Hi, can someone please look at these logs?
OLD PC ~
Open notepad and copy/paste the text in RED below
File::
c:\windows\hpqins13.dat
c:\windows\hpoins29.dat
c:\users\Ian\AppData\Local\prvlcl.dat
c:\windows\System32\drivers\fssfltr.sys
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\keyManager.dll
Save this as "CFScript" (FULL file will be 'CFScript.txt' EXACTLY as shown)
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
ComboFix should never take more than 30 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
Old PC after scanning.
ComboFix 10-02-05.04 - Ian 06/02/2010 18:22:18.3.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.895.302 [GMT 0:00]
Running from: c:\users\Ian\Desktop\qwerty.exe
Command switches used :: c:\users\Ian\Documents\CFScript.txt
.
((((((((((((((((((((((((( Files Created from 2010-01-06 to 2010-02-06 )))))))))))))))))))))))))))))))
.
2010-02-06 18:35 . 2010-02-06 18:35 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-02-06 18:35 . 2010-02-06 18:35 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-02-06 18:35 . 2010-02-06 18:35 -------- d-----w- c:\users\LogMeInRemoteUser\AppData\Local\temp
2010-02-06 18:35 . 2010-02-06 18:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-04 23:16 . 2009-11-25 11:19 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-04 23:16 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-02-04 23:16 . 2010-02-04 23:16 -------- d-----w- c:\programdata\Avira
2010-02-04 23:16 . 2010-02-04 23:16 -------- d-----w- c:\program files\Avira
2010-02-03 19:22 . 2010-02-03 19:22 388096 ----a-r- c:\users\Ian\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-03 19:22 . 2010-02-03 19:22 -------- d-----w- c:\program files\TrendMicro
2010-02-01 11:53 . 2010-02-01 12:14 19518 ----a-w- c:\windows\hpqins13.dat
2010-01-19 15:27 . 2010-01-19 15:27 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-01-14 16:22 . 2010-01-20 20:50 -------- d-----w- c:\programdata\McAfee Security Scan
2010-01-14 16:22 . 2010-01-14 16:22 -------- d-----w- c:\program files\McAfee Security Scan
2010-01-14 14:53 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-14 14:53 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-06 08:27 . 2009-02-15 21:07 720 ----a-w- c:\programdata\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-02-05 21:09 . 2009-03-30 14:15 -------- d-----w- c:\programdata\Google Updater
2010-02-05 21:04 . 2008-04-06 18:50 -------- d-----w- c:\program files\Yahoo!
2010-02-04 23:28 . 2008-05-23 22:31 -------- d-----w- c:\programdata\Skype
2010-02-04 23:06 . 2008-08-02 23:15 -------- d-----w- c:\programdata\avg8
2010-02-04 22:58 . 2009-02-19 00:16 -------- d-----w- c:\users\Ian\AppData\Roaming\DNA
2010-02-03 20:44 . 2009-11-25 00:14 157453 ----a-w- c:\windows\hpoins29.dat
2010-02-03 20:39 . 2008-04-06 19:47 2260 ----a-w- c:\users\Ian\AppData\Roaming\wklnhst.dat
2010-02-03 20:37 . 2009-09-24 20:47 -------- d-----w- c:\programdata\HP
2010-02-01 20:17 . 2008-05-31 00:39 5216 ----a-w- c:\users\Ian\AppData\Local\d3d9caps.dat
2010-02-01 20:11 . 2009-02-26 11:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-01 12:47 . 2008-04-09 01:14 -------- d-----w- c:\program files\YahELite
2010-02-01 11:53 . 2010-02-01 11:53 262144 ----a-w- c:\programdata\ntuser.dat
2010-01-29 13:58 . 2009-03-06 18:57 -------- d-----w- c:\program files\Google
2010-01-21 10:26 . 2008-12-02 00:53 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-20 20:50 . 2009-11-25 00:32 -------- d-----w- c:\programdata\HP Product Assistant
2010-01-16 16:22 . 2008-08-06 00:09 -------- d-----w- c:\programdata\McAfee
2010-01-16 08:41 . 2008-08-08 20:16 0 ----a-w- c:\users\Ian\AppData\Local\prvlcl.dat
2010-01-16 00:01 . 2008-05-23 22:35 -------- d-----w- c:\users\Ian\AppData\Roaming\skypePM
2010-01-15 09:14 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-14 17:51 . 2008-08-24 20:06 -------- d-----w- c:\programdata\NOS
2010-01-14 11:12 . 2009-11-05 12:29 181120 ----a-w- c:\windows\system32\MpSigStub.exe
2010-01-07 16:07 . 2009-02-26 11:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2009-02-26 11:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-02 06:38 . 2010-01-21 22:30 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-21 22:30 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-21 22:30 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-21 22:30 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2007-10-23 18:22 . 2007-10-23 18:22 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-06 39408]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-26 4351216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"filehippo.com"="c:\program files\filehippo.com\UpdateChecker.exe" [2008-10-02 147456]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Acer Tour Reminder"="" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-06-20 4493312]
"Acer Empowering Technology Monitor"="c:\acer\Empowering Technology\SysMonitor.exe" [2007-05-31 326440]
"PCMMediaSharing"="c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe" [2007-06-22 204908]
"SiSTray"="c:\program files\SiS VGA Utilities\SiSTray.exe" [2007-06-05 548864]
"Skytel"="Skytel.exe" [2007-06-15 1826816]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 385024]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-07-03 122368]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-05 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-06 185896]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-06 57344]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2007-1-31 245760]
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-9-14 535336]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-28 199184]
TL-WN321G Wireless Utility.lnk - c:\program files\TP-LINK\TL-WN321G Wireless Utility\Installer\Win2k\TWCU.exe [2008-4-7 622592]
Wireless Configuration Utility.lnk - c:\program files\TRENDnet\TEW-424UB\WlanCU.exe [2007-4-29 434176]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoFileAssociate"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):41,75,95,63,e7,3d,ca,01
R2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [14/09/2007 03:58 269448]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [04/02/2010 23:16 108289]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 18:46 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\System32\drivers\LMIRfsDriver.sys [21/02/2009 16:30 47640]
R3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\System32\drivers\RTL8187B.sys [19/07/2007 00:40 281088]
R3 SiS6350;SiS6350;c:\windows\System32\drivers\SISGRKMD.sys [14/09/2007 02:53 454520]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\System32\drivers\SiSGB6.sys [14/09/2007 02:53 46592]
S2 gupdate1c9b142ce89b221;Google Update Service (gupdate1c9b142ce89b221);c:\program files\Google\Update\GoogleUpdate.exe [30/03/2009 14:21 133104]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [28/05/2008 14:38 21504]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [11/11/2009 00:49 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 22:48 704864]
S3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\System32\drivers\netr73.sys [26/02/2008 09:17 493568]
S3 WSVD;WSVD;c:\windows\System32\drivers\WSVD.sys [26/05/2008 07:53 80744]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2010-02-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-06 14:15]
2010-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-30 14:21]
2010-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-30 14:21]
2010-02-06 c:\windows\Tasks\User_Feed_Synchronization-{0A025761-1C77-4FBE-9169-6C96DF54EBD5}.job
- c:\windows\system32\msfeedssync.exe [2010-01-21 04:56]
.
.
Supplementary Scan
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {72376E32-8AF2-473F-BE32-E5D0F39C865D} - hxxp://docs.cyberlink.com/acer/arcade/prog/UpdateAdvisorV2.cab
FF - ProfilePath - c:\users\Ian\AppData\Roaming\Mozilla\Firefox\Profiles\reu28967.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-06 18:36
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'Explorer.exe'(3752)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
.
Completion time: 2010-02-06 18:42:30
ComboFix-quarantined-files.txt 2010-02-06 18:42
ComboFix2.txt 2010-02-06 11:04
ComboFix3.txt 2010-02-03 01:59
Pre-Run: 20,995,923,968 bytes free
Post-Run: 20,960,989,184 bytes free
- - End Of File - - 8AB66967E984674AC397D9F57A4179510 -
Removal tools
Norton Removal Tool 2010.0.5.18: Softpedia Secure Download (US) [EXE]
McAfee Consumer Product Removal Tool 3.0.128.8: Softpedia Mirror (US) [EXE]
AVG Remover (32bit): avgremover.exe
Thanks for that Brownlea, will attempt that now. Thanks again Rik for all the time and effort that you have invested.
For some reason those files weren't deleted.
I'm wondering if ComboFix's commands have changed.
I noticed that the time it DID work you called the file
Command switches used :: c:\users\Dorothy\Documents\cfscript.txt
(small letters)
The 2nd time, when it didn't work ~
Command switches used :: c:\users\Ian\Documents\CFScript.txt
(as I asked you to)
Unless you know of a reason why it didn't work (didn't copy and paste it exactly?), then try the lower-case txt log instead.
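The check the helper is doing by hand in the two posts above (did the File:: entries in the CFScript disappear from the post-run log, and which script path did ComboFix record?) can be automated. The script below is an added example, not code from this thread, from ComboFix or from its author: it parses the File:: block of a CFScript, splits a ComboFix log into its sections, and reports every listed file that still appears in the log and the section it appears in. The sample CFScript and the log excerpt are constructed here in the shape of the ones posted above; the section titles are the ones ComboFix prints in the log earlier in the thread.

```python
import re
from collections import defaultdict

# Constructed CFScript in the format used in the thread: a File:: directive
# followed by one full path per line.
SAMPLE_CFSCRIPT = """File::
c:\\windows\\hpqins13.dat
c:\\users\\Ian\\AppData\\Local\\prvlcl.dat
c:\\windows\\system32\\sysenv.dll
c:\\windows\\system32\\keyManager.dll
"""

# Constructed excerpt shaped like a ComboFix log: the command-switch line and two
# sections. It is modelled on the log above but is not that log.
SAMPLE_LOG = """ComboFix 10-02-05.04 - Ian 06/02/2010 18:22:18.3.1 - x86
Command switches used :: c:\\users\\Ian\\Documents\\CFScript.txt
.
((((((((((((((((((((((((( Files Created from 2010-01-06 to 2010-02-06 )))))))))))))))))))))))))))))))
.
2010-02-01 11:53 . 2010-02-01 12:14 19518 ----a-w- c:\\windows\\hpqins13.dat
2010-01-14 14:53 . 2009-10-19 13:38 156672 ----a-w- c:\\windows\\system32\\t2embed.dll
.
DLLs Loaded Under Running Processes
- - - - - - - > 'Explorer.exe'(3752)
c:\\windows\\system32\\sysenv.dll
c:\\windows\\system32\\keyManager.dll
.
Completion time: 2010-02-06 18:42:30
"""

# ComboFix marks most section titles with runs of parentheses; a few are plain text.
HEADER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
PLAIN_HEADERS = {
    "DLLs Loaded Under Running Processes",
    "Supplementary Scan",
    "Contents of the 'Scheduled Tasks' folder",
}


def parse_cfscript(text):
    """Return {directive: [entries]}; a directive is a line ending in '::'."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def log_sections(log_text):
    """Map each log section title to its non-empty lines ('.' separators dropped)."""
    sections = defaultdict(list)
    current = "header"
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line in PLAIN_HEADERS:
            current = line
            continue
        if line and line != ".":
            sections[current].append(line)
    return sections


def script_path_used(log_text):
    """The script path ComboFix recorded on its 'Command switches used ::' line."""
    m = re.search(r"^Command switches used :: (.+)$", log_text, re.M)
    return m.group(1).strip() if m else None


def files_still_listed(cfscript_text, log_text):
    """For each File:: entry, the log sections in which that path still appears.

    An empty list means the path is no longer mentioned anywhere in the post-run log.
    Matching is case-insensitive because NTFS paths are."""
    wanted = parse_cfscript(cfscript_text).get("File", [])
    sections = log_sections(log_text)
    report = {}
    for path in wanted:
        needle = path.lower()
        report[path] = [title for title, lines in sections.items()
                        if any(needle in line.lower() for line in lines)]
    return report


if __name__ == "__main__":
    print("script fed to ComboFix:", script_path_used(SAMPLE_LOG))
    for path, hits in files_still_listed(SAMPLE_CFSCRIPT, SAMPLE_LOG).items():
        status = "still listed in " + ", ".join(hits) if hits else "not listed (gone)"
        print(f"{path}: {status}")
```

To use it on the real files, replace the two constructed strings with the contents of CFScript.txt and Combofix.txt. A File:: entry that still shows up under "DLLs Loaded Under Running Processes" is one the log itself reports as loaded in a running process at scan time, which is worth noting separately from entries that merely remain on disk.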