Solved backdoor win32 cycbot.b

Hello!

The only thing I can think of is it wiped your settings. Do you actually have a router? Do you normally set up your internet by typing numbers into your computer rather than a router or similar?

Forget about it for the very moment. Delete your version of ComboFix. Download a new one, and transfer it to your Computer. Run ComboFix, and transfer the log back to the other computer and post please. The log is also stored at C:\ComboFix.txt

Thanks!

Richard

Good morning, Richard -

I have not downloaded ComboFix yet as I lost the internet connection after the reboot from running flush.bat.

I am now hardwired with internet. I think the question that has held us up from downloading ComboFix and running it is 'Should I run the flush.bat file again before downloading and running ComboFix?' The computer has been rebooted a couple times now since that file was run and did not know how critical it was (is) to have these steps in sequence. I just don't want to screw it up.

Thanks!
 

My Computer

System One

  • Manufacturer/Model
    Dell Studio XPS 1640
    CPU
    Intel Core 2 Duo P8600 (2.4GHz/1066Mhz FSB/3M L2 Cache)
    Memory
    4GB
Hi Sally,

Sorry I misunderstood and glad that's cleared up for good.

As far as the "lost IP" for your wireless, don't bother with ATT yet (besides, in a normal situation you probably get a dynamic IP address rather than a static one, so it would change from time-to-time). For one, until you enable Network Discovery I'm not sure it will work or that they can help (or will help if you won't turn it on). Also, I suspect it is settings in the wireless configuration and we may be able to fix those knowing the ones that work from the cabled connection.

Please follow Richard's instructions before mine as fixing that issue is a higher priority (and either that problem or the process may be causing the network troubles and we can deal with that later).

Here's what I normally give people who have lost data. Some will apply and some won't, but Richard's suggestions should again take priority and we can deal with this BEFORE you clean install.

***************************************************************

First check the Recycle Bin to see if they are there. If so, just restore them and you’re good to go.

If you have Vista Basic or Vista Premium, Shadow Copies is not available; however, there's an alternative that's free and mirrors the functionality of Shadow Copies called Shadow Explorer. http://www.howtogeek.com/howto/windows-vista/recover-files-with-shadow-copies-on-any-version-of-windows-vista/. Though it won't help you this time, it could very well save you in case this happens again.

In case this doesn't work, here are some additional free recovery programs which might help. Files aren't actually deleted until they are overwritten (though they're no longer available through conventional methods). If you decide to try these recovery programs, you should stop using your hard drive immediately so you don't overwrite the data you are trying to recover. Slave it to another PC and run the recovery from that PC. Even now you may have permanently lost some of them if you're using that same PC. If you can't do that (slave to another PC), you run the risk of overwriting the data with every action you do on the PC (but you still may be able to recover some or most or even all of the files - it's a matter of luck). Your situation is, however, different and you should follow Richard's advice in spite of this. Furthermore, since BCM was on the computer itself, I don't know if it can be trusted even if you do recover it and back it up elsewhere to be restored later (that's a question for Richard or Jacee).

http://www.snapfiles.com/Freeware/system/fwdatarecovery.html (try Recuva ONLY - do not purchase any products that aren’t free – here or in any of the other links – I’m just suggesting the FREE options and have had problems with some of the commercial ones)

http://www.snapfiles.com/get/diskdigger.html (try this second - if it doesn’t work either chances of recovery are very slim but you can try the other options if you wish)

http://www.snapfiles.com/get/easusdfr.html

http://www.snapfiles.com/get/restoration.html

http://www.snapfiles.com/downloads/recuva/dlrecuva.html

http://www.softperfect.com/products/filerecovery/

http://techpaul.wordpress.com/2008/06/23/how-to-recover-your-lost-files/

Only you can decide if the data is important enough to take the PC to a data recovery expert to recover the files (they will have better programs and equipment to do so than any of us do and than I provided above). Do NOT go to Geek Squad or any of those big store centers - they mostly don't know what they're doing - take it to a data recovery expert. It will cost quite a bit (I mean, a LOT) and they usually offer no guarantees – you typically pay the same price if they recover everything or if they recover nothing.

