#1
Registered User
Join Date: Apr 2009
Posts: 3
OS: XP
Spyware hijacked my google search
Hi,
I got a jump start on this by reading similarly titled emails. So I ran ComboFix and at least now I am able to browse without any problem, but I am not sure if it got rid of the spyware completely. So here is the log that got saved after a run of ComboFix. Please let me know what I could do to clean my laptop completely of this spyware. Thanks, and I appreciate all the help.

------ C:\Qoobox\ComboFix-quarantined-files ---------------------------------------
2009-05-04 06:41:04 . 2009-05-04 06:41:04 883 ----a-w C:\Qoobox\Quarantine\Registry_backups\BHO-{E7F15AC4-E0A9-43F0-921B-70DFEA621220}.reg.dat
2009-05-04 06:41:04 . 2009-05-04 06:41:04 882 ----a-w C:\Qoobox\Quarantine\Registry_backups\BHO-{B3FA56CF-B3F9-4328-9802-CFAACEA86646}.reg.dat
2009-05-04 06:41:04 . 2009-05-04 06:41:04 394 ----a-w C:\Qoobox\Quarantine\Registry_backups\BHO-{ABD45510-9B22-41cd-9ACD-8182A2DA7C63}.reg.dat
2009-05-04 06:40:33 . 2008-05-02 07:01:36 90 ----a-w C:\Qoobox\Quarantine\D\AUTORUN.INF.vir
2009-05-04 06:39:29 . 2009-05-04 06:39:29 11,983 ----a-w C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-05-04 06:33:14 . 2009-05-04 06:33:14 421,672 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_sdra64_.exe.zip
2009-05-04 06:29:49 . 2009-05-04 06:36:09 400 ----a-w C:\Qoobox\Quarantine\catchme.log
2009-05-04 06:18:21 . 2009-05-04 06:18:20 16,896 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\DL32.exe.vir
2009-05-04 06:18:17 . 2009-05-04 06:18:17 15,360 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\796525\796525.dll.vir
2009-04-24 07:10:27 . 2009-04-24 07:10:27 0 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\nfr.gpref.vir
2009-04-24 07:10:10 . 2009-04-24 07:10:10 0 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\nfr.assembly.vir
2009-04-24 07:10:01 . 2009-04-24 07:09:59 14,848 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\dll32.exe.vir
2009-04-24 07:09:57 . 2009-04-24 07:09:57 15,360 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\179223\179223.dll.vir
2009-04-24 07:07:12 . 2009-04-24 07:07:12 10,752 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\iehelper.dll.vir
2009-04-19 17:42:18 . 2009-04-19 17:41:41 290,832 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\sysguard.exe.vir
2009-04-19 17:41:45 . 2009-04-19 17:41:45 33,792 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rashmi\reader_s.exe.vir
2009-04-19 17:41:45 . 2009-04-19 17:41:45 33,792 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\reader_s.exe.vir
2009-04-19 17:41:45 . 2009-05-04 06:35:02 275 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\lowsec\user.ds.lll.vir
2009-04-19 17:41:45 . 2009-05-04 06:35:13 0 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\lowsec\user.ds.vir
2009-04-19 17:41:45 . 2009-05-04 06:16:12 38,109 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\lowsec\local.ds.vir
2009-04-19 17:41:43 . 2009-04-19 17:41:43 16,384 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\ld08.exe.vir
---------------------------

ComboFix 09-05-03.1 - Rashmi 05/03/2009 23:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1262.783 [GMT -7:00]
Running from: c:\documents and settings\Rashmi\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Rashmi\reader_s.exe
c:\windows\ld08.exe
c:\windows\sysguard.exe
c:\windows\system32\179223
c:\windows\system32\179223\179223.dll
c:\windows\system32\796525
c:\windows\system32\796525\796525.dll
c:\windows\system32\dl32.exe
c:\windows\system32\dll32.exe
c:\windows\system32\iehelper.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\nfr.assembly
c:\windows\system32\nfr.gpref
c:\windows\system32\reader_s.exe
c:\windows\system32\sdra64.exe
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))
.
2009-04-24 07:09 . 2009-04-24 07:09 2 ---h--w c:\windows\t55ft2688f44.dat
2009-04-24 07:09 . 2008-10-16 21:06 208744 ----a-w c:\windows\system32\muweb.dll
2009-04-24 07:09 . 2008-10-16 21:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-04-19 08:48 . 2009-04-19 08:48 -------- d-----w c:\program files\Microsoft Silverlight
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-04 06:36 . 2005-12-05 06:04 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-04-19 17:42 . 2004-08-12 14:01 213376 ----a-w c:\windows\system32\drivers\ndis.sys
2009-03-23 00:32 . 2005-12-17 07:49 32248 ----a-w c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-03-23 00:31 . 2009-03-23 00:31 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0
2009-03-23 00:28 . 2009-03-23 00:26 -------- d-----w c:\program files\Common Files\Intuit
2009-03-23 00:26 . 2009-03-23 00:26 -------- d-----w c:\program files\TurboTax
2009-03-06 14:44 . 2004-08-12 14:03 283648 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:30 . 2004-08-12 14:09 659456 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:30 . 2004-08-12 13:58 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:20 . 2004-08-12 14:04 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2004-08-12 13:59 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2004-08-12 14:02 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2004-08-12 13:55 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2004-08-12 14:09 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:24 . 2004-08-12 14:02 2180480 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2004-08-12 14:05 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2004-08-12 14:04 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 16:49 . 2004-08-03 22:59 2057728 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2004-08-12 14:04 55808 ----a-w c:\windows\system32\secur32.dll
.
------- Sigcheck -------

[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
[-] 2009-04-19 17:42 213376 29CB83D1A129D983B6B5135DA6A72EA5 c:\windows\system32\dllcache\ndis.sys
[-] 2009-04-19 17:42 213376 29CB83D1A129D983B6B5135DA6A72EA5 c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DL32"="DL32" [X]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]
"SifyBB"="c:\program files\Sify Broadband\BBImpSec.exe" [2005-12-05 135243]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-05-11 18577448]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-10-07 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-12-17 155648]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-12 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-06 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-27 180269]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-18 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-05 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
VPN Client.lnk - c:\windows\Installer\{24C67B54-0718-445E-B663-3138D9246BD1}\Icon3E5562ED7.ico [2008-1-23 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Nortel Networks\\Extranet.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2005-04-04 149952]
S1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2004-08-18 58016]
S1 NEOFLTR_600_13073;Juniper Networks TDI Filter Driver (NEOFLTR_600_13073);c:\windows\system32\Drivers\NEOFLTR_600_13073.SYS [2008-04-30 64160]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
S3 Eacfilt;Eacfilt Miniport;c:\windows\system32\DRIVERS\eacfilt.sys [2005-04-04 11113]
.
- - - - ORPHANS REMOVED - - - -

BHO-{ABD45510-9B22-41cd-9ACD-8182A2DA7C63} - c:\windows\system32\iehelper.dll
BHO-{B3FA56CF-B3F9-4328-9802-CFAACEA86646} - c:\windows\system32\179223\179223.dll
BHO-{E7F15AC4-E0A9-43F0-921B-70DFEA621220} - c:\windows\system32\796525\796525.dll
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Rashmi\Application Data\Mozilla\Firefox\Profiles\me93n7rt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppdf32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppl3260.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nprjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSWF32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 23:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(436)
c:\windows\system32\EntApi.dll
.
Completion time: 2009-05-04 23:42
ComboFix-quarantined-files.txt 2009-05-04 06:41

Pre-Run: 4,450,902,016 bytes free
Post-Run: 5,411,987,456 bytes free

167 --- E O F --- 2009-04-18 03:01
----------------------------------------
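The mechanism behind the "hijacked Google search" is visible in the log above: both Internet Explorer (uInternet Settings,ProxyServer = http=localhost:7171) and Firefox (network.proxy.http = localhost, network.proxy.http_port = 7171, network.proxy.type = 1, i.e. manual proxy) were pointed at an HTTP proxy on the local machine, so every search request was routed through a process on the laptop before it reached Google, while the search engine settings themselves stayed untouched. The same log also records Security Center being told to ignore AV status (AntiVirusOverride=1), the Windows Firewall being off (EnableFirewall=0) and a Run entry, DL32, whose file no longer exists (the [X] marker). The script below is an added triage example, not part of the original thread and not ComboFix's own code; it runs the checks an analyst would do by eye over a constructed excerpt of the posted log. All names in it (COMBOFIX_EXCERPT, browser_proxies, hijack_indicators) are the example's own.

```python
"""Triage a ComboFix log for browser-proxy hijack and protection-tampering indicators.

Added example (not from the forum thread or ComboFix). The excerpt below is a
constructed copy of the relevant lines from the posted log so the checks run offline.
"""
import re

# Constructed excerpt: the security-relevant lines from the posted ComboFix log.
COMBOFIX_EXCERPT = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DL32"="DL32" [X]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
uStart Page = https://www.google.com/
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
"""


def is_loopback(host):
    """True for hosts that resolve to the machine itself (localhost / 127.x.x.x)."""
    host = host.lower()
    return host == "localhost" or host.startswith("127.")


def browser_proxies(log):
    """Return {'ie': (host, port), 'firefox': (host, port)} for proxies configured in the log."""
    found = {}
    # IE: "ProxyServer = http=host:port" or "ProxyServer = host:port" (per-user setting, 'u' prefix)
    m = re.search(r"ProxyServer\s*=\s*(?:http=)?([\w.\-]+):(\d+)", log)
    if m:
        found["ie"] = (m.group(1), int(m.group(2)))
    # Firefox: host and port only take effect when network.proxy.type is 1 (manual proxy)
    host = re.search(r"network\.proxy\.http\s*-\s*(\S+)", log)
    port = re.search(r"network\.proxy\.http_port\s*-\s*(\d+)", log)
    ptype = re.search(r"network\.proxy\.type\s*-\s*(\d+)", log)
    if host and port and ptype and ptype.group(1) == "1":
        found["firefox"] = (host.group(1), int(port.group(1)))
    return found


def hijack_indicators(log):
    """Return a list of human-readable findings; an empty list means nothing suspicious matched."""
    findings = []
    for browser, (host, port) in sorted(browser_proxies(log).items()):
        # A proxy on the machine itself means a local process sees (and can rewrite) all web traffic.
        if is_loopback(host):
            findings.append(f"{browser}: HTTP proxy points at local port {port} (traffic interception)")
    # ComboFix marks Run entries whose target file it could not find with [X].
    for m in re.finditer(r'^"([^"]+)"="([^"]*)"\s+\[X\]', log, re.M):
        findings.append(f"run key {m.group(1)!r}: autostart target {m.group(2)!r} not found (leftover entry)")
    # Security Center told not to alert on AV status. Weak on its own: users can set this legitimately.
    if re.search(r'"AntiVirusOverride"=dword:0*1\b', log):
        findings.append("security center: AntiVirusOverride=1 (AV status alerts suppressed)")
    if re.search(r'"EnableFirewall"\s*=\s*0\b', log):
        findings.append("firewall: EnableFirewall=0 (Windows Firewall disabled)")
    return findings


if __name__ == "__main__":
    for line in hijack_indicators(COMBOFIX_EXCERPT):
        print(line)
```

Run against the excerpt it reports the loopback proxy in both browsers, the DL32 leftover, and the two tampered protection settings. A proxy at a non-loopback address is not flagged, because a corporate proxy looks the same in the log; the loopback check is what separates "configured proxy" from "something on this machine is in the path". ComboFix quarantined the files but the proxy settings were still in place when this log was taken, which is why an analyst would still want the full set of logs the moderators ask for before calling the machine clean.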
#2
Registered User
Join Date: Mar 2009
Posts: 95
OS: XP
Re: Spyware hijacked my google search
Quote:
#3
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP
Re: Spyware hijacked my google search
Hello
As Steviee has pointed out, you should never run ComboFix unless you are advised to do so by a trained analyst. Please follow the instructions below and make sure you post the ComboFix log along with the ARK and DDS.txt in your first post. Do not run ComboFix again unless you are advised to do so by one of our analysts. We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a
Quote:
---------------------------------------------------------------------------------------------
Please follow our pre-posting process outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please start a new thread in our Virus/Trojan/Spyware forum along with the required logs.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.

Last edited by TheBruce1; 05-06-2009 at 05:43 AM.