Solved Virus blocking system restore and Redirecting Websites

hmmmmm.. this is odd! i went to uninstall combofix, and its not there anymore! neither is the script that you had me do. I never deleted it, nor anything else on the desktop. I checked the log to make sure i didnt accidently run it from another folder and i didnt, it ran from the desktop. Now what?

 

Do you have a folder on C:\ named qoobox?

 

yes i do

 

Ok. Try downloading combofix again, run it, then post up the log please.

 

Ok, pulling my hair out now! Combofix will not download, gets to 99% and says that the disk is locked. Cancel download Y/N. clicked yes, thats all i can do. I went back and ran rkill and exehelper and still wont work

 

ComboFix 10-01-27.03 - nathaniel 01/27/2010 23:05:48.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.636 [GMT -6:00]
Running from: c:\documents and settings\nathaniel\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-28 )))))))))))))))))))))))))))))))
.

2010-01-28 04:04 . 2010-01-28 04:04 -------- dc----w- C:\util2
2010-01-28 01:57 . 2010-01-28 01:57 -------- d-----w- c:\documents and settings\nathaniel\Local Settings\Application Data\Opera
2010-01-28 01:56 . 2010-01-28 01:56 -------- d-----w- c:\program files\Opera
2010-01-27 23:56 . 2010-01-27 23:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-01-27 01:18 . 2010-01-27 01:18 503808 ----a-w- c:\documents and settings\nathaniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-590bfc1a-n\msvcp71.dll
2010-01-27 01:18 . 2010-01-27 01:18 348160 ----a-w- c:\documents and settings\nathaniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-590bfc1a-n\msvcr71.dll
2010-01-27 01:18 . 2010-01-27 01:18 499712 ----a-w- c:\documents and settings\nathaniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-590bfc1a-n\jmc.dll
2010-01-27 01:18 . 2010-01-27 01:18 61440 ----a-w- c:\documents and settings\nathaniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-19841297-n\decora-sse.dll
2010-01-27 01:18 . 2010-01-27 01:18 12800 ----a-w- c:\documents and settings\nathaniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-19841297-n\decora-d3d.dll
2010-01-26 05:09 . 2010-01-26 05:09 574 -c--a-w- C:\cleanup.bat
2010-01-26 05:09 . 2010-01-26 05:09 135168 -c--a-w- C:\zip.exe
2010-01-26 01:54 . 2010-01-27 00:46 -------- d-----w- c:\program files\Panda Security
2010-01-26 01:08 . 2010-01-26 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-26 01:08 . 2010-01-27 00:47 -------- d-----w- c:\documents and settings\nathaniel\Application Data\SUPERAntiSpyware.com
2010-01-26 01:08 . 2010-01-27 00:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-25 02:57 . 2010-01-25 02:57 388096 ----a-r- c:\documents and settings\nathaniel\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-25 02:57 . 2010-01-25 02:57 -------- d-----w- c:\program files\TrendMicro
2010-01-25 01:26 . 2010-01-25 01:26 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-01-20 05:00 . 2010-01-26 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-20 02:20 . 2010-01-20 02:20 -------- d-----w- c:\documents and settings\nathaniel\Application Data\Malwarebytes
2010-01-20 02:20 . 2010-01-20 02:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-20 01:47 . 2010-01-20 01:47 -------- d-----w- c:\documents and settings\nathaniel\Local Settings\Application Data\Apple
2010-01-13 03:29 . 2009-08-29 01:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-01-13 03:29 . 2009-08-29 01:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-01-13 03:28 . 2010-01-13 03:35 -------- d-----w- c:\program files\Common Files\Apple
2010-01-13 03:27 . 2010-01-13 03:54 -------- d-----w- c:\documents and settings\nathaniel\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-27 01:18 . 2006-04-07 10:45 -------- d-----w- c:\program files\Java
2010-01-20 01:48 . 2010-01-13 03:33 -------- d-----w- c:\program files\Bonjour
2010-01-20 01:47 . 2010-01-20 01:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-20 01:47 . 2010-01-13 03:30 -------- d-----w- c:\program files\Apple Software Update
2010-01-20 01:47 . 2010-01-13 03:31 -------- d-----w- c:\program files\QuickTime
2010-01-20 01:47 . 2010-01-13 03:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-20 01:47 . 2010-01-13 03:35 -------- d-----w- c:\program files\iTunes
2010-01-20 01:46 . 2010-01-13 03:37 -------- d-----w- c:\documents and settings\nathaniel\Application Data\Apple Computer
2010-01-13 03:37 . 2010-01-13 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-13 03:35 . 2010-01-13 03:35 -------- d-----w- c:\program files\iPod
2010-01-05 10:00 . 2005-07-14 15:12 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2005-07-14 15:10 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2005-07-14 15:10 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-22 20:29 . 2009-12-22 20:29 -------- d-----w- c:\documents and settings\nathaniel\Application Data\Unity
2009-12-17 23:14 . 2009-09-20 21:14 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-06 01:30 . 2006-11-11 19:55 -------- d-----w- c:\program files\Yahoo!
2009-12-06 01:28 . 2009-02-05 23:49 -------- d-----w- c:\program files\Yahoo! Games
2009-12-06 01:28 . 2009-11-24 01:26 -------- d-----w- c:\program files\Amazon
2009-11-21 15:51 . 2005-07-14 15:09 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-12 23:07 . 2009-11-12 23:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-05 17:08 . 2009-11-05 17:08 152576 ----a-w- c:\documents and settings\nathaniel\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager "= "c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-10-24 4662776]
"MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray "= "c:\windows\system32\igfxtray.exe" [2005-03-10 155648]
"HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2005-03-10 126976]
"HPlsKey "= "c:\program files\Panasonic\HPLSMAN\hplskey.exe" [2005-06-01 61440]
"PRunOnce "= "c:\util\prunonce\PRunOnce.exe" [2004-08-06 110592]
"PCinfo "= "c:\program files\Panasonic\PCINFO\SetDiag.exe" [2005-06-15 45056]
"Panasonic HotKey Manager "= "c:\program files\Panasonic\HotKey Appendix\HKEYAPP.EXE" [2005-06-14 974848]
"AGRSMMSG "= "AGRSMMSG.exe" [2004-12-20 88358]
"IntelWireless "= "c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 385024]
"Motive SmartBridge "= "c:\progra~1\Verizon\SMARTB~1\MotiveSB.exe" [2006-06-23 438359]
"Itiva Media Accelerator "= "c:\program files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe" [2008-06-04 4994288]
"mcagent_exe "= "c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI "= "c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"scroller "= "fpapli.exe" [2005-04-18 81920]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Display Rotation Tool.lnk - c:\program files\Panasonic\DispRot\IDRot.exe [2005-7-14 86016]
Panasonic Hand Writing.lnk - c:\program files\Panasonic\WRITING\Writing.exe [2005-7-14 278528]
Software Keyboard.lnk - c:\program files\Panasonic\MEISKB\meiskb.exe [2005-7-14 135168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\HPLSNTF]
2005-06-01 20:02 53248 ----a-w- c:\windows\system32\HPLSNTF.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 18:27 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=" "

