Re: Please Help Remove Google Redirect Malware:Skynet
Hi Catbyte,
Infinite thanks for helping me. I greatly appreciate your time. Below I've cut and pasted the log results, but I think I pretty much botched the run. Sorry. Although the menu descriptions were a little off, I was able to disable TeaTimer. I don't think I did an adequate job with the CA suite, however. I simply exited the running programs, not thinking about the possibility of a reboot (duh!). Combofix was doing its thing just fine when it showed I had rootkit issues, indicated it had to reboot and asked me to write down the following files for reference:
C:\windows\system32\drivers\SKYNETwilannbm.sys
C:\windows\system32\SKYNETnreeicbv.dll
C:\windows\system32\SKYNETdeiufjwc.dat
C:\windows\system32\SKYNETspmevwbw.dll
C:\windows\system32\SKYNETqdhoetb.dat
Upon reboot, things went badly. Received an error that said the contents of folder c:\windows\erdnt\HIV-backup could not be completely deleted.
It continued saying it needed to run a deeper scan. A few seconds later the computer crashed. The blue screen was up for too short a time to read the lengthy message.
Upon reboot there was a Windows "recovered from a critical error" message. Combofix continued, but began having additional errors: "NRCMDC is not recognized as an internal or external command, operable program or batch file". Access was denied to a couple of files and there was a message about 0 files being copied.
Combofix then froze. I rebooted again. It resumed and created the following log file.
I've since figured out how to fully disable CA and assume I'll need to rerun Combofix, perhaps after reboot from the restore point. However, since I obviously don't have a clue as to what I'm doing I will await further instruction. Thanks again and sorry I screwed that one up. I appreciate your help and your patience.
All the best,
Thurston
ComboFix 09-06-24.05 - Eric 06/25/2009 8:34.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.213 [GMT -5:00]
Running from: c:\documents and settings\Eric\Desktop\Combo-Fix.exe
AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: CA Personal Firewall *enabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}
.
/wow section not completed
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\SKYNETwilannbm.sys
c:\windows\system32\icqmlib.exe
c:\windows\system32\iepref32.dll
c:\windows\system32\ierplc.dll
c:\windows\system32\ips.dll
c:\windows\system32\koos.exe
c:\windows\system32\kprof
c:\windows\system32\lanmandrv.sys
c:\windows\system32\lanmanwrk.exe
c:\windows\system32\laprxy.dllexe
c:\windows\system32\ocxapi.dll
c:\windows\system32\ocxloader.exe
c:\windows\system32\poof
c:\windows\system32\qmopt.dll
c:\windows\system32\SKYNETdeiufjwc.dat
c:\windows\system32\SKYNETnreeicbv.dll
c:\windows\system32\SKYNETqdhoextb.dat
c:\windows\system32\SKYNETspmevwbw.dll
.
((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-06-25 )))))))))))))))))))))))))))))))
.
2009-06-24 18:57 . 2009-06-24 18:57 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\WinZip
2009-06-24 18:56 . 2009-06-24 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-06-23 15:12 . 2009-06-23 15:12 -------- d-----w- c:\documents and settings\Eric\Application Data\Malwarebytes
2009-06-23 15:12 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-23 15:12 . 2009-06-23 21:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-23 15:12 . 2009-06-23 15:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-23 15:12 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-23 14:44 . 2009-06-23 14:44 -------- d-----w- c:\program files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-25 03:21 . 2008-10-12 15:22 -------- d-----w- c:\documents and settings\Eric\Application Data\CallingID
2009-06-23 13:21 . 2008-10-12 18:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-23 13:21 . 2008-10-12 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-07 15:32 . 2004-04-22 16:38 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2006-06-23 17:33 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-24 18:56 . 2009-04-24 18:00 880560 ----a-w- c:\windows\system32\drivers\vetefile.sys
2009-04-24 18:56 . 2009-04-24 18:00 108368 ----a-w- c:\windows\system32\drivers\veteboot.sys
2009-04-24 18:56 . 2008-10-12 16:51 1385760 ----a-w- c:\documents and settings\All Users\Application Data\CA\Consumer\AV\tmp\vete_tmp.dll
2009-04-24 17:55 . 2009-04-24 17:28 112716144 ----a-w- c:\documents and settings\All Users\Application Data\CA\Consumer\CCube\tmp\DAE28645C536241BEA137E87E6C9DF86.exe
2009-04-17 12:26 . 2004-04-22 16:38 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-04-23 16:19 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.
c:\windows\system32\svchost.exe ... Infected -- Win32.Qhost !!
"c:\windows\system32\ws2_32.dll" is infected
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"PowerBar"="c:\program files\CyberLink\PowerStarter\PowerBar.exe" [2004-04-08 110592]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-10-29 335872]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-04-24 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-04-24 610304]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"masqform.exe"="c:\program files\PureEdge\Viewer 6.0\masqform.exe" [2003-12-03 1052672]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-10-17 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-11-14 62464]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Config2500.lnk - c:\program files\Config2500\Utility\Config2500.exe [2005-2-24 565248]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-10 525640]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= "c:\program files\CA\CA Internet Security Suite\CA Website Inspector\LinkAdvisor\CIDLinkAdvisor.dll" [2008-12-14 1376256]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"cctray"="c:\program files\CA\CA Internet Security Suite\casc.exe"
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
"CAPPActiveProtection"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe"
"capfupgrade"=c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
"capfasem"=c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
"cafw"=c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
"QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.510\QOELoader.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [1/5/2009 11:36 AM 107512]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [11/18/2008 12:14 PM 72696]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [8/25/2008 2:18 PM 52728]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [12/12/2008 12:37 PM 115704]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [4/24/2009 1:00 PM 128240]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [12/12/2008 12:37 PM 144376]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [7/30/2008 12:38 PM 58872]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [12/12/2008 12:37 PM 1153528]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [12/10/2008 12:58 PM 797176]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [12/19/2008 1:59 PM 297464]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [4/22/2004 12:21 PM 187668]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [12/12/2008 12:37 PM 205304]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [4/22/2004 12:21 PM 5817]
S2 QQORQRTV;QQORQRTV;c:\windows\system32\drivers\QQORQRTV.sys [11/7/2008 10:39 PM 178176]
S3 CB102;D-Link DFE-680TXD DirectPort CardBus Driver;c:\windows\system32\drivers\cb102.sys [4/23/2004 3:01 PM 37916]
S3 fa410;NETGEAR FA410TX Fast Ethernet PC Card Driver;c:\windows\system32\drivers\fa410nd5.sys [5/3/2004 11:25 AM 24618]
S3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [10/12/2008 10:22 AM 222448]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Power2GoExpress - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.google.com/nwshp?hl=en&tab=wn
uInternet Connection Wizard,ShellNext = hxxp://www.averatec.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
TCP: {1841E1FF-BAC0-4999-B722-6BBB27478B84} = 10.10.1.22,10.10.1.19
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {F3D4C08D-3616-43F0-9E29-44C749B0664B} - hxxp://12.107.134.185/JpegInst.cab
.
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
- - - - - - - > 'explorer.exe'(2508)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
c:\program files\CA\CA Internet Security Suite\ccprovsp.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-25 8:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-25 13:40
Pre-Run: 31,416,881,152 bytes free
Post-Run: 31,383,609,344 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
183 --- E O F --- 2009-06-10 16:25