The decision is yours.

I hope this helps.

Good luck!
 

My Computer

System One

  • Manufacturer/Model
    Dell Inc. MP061 Inspiron E1705
    CPU
    2.00 gigahertz Intel Core 2 Duo 64 kilobyte primary memory
    Motherboard
    Board: Dell Inc. 0YD479 Bus Clock: 166 megahertz
    Memory
    2046 Megabytes Usable Installed Memory
    Graphics card(s)
    ATI Mobility Radeon X1400 (Microsoft Corporation - WDDM) [Di
    Sound Card
    SigmaTel High Definition Audio CODEC
    Monitor(s) Displays
    Generic PnP Monitor (17.2"vis)
    Screen Resolution
    1920 x 1200 pixels
    Hard Drives
    Hitachi HTS541616J9SA00 [Hard drive] (160.04 GB) -- drive 0, s/n SB2411SJGLLRMB, rev SB4OC74P, SMART Status: Healthy
    Case
    Chassis Serial Number: 5YK95C1
    Mouse
    Logitech HID-compliant Cordless Mouse
    Keyboard
    Standard PS/2 Keyboard
    Internet Speed
    1958 Kbps download ; 754.8 Kbps upload
    Other Info
    Optiarc DVD+-RW AD-5540A ATA Device [CD-ROM drive] Dell AIO Printer A940 Conexant HDA D110 MDC V.92 Modem 6TO4 Adapter Broadcom 440x 10/100 Integrated Controller Broadcom 802.11n Network Adapter Microsoft ISATAP Adapter Teredo Tunneling Pseudo-Interface Router Linksys / WRT54G -01
Hello -

I have run into another problem.

  • I ran the flush.bat file
  • I downloaded the ComboFix file saved to desktop (had trouble with the first link in Jacee's post, but 2nd link worked well); however the icon did not look the same as the one in the Tutorial
  • I disconnected from the internet
  • I disabled all the firewalls, McAfee, and background scanners
  • Went to run the program and it said Windows could not locate the file (don't ask for a screen shot because we already enabled the security and rebooted)
To disable McAfee I actually had to log in as the administrator, it would not allow me to just run as administrator from the start menu.

Was I supposed to do all this work as the administrator?

I was in the infected user (I remember a previous post saying it was best to run from there). When I went to save ComboFix to desktop, I actually saw two desktops and was confused - I think the tree was Desktop, Users, FCUSA, Desktop (hope that was explained properly)

Help, help and help!
 

Hi FCUSA,

I wish I could, but you're now deep into malware-removal territory where I do not have the expertise with these programs to know how to fix problems when they don't run (or even how to properly run them). I think it all needed to be done as an Administrator - but I'm far from certain. At this stage, I do not know the proper course of action (I'm tempted to guess, but that could make things worse). You need a reply from Richard or Jacee.

Sorry and good luck!
 

Hello!

Does the internet work on the infected computer? Download ComboFix from the third link, to the Desktop of a non-infected computer, even if the internet now works on the infected one. Check the icon. On the non infected computer, rename Combofix.exe to niemiro.exe. Copy it to the infected computer. Check the icon again. If it is good, run it.

Above this is above my pay-grade :)

Good luck!

Richard
 

My Computer

System One

  • Manufacturer/Model
    Dell XPS 420
    CPU
    Intel Core 2 Quad Q9300 2.50GHz
    Motherboard
    Stock Dell 0TP406
    Memory
    4 gb (DDR2 800) 400MHz
    Graphics card(s)
    ATI Radeon HD 3870 (512 MBytes)
    Sound Card
    Onboard
    Monitor(s) Displays
    1 x Dell 2007FP and 1 x (old) Sonic flat screen
    Screen Resolution
    1600 x 1200 and 1280 x 1204
    Hard Drives
    1 x 640Gb (SATA 300) Western Digital: WDC WD6400AAKS-75A7B0 1 x 1Tb (SATA 600) Western Digital: Caviar Black, SATA 6GB/S, 64Mb cache, 8ms Western Digital: WDC WD1002FAEX-00Z3A0 ATA Device
    PSU
    Stock PSU - 375W
    Case
    Dell XPS 420
    Cooling
    Stock Fan
    Mouse
    Advent Optical ADE-WG01 (colour change light up)
    Keyboard
    Dell Bluetooth
    Internet Speed
    120 kb/s
    Other Info
    ASUS USB 3.0 5Gbps/SATA 6Gbps - PCI-Express Combo Controller Card (U3S6)
Hello!

