0

Here is what my AV found:

It doesn't save logs as far as I know, but this should be fairly useful, I hope... It's quarantined now.

http://securityresponse.symantec.com/avcenter/cgi-bin/virauto.cgi?vid=11511

install.exe
A0000005.exe

Security Risk Found! Trojan.Pandex
File: c:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP1\A0000005.exe>>install.exe
Location: Quarantine
Computer: TRAVIS
User: Mo Problems
Action taken: Quarantine succeeded
Date found: Wednesday, September 02, 2009 1:24:55 PM

0

Hi travs1,

Since MBA-M was run after Combofix, I am going to need to see a fresh Combofix scanlog.
Please DELETE your current copy of Combofix and DL a fresh one before running it again.


Also, please download FindIt.zip and Extract the FindIt folder to your desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run. (10-20 seconds)
A log should pop up - please post that for me.

BTW - It doesn't hurt to install the recovery console. I usually recommend it if you do not have your Windows disc or other bootable option handy....

PP :)

0

Here is the ComboFix log:

ComboFix 09-09-02.02 - Mo Problems 09/02/2009 21:07.2.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1471 [GMT -4:00]
Running from: c:\documents and settings\Mo Problems\Desktop\BunnyFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.


(((((((((((((((((((((((((   Files Created from 2009-08-03 to 2009-09-03  )))))))))))))))))))))))))))))))
.


2009-09-02 03:23 . 2009-09-02 03:36 574 ----a-w-    C:\cleanup.bat
2009-09-02 03:23 . 2009-09-02 03:36 135168  ----a-w-    C:\zip.exe
2009-09-01 04:04 . 2009-08-03 17:36 38160   ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-01 04:03 . 2009-08-03 17:36 19096   ----a-w-    c:\windows\system32\drivers\mbam.sys
2009-09-01 03:24 . 2009-09-01 03:24 --------    d-----w-    c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-08-31 22:58 . 2009-08-31 22:58 --------    d-----w-    c:\documents and settings\Mo Problems\Application Data\Malwarebytes
2009-08-31 22:10 . 2009-08-31 22:10 --------    d-sh--w-    c:\windows\system32\config\systemprofile\IETldCache
2009-08-31 22:09 . 2009-08-31 22:09 --------    d-sh--w-    c:\windows\system32\config\systemprofile\PrivacIE
2009-08-31 00:42 . 2009-08-31 00:42 --------    d-----w-    c:\program files\Trend Micro
2009-08-31 00:41 . 2009-08-31 00:41 --------    d-----w-    c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-31 00:41 . 2009-08-31 00:41 --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-31 00:41 . 2009-09-01 00:59 --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2009-08-30 23:22 . 2009-08-30 23:22 --------    d-sh--w-    c:\documents and settings\Administrator\IETldCache
2009-08-26 13:18 . 2009-08-26 13:18 552 ----a-w-    c:\windows\system32\d3d8caps.dat
2009-08-13 16:35 . 2009-07-10 13:27 1315328 ------w-    c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800  ------w-    c:\windows\system32\dllcache\mswebdvd.dll


.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-15 18:17 . 2007-03-27 16:51 --------    d-----w-    c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-05 09:01 . 2004-08-10 15:00 204800  ----a-w-    c:\windows\system32\mswebdvd.dll
2009-07-29 23:20 . 2009-07-29 23:20 --------    d-----w-    c:\documents and settings\Mo Problems\Application Data\Microsoft Games
2009-07-29 23:20 . 2009-07-29 23:20 --------    d-----w-    c:\documents and settings\All Users\Application Data\Microsoft Games
2009-07-29 23:19 . 2006-09-16 02:30 --------    d-----w-    c:\program files\Microsoft Games
2009-07-17 19:01 . 2004-08-10 15:00 58880   ----a-w-    c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-10 15:00 286208  ----a-w-    c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-10 15:00 915456  ------w-    c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-10 15:00 730112  ----a-w-    c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 15:00 56832   ----a-w-    c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 15:00 54272   ----a-w-    c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 15:00 301568  ----a-w-    c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-10 15:00 147456  ----a-w-    c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 15:00 136192  ----a-w-    c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-10 15:00 92928   ----a-w-    c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-10 15:00 81920   ----a-w-    c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 15:00 119808  ----a-w-    c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-10 15:00 80896   ----a-w-    c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-10 15:00 76288   ----a-w-    c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-10 15:00 84992   ----a-w-    c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2004-08-10 15:00 2066432 ----a-w-    c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-10 15:00 132096  ----a-w-    c:\windows\system32\wkssvc.dll
.


(((((((((((((((((((((((((((((   SnapShot@2009-09-02_04.59.31   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-03 00:54 . 2009-09-03 00:54   16384              c:\windows\Temp\Perflib_Perfdata_94.dat
+ 2009-09-03 00:55 . 2009-09-03 00:55   16384              c:\windows\Temp\Perflib_Perfdata_13c.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-11 39408]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-07 409600]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2005-10-28 679936]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-12 229952]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 115560]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]


c:\documents and settings\Mo Problems\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - c:\program files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-7-20 2913584]


c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-8-16 577597]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2006-8-13 57344]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"


[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001


[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Limewire\\LimeWire.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\ITunes\\iTunes.exe"=
"c:\\Program Files\\MyTunes\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Symantec AntiVirus\\Smc.exe"=
"c:\\Program Files\\Symantec AntiVirus\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2 Trial Version\\zt2demoretail.exe"=


R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 4:55 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [8/26/2009 9:29 PM 102448]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 5:06 AM 231424]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 1:55 PM 23888]
S3 MarshallLLDriver;Marshall LL Driver;c:\windows\system32\drivers\MarshallLLDriver.sys [1/25/2007 4:47 PM 54784]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [9/1/2009 12:04 AM 38160]
S3 msvad_multi;Marshall Audio (WDM);c:\windows\system32\drivers\SWAudWDM.sys [1/25/2007 4:47 PM 25088]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder


2009-08-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 18:21]


2009-09-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: vt.edu\learn
FF - ProfilePath - c:\documents and settings\Mo Problems\Application Data\Mozilla\Firefox\Profiles\lya3ldrf.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
.


**************************************************************************


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-02 21:16
Windows 5.1.2600 Service Pack 3 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?P???? ???B?????????????hLC? ??????


scanning hidden files ...


scan completed successfully
hidden files: 0


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------


[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,39,c6,5d,46,b2,d5,f0,48,bb,b2,c7,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,39,c6,5d,46,b2,d5,f0,48,bb,b2,c7,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------


- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\Ati2evxx.dll


- - - - - - - > 'explorer.exe'(2868)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-03 21:20
ComboFix-quarantined-files.txt  2009-09-03 01:20
ComboFix2.txt  2009-09-02 05:11


Pre-Run: 26,462,253,056 bytes free
Post-Run: 26,461,937,664 bytes free


211 --- E O F ---   2009-08-27 14:19



And this is the FindIt log:



Looking for cngaudit.dll


No matches found.



Looking for eventlog.dll


C:\I386\eventlog.dl_   Tue Aug 10 2004   3:00:00a  A....         30,131    29.42 K


C:\WINDOWS\$NTSER~1\
eventlog.dll   Tue Aug 10 2004  11:00:00a  .....         55,808    54.50 K


C:\WINDOWS\SYSTEM32\
eventlog.dll   Sun Apr 13 2008   8:11:54p  .....         56,320    55.00 K


C:\WINDOWS\SERVIC~1\I386\
eventlog.dll   Sun Apr 13 2008   8:11:54p  .....         56,320    55.00 K


C:\WINDOWS\SYSTEM32\DLLCACHE\CACHE\
eventlog.dll   Sun Apr 13 2008   8:11:54p  A....         56,320    55.00 K


5 items found:  5 files, 0 directories.
Total of file sizes:  254,899 bytes    248.92 K



Looking for logevent.dll


No matches found.



Looking for netlogon.dll


C:\I386\netlogon.dl_   Tue Aug 10 2004   3:00:00a  A....        181,419   177.16 K


C:\WINDOWS\$NTSER~1\
netlogon.dll   Tue Aug 10 2004  11:00:00a  .....        407,040   397.50 K


C:\WINDOWS\SYSTEM32\
netlogon.dll   Sun Apr 13 2008   8:12:02p  .....        407,040   397.50 K


C:\WINDOWS\SERVIC~1\I386\
netlogon.dll   Sun Apr 13 2008   8:12:02p  .....        407,040   397.50 K


C:\WINDOWS\SYSTEM32\DLLCACHE\CACHE\
netlogon.dll   Sun Apr 13 2008   8:12:02p  A....        407,040   397.50 K


D:\MININT\SYSTEM32\
netlogon.dll   Fri Mar 25 2005   9:00:00p  .....        419,328   409.50 K


6 items found:  6 files, 0 directories.
Total of file sizes:  2,228,907 bytes      2.13 M



Looking for scecli.dll


C:\I386\scecli.dl_     Tue Aug 10 2004   3:00:00a  A....         71,807    70.12 K


C:\WINDOWS\$NTSER~1\
scecli.dll     Tue Aug 10 2004  11:00:00a  .....        180,224   176.00 K


C:\WINDOWS\SYSTEM32\
scecli.dll     Sun Apr 13 2008   8:12:06p  .....        181,248   177.00 K


C:\WINDOWS\SERVIC~1\I386\
scecli.dll     Sun Apr 13 2008   8:12:06p  .....        181,248   177.00 K


C:\WINDOWS\SYSTEM32\DLLCACHE\CACHE\
scecli.dll     Sun Apr 13 2008   8:12:06p  A....        181,248   177.00 K


D:\MININT\SYSTEM32\
scecli.dll     Fri Mar 25 2005   9:00:00p  .....        190,976   186.50 K


6 items found:  6 files, 0 directories.
Total of file sizes:  986,751 bytes    963.62 K

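Reading a ComboFix log like the one above by hand is slow and easy to get wrong. What follows is an added example (my own code, not part of this thread and not from ComboFix or its author) that pulls out the parts a helper checks first: the AV/FW status lines, every Run-key autostart, the XP firewall AuthorizedApplications list and the catchme hidden-file count, and flags the ones worth a look. SAMPLE_LOG is a constructed excerpt in the shape of the posted log; the "updater" entry pointing at a Temp-folder 10188284.exe is invented to exercise the untrusted-path rule, and TRUSTED_PREFIXES and P2P_MARKERS are my own assumptions rather than anything ComboFix defines.

```python
"""Triage a ComboFix log: protection status, Run-key autostarts, firewall allow-list, catchme result.
Added example, not part of the thread or of ComboFix. SAMPLE_LOG is a constructed excerpt modelled on
the posted log; the "updater" entry pointing at 10188284.exe is made up to exercise the path rule."""
import re

SAMPLE_LOG = r"""ComboFix 09-09-02.02 - Mo Problems 09/02/2009 21:07.2.1 - NTFSx86
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"updater"="c:\documents and settings\Mo Problems\Local Settings\Temp\10188284.exe" [2009-08-30 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Limewire\\LimeWire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
scan completed successfully
hidden files: 0
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[(\d{4}-\d{2}-\d{2}) (\d+)\])?$')
ALLOWED_RE = re.compile(r'^"(.+)"=$')
HIDDEN_RE = re.compile(r"^hidden files: (\d+)", re.M)
# Where an autostart is expected to live; anything else (user profile, Temp, C:\ root) gets flagged.
# This list is an assumption for the example, not a ComboFix rule: tune it to the machine.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")
P2P_MARKERS = ("limewire", "frostwire", "bearshare", "kazaa", "utorrent", "bittorrent", "emule")


def parse_registry_blocks(text):
    """Group the REGEDIT4-style lines of the log under their [key] header."""
    blocks, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            blocks.setdefault(current, [])
        elif current is not None and line.startswith('"'):
            blocks[current].append(line)
    return blocks


def run_entries(text):
    """Values under every ...\CurrentVersion\Run key: name, path, file date and size."""
    entries = []
    for key, lines in parse_registry_blocks(text).items():
        if key.lower().endswith("\\currentversion\\run"):
            for m in filter(None, map(VALUE_RE.match, lines)):
                entries.append({"key": key, "name": m.group(1), "path": m.group(2),
                                "date": m.group(3), "size": m.group(4)})
    return entries


def firewall_allowed(text):
    """Programs on the XP firewall AuthorizedApplications list, with the doubled backslashes undone."""
    return [m.group(1).replace("\\\\", "\\")
            for key, lines in parse_registry_blocks(text).items()
            if "authorizedapplications\\list" in key.lower()
            for m in filter(None, map(ALLOWED_RE.match, lines))]


def untrusted_path(path):
    p = path.lower()
    return not p.startswith(TRUSTED_PREFIXES) or "\\temp\\" in p


def triage(text):
    """Return (severity, message) findings in the order a helper would read them."""
    findings = []
    for line in text.splitlines():
        # ComboFix marks the AV/FW status line with *disabled* when real-time protection is off.
        if line.startswith(("AV:", "FW:")) and "disabled" in line.lower():
            findings.append(("high", "protection off: " + line.strip()))
    for key, lines in parse_registry_blocks(text).items():
        # Third-party suites often set this themselves, so it is informational, not proof of tampering.
        if "security center\\monitoring" in key.lower() and '"DisableMonitoring"=dword:00000001' in lines:
            findings.append(("info", "Security Center monitoring disabled: " + key))
    for e in run_entries(text):
        if untrusted_path(e["path"]):
            findings.append(("high", f'autostart from untrusted location: {e["name"]} -> {e["path"]}'))
    for p in firewall_allowed(text):
        if any(marker in p.lower() for marker in P2P_MARKERS):
            findings.append(("medium", "P2P client allowed through the firewall: " + p))
    m = HIDDEN_RE.search(text)
    if m and int(m.group(1)) > 0:
        findings.append(("high", f"catchme reported {m.group(1)} hidden files"))
    return findings
```

Run `triage(open("ComboFix.txt").read())` against a real log and print the findings. On the posted log this flags SEP's on-access scanning and Norton's worm protection as off; turning real-time protection off before running ComboFix is the normal procedure, so that finding is a reminder to turn it back on, not evidence of tampering. The Security Center DisableMonitoring entries are likewise commonly set by third-party suites, which is why they are reported at "info". The LimeWire firewall exception is the one item in the posted log the helpers actually commented on, and the rule catches it.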

0

Those logs look ok to me - I think you are good to go.

Let's remove Combofix and the files/folders it created:

• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

Be careful with the P2P/Torrent stuff - lots of nasties to be found.

Cheers :)
PP

0

OK, so why is it bad to have Combofix on there?
Also, is my registry all fixed now? Will I have to do anything else, or just remove Combofix?

And lastly, my hard drive has a 20 GB partition allocated to recovery. What is the difference between this and System Restore? I'm assuming I should also copy this onto the hard drive I just bought...?

What about that one trojan my AV found was that completely cleaned, I thought it just said it was quarantined.

What programs should I schedule to run to keep this from happening again in the future? I usually run my AV 1 to 2 times per week, and every time I download something, which isn't very often.

I stopped using LimeWire over a year ago after a run-in with a much weaker virus... haha. I kept it just in case....

Thanks soooooo much for all the help

0

OK, so why is it bad to have Combofix on there? Also, is my registry all fixed now? Will I have to do anything else, or just remove Combofix?

Just remove combofix - You really don't want to run that version, say, a few weeks down the road. In the past, when run on systems with certain baddies, it has totally borked machines. When that happens, the author (sUBs) pulls it down so nobody can access it and addresses the issue. It is constantly being updated. So, if somebody tells you to run it, you always want the latest version, even if only a few days have passed....

Your Registry should be fine.

And lastly, my hard drive has a 20 GB partition allocated to recovery. What is the difference between this and System Restore? I'm assuming I should also copy this onto the hard drive I just bought...?

Do you have a copy of your windows disc? (I can't remember if I already asked...)
When used, the Recovery Partition will restore your compy to the way it was when you pulled it out of the box (or however you first received it, LOL!) - EVERYTHING you added to the machine since that time will be gone.
Essentially, it is an easy way to re-format... I believe it offers a few other, less destructive, options as well...

Often, newer computers do not come with Windows CD / DVD and the first thing you want to do is to use the backup utility to burn recovery discs. Instructions should be buried somewhere in user's manual, LOL! (they should be front and center IMO)

What about that one trojan my AV found was that completely cleaned, I thought it just said it was quarantined.

That is in System Restore - a protected volume.
When you uninstall combofix and it resets System Restore, that will be gone.

What programs should I schedule to run to keep this from happening again in the future? I usually run my AV 1 to 2 times per week, and every time I download something, which isn't very often.

That is something Judy can advise you on in a much more thorough manner than I can - If she is not too mad at me for giving her a hard time.......

I stopped using LimeWire . . . I kept it just in case....

Just in case what? You wanted to get infected with something really nasty??! ;)

Thanks soooooo much for all the help

You are very welcome!

Cheers :)
PP

0

How exactly does system restore work/what does it do? I think I understand what the recovery drive does.. but what is system restore? and what does it mean when you restore to a previous state? What exactly is happening then?

My computer never came with any discs and it used to ask me if I wanted to create some... I will certainly do that once I get this all sorted out.

Right now everything is copying to the new hard drive, so I suppose I will maybe run another AV scan just to make myself feel better and uninstall Combofix.

I should be able to connect to the internet safely now..correct?

Thanks!

0

That is something Judy can advise you on in a much more thorough manner than I can - If she is not too mad at me for giving her a hard time......
Just in case what? You wanted to get infected with something really nasty??! ;)
You are very welcome!
Cheers :)
PP

:D I am furious! All kidding aside...
First of all... as PP says, you kept LimeWire just in case....? How about uninstalling it as a starter.

Your AV program is the key one to schedule. I run mine weekly, but if you want to do it more than that, of course that is fine.

Keep the MBA-M program. This you will have to update and scan manually unless you purchase it, but the FREE version works superbly, so unless you feel you want to purchase it, it isn't really necessary. Of course the scheduled scans and updates are not available in Free. So the choice is yours.

Key is: Update BEFORE each scan, ALWAYS. Even if you run one in the morning and another in the afternoon. MBA-M definitely has daily updates, and very often more than once a day; this is why we always preach update, update, update with this program. It IS the top of the line right now and has been for quite a while. Working in conjunction with your AV program it should definitely clean out the "bad guys" without difficulty.

I would recommend at least weekly Quick Scans with MBA-M, and of course have it remove anything found. IF something is found with the Quick Scan, then of course remove it, and then immediately Update and do a Full Scan with it just to be safe. It also has the capability of scanning single files, so if you do download something it can be scanned before you install.

I would also recommend that you ADD SpywareBlaster to your "arsenal". It is truly a MUST HAVE program. I wouldn't run my own computer without it. It is PROTECTION only. No scanning or removal involved. Just download, install, Update, Enable All protection, including the Restricted Sites portion, and then close the program. That is it. It doesn't run in the background. It doesn't interfere with any other program because it doesn't run. But the protection is excellent. It absolutely BLOCKS:

ActiveX-based spyware, adware, dialers, browser hijackers, and other potentially unwanted programs. It can also block spyware/tracking cookies in IE, Mozilla Firefox, Netscape, and many other browsers, and restrict the actions of spyware/ad/tracking sites

And it works!
Be sure your browser is set to accept Only 1st Party Cookies, Block 3rd party cookies.
Unless you have other questions or concerns you can mark this thread solved. Be sure to remove Combofix as instructed.
Judy

0

How exactly does system restore work/what does it do? I think I understand what the recovery drive does.. but what is system restore? and what does it mean when you restore to a previous state? What exactly is happening then?
I should be able to connect to the internet safely now..correct?

Thanks!

System Restore actually operates only on a very few system files and settings. System Restore backs up your registry. System Restore does not backup your data. If you delete or damage a file, System Restore will not recover it.

System Restore will NOT uninstall a program. In fact, if you have installed a program and find you don't want it, using System Restore may leave you with much of the program, but it just won't be listed in Add/Remove, making it much harder to uninstall.

System Restore does not keep old copies of your files or settings. If you're looking for an "old version" of a file or program that you used to have on your machine, System Restore isn't going to have it. System Restore does not fix your system. So if your computer crashes and needs to be repaired System Restore will not repair it.

System Restore is meant to restore from very RECENT changes, like just a day or two, not weeks. If you install a new driver, for instance, and that driver doesn't work correctly, then System Restore may be able to restore the computer back to just before the time that driver was installed and revert back to older settings... not weeks back, just a short time back.

System Restore only keeps the points for a short time, depending on how much disk space you have allotted for it. Once that space is filled up then old points are deleted. I keep my System Restore very small, gives me more disk space and also that way I don't have weeks and weeks of old restore points. I wouldn't want them anyway.

0

OK... so explain to me why I shouldn't be worried about rootkits? Do we know there aren't any... or am I taking a chance here?

I'd like to finish copying my files, and then uninstall Combofix, and then test everything, run a scan etc... before marking as solved. Is that OK? I should be able to get all that done by tomorrow hopefully :)

Thank you guys so much!!
A college student without a pc is as good as a hamburger without cheese...which i just ate two of... no time for groceries at times like these i suppose...

Thank you thank you thank you!

0

I shouldn't be worried about rootkits?

If you mean right now on your machine? Combofix scans for Rootkits and none were found.
No problem with doing more scans before you mark it solved. That's perfectly fine.

0

OK... so explain to me why I shouldn't be worried about rootkits? Do we know there aren't any... or am I taking a chance here?

You should be worried and no we do not know for certain there aren't any.
All we can say with any certainty is that your scans are now clean.

There are people who will tell you that, once a rootkit has been on your machine, you can never trust it again - that is probably a decent assessment.
The only 100% solution to rootkits (and malware in general) is to wipe your hard disc and re-install Windows.

If you really want to dig further, you could try Root Repeal or F-secure's Blacklight. Those are good tools and I'm sure Judy has recommendations as well.
I would try Blacklight and/or Root Repeal....

PP :)

0

If you really want to dig further, you could try Root Repeal or F-secure's Blacklight. Those are good tools and I'm sure Judy has recommendations as well.
I would try Blacklight and/or Root Repeal....

Choice is yours and I agree with PP's recommendations, excellent programs. If you wish to go ahead and do those then of course do that.

0

OK... so do Root Repeal and Blacklight just run in a similar format? Are there any special procedures I should know about? I believe you had mentioned Root Repeal earlier... Are these not always 100% effective at finding things? I'm assuming that's why we recommend a reformat...

I will give one or both of those a shot. I would like to be as thorough as possible. When I finally feel comfortable that all my important stuff is backed up I'll probably reformat anyway...stuff seems to accumulate after so many years...

Oh, and now every time I turn the computer on I get a message that says "Application failed to initialize: 0x800106ba. A problem caused this program's service to stop. To start the service, restart your computer or search help and support for how to start a service manually." It is for Windows Defender.

And also, on my "System Configuration Utility" I had disabled fifiyigi.dll, 10188284.exe, and kimokiba.dll as well as ctfmon.exe from startup. I see now that ctfmon is OK, and it re-enabled itself. The others are still disabled and I assume wiped from the system; however, the option to enable them is still displayed.... Not that it's a huge deal.... but is this something I will just have to deal with until a reformat, or is there a way to get rid of that?

I just uninstalled Combofix. The AV is running now, then I suppose I'll cross my fingers tomorrow and try connecting to the internet again.

Thanks again

0

I don't know how PP will address this but I will give my feeling here, if you feel you need to reformat because of this infection there really is no point in running these extra programs. I would just go ahead and reformat but if you want to wait awhile then here are the various things you can do.

The listings showing in the msconfig startup list have been removed; just those listings remain, not the files. Those files were removed by MBA-M and Combofix.
To remove the invalid entries in the System Configuration utility, you need to edit the registry or use a third-party utility. CodeStuff Starter is a very good program to use for this; it is free.

As for ctfmon.exe, it is OK. Yes, there are some infections which can use this NAME for some of their files, but this IS a legitimate Windows file. It is involved with the language/alternative input services in Office XP. CTFMON.exe will continue to put itself back into MSConfig when you run the Office XP apps as long as the Text Services and Speech applets in the Control Panel are enabled. It is not required if you don't need these features. The normal location for this file is C:\WINDOWS\system32\ctfmon.exe

Here is the link for F-Secure Blacklight

I know PP mentioned Root Repeal also, not sure if that was the one he actually meant, which is a beta (in testing) program or Rootkit Reveal which is a fully released program. So try the Blacklight program only until we get word from him on the other one.

As for the Windows Defender message, this simply means its service has been turned off, and it is a VERY common problem with Windows Defender, generally having nothing to do with an infection. Do a Google search on it and you will literally find pages of links showing a multitude of others who have the same problem.
You can also check this out using the CodeStuff Starter program. Click the Services Tab and look through the list for Windows Defender. Double Click and set the Start up type to Automatic. Then reboot and see if you still get the message. If so the program itself may be damaged. Let us know on that one.
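The stale listings Judy describes can also be cleaned up without a third-party tool, once you know where msconfig keeps them. On XP, msconfig records each disabled startup item as a subkey of HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg (values `item`, `command`, `hkey`, `key`); the listing survives after the file is gone because nothing ties the two together. The following is an added example (my own code, not from this thread and not from CodeStuff Starter) that reads a regedit export of that key, checks whether each command's target file still exists, and emits a .reg file whose `[-key]` lines delete only the records whose target is missing, so the ctfmon entry is kept. SAMPLE_EXPORT is constructed: the entry names follow the ones the poster disabled, but their command lines and paths are my assumptions.

```python
"""Clean up the stale 'disabled startup item' records msconfig keeps after the files are gone.
Added example (not from the thread or from CodeStuff Starter). msconfig on XP stores a disabled
entry under HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\<name>. SAMPLE_EXPORT is a
constructed regedit export; the 10188284 and fifiyigi command lines are assumptions."""
import re

SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\10188284]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="10188284"
"hkey"="HKCU"
"command"="C:\\Documents and Settings\\Mo Problems\\Local Settings\\Temp\\10188284.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\fifiyigi]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fifiyigi"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\system32\\fifiyigi.dll\",a"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

STARTUPREG = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
KEY_RE = re.compile(r"^\[(" + re.escape(STARTUPREG) + r"\\[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
EXE_RE = re.compile(r"^.+?\.(?:exe|dll|com|scr|bat)(?=\s|$)", re.I)


def unescape(value):
    """Undo regedit escaping (doubled backslashes and backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_export(text):
    """Map each startupreg subkey path to its values. A real Version 5.00 export is UTF-16:
    open it with encoding='utf-16' before passing the text in."""
    records, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1) if m else None   # ignore keys outside startupreg
            if current:
                records[current] = {}
            continue
        m = VALUE_RE.match(line) if current else None
        if m:
            records[current][m.group(1)] = unescape(m.group(2))
    return records


def target_path(command):
    """The file a command line launches: the quoted program, the DLL for rundll32 entries,
    or the leading token up to its extension when nothing is quoted."""
    cmd = command.strip()
    if cmd.lower().startswith("rundll32") and " " in cmd:
        cmd = cmd.split(None, 1)[1].strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = EXE_RE.match(cmd)
    return m.group(0) if m else cmd


def stale_entries(export_text, exists):
    """Records whose target file is gone. `exists` is a callable so it can be os.path.exists on
    the live machine or a stub when checking offline."""
    stale = []
    for key_path, values in parse_export(export_text).items():
        target = target_path(values.get("command", ""))
        if not target or not exists(target):
            stale.append({"key_path": key_path, "item": values.get("item", ""), "target": target})
    return stale


def deletion_reg(entries):
    """REGEDIT4-format text; a leading '-' inside the brackets tells regedit to delete that key."""
    lines = ["REGEDIT4", ""]
    for e in entries:
        lines += [f"[-{e['key_path']}]", ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    import os
    print(deletion_reg(stale_entries(SAMPLE_EXPORT, os.path.exists)))
```

On the affected machine: export the key (regedit, File > Export, or `reg export "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" startupreg.reg`), pass the file's text to `stale_entries(text, os.path.exists)`, write the result of `deletion_reg` to a .reg file and import it with regedit; the entries disappear from msconfig's Startup tab on the next launch. Back the key up first (the export itself serves), and read the list before importing: a target on a drive that is not mounted at the time would be reported as stale too. For the Windows Defender message, the service's name in the posted ComboFix log is WinDefend, so `sc config WinDefend start= auto` followed by `sc start WinDefend` does from the command line what Judy describes doing in CodeStuff Starter's Services tab.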

0

Here is the link for F-Secure Blacklight
I know PP mentioned Root Repeal also; not sure if that was the one he actually meant, which is a beta (in testing) program, or Rootkit Reveal, which is a fully released program. So try the Blacklight program only until we get word from him on the other one.

No - I meant Root Repeal.
But, let's do Blacklight - It is a bit easier to run.

Download it here:
ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe

Follow the instructions here:
http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/blacklight/help.html

DO NOT FIX anything - Just post the log for me.

BTW - Here is what F-Secure has to say regarding Rootkits (rather, hidden items):

F-Secure BlackLight found hidden items! What should I do?

If your computer has actually been hacked, removing the hidden items might not be sufficient. Even after a careful clean up the hacker might still be able to access your computer after it has been compromised once. The removed malware may have changed the system in a way that is impossible to detect or restore. An added or changed user right is a typical example of such changes. Formatting all hard disks and re-installing the computer is the only foolproof way to eliminate this risk.

First make sure the hidden items are not a part of some harmless application you have installed on your machine. There are some benign applications that use hiding for various reasons. If after this you are convinced you have a rootkit on your system, you can disable it by using BlackLight's renaming functionality and then proceed with the cleanup. The first thing you should do in these cases is to make a copy of BlackLight's log file in order to make sure you have a list of hidden items at your disposal during cleanup.

If a full re-installation is not an option, removing the necessary hidden items can help in some situations.

You should always remember that not all hidden items BlackLight finds are necessarily malicious. In some cases, removing or renaming an important file could render the computer unusable.

Let us know what you want to do. Honestly, I would say that, given all the tools that have been run, there is a 99% chance your compy is clean - I just can't say 100%.

PP :)

0

I agree, PP. Frankly, there is NO tool that can really give a 100% clean assurance. It is sort of like having treatment for an illness. Yes, there are certain treatments that can give you a 99% cure rate, but nothing really can say, "take this pill and you will be 100% cured"; you just aren't going to get this assurance.
I agree with PP; I personally think your computer is clean. I cannot guarantee it, but I do think it is.

0

Haha, OK, well, that sounds great. I will try to knock out as much of that tonight as I can... However...

I ran my AV this morning... nothing... I haven't updated it since Monday though...

As far as MBA-M goes... well, I had been running it off of my flash drive, but as of last night it stopped working... something like "file 404 not found", I believe. I am going to try to re-download that, update and run it again. Then I will get to work on "fixing" Windows Defender, downloading those other programs you posted earlier, and trying to run Blacklight.

Thanks a lot!

0

I ran my AV last night and... nothing... However, I haven't updated it since Monday, since I haven't connected to the internet.

Last night MBA-M wasn't working... something like "file 404 not found"; I don't remember exactly what the message was...

I'm going to try to re-download it and then see if it works.

Then I'll fix Windows Defender, hopefully... and I was going to try to download Blacklight. None of the links are working though.

First things first, I'm going to try to get MBA-M to work again.

Thanks so much for the help

0

Sorry for posting that twice; it didn't show up for some reason? Whoops.

0

Sorry for posting that twice; it didn't show up for some reason? Whoops.

:D Hey, it happens to the best of us.

Here's the link again for MBA-M in case you need it.

As far as Windows Defender goes, well, that is your choice, but if it were me, and I know it isn't, I wouldn't break my back trying to get it back on there. But it's up to you.

0

Even after re-downloading and re-installing MBA-M, it won't run.

It says "Run-time error '0'"
then I click OK

and it then says "Run-time error '440': Automation error"

So now what is wrong?

And Windows Defender is already set to Startup type: Automatic

Service status Stopped

What should I try for these now and what should I do about blacklight?

Thanks

0

When I clicked Start, it said "access denied".

I'm not so worried about making it work... I mostly just don't want to have to click that message every time I start the computer..

Thanks again

0

Download the attached FixMBAM.zip to desktop - extract the folder and DoubleClick on FixMBAM.bat and see if that works.

PP :)

0

It didn't work. I tried restarting my computer, but it still didn't work.

Any suggestions?

0

Did you run BlackLight?

At this point, I'd rather wait and deal with the other problems first.

-- Uninstall BOTH MBA-M and Windows Defender.

-- If you want Windows Defender, Download a fresh copy and reinstall it. Let us know how that shakes out.

-- Download Bill James’ RegSrch

Extract it to your Desktop and DoubleClick regsrch.vbs
-- if your AV has script blocking, you’ll need to allow this to run
When the dialog box opens, type Malwarebytes and Click OK.

-- You’ll need to save the log that pops up in Wordpad and then submit it for me.

Not sure when I'll have a chance to look at it - busy weekend ahead.

PP:)

0

OK, I can try that. Blacklight won't download. It says "The connection to the server was reset while the page was loading."
It says that when I click on any of the links you gave me.

Is there any chance that MBA-M won't run because my AV was on?

0

Is there any chance that MBA-M won't run because my AV was on?

Wow - bad time for Daniweb to take a "maintenance day," huh?

At this point, I have kind of lost track as to what has been done since you uninstalled Combofix.

Maybe we ought to use System Restore to go back to the point set when combofix was removed and go from there...?

I imagine Judy will have some suggestions, too.

I probably won't be back here until Monday night - Hectic weekend!

PP :)

0

Wow - bad time for Daniweb to take a "maintenance day," huh?

At this point, I have kind of lost track as to what has been done since you uninstalled Combofix.

Maybe we ought to use System Restore to go back to the point set when combofix was removed and go from there...?

I imagine Judy will have some suggestions, too.

I probably won't be back here until Monday night - Hectic weekend!

PP :)

I agree with PP; I have no idea where we are here. Follow his request for System Restore usage. But just go back to that specific time right after ComboFix was removed.
