DiscoLu

Members
Posts: 4
  1. Hi! Thanks for your reply, and sorry for the delay. (I've been sick and out of pocket.) The update seems to have done the trick. (Boy, that was embarrassingly obvious!) My scan is coming up clean. To be safe, here are my logs:

------------------------------------
Malwarebytes' Anti-Malware 1.41
Database version: 2964
Windows 5.1.2600 Service Pack 3

10/14/2009 11:31:33 PM
mbam-log-2009-10-14 (23-31-33).txt

Scan type: Quick Scan
Objects scanned: 101385
Time elapsed: 3 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:57 PM, on 10/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\PROGRA~1\AVG\AVG8\avgemc.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\PROGRA~1\AVG\AVG8\avgnsx.exe
D:\Program Files\AVG\AVG8\avgcsrvx.exe
D:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\RTHDCPL.EXE
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Lexmark 1200 Series\lxczbmon.exe
D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\Program Files\GIGABYTE\GBTUpd\RunUpd.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\Program Files\Linksys\WUSB600N\WUSB600N.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
D:\WINDOWS\System32\svchost.exe
D:\Documents and Settings\Chris\Desktop\mplayerc.exe
D:\WINDOWS\system32\divxsm.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - D:\WINDOWS\system32\dvmurl.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [XboxStat] "d:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark 1200 Series] "D:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iSUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iSUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [GEST] m
  2. Hi! It's my first time posting, so I hope I'm posting in the right place. I had a fairly nasty virus in the last day, and I've been able to get most of my functionality back using ComboFix, but I can't shake a malware notification from MalwareBytes, "UpdatesDisableNotify." I'm afraid I'm still vulnerable with this. Anyone have a suggestion on how to proceed? Big thanks in advance. Here are my full MalwareBytes and ComboFix logs:

----------------------------------------------
M-Bytes:

Malwarebytes' Anti-Malware 1.38
Database version: 2310
Windows 5.1.2600 Service Pack 3

10/10/2009 5:08:39 PM
mbam-log-2009-10-10 (17-08-37).txt

Scan type: Quick Scan
Objects scanned: 88992
Time elapsed: 1 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

----------------------------------------------
ComboFix

ComboFix 09-10-10.01 - Chris 10/10/2009 16:54.6.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2643 [GMT -4:00]
Running from: d:\documents and settings\Chris\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of d:\windows\system32\drivers\dtscsi.sys was found and disinfected
Kitty ate it
.

((((((((((((((((((((((((( Files Created from 2009-09-10 to 2009-10-10 )))))))))))))))))))))))))))))))
.

2009-10-04 08:13 . 2009-10-10 20:57 -------- d-----w- d:\documents and settings\Chris\Application Data\8791804545
2009-10-03 19:52 . 2009-10-03 19:52 90624 ----a-w- d:\windows\VSUNINST.EXE
2009-09-29 03:52 . 2009-09-29 11:26 -------- d-----w- D:\RICKY_GERVAIS_MEETS
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-04 14:17 . 2009-09-03 04:15 282528 ----a-w- d:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-03 19:48 . 2009-02-17 01:11 -------- d-----w- d:\program files\Steam
2009-10-03 19:32 . 2009-02-17 13:08 16608 ----a-w- d:\windows\gdrv.sys
2009-09-29 03:51 . 2009-02-22 16:43 -------- d-----w- d:\documents and settings\Chris\Application Data\Vso
2009-09-26 15:42 . 2009-06-26 15:42 49664 --sha-w- d:\windows\system32\tikitizo.dll
2009-09-26 14:54 . 2009-09-26 14:54 1081380 ---h--w- d:\windows\system32\BIT2.tmp
2009-09-25 12:50 . 2009-02-28 13:50 -------- d-----w- d:\program files\PeerGuardian2
2009-09-25 12:49 . 2009-02-22 14:35 -------- d-----w- d:\documents and settings\Chris\Application Data\uTorrent
2009-09-17 12:59 . 2009-05-18 17:46 -------- d-----w- d:\documents and settings\Chris\Application Data\Skype
2009-09-17 12:41 . 2009-05-18 17:48 -------- d-----w- d:\documents and settings\Chris\Application Data\skypePM
2009-09-15 04:53 . 2009-02-17 00:27 43800 ----a-w- d:\documents and settings\Chris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-03 04:21 . 2009-09-03 04:21 -------- d-----w- d:\program files\WBFS
2009-09-03 04:15 . 2009-09-03 04:15 -------- d-----w- d:\program files\MSBuild
2009-09-03 04:14 . 2009-09-03 04:14 -------- d-----w- d:\program files\Reference Assemblies
2009-08-29 13:27 . 2009-08-29 13:27 -------- d-----w- d:\program files\CDisplay
2009-08-27 23:52 . 2009-08-27 23:52 410984 ----a-w- d:\windows\system32\deploytk.dll
2009-08-27 23:52 . 2009-08-27 23:52 -------- d-----w- d:\program files\Java
2009-08-27 21:41 . 2009-02-18 02:21 11952 ----a-w- d:\windows\system32\avgrsstx.dll
2009-08-27 21:41 . 2009-02-18 02:21 335240 ----a-w- d:\windows\system32\drivers\avgldx86.sys
2009-08-27 21:41 . 2009-02-18 02:21 27784 ----a-w- d:\windows\system32\drivers\avgmfx86.sys
2009-08-14 00:01 . 2004-08-04 03:14 182656 ------w- d:\windows\system32\drivers\ndis.sys
2009-07-24 12:15 . 2009-07-24 12:12 8 ----a-w- d:\windows\system32\nvModes.dat
2009-07-16 02:21 . 2003-10-17 17:44 499712 ----a-w- d:\windows\system32\msvcp71.dll
2009-07-16 02:21 . 2003-10-17 17:44 348160 ----a-w- d:\windows\system32\msvcr71.dll
2009-06-26 15:42 . 2009-06-26 15:42 319456 --sha-w- d:\windows\system32\bikehizi.exe
2009-06-26 15:42 . 2009-06-26 15:42 49664 --sha-w- d:\windows\system32\mokosuha.dll.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="d:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="m
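A mechanical first pass over the two logs in the post above, as an added example (my own code, not part of the forum post and not code from Malwarebytes or ComboFix): it parses MBAM's "Registry Data Items Infected" line and ComboFix's "Files Created"/"Find3M" file lines, flags any Security Center *DisableNotify value reported as 1 (malware of this era set these to silence the "updates/antivirus/firewall off" balloon; 0 is the default), and flags hidden files under system32, scoring hidden+system higher. The sample input is a constructed excerpt copied from the post; the 8-character attribute layout (column 0 = directory, 2 = system, 3 = hidden) is inferred from those lines, and the all-digit-folder check is a heuristic, so both are assumptions. Function and field names are mine.

```python
"""Triage a pasted MBAM / ComboFix log excerpt for the indicators seen in this thread.

Added example; not part of the forum post and not Malwarebytes or ComboFix code.
The attribute-field layout (col 0 = directory, col 2 = system, col 3 = hidden)
is inferred from the pasted lines and is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the MBAM and ComboFix logs in the post above.
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
2009-10-04 08:13 . 2009-10-10 20:57 -------- d-----w- d:\documents and settings\Chris\Application Data\8791804545
2009-09-26 15:42 . 2009-06-26 15:42 49664 --sha-w- d:\windows\system32\tikitizo.dll
2009-09-26 14:54 . 2009-09-26 14:54 1081380 ---h--w- d:\windows\system32\BIT2.tmp
2009-08-27 21:41 . 2009-02-18 02:21 11952 ----a-w- d:\windows\system32\avgrsstx.dll
2009-06-26 15:42 . 2009-06-26 15:42 319456 --sha-w- d:\windows\system32\bikehizi.exe
2009-06-26 15:42 . 2009-06-26 15:42 49664 --sha-w- d:\windows\system32\mokosuha.dll.tmp
"""

# ComboFix file line: <mtime> . <ctime> <size or dashes> <8-char attrs> <path>
COMBOFIX_LINE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
# MBAM registry data line: <key\value> (<detection>) -> Bad: (<v>) Good: (<v>) -> <action>
MBAM_REGDATA = re.compile(
    r"^(?P<key>HKEY_.+?) \((?P<detection>[\w.]+)\) -> "
    r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$"
)

# Security Center values that malware flipped to 1 to hide the "protection off"
# warnings; 0 is the Windows default.
SECURITY_CENTER_NOTIFY = {
    "antivirusdisablenotify",
    "firewalldisablenotify",
    "updatesdisablenotify",
}


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    item: str      # registry value or file path
    reason: str


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious line; lines in neither format are ignored."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = MBAM_REGDATA.match(line)
        if m:
            value_name = m["key"].rsplit("\\", 1)[-1].lower()
            if value_name in SECURITY_CENTER_NOTIFY and m["bad"] == "1":
                findings.append(Finding(
                    "high", m["key"],
                    f"Security Center notification suppressed (bad={m['bad']}, "
                    f"expected {m['good']}); MBAM action: {m['action']}"))
            continue

        m = COMBOFIX_LINE.match(line)
        if not m:
            continue
        attrs, path = m["attrs"], m["path"]
        lower = path.lower()
        is_dir = attrs[0] == "d"
        is_system = attrs[2] == "s"
        is_hidden = attrs[3] == "h"
        name = lower.rsplit("\\", 1)[-1]

        if not is_dir and is_hidden and "\\windows\\system32\\" in lower:
            # Legitimate system32 binaries are not hidden (compare avgrsstx.dll,
            # "----a-w-"); hidden + system is the classic dropper pattern.
            findings.append(Finding(
                "high" if is_system else "medium", path,
                f"hidden{' + system' if is_system else ''} file in system32 (attrs {attrs})"))
        elif is_dir and name.isdigit() and "\\application data\\" in lower:
            # Heuristic: rogue-AV installers of the time used all-digit folder names.
            findings.append(Finding(
                "medium", path, "all-digit folder under Application Data (heuristic)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.item}\n         {f.reason}")
```

Run against the sample it reports the UpdatesDisableNotify value, the three `--sha-w-` files plus the hidden `BIT2.tmp`, and the `8791804545` folder, and stays silent on the AVG DLL. A flagged file is only a lead: confirm with a hash lookup or a second on-demand scanner before deleting anything, and reset a tampered *DisableNotify value to 0 only after the underlying infection is gone, otherwise the malware simply sets it again.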
  3. Thanks for all your help. Strangely, that command isn't working, though. When I do it, it says "Windows cannot find ComboFix." Strange. Any other way around it???
  4. Hi! I've had a hell of a time trying to shake the uacinit.dll rootkit. First it was blocking M-bytes, so I learned on the forum how to get around that ... then it wouldn't erase, so I read on the forums to run ComboFix. It's no longer showing up on an M-bytes scan, but I'm still a bit nervous. I'm hoping someone can take a look at my logs to see if there's anything else I should be getting rid of. Posted are: M-bytes, HijackThis and ComboFix. Any help anyone can offer is much, much appreciated!

Malware Bytes:

Malwarebytes' Anti-Malware 1.38
Database version: 2310
Windows 5.1.2600 Service Pack 3

6/21/2009 3:37:14 PM
mbam-log-2009-06-21 (15-37-14).txt

Scan type: Quick Scan
Objects scanned: 83180
Time elapsed: 2 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:37:42 PM, on 6/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Avira\AntiVir Desktop\sched.exe
D:\Program Files\Avira\AntiVir Desktop\avguard.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Citrix\Secure Access Client\nsverctl.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\PROGRA~1\AVG\AVG8\avgemc.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\PROGRA~1\AVG\AVG8\avgnsx.exe
D:\Program Files\AVG\AVG8\avgcsrvx.exe
D:\WINDOWS\RTHDCPL.EXE
D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\Program Files\GIGABYTE\GBTUpd\RunUpd.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
D:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
D:\Program Files\Lexmark 1200 Series\lxczbmon.exe
D:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
D:\Program Files\Citrix\Secure Access Client\nsload.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\Program Files\Linksys\WUSB600N\WUSB600N.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - D:\WINDOWS\system32\dvmurl.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [GEST] m