Does the internet work on the infected computer? Download ComboFix from the third link, to the Desktop of a non-infected computer, even if the internet now works on the infected one. Check the icon. On the non infected computer, rename Combofix.exe to niemiro.exe. Copy it to the infected computer. Check the icon again. If it is good, run it.

Above this is above my pay-grade :)

Good luck!

Richard

Thank you for responding, Richard

It is now running.
 

Hello Richard -

ComboFix finished the scan, but not necessarily exactly as the tutorial stated.

It completed 50 stages, then deleted a file (which I believe was an Assistant Remote Access file?)

It has rebooted but unsure if all is done - do I just go into the Administrator where I ran it?

EDIT POST AT 4:30pm est

I opened the administrator user and indeed it apparently was not done.

There is a pop up window that says:

PEV.cfxxe has stopped working


Choose options
  • search online for solutions
  • close program

The ComboFix window in the background says:
Preparing Log Report
Do not run any programs

Internet, of course, is still (intentionally) disconnected.

Thank you,
Sally
 
It sounds as though there has been some success this time. Once it has finished, please copy and paste inline your combofix report, which can be found at C:\ComboFix.txt.

Thanks!

Richard
 

Good morning, Richard -

You must really think I am an idiot. Please refer to my previous post. I actually left the computer up all night - I didn't know how to respond to the 'PEV' box that came up - did not want to make the wrong choice if, indeed, we did make progress.

But, your comment makes me feel (a little) better! Please note the choices. I was looking around Bleeping Computer and some other sites last night, but could not find anything. I notice on similar situations, the instructions were different - i.e. 'closing it at the RED X'; 'close the program' - so I didn't know which was the way to go.

Sorry I'm late this morning.
Sally
 

Good morning, Richard -

You must really think I am an idiot. Please refer to my previous post. I actually left the computer up all night - I didn't know how to respond to the 'PEV' box that came up - did not want to make the wrong choice if, indeed, we did make progress.

But, your comment makes me feel (a little) better! Please note the choices. I was looking around Bleeping Computer and some other sites last night, but could not find anything. I notice on similar situations, the instructions were different - i.e. 'closing it at the RED X'; 'close the program' - so I didn't know which was the way to go.

Sorry I'm late this morning.
Sally

Hello Sally!

It doesn't matter! Just click Close Program. All should be well. ComboFix is pretty resilient :)

Good luck!

Richard
 

Oh, thank you!

Will get everything posted when done. (barring any other surprises!)

Sally
 

Oh, thank you!

Will get everything posted when done. (barring any other surprises!)

Sally

You are more than welcome! Hopefully it will all go well now! Believe me when I say that you are in excellent hands with both ComboFix and Jacee!
 

ComboFix.txt

I bet you all never thought this day would happen! (I don't really want to say I feel foolish, but the warnings - everywhere - had me concerned and for whatever reason, I thought this program would take hours to run).

Thank you Richard & Lorien so much for the support - in every way! Now, I keep my fingers crossed and hope for the best.
 

Remember, Jacee is the one to analyze this data and she is still on holiday and may not be back until next year (she told me about taking a holiday but didn't specify how long). So you may now need to be patient and play with your new toy instead while waiting for her to return and give you the news (and/or more procedures).
 

Good morning, Lorien -

I realize, but somehow just getting that done feels good. The entire experience has forced me to interact in areas of the computer that I would not ever have considered before. Gaining some knowledge, but mostly making me realize how much about the system I do not know. Somehow I was under the false impression that if I just played it safe, I would actually be safe.

