:29 pm

No CD drive on mini laptop (Windows XP), and the virus is preventing me from accessing any websites to download anything that may help me. What am I to do?

peverton

Newbie Surfer

Posts : 17
Joined : 2010-08-02
Operating System : xp

Re: ANTIVIR virus on mini laptop

Post by Crush on Mon 02 Aug 2010, 2:34 pm

Welcome to GeekPolice Forums! I'm Crush, but you can call me Chris too, and I will be helping you with your malware issues.

A few things to keep in mind as we progress:

1. We are all volunteer staff here so we log in and assess threads when real life, work, family, and other obligations permit. Additionally, we are located all over the world. There may be a bit of a time delay due to this.

2. Malware Removal threads are very time intensive. Each entry must be researched until it can be said with 100% certainty whether or not it can stay or needs to be removed. Sometimes additional work is needed to weed out suspect entries.

3. This may turn into a long ordeal, but rest assured we will stay with you until you are completely disinfected.

4. Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer. Do not run any tools unless specifically asked to by a member of one of these usergroups.

5. If you are not the original poster of this thread DO NOT run any fixes given to the poster in this thread. They are all custom tailored specifically to this user. It could prove to be disastrous.

6. Please keep responding until I give you the "All Clear". Absence of symptoms does not mean that everything is clear.

7. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

8. If you have any questions or issues please stop and ask! We are all here to help.


IMPORTANT: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.


If you follow these instructions, everything should go smoothly.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

To do this click , then click Preferences. Make sure Always notify me of replies is set to Yes.


With that out of the way:

Please download and run RKill.

Download mirror 1 - Download mirror 2 - Download mirror 3

  • Save it to your Desktop.
  • Double click the RKill desktop icon.
  • It will quickly run and launch a log. If it does not launch a log, try another download link until it does.
  • Please post its log in your next reply.
  • After it has run successfully, delete RKill.

Note: This tool only kills the active infection, the actual infection will not be gone. Once you reboot the infection will be active again! Please do not reboot until instructed further to do so.
========

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to doing this can be found here.
  • Click Start>Run, then copy/paste the following command into the Run box & click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Crush

Tech Officer

Posts : 3889
Joined : 2010-01-28

Re: ANTIVIR virus on mini laptop

Post by peverton on Mon 02 Aug 2010, 2:38 pm

That's the problem: I can't download anything since the virus is preventing me from accessing any websites, and the mini laptop does NOT have a CD drive ...uuugh!

peverton

Newbie Surfer

Posts : 17
Joined : 2010-08-02
Operating System : xp

Re: ANTIVIR virus on mini laptop

Post by Crush on Mon 02 Aug 2010, 2:39 pm

Do you have another machine you can download tools to? How about a USB drive to transfer files over?

Crush

Tech Officer

Posts : 3889
Joined : 2010-01-28

Re: ANTIVIR virus on mini laptop

Post by peverton on Mon 02 Aug 2010, 2:41 pm

Yes, I am writing to you on my Mac, and the mini has a USB port (didn't think of that)!

peverton

Newbie Surfer

Posts : 17
Joined : 2010-08-02
Operating System : xp

Re: ANTIVIR virus on mini laptop

Post by Crush on Mon 02 Aug 2010, 2:43 pm

Beautiful. Can you transfer RKill and ComboFix over via USB to your Desktop on your netbook and run them from there, please?

Crush

Tech Officer

Posts : 3889
Joined : 2010-01-28

Re: ANTIVIR virus on mini laptop

Post by peverton on Mon 02 Aug 2010, 3:05 pm

Having a hard time; every time I click on the USB in "My Computer" I get a "security warning" that prevents me from opening the files on the USB.

peverton

Newbie Surfer

Posts : 17
Joined : 2010-08-02
Operating System : xp

Re: ANTIVIR virus on mini laptop

Post by Crush on Mon 02 Aug 2010, 3:08 pm

Have you tried RKill?

Please download and run the following:

iExplore.exe or eXplorer.exe

which are renamed copies of rkill.com, and try them instead.

Then rename ComboFix to firefox.com.

Crush

Tech Officer

Posts : 3889
Joined : 2010-01-28

Re: ANTIVIR virus on mini laptop

Post by peverton on Mon 02 Aug 2010, 3:13 pm

I did download RKill on my Mac and saved it to the USB. I then plugged the USB into my infected mini laptop. When I click on the USB in "My Computer" to open the RKill files, a "security warning" (virus) pops up and prevents me from opening the USB.

I am going to keep trying, because it did allow me once to see the RKill file, but then it closed on me.

peverton

Newbie Surfer

Posts : 17
Joined : 2010-08-02
Operating System : xp

Re: ANTIVIR virus on mini laptop

Post by Crush on Mon 02 Aug 2010, 3:21 pm

Okie dokie. Let's see if we can take a different route.

Please reboot your netbook and hit F8 as the computer boots up. In the menu you are presented with, choose Safe Mode With Networking.

In this mode the malware will be prevented from starting up. Once the desktop pops up, please try running ComboFix.

Crush

Tech Officer

Posts : 3889
Joined : 2010-01-28

Re: ANTIVIR virus on mini laptop

Post by peverton on Mon 02 Aug 2010, 3:33 pm

OK, commy is now running.

peverton

Newbie Surfer

Posts : 17
Joined : 2010-08-02
Operating System : xp

Re: ANTIVIR virus on mini laptop

Post by Crush on Mon 02 Aug 2010, 3:35 pm

Woohoo, looking forward to your logfile.

Crush

Tech Officer

Posts : 3889
Joined : 2010-01-28

Re: ANTIVIR virus on mini laptop

Post by peverton on Mon 02 Aug 2010, 3:38 pm

MS Windows Recovery Console popup says...

This machine does not have the ms windows recovery console installed. Alternately, an existing installation of the recovery console may be present but requires updating.

Without it, combofix shall not attempt the fixing of some serious infections.

click yes to have combofix download/install it

note - this requires an active internet connection.

peverton

Newbie Surfer

Posts : 17
Joined : 2010-08-02
Operating System : xp

Re: ANTIVIR virus on mini laptop

Post by Crush on Mon 02 Aug 2010, 3:54 pm

Please click Yes.

Crush

Tech Officer

Posts : 3889
Joined : 2010-01-28

Re: ANTIVIR virus on mini laptop

Post by peverton on Mon 02 Aug 2010, 4:01 pm

OK, here we go!

peverton

Newbie Surfer

Posts : 17
Joined : 2010-08-02
Operating System : xp

Re: ANTIVIR virus on mini laptop

Post by Crush on Mon 02 Aug 2010, 4:08 pm

Hold on to your hats!

Crush

Tech Officer

Posts : 3889
Joined : 2010-01-28

Re: ANTIVIR virus on mini laptop

Post by peverton on Mon 02 Aug 2010, 4:19 pm

ComboFix 10-08-01.01 - Devon 08/02/2010 1:01.1.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.708 [GMT -4:00]
Running from: E:\commy.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Devon\Application Data\LoJackSetup.exe
c:\documents and settings\Devon\Local Settings\Application Data\wiaaodtmq
c:\documents and settings\Devon\Local Settings\Application Data\wiaaodtmq\ouqejpgtssd.exe

.
((((((((((((((((((((((((( Files Created from 2010-07-02 to 2010-08-02 )))))))))))))))))))))))))))))))
.

2010-08-02 02:21 . 2010-08-02 02:21 -------- d-----w- c:\program files\Copy of Citrix
2010-08-01 22:20 . 2010-08-01 22:20 -------- d-----w- c:\windows\Sun
2010-07-20 23:46 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-02 02:32 . 2010-06-28 07:07 99608 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-03 20:34 . 2010-03-25 20:13 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-14 14:31 . 2008-04-26 01:44 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-11 00:02 . 2010-06-11 00:02 -------- d-----w- c:\documents and settings\Devon\Application Data\Windows Live Writer
2010-06-09 19:28 . 2010-03-07 23:54 282 ----a-w- c:\documents and settings\Devon\Application Data\wklnhst.dat
2010-06-05 15:11 . 2010-02-23 03:37 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-29 13:51 . 2010-05-29 13:51 348160 ----a-w- c:\documents and settings\Devon\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3548e579-n\msvcr71.dll
2010-05-29 13:51 . 2010-05-29 13:51 503808 ----a-w- c:\documents and settings\Devon\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3548e579-n\msvcp71.dll
2010-05-29 13:51 . 2010-05-29 13:51 499712 ----a-w- c:\documents and settings\Devon\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3548e579-n\jmc.dll
2010-05-06 10:41 . 2008-04-25 20:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 03:30 . 2010-02-23 03:30 75 --sh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-23 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-15 1434920]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-15 17529856]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-15 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-15 137752]
"OA012Mon"="c:\windows\OA012Mon.exe" [2009-09-01 24576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-23 149280]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]
"WSED"="c:\program files\WSED\WSED.exe" [2009-05-27 247080]
"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2009-07-22 623984]
"CapsLKNotify"="c:\program files\CapsLKNotify\CapsLKNotify.exe" [2009-02-23 320808]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"wvlaunch"="c:\program files\Numedeon\Whyville Launcher\wvlaunch.exe" [2009-05-23 1120768]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]

c:\documents and settings\Devon\Start Menu\Programs\Startup\
Nickelodeon RSS.lnk - c:\program files\Stardock\DesktopGadgets\Nickelodeon RSS\Nickelodeon RSS.exe [2010-2-22 884016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Stardock MyColors.lnk - c:\program files\Stardock\MyColors\SDDelayedLaunch.exe [2009-6-24 10440]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
IconPackager.lnk - c:\program files\Stardock\MyColors\IconPackager.exe [2009-6-16 1385848]
Nickelodeon RSS.lnk - c:\program files\Stardock\DesktopGadgets\Nickelodeon RSS\Nickelodeon RSS.exe [2010-2-22 884016]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-02-23 03:28 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2009-06-09 15:55 30000 ----a-w- c:\program files\Stardock\MyColors\fastload.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2/22/2010 11:23 PM 14248]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2/23/2010 12:52 AM 162816]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/23/2010 10:06 AM 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/23/2010 12:52 AM 1684736]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2/22/2010 11:29 PM 143840]
S3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [2/23/2010 12:52 AM 134144]
S3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [2/23/2010 12:52 AM 133632]
S3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [2/23/2010 12:52 AM 272256]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 4:33 PM 14336]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - RSVP

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-08-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-23 14:06]

2010-08-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-23 14:06]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride =
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-yhkndcsj - c:\documents and settings\Devon\Local Settings\Application Data\wiaaodtmq\ouqejpgtssd.exe
HKLM-Run-LoJackForLaptops - c:\program files\absolute Software\LoJack Install\FactoryInstaller.exe
HKLM-Run-yhkndcsj - c:\documents and settings\Devon\Local Settings\Application Data\wiaaodtmq\ouqejpgtssd.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer
Rootkit scan 2010-08-02 01:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Devon\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4173571547-3841892101-3456111933-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\program files\Stardock\MyColors\fastload.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-08-02 01:14:34
ComboFix-quarantined-files.txt 2010-08-02 05:14

Pre-Run: 150,324,695,040 bytes free
Post-Run: 150,695,940,096 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 60FF587D7E7D685CE086EC316D1C72D0

peverton

Newbie Surfer

Posts : 17
Joined : 2010-08-02
Operating System : xp

Re: ANTIVIR virus on mini laptop

Post by Crush on Mon 02 Aug 2010, 4:29 pm

Hi again

Before we start with the fixes: I saw that you ran ComboFix from the flash drive. Can you move it on to the Desktop, please?

Once that's done:

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\docume~1\Devon\LOCALS~1\Temp\catchme.dll

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5643
    uInternet Settings,ProxyOverride =
  4. Save this as CFScript.txt, in the same location as ComboFix.exe.



  5. Referring to the picture above, drag CFScript into ComboFix.exe.
  6. When finished, it shall produce a log for you at C:\ComboFix.txt.
  7. Please post the contents of the log in your next reply.

Crush

Tech Officer

Posts : 3889
Joined : 2010-01-28
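The log peverton posted and the CFScript Crush built from it are, taken together, a small triage exercise: pull the settings the infection changed out of the ComboFix output, separate them from what McAfee normally leaves behind, and turn the items to revert into the File:: and DDS:: directives ComboFix accepts. The Python below is an added example written for this page; it is not ComboFix's code and not anything the helper in this thread ran. The embedded log excerpt is constructed from lines of the first log above, and the function names are mine.

```python
import re

# Constructed excerpt of the first ComboFix log in this thread: only the lines the
# checks below read, copied verbatim (raw string, so Windows backslashes stay literal).
SAMPLE_LOG = r"""
ComboFix 10-08-01.01 - Devon 08/02/2010 1:01.1.2 - x86 NETWORK
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

------- Supplementary Scan -------
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride =

- - - - ORPHANS REMOVED - - - -
HKCU-Run-yhkndcsj - c:\documents and settings\Devon\Local Settings\Application Data\wiaaodtmq\ouqejpgtssd.exe

c:\docume~1\Devon\LOCALS~1\Temp\catchme.dll 53248 bytes executable
"""

def is_local_proxy(proxy_setting):
    """True when the IE proxy string points at the machine itself (127.x or localhost)."""
    host = proxy_setting.split("=", 1)[-1].rsplit(":", 1)[0].strip()
    return host == "localhost" or host.startswith("127.")

def parse_indicators(log_text):
    """Pull the settings a helper would act on out of a ComboFix log."""
    f = {"proxy": None, "av_realtime_off": False, "security_center_disabled": [],
         "firewall_disabled": False, "suspect_autostarts": [], "hidden_executables": []}
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # registry key the following values belong to
            continue
        if line.startswith("AV:") and "scanning disabled" in line:
            f["av_realtime_off"] = True
            continue
        if line == '"DisableMonitoring"=dword:00000001' and current_key:
            f["security_center_disabled"].append(current_key.rsplit("\\", 1)[-1])
            continue
        if line.startswith('"EnableFirewall"=') and line.split("=", 1)[1].strip().startswith("0"):
            f["firewall_disabled"] = True
            continue
        m = re.match(r"uInternet Settings,ProxyServer\s*=\s*(.+)$", line)
        if m:
            f["proxy"] = m.group(1).strip()
            continue
        m = re.match(r"^(HK(?:CU|LM))-Run-(\S+) - (.+)$", line)   # ORPHANS REMOVED entries
        if m:
            f["suspect_autostarts"].append(m.groups())
            continue
        m = re.match(r"(?i)^(c:\\.+?)\s+\d+ bytes executable$", line)  # catchme hidden files
        if m:
            f["hidden_executables"].append(m.group(1))
    return f

def build_cfscript(f, log_text):
    """Emit the File::/DDS:: directives ComboFix reads from CFScript.txt."""
    sections = []
    if f["hidden_executables"]:
        sections.append("File::\n" + "\n".join(f["hidden_executables"]))
    if f["proxy"] and is_local_proxy(f["proxy"]):
        # DDS:: takes the Supplementary Scan lines to reset, quoted verbatim from the log
        proxy_lines = [l.strip() for l in log_text.splitlines()
                       if l.strip().startswith("uInternet Settings,Proxy")]
        sections.append("DDS::\n" + "\n".join(proxy_lines))
    return "\n\n".join(sections) + "\n"

def summarize(f):
    """One line per finding, phrased for the person reading the log."""
    notes = []
    if f["proxy"] and is_local_proxy(f["proxy"]):
        notes.append("IE proxy forced to %s: every browser request goes to a port on the "
                     "infected host itself, which is why no website loads" % f["proxy"])
    if f["av_realtime_off"]:
        notes.append("antivirus on-access scanning is off")
    # Normal when a third-party suite owns Security Center and the firewall; weigh with the rest.
    notes += ["Security Center monitoring off for %s" % p for p in f["security_center_disabled"]]
    if f["firewall_disabled"]:
        notes.append("Windows Firewall standard profile off")
    notes += ["autostart %s\\Run\\%s -> %s" % a for a in f["suspect_autostarts"]]
    notes += ["hidden executable: %s" % p for p in f["hidden_executables"]]
    return notes

if __name__ == "__main__":
    found = parse_indicators(SAMPLE_LOG)
    print("\n".join(summarize(found)))
    print("\nCFScript.txt:\n" + build_cfscript(found, SAMPLE_LOG))
```

Run against the excerpt, the script produces the same File:: and DDS:: block Crush posted. Only the loopback proxy and the catchme hit become directives; the DisableMonitoring and EnableFirewall=0 values are reported but left alone, because a suite like McAfee sets them when it takes over Security Center and the firewall, and reverting them blindly would only generate alerts. The proxy line is the one that explains the poster's first symptom: with every request sent to a port on the machine itself, no site loads until the setting is cleared.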

Re: ANTIVIR virus on mini laptop

Post by peverton on Mon 02 Aug 2010, 11:19 pm

Hi, hope you are still there! I copied the above and dragged it over to the ComboFix.exe. When it is finished, I'll post the contents of the log in my next reply.

peverton

Newbie Surfer

Posts : 17
Joined : 2010-08-02
Operating System : xp

Re: ANTIVIR virus on mini laptop

Post by peverton on Mon 02 Aug 2010, 11:26 pm

ComboFix 10-08-01.01 - Devon 08/02/2010 8:17.3.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.703 [GMT -4:00]
Running from: c:\documents and settings\Devon\Desktop\commy.exe
Command switches used :: c:\documents and settings\Devon\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\docume~1\Devon\LOCALS~1\Temp\catchme.dll"
.

((((((((((((((((((((((((( Files Created from 2010-07-02 to 2010-08-02 )))))))))))))))))))))))))))))))
.

2010-08-02 02:21 . 2010-08-02 02:21 -------- d-----w- c:\program files\Copy of Citrix
2010-08-01 22:20 . 2010-08-01 22:20 -------- d-----w- c:\windows\Sun
2010-07-20 23:46 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-02 02:32 . 2010-06-28 07:07 99608 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-03 20:34 . 2010-03-25 20:13 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-14 14:31 . 2008-04-26 01:44 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-11 00:02 . 2010-06-11 00:02 -------- d-----w- c:\documents and settings\Devon\Application Data\Windows Live Writer
2010-06-09 19:28 . 2010-03-07 23:54 282 ----a-w- c:\documents and settings\Devon\Application Data\wklnhst.dat
2010-06-05 15:11 . 2010-02-23 03:37 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-29 13:51 . 2010-05-29 13:51 348160 ----a-w- c:\documents and settings\Devon\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3548e579-n\msvcr71.dll
2010-05-29 13:51 . 2010-05-29 13:51 503808 ----a-w- c:\documents and settings\Devon\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3548e579-n\msvcp71.dll
2010-05-29 13:51 . 2010-05-29 13:51 499712 ----a-w- c:\documents and settings\Devon\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3548e579-n\jmc.dll
2010-05-06 10:41 . 2008-04-25 20:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 03:30 . 2010-02-23 03:30 75 --sh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-23 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-15 1434920]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-15 17529856]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-15 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-15 137752]
"OA012Mon"="c:\windows\OA012Mon.exe" [2009-09-01 24576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-23 149280]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]
"WSED"="c:\program files\WSED\WSED.exe" [2009-05-27 247080]
"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2009-07-22 623984]
"CapsLKNotify"="c:\program files\CapsLKNotify\CapsLKNotify.exe" [2009-02-23 320808]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"wvlaunch"="c:\program files\Numedeon\Whyville Launcher\wvlaunch.exe" [2009-05-23 1120768]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]

c:\documents and settings\Devon\Start Menu\Programs\Startup\
Nickelodeon RSS.lnk - c:\program files\Stardock\DesktopGadgets\Nickelodeon RSS\Nickelodeon RSS.exe [2010-2-22 884016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Stardock MyColors.lnk - c:\program files\Stardock\MyColors\SDDelayedLaunch.exe [2009-6-24 10440]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
IconPackager.lnk - c:\program files\Stardock\MyColors\IconPackager.exe [2009-6-16 1385848]
Nickelodeon RSS.lnk - c:\program files\Stardock\DesktopGadgets\Nickelodeon RSS\Nickelodeon RSS.exe [2010-2-22 884016]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-02-23 03:28 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2009-06-09 15:55 30000 ----a-w- c:\program files\Stardock\MyColors\fastload.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2/22/2010 11:23 PM 14248]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2/23/2010 12:52 AM 162816]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/23/2010 10:06 AM 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/23/2010 12:52 AM 1684736]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2/22/2010 11:29 PM 143840]
S3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [2/23/2010 12:52 AM 134144]
S3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [2/23/2010 12:52 AM 133632]
S3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [2/23/2010 12:52 AM 272256]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 4:33 PM 14336]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - RSVP

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-08-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-23 14:06]

2010-08-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-23 14:06]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer
Rootkit scan 2010-08-02 08:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4173571547-3841892101-3456111933-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\program files\Stardock\MyColors\fastload.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(540)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-08-02 08:23:05
ComboFix-quarantined-files.txt 2010-08-02 12:23
ComboFix2.txt 2010-08-02 05:49
ComboFix3.txt 2010-08-02 05:14

Pre-Run: 150,705,831,936 bytes free
Post-Run: 150,697,418,752 bytes free

- - End Of File - - 54B0F0FCB8DB47AF066A813C53D4ECFD

peverton

Newbie Surfer

Posts : 17
Joined : 2010-08-02
Operating System : xp

Re: ANTIVIR virus on mini laptop

Post by Crush on Wed 04 Aug 2010, 8:13 am

Hi,

I'm currently on vacation so my reply time will be limited until Monday. How are things running now?

Crush

Tech Officer

Posts : 3889
Joined : 2010-01-28
