1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Inactive virus infection

Discussion in 'Malware and Virus Removal Archive' started by deangmoxon, 2011/03/20.

Thread Status:
Not open for further replies.
  1. 2011/03/20
    deangmoxon

    deangmoxon Inactive Thread Starter

    Joined:
    2010/11/13
    Messages:
    88
    Likes Received:
    0
    [Inactive] virus infection

    i gotta virus from an MMA site
    i can't open malwarebytes to clean it
    i cant even open firefox and i don't even know how i have this firefox window open when i try to open any programs a window opens up asking which program i want to open it with
    occasional tabs open up
    a request for an adobe install window opens up occasionally
    waddoo i do ?
    i have windows xp pro
     
    deangmoxon,
    #1
  2. 2011/03/20
    Admin.

    Admin. Administrator Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,687
    Likes Received:
    107
    You know the drill...
     
    Admin.,
    #2


  3. to hide this advert.

  4. 2011/03/20
    deangmoxon

    deangmoxon Inactive Thread Starter

    Joined:
    2010/11/13
    Messages:
    88
    Likes Received:
    0
    i cannot do any of the things on the to-do-list
    i cannot open malwarebytes or download it
    or any of the others things too
     
    deangmoxon,
    #3
  5. 2011/03/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download and run exeHelper.

    • Please download exeHelper from Raktor to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file named log.txt will be created in the directory where you ran exeHelper.com
    • Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file ", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    ===============================================================

    Please download ComboFix from [color= "Red"]Here[/color] or [color= "#FF0000"]Here[/color] to your Desktop.

    [color= "Blue"]**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**[/color]
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results ".
      • Click on [color= "Red"]this link[/color] to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • [color= "Red"]WARNING:[/color] Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results ". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion ", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
    broni,
    #4
  6. 2011/03/20
    deangmoxon

    deangmoxon Inactive Thread Starter

    Joined:
    2010/11/13
    Messages:
    88
    Likes Received:
    0
    i started the comp in safe mode
    and cleaned the virus with malwarebytes
    so i think the problem is gone
    thanx
     
    deangmoxon,
    #5
  7. 2011/03/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    It doesn't work that way.
    I need to see all logs.
     
    broni,
    #6
  8. 2011/03/25
    deangmoxon

    deangmoxon Inactive Thread Starter

    Joined:
    2010/11/13
    Messages:
    88
    Likes Received:
    0
    ComboFix 11-03-23.03 - Administrator 03/23/2011 12:31:26.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.632 [GMT -7:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-23 to 2011-03-23 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-23 05:01 . 2011-03-23 05:01 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9479806C-709D-4284-8981-00B151CC4C2B}\MpKslb4d7b135.sys
    2011-03-23 05:00 . 2011-02-23 17:35 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9479806C-709D-4284-8981-00B151CC4C2B}\mpengine.dll
    2011-03-21 01:27 . 2011-03-21 01:28 -------- d-----w- c:\program files\Microsoft Security Client
    2011-03-21 00:38 . 2011-03-21 00:38 -------- d--h--w- c:\windows\system32\GroupPolicy
    2011-03-20 07:39 . 2011-03-20 07:39 -------- d-sh--w- c:\documents and settings\NetworkService\UserData
    2011-03-20 06:00 . 2011-03-22 00:01 0 ----a-w- c:\windows\Htaseyekitenimiq.bin
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-09 13:53 . 2004-08-04 05:56 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2004-08-04 05:56 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-03 01:11 . 2010-11-16 20:16 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-02-02 07:58 . 2009-05-03 23:57 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2009-05-03 23:57 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2004-08-04 05:56 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2004-08-04 05:56 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2004-08-04 04:17 1854976 ----a-w- c:\windows\system32\win32k.sys
    2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2010-09-29 06:44 1400712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440} "= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440} "= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update "= "c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-29 136176]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-01-10 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1024000]
    "SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
    "MSC "= "c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @= "Service "
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    2005-06-08 04:05 344064 -c--a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
    2006-10-12 23:28 1282048 ----a-w- c:\windows\system32\WLTRAY.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001
    "FirewallOverride "=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\BitComet\\BitComet.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe "=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe "=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "12316:TCP "= 12316:TCP:BitComet 12316 TCP
    "12316:UDP "= 12316:UDP:BitComet 12316 UDP
    "1691:TCP "= 1691:TCP:BitComet 1691 TCP
    "1691:UDP "= 1691:UDP:BitComet 1691 UDP
    "18725:TCP "= 18725:TCP:BitComet 18725 TCP
    "18725:UDP "= 18725:UDP:BitComet 18725 UDP
    .
    R1 MpKslb4d7b135;MpKslb4d7b135;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9479806C-709D-4284-8981-00B151CC4C2B}\MpKslb4d7b135.sys [3/22/2011 10:01 PM 28752]
    R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [1/9/2011 9:50 PM 632792]
    S1 MpKslcb5b4081;MpKslcb5b4081;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3A78850-9880-41E5-BFAE-9DF43A37E2ED}\MpKslcb5b4081.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3A78850-9880-41E5-BFAE-9DF43A37E2ED}\MpKslcb5b4081.sys [?]
    S2 Dynex DX-WGPNBC WLService;Dynex Wireless Enhanced G NB Card - DX-WGPNBC Service;c:\program files\Dynex Wireless Enhanced G NB Card - DX-WGPNBC\WLService.exe [5/3/2009 7:11 PM 49152]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/10/2011 2:05 PM 136176]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [7/7/2010 7:05 AM 14904]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MPKSLB4D7B135
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
    .
    2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-10 21:05]
    .
    2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-10 21:05]
    .
    2011-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-2111687655-2146967187-500Core.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-29 20:16]
    .
    2011-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-2111687655-2146967187-500UA.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-29 20:16]
    .
    2011-03-23 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 19:26]
    .
    2011-03-23 c:\windows\Tasks\RMSmartUpdate.job
    - c:\program files\Registry Mechanic\Update.exe [2011-01-10 20:26]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca/ig?hl=en
    uInternet Connection Wizard,ShellNext = iexplore
    IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
    IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
    IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\in09o4tz.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Clear Cache Button: {563e4790-7e70-11da-a72b-0800200c9a66} - %profile%\extensions\{563e4790-7e70-11da-a72b-0800200c9a66}
    FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net