Apparently I have much exploring to do (with your assistance, I hope) and work at chiseling away at each issue. I am guessing, it is best if those issues, i.e. Network Discovery, AntiVirus, etc (hell, the list is too long!), get moved to other forums?

Again, I cannot thank you enough for all that you have done (and hope, continue to do - as trying as I can be at times).

Sally
 

Hello!

I am posting your ComboFix log as well. It might well help Jacee. Some of our malware researching tools are browser extensions. I don't know whether Jacee uses offline fix generators, or a notepad process and online tools, but posted anyway.

I am a trainee. I cannot help you with your log, now that it has run. Whether I have looked at it to compare what I do, to what Jacee does, as part of my training, is by the by :)

Anyway, while we wait, can you please tell me what problems remain, and we can start work on those. :)

Thanks!

Richard

P.S. Really, really well done!

ComboFix 10-12-25.01 - Sally 12/25/2010 14:32:45.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4090.2799 [GMT -5:00]
Running from: c:\users\Sally\Desktop\niemiro.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Sally\GoToAssistDownloadHelper.exe

.
((((((((((((((((((((((((( Files Created from 2010-11-25 to 2010-12-25 )))))))))))))))))))))))))))))))
.

2010-12-25 19:53 . 2010-12-25 21:20 -------- d-----w- c:\users\Sally\AppData\Local\temp
2010-12-25 19:53 . 2010-12-25 19:53 -------- d-----w- c:\users\Four Corners\AppData\Local\temp
2010-12-25 19:53 . 2010-12-25 19:53 -------- d-----w- c:\users\FCUSA\AppData\Local\temp
2010-12-25 19:53 . 2010-12-25 19:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-25 19:53 . 2010-12-25 19:53 -------- d-----w- c:\users\David\AppData\Local\temp
2010-12-24 14:27 . 2010-11-10 05:35 8199504 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8107107D-A024-4734-A8E5-D09966E3C5FC}\mpengine.dll
2010-12-19 21:38 . 2010-12-20 00:14 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-12-19 21:38 . 2010-12-19 21:38 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2010-12-19 17:49 . 2010-12-19 17:49 -------- d-----w- c:\users\David\AppData\Roaming\Malwarebytes
2010-12-19 02:56 . 2010-12-19 02:56 -------- d-----w- c:\users\Four Corners\AppData\Roaming\Malwarebytes
2010-12-19 01:59 . 2010-12-19 01:59 -------- d-----w- c:\users\FCUSA\AppData\Roaming\Malwarebytes
2010-12-19 01:23 . 2010-12-19 01:23 -------- d-----w- c:\users\Sally\AppData\Roaming\Malwarebytes
2010-12-19 01:23 . 2010-12-19 01:23 -------- d-----w- c:\programdata\Malwarebytes
2010-12-19 01:23 . 2010-11-29 22:42 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2010-12-19 01:23 . 2010-12-19 01:23 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2010-12-18 19:37 . 2010-12-18 20:51 -------- d-----w- c:\users\FCUSA\DoctorWeb
2010-12-18 00:56 . 2010-12-18 00:56 -------- d-----w- c:\users\Sally\AppData\Local\Mozilla
2010-12-15 11:47 . 2010-10-28 13:20 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2010-12-15 11:47 . 2010-11-04 18:55 352768 ----a-w- c:\windows\SysWow64\taskschd.dll
2010-12-15 11:47 . 2010-11-04 18:55 270336 ----a-w- c:\windows\SysWow64\taskcomp.dll
2010-12-15 11:47 . 2010-11-04 16:34 171520 ----a-w- c:\windows\SysWow64\taskeng.exe
2010-12-02 01:10 . 2010-12-02 01:10 -------- d-----w- c:\users\FCUSA\AppData\Local\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"FATrayAlert"="c:\program files (x86)\Sensible Vision\Fast Access\FATrayMon.exe" [2008-09-05 95488]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-07-29 128296]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-06-03 446635]
"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2009-07-07 1779952]
"SunJavaUpdateSched"="c:\program files (x86)\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1484856]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-6 1312096]

c:\users\FCUSA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-6 1312096]

c:\users\Four Corners\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-6 1312096]

c:\users\Sally\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-6 1312096]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-5-3 1200144]