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=" "

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride "=dword:00000001
"FirewallOverride "=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring "=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring "=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall "= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
"c:\\Program Files\\Itiva\\Itiva Media Accelerator\\ItivaMediaAccelerator.exe "=
"%windir%\\Network Diagnostic\\xpnetdiag.exe "=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe "=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
"c:\\Program Files\\iTunes\\iTunes.exe "=
"c:\\Program Files\\Opera\\opera.exe "=

R2 brecal;Panasonic Battery Recalibration Driver;c:\program files\Panasonic\BRECAL\Brecal.sys [7/14/2005 5:10 PM 7168]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/1/2008 10:09 AM 206096]
R2 pcinfo;Panasonic PC Info. Viewer Driver;c:\program files\Panasonic\PCINFO\PCINFO.sys [7/14/2005 5:20 PM 7168]
R2 SDKEY;Panasonic SD Misc. Function Driver;c:\program files\Panasonic\SDKEY\SDKEY.sys [7/14/2005 5:21 PM 8192]
R3 FIDMOU;Fujitsu touchpad;c:\windows\system32\drivers\Fidmou.sys [4/18/2005 12:14 PM 23463]
R3 HTKPLUS;Panasonic Hotkey PLUS Driver;c:\windows\system32\drivers\HTKPLUS.SYS [7/14/2005 9:18 AM 8448]
S3 MOSUMAC;USB-Ethernet Driver;c:\windows\system32\drivers\MOSUMAC.SYS [10/26/2004 4:15 PM 31375]
S3 RICOH SmartCard Reader;RICOH SmartCard Reader;c:\windows\system32\drivers\rsmartc.sys [7/14/2005 9:18 AM 69460]
.
Contents of the 'Scheduled Tasks' folder

2010-01-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-01 17:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-01 17:22]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-27 23:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\HPLSNtf.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
c:\windows\system32\msv1_0.dll

- - - - - - - > 'explorer.exe'(1860)
c:\windows\system32\WININET.dll
c:\progra~1\Verizon\SMARTB~1\SBHook.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-27 23:16:00
ComboFix-quarantined-files.txt 2010-01-28 05:15
ComboFix2.txt 2010-01-27 01:48
ComboFix3.txt 2010-01-27 00:31

Pre-Run: 46,945,579,008 bytes free
Post-Run: 47,058,673,664 bytes free

- - End Of File - - F1267786A1687439C717112BE5F9244E

 

Cannot see any problems with that log.

Try the uninstall process again please and let me know how you get on.

 

Restarted computer, reran rkill and exehelper, and this time combofix worked. after that i was able to uninstall bcombofix sucessfully

 

Cool. Now, are you up to running Kaspersky one more time? . Hopefully you come back clean.
Did you do the system restore thing?

 

Yes, I did the system restore thing, and kapersky came back clean! Thanks Again! Sounds like another resolved problem! Thank you so much!

 

You are very welcome.