    Rootkit scan 2011-03-23 12:37
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1060284298-2111687655-2146967187-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 "=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b6,6c,2b,db,55,25,dd,4c,af,ed,28,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 "=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2a,ff,b0,1f,e8,19,06,46,b4,05,70,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 "=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b6,6c,2b,db,55,25,dd,4c,af,ed,28,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(896)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\System32\BCMLogon.dll
    .
    - - - - - - - > 'explorer.exe'(2544)
    c:\windows\system32\WININET.dll
    c:\program files\Windows Media Player\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-03-23 12:40:27
    ComboFix-quarantined-files.txt 2011-03-23 19:40
    ComboFix2.txt 2011-03-23 05:00
    .
    Pre-Run: 10,789,822,464 bytes free
    Post-Run: 10,778,914,816 bytes free
    .
    - - End Of File - - 3386825AB40458BB32C3E26FC7031C1D



    exeHelper by Raktor
    Build 20100414
    Run at 16:21:25 on 03/20/11
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    exeHelper by Raktor
    Build 20100414
    Run at 12:52:18 on 03/23/11
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--





    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 03/25/2011 at 12:02:16.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:



    Rkill completed on 03/25/2011 at 12:02:24.
     
    deangmoxon,
    #7
  9. 2011/03/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I can see, you ran Combofix twice.
    Navigate to C:\Qoobox and post content of ComboFix2.txt log.
     