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-6 1312096]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\FastAccess]
2008-09-05 22:16 140544 ----a-w- c:\program files (x86)\Sensible Vision\Fast Access\FALogNot.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R2 dldtCATSCustConnectService;dldtCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\dldtserv.exe [2008-02-25 34032]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-05 135664]
R3 FACAP;facap, FastAccess Video Capture;c:\windows\system32\DRIVERS\facap.sys [2008-08-02 243840]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-14 94864]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2007-11-14 53488]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-10-14 75032]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-10-14 283360]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_70d6d963\AESTSr64.exe [2009-01-19 88576]
S2 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe [2008-02-25 1045232]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
S2 FAService;FAService;c:\program files (x86)\Sensible Vision\Fast Access\FAService.exe [2008-09-05 2340096]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 355440]
S2 McciCMService64;McciCMService64;c:\program files\Common Files\Motive\McciCMService.exe [2009-10-22 517632]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 355440]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 355440]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-10-14 245352]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-10-14 149032]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-14 62800]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2008-08-25 59392]
S3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2008-07-29 239104]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-14 441328]
S3 NETw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\NETw5v64.sys [2008-12-22 4735488]
S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\DRIVERS\OA001Ufd.sys [2009-01-13 158592]
S3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\DRIVERS\OA001Vid.sys [2009-01-13 318656]


--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-12-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-05 21:40]

2010-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-05 21:40]

2010-12-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1473747353-500149236-633155806-1004Core.job
- c:\users\FCUSA\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-12 21:50]

2010-12-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1473747353-500149236-633155806-1004UA.job
- c:\users\FCUSA\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-12 21:50]

2010-12-26 c:\windows\Tasks\User_Feed_Synchronization-{E37D9671-3C14-4FC1-B796-6146BC85E3AF}.job
- c:\windows\system32\msfeedssync.exe [2010-12-15 04:25]
.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="%ProgramFiles%\Windows Defender\MSASCui.exe -hide" [X]
"combofix"="c:\niemiro\CF21723.cfxxe" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-11-21 1657128]
"QuickSet"="c:\program files\Dell\QuickSet\QuickSet.exe" [2008-09-26 2041112]
"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2009-07-07 1779952]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-12-19 243216]
"dldtmon.exe"="c:\program files (x86)\Dell V305\dldtmon.exe" [2008-03-20 668912]
"dldtamon"="c:\program files (x86)\Dell V305\dldtamon.exe" [2008-03-20 16624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
TCP: {0AE99E16-F329-4CB2-824A-211CEDAEF381} = 192.168.1.254
DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
DPF: {F73BE1F4-82AA-4405-AB81-FAFB5A122359} - hxxp://stores.homestead.com/storeadmin/utilities/pssbedit.cab
FF - ProfilePath - c:\users\Sally\AppData\Roaming\Mozilla\Firefox\Profiles\e5jzuja7.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files (x86)\McAfee\SiteAdvisor
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -

Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
Wow6432Node-HKLM-Run-FAStartup - (no file)
HKLM-Run-(Default) - (no file)
HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray64.exe
AddRemove-YInstHelper - c:\windows\system32\regsvr32


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"

[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files (x86)\Common Files\Motive\McciCMService.exe
c:\windows\SysWOW64\rundll32.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files (x86)\Dell V305\dldtMsdMon.exe
c:\program files (x86)\Sensible Vision\Fast Access\FATrayAlert.exe
c:\program files\Logitech\SetPoint\x86\SetPoint32.exe
.
**************************************************************************
.
Completion time: 2010-12-26 06:58:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-26 11:58

