Malware/Spyware problem
This is my first time here, and I am not very computer literate. My computer is being attacked by something which appears to be called Win32/Nuqel.E and BankerFoxA. I read your info on updating and downloading Java and various other things. However, I'm unable to download anything due to the attack. I can't run anything! I just get the notice that whatever I try to install or run is infected. The only thing I'm capable of doing is getting online, but even that is intermittent. My computer keeps popping up balloons on false anti-virus programs and randomly opening up browsers with porno sites. I am running on Windows XP. Please advise... I'm at my wits' end!

Re: Malware/Spyware problem
Hi endlessands,

Welcome to GeekPolice.net.

My name is Crush, but you can call me Chris too, and I will do my best to help get your problem resolved today.

I am currently a student in GeekPolice Academy, and will be a little delayed on each reply, as my instructors must review and approve each reply.

http://www.GeekPolice.net/virus-spyware-malware-removal-f11/do-you-want-to-learn-how-to-fight-malware-join-GeekPolice-academy-t17111.htm

If you have any questions, please ask, and I will do my best to get to the question promptly.

Re: Malware/Spyware problem
Thanks! I'll wait to hear from you. ~Erica

Re: Malware/Spyware problem
What Operating System are you using endlessands? XP, Vista or Windows 7?

EDIT: Never mind. I should learn to read.

Re: Malware/Spyware problem
Hi endlessands,

Please download and run the following tools:

RKill by Grinler
Version 1
Version 2

  • Download Version 1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Version 2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
This only kills the active infection; the actual infection will not be gone.
======

Once that is done, please immediately do the following

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

[image: Query_RC]
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[image: RC_successful]

  • Click on Yes to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Re: Malware/Spyware problem
Ok, so every time I double click on the RKill (version 2), a black screen pops up, but so does a separate window that asks me to choose a program to open the file with... not sure what I'm supposed to do.

Re: Malware/Spyware problem
Did you try Version 1? Same result?

Re: Malware/Spyware problem
same result with version 1

Re: Malware/Spyware problem
Hi again,

We need to repair your file associations so programs know what to use to open them.

Please download SREng

  • Extract it to Desktop and double click SREngLdr.EXE to run it.
  • Select System Repair from the left pane.
  • Click on File Association.
  • Select all entries that have an Error status and click [Repair].
  • Refer to this image for an example:
    [image: SystemRepair_FileAssocs]
  • In your case, it would be .EXE.
  • Close SREng now.
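
The SREng step above repairs file associations because the "choose a program to open this file with" prompt on a double-clicked executable means the HKEY_CLASSES_ROOT\.exe entry, or the exefile\shell\open\command it points to, has been changed or removed; rogue anti-virus families produce the "this program is infected" notice the same way, by routing every launch through their own binary first. The Python script below is an added example, not part of the thread or of SREng: it reads the text of a .reg export (for instance one produced on the infected machine with `reg export HKCR\.exe exe.reg`) and reports any .exe, .com or .bat association that no longer points at the stock Windows handler `"%1" %*`. Both embedded exports are constructed for this example; the rogue ProgID `secfile` and the `av.exe` path in the hijacked one are hypothetical.

```python
r"""Check .exe/.com/.bat file associations in a registry export.

Added example, not from the thread or from SREng.  Rogue-AV families that
block every program with an "infected" notice usually do it by rewriting
HKCR\exefile\shell\open\command, or by repointing HKCR\.exe at a new ProgID,
so that every launch goes through the malware first.  Input is the text of a
.reg export; the two samples below are constructed, not from the poster's box.
"""
import re

# Stock Windows XP handlers.  Anything else is worth a closer look.
EXPECTED = {
    ".exe": ("exefile", '"%1" %*'),
    ".com": ("comfile", '"%1" %*'),
    ".bat": ("batfile", '"%1" %*'),
}

KEY_RE = re.compile(r"^\[(.+)\]$")
DEFAULT_RE = re.compile(r'^@="(.*)"$')


def _unescape(value):
    """Undo .reg string escaping: a backslash escapes the next character."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_reg_defaults(reg_text):
    """Map each key path (lower-cased) to its '@' default string value."""
    defaults, key = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = DEFAULT_RE.match(line)
        if m and key:
            defaults[key] = _unescape(m.group(1))
    return defaults


def check_associations(reg_text):
    """Return (extension, problem) pairs; an empty list means all stock."""
    d = parse_reg_defaults(reg_text)
    findings = []
    for ext, (progid, command) in EXPECTED.items():
        actual_progid = d.get("hkey_classes_root\\" + ext)
        if actual_progid is None:
            findings.append((ext, "extension key missing; Windows will ask what to open it with"))
            continue
        if actual_progid.lower() != progid:
            findings.append((ext, "ProgID is %r, expected %r" % (actual_progid, progid)))
        # Follow whatever ProgID is actually in use: that is the command that runs.
        cmd_key = "hkey_classes_root\\%s\\shell\\open\\command" % actual_progid.lower()
        actual_cmd = d.get(cmd_key)
        if actual_cmd is None:
            findings.append((ext, "%s\\shell\\open\\command missing" % actual_progid))
        elif actual_cmd != command:
            findings.append((ext, "open command is %r, expected %r" % (actual_cmd, command)))
    return findings


# Constructed sample: a healthy XP box.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.com]
@="comfile"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.bat]
@="batfile"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed sample: .exe repointed at a hypothetical rogue ProgID whose command
# launches a fake scanner before the real program, and the .bat key deleted.
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="secfile"

[HKEY_CLASSES_ROOT\secfile\shell\open\command]
@="\"C:\\Documents and Settings\\User\\Local Settings\\Application Data\\av.exe\" /START \"%1\" %*"

[HKEY_CLASSES_ROOT\.com]
@="comfile"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for name, export in (("clean", CLEAN_EXPORT), ("hijacked", HIJACKED_EXPORT)):
        print(name, check_associations(export) or "stock associations")
```

The script follows the ProgID that is actually registered rather than assuming exefile, so a hijack that renames the ProgID and a hijack that only edits the command are both caught. A machine that reports "everything normal" in SREng, as Erica's did, should return an empty list here too; a non-empty list is the concrete registry path to repair.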

Re: Malware/Spyware problem
Ok, followed the directions and the system repair window showed that everything is "normal." There were no errors.

Re: Malware/Spyware problem
Hi Erica,

Do you by chance have access to another PC and a USB drive or CDs? Just something to put files on so we can run them on the infected computer?

Before going that route please try this first:

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

[image: Query_RC]
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[image: RC_successful]

  • Click on Yes to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Re: Malware/Spyware problem
ComboFix 10-06-06.01 - Erica 06/06/2010 12:29:39.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.255 [GMT -7:00]
Running from: c:\commy.exe\ComboFix.exe
Command switches used :: ComboFix
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
c:\documents and settings\Erica\Application Data\Dealio
c:\documents and settings\Erica\Application Data\Dealio\res\widgets.xml
c:\documents and settings\Erica\Application Data\Dealio\temp\http___www_dealio_com_rss_coupons-deals_dotd_.xml
c:\documents and settings\Erica\g2mdlhlpx.exe
c:\documents and settings\Tim\Application Data\Dealio
c:\documents and settings\Tim\Application Data\Dealio\res\widgets.xml
c:\documents and settings\Tim\Application Data\Dealio\temp\http___www_dealio_com_rss_coupons-deals_dotd_.xml
c:\program files\Dealio Toolbar
c:\program files\Dealio Toolbar\FF\chrome.manifest
c:\program files\Dealio Toolbar\FF\chrome\content\chevron.js
c:\program files\Dealio Toolbar\FF\chrome\content\chevron.xul
c:\program files\Dealio Toolbar\FF\chrome\content\login.js
c:\program files\Dealio Toolbar\FF\chrome\content\login.xul
c:\program files\Dealio Toolbar\FF\chrome\content\parser.js
c:\program files\Dealio Toolbar\FF\chrome\content\RssTickerWidget.js
c:\program files\Dealio Toolbar\FF\chrome\content\searchbox.js
c:\program files\Dealio Toolbar\FF\chrome\content\searchbox.xul
c:\program files\Dealio Toolbar\FF\chrome\content\widgichevron.js
c:\program files\Dealio Toolbar\FF\chrome\content\widgicomm.js
c:\program files\Dealio Toolbar\FF\chrome\content\widgihandling.js
c:\program files\Dealio Toolbar\FF\chrome\content\widgilisteners.js
c:\program files\Dealio Toolbar\FF\chrome\content\widgitoolbarplugin.js
c:\program files\Dealio Toolbar\FF\chrome\content\widgitoolbarplugin.xul
c:\program files\Dealio Toolbar\FF\chrome\content\widgiui.js
c:\program files\Dealio Toolbar\FF\chrome\locale\EN-US\searchbox.dtd
c:\program files\Dealio Toolbar\FF\chrome\locale\EN-US\widgitoolbarplugin.dtd
c:\program files\Dealio Toolbar\FF\chrome\locale\EN-US\widgitoolbarplugin.properties
c:\program files\Dealio Toolbar\FF\chrome\locale\EN-US\yahoo-search.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\amazon.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\apple.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\barnes.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\bestbuy.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\chevron.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\dealio_logo.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\dealio_logo_hover.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\ebay.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\icon_settings.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\macys.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\newegg.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\overstock.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search-button-hover.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search-button.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search-chevron-hover.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search-chevron.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search_amazon.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search_dealio.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search_ebay.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search_yahoo.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\searchbox.css
c:\program files\Dealio Toolbar\FF\chrome\skin\separator.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\target.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\walmart.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\widgitoolbarplugin.css
c:\program files\Dealio Toolbar\FF\components\config.ini
c:\program files\Dealio Toolbar\FF\components\dealioToolbarFF.dll
c:\program files\Dealio Toolbar\FF\components\IFBHOHelperWidgiToolbar.xpt
c:\program files\Dealio Toolbar\FF\components\IFBHOWidgiToolbar.xpt
c:\program files\Dealio Toolbar\FF\install.rdf
c:\program files\Dealio Toolbar\IE\4.0.2\config.ini
c:\program files\Dealio Toolbar\Res\amazon.gif
c:\program files\Dealio Toolbar\Res\apple.gif
c:\program files\Dealio Toolbar\Res\barnes.gif
c:\program files\Dealio Toolbar\Res\bestbuy.gif
c:\program files\Dealio Toolbar\Res\dealio_logo.gif
c:\program files\Dealio Toolbar\Res\dealio_logo_hover.gif
c:\program files\Dealio Toolbar\Res\ebay.gif
c:\program files\Dealio Toolbar\Res\icon_settings.gif
c:\program files\Dealio Toolbar\Res\macys.gif
c:\program files\Dealio Toolbar\Res\newegg.gif
c:\program files\Dealio Toolbar\Res\overstock.gif
c:\program files\Dealio Toolbar\Res\search-button-hover.gif
c:\program files\Dealio Toolbar\Res\search-button.gif
c:\program files\Dealio Toolbar\Res\search-chevron-hover.gif
c:\program files\Dealio Toolbar\Res\search-chevron.gif
c:\program files\Dealio Toolbar\Res\search_amazon.gif
c:\program files\Dealio Toolbar\Res\search_dealio.gif
c:\program files\Dealio Toolbar\Res\search_ebay.gif
c:\program files\Dealio Toolbar\Res\search_yahoo.gif
c:\program files\Dealio Toolbar\Res\target.gif
c:\program files\Dealio Toolbar\Res\walmart.gif
c:\program files\Dealio Toolbar\Res\widgets.xml
c:\program files\Dealio Toolbar\SearchSettingsRes409.dll
c:\program files\Dealio Toolbar\sscfg.ini
c:\program files\Dealio Toolbar\SSFF\chrome.manifest
c:\program files\Dealio Toolbar\SSFF\chrome\content\plugin.js
c:\program files\Dealio Toolbar\SSFF\chrome\content\plugin.xul
c:\program files\Dealio Toolbar\SSFF\chrome\content\protection.js
c:\program files\Dealio Toolbar\SSFF\chrome\content\utils.js
c:\program files\Dealio Toolbar\SSFF\chrome\locale\en-US\searchsettingsplugin.dtd
c:\program files\Dealio Toolbar\SSFF\chrome\locale\en-US\searchsettingsplugin.properties
c:\program files\Dealio Toolbar\SSFF\chrome\skin\yahoo.xml
c:\program files\Dealio Toolbar\SSFF\components\IFBHOSearch.xpt
c:\program files\Dealio Toolbar\SSFF\components\IFBHOSearchHelperEngine.xpt
c:\program files\Dealio Toolbar\SSFF\components\IFHelperPreferences.xpt
c:\program files\Dealio Toolbar\SSFF\components\SearchSettingsFF.dll
c:\program files\Dealio Toolbar\SSFF\components\sscfg.ini
c:\program files\Dealio Toolbar\SSFF\install.rdf
c:\program files\Dealio Toolbar\WidgiHelper.exe
c:\windows\Cursors\tenofni.bak1
c:\windows\Cursors\tenofni.bak2
c:\windows\Cursors\tenofni.ini
c:\windows\PRAGMAcviqnrdmsh
c:\windows\PRAGMAcviqnrdmsh\pragmabbr.dll
c:\windows\PRAGMAcviqnrdmsh\PRAGMAc.dll
c:\windows\PRAGMAcviqnrdmsh\PRAGMAcfg.ini
c:\windows\PRAGMAcviqnrdmsh\PRAGMAd.sys
c:\windows\PRAGMAcviqnrdmsh\pragmaserf.dll
c:\windows\PRAGMAcviqnrdmsh\PRAGMAsrcr.dat
c:\windows\PRAGMAiymxvsluti
c:\windows\PRAGMAiymxvsluti\pragmabbr.dll
c:\windows\PRAGMAiymxvsluti\PRAGMAc.dll
c:\windows\PRAGMAiymxvsluti\PRAGMAcfg.ini
c:\windows\PRAGMAiymxvsluti\PRAGMAd.sys
c:\windows\PRAGMAiymxvsluti\pragmaserf.dll
c:\windows\PRAGMAiymxvsluti\PRAGMAsrcr.dat
c:\windows\system32\comrepl.exe
c:\windows\system32\drivers\bowyxgk.sys
c:\windows\system32\drivers\iokm.sys
c:\windows\system32\drivers\mnein.sys
c:\windows\system32\drivers\veknjkk.sys
c:\windows\SYSTEM32\rqtss.bak1
c:\windows\SYSTEM32\rqtss.bak2

Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_PRAGMAcviqnrdmsh
-------\Legacy_PRAGMAcviqnrdmsh
-------\Service_PRAGMAiymxvsluti
-------\Legacy_PRAGMAiymxvsluti
-------\Legacy_kowk
-------\Legacy_kucsp
-------\Legacy_upwq
-------\Legacy_ydsbnmqs
-------\Service_kowk
-------\Service_kucsp
-------\Service_upwq
-------\Service_ydsbnmqs


((((((((((((((((((((((((( Files Created from 2010-05-06 to 2010-06-06 )))))))))))))))))))))))))))))))
.

2010-06-06 18:53 . 2010-06-06 18:54 -------- d-----w- C:\commy.exe
2010-06-06 03:34 . 2010-06-06 03:34 -------- d-----w- c:\documents and settings\Erica\Application Data\Malwarebytes
2010-06-06 03:34 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-06 03:34 . 2010-06-06 03:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-06 03:34 . 2010-06-06 03:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-06 03:34 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-05 20:38 . 2010-06-06 01:51 -------- d-----w- c:\documents and settings\Erica\Local Settings\Application Data\wqokhwwmk
2010-06-04 02:32 . 2010-06-04 02:32 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-06-03 03:41 . 2010-06-03 03:49 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-06-03 03:41 . 2010-06-03 03:49 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-06-03 03:41 . 2010-06-03 03:41 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2010-06-03 03:41 . 2010-06-03 03:41 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-06-03 03:04 . 2010-06-03 03:04 -------- d-----w- c:\program files\iLike
2010-06-02 15:36 . 2010-06-02 15:36 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-10 17:21 . 2010-05-10 17:21 -------- d-----w- c:\windows\system32\BWKDLogs
2010-05-10 17:15 . 2010-05-10 17:15 -------- d-----w- c:\documents and settings\Erica\Local Settings\Application Data\KodakGallery
2010-05-10 17:05 . 2010-05-10 17:05 -------- d-----w- c:\program files\Common Files\Kodak
2010-05-10 16:58 . 2010-05-15 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-05-10 16:06 . 2010-05-10 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\FileCure

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-06 19:13 . 2007-03-05 01:07 -------- d-----w- c:\documents and settings\Erica\Application Data\SiteAdvisor
2010-06-06 05:20 . 2007-06-14 18:31 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
2010-06-06 05:20 . 2007-06-14 18:36 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2010-06-06 01:44 . 2007-03-08 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-05 20:52 . 2007-03-08 20:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-05 04:48 . 2007-12-29 18:45 -------- d-----w- c:\documents and settings\Erica\Application Data\Apple Computer
2010-06-03 03:04 . 2009-12-24 16:43 -------- d-----w- c:\program files\iTunes
2010-05-01 04:59 . 2009-05-04 16:33 -------- d-----w- c:\program files\Citrix
2010-04-28 00:16 . 2010-03-15 23:36 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-28 00:16 . 2010-03-15 23:36 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-28 00:16 . 2010-03-15 23:36 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-28 00:16 . 2010-03-15 23:36 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-28 00:16 . 2010-03-15 23:36 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-28 00:16 . 2010-03-15 23:36 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-28 00:16 . 2010-03-15 23:36 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-28 00:16 . 2010-03-15 23:36 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-28 00:16 . 2007-03-05 01:05 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-28 00:16 . 2007-03-05 01:05 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-19 13:11 . 2010-04-19 13:11 -------- d-----w- c:\documents and settings\Tim\Application Data\Apple Computer
2010-04-18 13:50 . 2007-06-02 23:15 -------- d-----w- c:\documents and settings\Erica\Application Data\Yahoo!
2010-04-18 13:50 . 2007-05-04 06:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-04-14 22:59 . 2010-04-14 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-14 22:55 . 2010-04-14 22:55 -------- d-----w- c:\program files\iPod
2010-04-14 22:55 . 2010-02-05 04:59 -------- d-----w- c:\program files\Common Files\Apple
2010-04-14 22:43 . 2004-04-17 18:43 -------- d-----w- c:\program files\QuickTime
2010-04-14 22:32 . 2010-04-14 22:32 -------- d-----w- c:\program files\Bonjour
2010-04-14 22:28 . 2010-04-14 22:28 -------- d-----w- c:\program files\Safari
2010-03-10 06:15 . 2002-08-29 10:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2006-07-21 12:31 . 2006-07-21 12:31 141728 ----a-w- c:\program files\MC
2010-04-28 00:16 . 2010-03-15 23:36 24376 ----a-w- c:\program files\mozilla firefox\components\scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ShutterflyStudio"="c:\program files\Shutterfly\Studio\BIN\SFlyStudio.exe" [2008-05-07 2500096]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-11-03 4800512]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Dell AIO Printer A960"="c:\program files\Dell AIO Printer A960\dlbfbmgr.exe" [2003-09-21 270336]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-07-14 53248]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-07-16 290816]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-18 185896]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2010-02-18 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\Tim\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2004-12-30 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
NkbMonitor.exe.lnk - c:\documents and settings\Erica\My Documents\NkbMonitor.exe [2007-6-16 118784]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\SYSTEM32\\java.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Yahoo!\\UPnP\\yupnpsrv.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [3/15/2010 4:36 PM 82952]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [1/8/2010 1:51 AM 380928]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/15/2010 4:35 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [3/15/2010 4:35 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [3/15/2010 4:36 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [3/15/2010 4:36 PM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [3/15/2010 4:36 PM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [3/15/2010 4:36 PM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [3/15/2010 4:36 PM 88480]
S0 ewkdfyk;ewkdfyk;c:\windows\system32\drivers\ngfmkbx.sys --> c:\windows\system32\drivers\ngfmkbx.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [3/15/2010 4:36 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [3/15/2010 4:36 PM 83496]
S3 NUVision;NUVision II Video Service;c:\windows\SYSTEM32\DRIVERS\nuvvid2.sys [10/10/2004 1:01 PM 153760]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-05-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
FF - ProfilePath - c:\documents and settings\Erica\Application Data\Mozilla\Firefox\Profiles\jv7t3avb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?.home=ytff
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=135963&p=
FF - plugin: c:\documents and settings\Erica\Application Data\Facebook\npfbplugin_1_0_0.dll
FF - plugin: c:\documents and settings\Erica\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Erica\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - (no file)
HKCU-Run-Sonic RecordNow! - (no file)
HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
HKCU-Run-Protection Center - c:\program files\Protection Center\cntprot.exe
HKCU-Run-rrsjeixo - c:\documents and settings\Erica\Local Settings\Application Data\wqokhwwmk\dcbechitssd.exe
HKLM-Run-rrsjeixo - c:\documents and settings\Erica\Local Settings\Application Data\wqokhwwmk\dcbechitssd.exe
Notify-infonet - c:\windows\Cursors\infonet.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-06 12:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ShutterflyStudio = c:\program files\Shutterfly\Studio\BIN\SFlyStudio.exe /trayonly?: /RegServer????????????/keyword????????????MMURIConstraint?!????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????!??

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3404)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\windows\System32\nvsvc32.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\wscntfy.exe
c:\program files\Dell AIO Printer A960\dlbfbmon.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-06-06 13:15:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-06 20:15

Pre-Run: 3,285,716,992 bytes free
Post-Run: 3,746,414,592 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 647910F6E9D3ACA54AD48A67FC4641CB
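
Reading a ComboFix log by hand is what the helpers in this thread do. The Python script below is an added example, not from ComboFix or from the thread, that pulls out the indicators a reviewer would flag in the log above: the user-level proxy on 127.0.0.1:5555 (browser traffic relayed through a local process), EnableFirewall=0, Security Center monitoring disabled (legitimate when a third-party suite such as McAfee registers itself, so it is reported as a note to confirm rather than a verdict), the S0 driver ewkdfyk whose file ngfmkbx.sys is missing, the rrsjeixo Run entries living under Local Settings\Application Data, and the Winlogon Notify DLL in c:\windows\Cursors. The sample lines are copied from the log above; the rule names and what counts as suspicious are my own choices.

```python
r"""Triage a ComboFix log for the indicators that stand out in the log above.

Added example; it is not part of ComboFix or of the thread.  Each rule encodes
a pattern an analyst checks first: a proxy on 127.0.0.1, the Windows Firewall
switched off, Security Center monitoring disabled, a boot-start driver whose
file is gone, autoruns under a user's Local Settings\Application Data, and a
Winlogon Notify DLL outside system32.  SAMPLE_LOG is an excerpt of the log above.
"""
import re

LOCAL_PROXY = re.compile(r"^u?Internet Settings,ProxyServer\s*=\s*(?:\w+=)?(127\.0\.0\.1|localhost):\d+", re.I)
FIREWALL_OFF = re.compile(r'^"EnableFirewall"\s*=\s*0\b')
MONITOR_OFF = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.I)
REG_KEY = re.compile(r"^\[(.+)\]$")
DRIVER_MISSING = re.compile(r"^[RS][0-4]\s+([^;]+);[^;]*;(\S+)\s+-->.*\[\?\]$")
RUN_ENTRY = re.compile(r"^(HKCU|HKLM)-Run-(.+?)\s+-\s+(.+)$", re.I)
NOTIFY_ENTRY = re.compile(r"^Notify-(\S+)\s+-\s+(.+)$")
USER_APPDATA = re.compile(r"\\local settings\\application data\\", re.I)
SYSTEM32 = re.compile(r"^c:\\windows\\system32\\", re.I)


def triage(log_text):
    """Return (category, detail) pairs for every suspicious line, in log order."""
    findings, current_key = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m.group(1)  # remember which registry key the next values belong to
            continue
        if LOCAL_PROXY.match(line):
            findings.append(("local-proxy", line.split("=", 1)[1].strip()))
            continue
        if FIREWALL_OFF.match(line):
            findings.append(("firewall-off", current_key))
            continue
        if MONITOR_OFF.match(line) and "security center" in current_key.lower():
            # Normal when a third-party suite registers with Security Center;
            # only a problem if that suite is not actually running.
            findings.append(("securitycenter-monitoring-off", current_key.rsplit("\\", 1)[-1]))
            continue
        m = DRIVER_MISSING.match(line)
        if m:
            findings.append(("driver-file-missing", "%s -> %s" % (m.group(1), m.group(2))))
            continue
        m = RUN_ENTRY.match(line)
        if m and USER_APPDATA.search(m.group(3)):
            findings.append(("run-from-user-appdata", "%s-Run-%s -> %s" % (m.group(1), m.group(2), m.group(3))))
            continue
        m = NOTIFY_ENTRY.match(line)
        if m and not SYSTEM32.match(m.group(2)):
            findings.append(("winlogon-notify-outside-system32", "%s -> %s" % (m.group(1), m.group(2))))
    return findings


# Excerpt of the log posted above: the lines the rules are aimed at, plus
# neighbours that must not fire (a McAfee driver, ProxyOverride, a Run entry
# under Program Files).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [3/15/2010 4:36 PM 82952]
S0 ewkdfyk;ewkdfyk;c:\windows\system32\drivers\ngfmkbx.sys --> c:\windows\system32\drivers\ngfmkbx.sys [?]

uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555

HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
HKCU-Run-rrsjeixo - c:\documents and settings\Erica\Local Settings\Application Data\wqokhwwmk\dcbechitssd.exe
HKLM-Run-rrsjeixo - c:\documents and settings\Erica\Local Settings\Application Data\wqokhwwmk\dcbechitssd.exe
Notify-infonet - c:\windows\Cursors\infonet.dll
"""

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print("%-34s %s" % (category, detail))
```

The driver rule is the one that matters most for the follow-up in this thread: ComboFix lists ewkdfyk as a boot-start (S0) service whose binary is already gone, which is exactly why the next post's CFScript names it under Driver:: and its path under File::. The proxy finding explains the intermittent browsing: until the ProxyServer value is cleared, every HTTP request goes to port 5555 on the local machine, and nothing answers there once the malware process is killed.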

Re: Malware/Spyware problem
Hi Erica,

First, please copy (ctrl+c) and paste (ctrl+v) combofix.exe from c:\commy.exe\ to the Desktop
========

Next we need to re-run ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Folder::
    c:\documents and settings\Erica\Local Settings\Application Data\wqokhwwmk

    Driver::
    ewkdfyk

    File::
    c:\windows\system32\drivers\ngfmkbx.sys
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    Malware/Spyware problem Cfscriptb4

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

Re: Malware/Spyware problem
Sorry, but I don't understand this 1st instruction:

(First, please copy (ctrl+c) and paste (ctrl+v) combofix.exe from c:\commy.exe\ to the Desktop)

I know how to copy and paste, just a little unclear on exactly what I'm copying and pasting to what.
I went to the C drive from My Computer, and located a file by the name of commy.exe; when I double click on it, there is another file by the name of iexplore... There is also a ComboFix icon on my desktop which I put there previously to do the last scan.
I already disabled my McAfee anti-virus program (and firewall).

I apologize for my lack of computer knowledge...bear with me please! Thanks

Re: Malware/Spyware problem
Hi,

EDIT: ComboFix.exe currently resides on your desktop? Then disregard the below and move on to the next step. I was going off of the information in the log provided, which said ComboFix was running from within a folder.
====

Not a problem at all... The issue is: ComboFix is currently running from within a folder.

When you browse to c:\commy.exe\ the folder, you should see ComboFix.exe within that folder.

It will look like this: [image: Combofix]

You need to copy and paste that from within the folder it is currently and put it on your Desktop (where all your icons and start menu is)

This is purely for ease of use as the instructions I gave you call for creating a text file and dragging it into combofix's icon. This is much easier when on the desktop.

As always, if you have any questions or issues feel free to ask...