    broni,
    #8
  10. 2011/03/25
    deangmoxon

    deangmoxon Inactive Thread Starter

    Joined:
    2010/11/13
    Messages:
    88
    Likes Received:
    0
    ComboFix 11-03-22.04 - Administrator 03/22/2011 21:37:59.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.735 [GMT -7:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator\Application Data\OfferBox
    c:\documents and settings\Administrator\Application Data\OfferBox\config.xml
    c:\documents and settings\Administrator\Local Settings\Application Data\{37235335-0967-46CD-BC5F-BCEA47F23F4B}
    c:\documents and settings\Administrator\Local Settings\Application Data\{37235335-0967-46CD-BC5F-BCEA47F23F4B}\chrome.manifest
    c:\documents and settings\Administrator\Local Settings\Application Data\{37235335-0967-46CD-BC5F-BCEA47F23F4B}\chrome\content\_cfg.js
    c:\documents and settings\Administrator\Local Settings\Application Data\{37235335-0967-46CD-BC5F-BCEA47F23F4B}\chrome\content\overlay.xul
    c:\documents and settings\Administrator\Local Settings\Application Data\{37235335-0967-46CD-BC5F-BCEA47F23F4B}\install.rdf
    c:\program files\OfferBox
    c:\program files\OfferBox\offerboxffx@offerbox.com\components\OfferBoxXpCom.dll
    c:\windows\afuyoseg.dll
    .
    Infected copy of c:\windows\system32\userinit.exe was found and disinfected
    Restored copy from - c:\windows\ERDNT\cache\userinit.exe
    .
    .
    \\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-23 to 2011-03-23 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-23 04:13 . 2011-03-23 04:14 -------- d-----w- C:\32788R22FWJFW
    2011-03-21 01:27 . 2011-03-21 01:28 -------- d-----w- c:\program files\Microsoft Security Client
    2011-03-21 00:38 . 2011-03-21 00:38 -------- d--h--w- c:\windows\system32\GroupPolicy
    2011-03-20 07:39 . 2011-03-20 07:39 -------- d-sh--w- c:\documents and settings\NetworkService\UserData
    2011-03-20 06:00 . 2011-03-22 00:01 0 ----a-w- c:\windows\Htaseyekitenimiq.bin
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-23 17:35 . 2011-03-22 22:12 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B8E88558-542D-471A-A2B0-89DA71A3A630}\mpengine.dll
    2011-02-09 13:53 . 2004-08-04 05:56 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2004-08-04 05:56 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-03 01:11 . 2010-11-16 20:16 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-02-02 07:58 . 2009-05-03 23:57 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2009-05-03 23:57 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2004-08-04 05:56 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2004-08-04 05:56 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2004-08-04 04:17 1854976 ----a-w- c:\windows\system32\win32k.sys
    2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2010-09-29 06:44 1400712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440} "= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440} "= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update "= "c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-29 136176]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-01-10 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1024000]
    "SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
    "MSC "= "c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @= "Service "
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    2005-06-08 04:05 344064 -c--a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
    2006-10-12 23:28 1282048 ----a-w- c:\windows\system32\WLTRAY.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001
    "FirewallOverride "=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\BitComet\\BitComet.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe "=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe "=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "12316:TCP "= 12316:TCP:BitComet 12316 TCP
    "12316:UDP "= 12316:UDP:BitComet 12316 UDP
    "1691:TCP "= 1691:TCP:BitComet 1691 TCP
    "1691:UDP "= 1691:UDP:BitComet 1691 UDP
    "18725:TCP "= 18725:TCP:BitComet 18725 TCP
    "18725:UDP "= 18725:UDP:BitComet 18725 UDP
    .
    R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [1/9/2011 9:50 PM 632792]
    S1 MpKslcb5b4081;MpKslcb5b4081;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3A78850-9880-41E5-BFAE-9DF43A37E2ED}\MpKslcb5b4081.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3A78850-9880-41E5-BFAE-9DF43A37E2ED}\MpKslcb5b4081.sys [?]
    S2 Dynex DX-WGPNBC WLService;Dynex Wireless Enhanced G NB Card - DX-WGPNBC Service;c:\program files\Dynex Wireless Enhanced G NB Card - DX-WGPNBC\WLService.exe [5/3/2009 7:11 PM 49152]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/10/2011 2:05 PM 136176]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [7/7/2010 7:05 AM 14904]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-16 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
    .
    2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-10 21:05]
    .
    2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-10 21:05]
    .
    2011-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-2111687655-2146967187-500Core.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-29 20:16]
    .
    2011-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-2111687655-2146967187-500UA.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-29 20:16]
    .
    2011-03-23 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 19:26]
    .
    2011-03-23 c:\windows\Tasks\RMSmartUpdate.job
    - c:\program files\Registry Mechanic\Update.exe [2011-01-10 20:26]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca/ig?hl=en
    uInternet Connection Wizard,ShellNext = iexplore
    IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
    IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
    IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\in09o4tz.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Clear Cache Button: {563e4790-7e70-11da-a72b-0800200c9a66} - %profile%\extensions\{563e4790-7e70-11da-a72b-0800200c9a66}
    FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-Bnoharex - c:\windows\afuyoseg.dll
    MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-22 21:52
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1060284298-2111687655-2146967187-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 "=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b6,6c,2b,db,55,25,dd,4c,af,ed,28,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 "=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2a,ff,b0,1f,e8,19,06,46,b4,05,70,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 "=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b6,6c,2b,db,55,25,dd,4c,af,ed,28,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(896)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\System32\BCMLogon.dll
    .
    - - - - - - - > 'explorer.exe'(1656)
    c:\windows\system32\WININET.dll
    c:\program files\Windows Media Player\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\System32\bcmwltry.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Dynex Wireless Enhanced G NB Card - DX-WGPNBC\WLanCfgG.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2011-03-22 22:00:31 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-03-23 05:00
    .
    Pre-Run: 10,741,448,704 bytes free
    Post-Run: 10,809,069,568 bytes free
    .
    - - End Of File - - 3232DFB3005F32E1916CA1B19B9C506E
     
    deangmoxon,
    #9
  11. 2011/03/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Very well :)

    Please, complete all steps listed here: this post

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
    broni,
    #10
Thread Status:
Not open for further replies.

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...