Pre-Run: 364,691,103,744 bytes free
Post-Run: 364,643,565,568 bytes free

- - End Of File - - A5E06C8B755D28DE6543A8DE7DB0B12A
 

My Computer

System One

  • Manufacturer/Model
    Dell XPS 420
    CPU
    Intel Core 2 Quad Q9300 2.50GHz
    Motherboard
    Stock Dell 0TP406
    Memory
    4 gb (DDR2 800) 400MHz
    Graphics card(s)
    ATI Radeon HD 3870 (512 MBytes)
    Sound Card
    Onboard
    Monitor(s) Displays
    1 x Dell 2007FP and 1 x (old) Sonic flat screen
    Screen Resolution
    1600 x 1200 and 1280 x 1204
    Hard Drives
    1 x 640Gb (SATA 300) Western Digital: WDC WD6400AAKS-75A7B0 1 x 1Tb (SATA 600) Western Digital: Caviar Black, SATA 6GB/S, 64Mb cache, 8ms Western Digital: WDC WD1002FAEX-00Z3A0 ATA Device
    PSU
    Stock PSU - 375W
    Case
    Dell XPS 420
    Cooling
    Stock Fan
    Mouse
    Advent Optical ADE-WG01 (colour change light up)
    Keyboard
    Dell Bluetooth
    Internet Speed
    120 kb/s
    Other Info
    ASUS USB 3.0 5Gbps/SATA 6Gbps - PCI-Express Combo Controller Card (U3S6)
WOW, that's like being stripped naked in public!

Richard -

I realize you cannot proceed and thank you for getting me to this point. I am pleased to hear a 'thumbs up' on the report. I was concerned about one thing I may have not done properly and that is 'Spybot'. Thank goodness for having the new computer (side by side so I wouldn't miss a beat), but when I reviewed the instructions for disabling Spybot (and saw they referred to 'TeaTimer'), the instructions did not match my version; and I could not verify 'TeaTimer' in anything about the program, so I concluded it was a different version. When I saw the report, I saw it listed - hope I did it right.

My brain right now feels like a file cabinet drawer with a thousand little handwritten notes sticking out!

I guess my first questions simply deal with the use of the infected computer as I am trying not to use it at all except for the processes requested. Did not really mind that I lost the wireless connection as it forced me to stay off line.

I had a backup drive attached when all this started (hard to believe it was only a week ago - I bet hard to believe for everybody else also!)

  1. Lorien had me unplug the drive before it was scheduled to back up the following day after the infection. (hoping that data will prove useful).
  2. I also copied a sensitive file over to a stick drive (I now have that stick drive isolated) and then immediately deleted the file from the hard drive. (I know I confused Jacee on that).
  3. I have downloaded e-mail (just a couple times) and have not sent anything.

Although I have read the info about this virus, I am uncertain how it (or they) really work, spread, infect and considered we were in a 'hold pattern' until this (Jacee's involvement) was resolved. A big question I guess (not sure if it can even be answered at this time) is, 'do you think the Backup Drive was salvaged since it did not yet perform its weekly backup?'

Thank you again for helping me through the process of running ComboFix - everywhere I looked for info had HUGE RED warnings, I simply could not rely on my own (in)abilities to complete!

Sally
 

WOW, that's like being stripped naked in public!

Do you want it taken down, and left as an attachment? That is perfectly fine.
 

No, not at all - I trust your process!
 

Hi all, I'm still on vacation but stopped by for a bit ... :)

FCUSA, please rescan with MBam, update it first.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. Copy and Paste that log into your next reply.

You need to also update "vulnerable to infection programs", using Secunia's PSI
PSI - Consumer - Products

Please tell me how your computer is acting ... normal or confused, and describe anything still unusual.
 

My Computer

System One

  • Manufacturer/Model
    Bruce ... somewhere in his 40's
    CPU
    Intel(R) Core(TM)2 Quad CPU
    Motherboard
    INTEL/D975XBX2
    Memory
    4 GB
    Graphics card(s)
    ATI Radeon HD 2600 Pro
    Monitor(s) Displays
    Samsung SyncMaster 914v
    Screen Resolution
    1280 x 1024
    Hard Drives
    2/500GB each ... ST3500630AS ATA Device. One is not connected
    PSU
    Rocketfish 700 W
    Case
    G.Skill Gigabyte Chassis
    Mouse
    Microsoft PS/2 Mouse
    Keyboard
    Standard PS/2 Keyboard
    Internet Speed
    DSL
    Other Info
    ATI HDMI Audio