Everything posted by tbeish

  1. Everything is runnin' smoooooth as far as I can tell... Here are the latest logs:

     F-Secure Log:

     Scanning Report
     Sunday, August 23, 2009 02:25:05 - 03:16:38
     Computer name: DINICOLAS
     Scanning type: Scan system for malware, spyware and rootkits
     Target: C:\
     --------------------------------------------------------------------------------
     4 malware found
     Generic.Peed.Eml.39CAEFAD (virus)
       C:\DOCUMENTS AND SETTINGS\CARISE\MY DOCUMENTS\MAIL\TRASH\YOU'VE RECEIVED A GREETING CARD FROM A NEIGHBOUR!_598_20080120_003249_656.EML (Not cleaned & Submitted)
     Generic.Peed.Eml.71AD408E (virus)
       C:\DOCUMENTS AND SETTINGS\CARISE\MY DOCUMENTS\MAIL\TRASH\YOU'VE RECEIVED A POSTCARD FROM A COLLEAGUE!_540_20080120_003246_000.EML (Not cleaned & Submitted)
     Generic.Peed.Eml.DA620C5E (virus)
       C:\DOCUMENTS AND SETTINGS\CARISE\MY DOCUMENTS\MAIL\INBOX\YOU'VE RECEIVED A GREETING CARD FROM A NEIGHBOUR!_802_20080120_002822_343.EML (Not cleaned & Submitted)
     Generic.Peed.Eml.71AD408E (virus)
       C:\DOCUMENTS AND SETTINGS\CARISE\MY DOCUMENTS\MAIL\INBOX\YOU'VE RECEIVED A POSTCARD FROM A COLLEAGUE!_763_20080120_002819_437.EML (Not cleaned & Submitted)
     --------------------------------------------------------------------------------
     Statistics
     Scanned:
       Files: 50983
       System: 2907
       Not scanned: 14
     Actions:
       Disinfected: 0
       Renamed: 0
       Deleted: 0
       Not cleaned: 4
       Submitted: 4
     Files not scanned:
       C:\PAGEFILE.SYS
       C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
       C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
       C:\WINDOWS\SYSTEM32\CONFIG\SAM
       C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
       C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
       C:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE
       C:\PROGRAM FILES\WINDOWS DEFENDER\MSMPENG.EXE
       C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\MB.EXE
       C:\PROGRAM FILES\AVG\AVG8\AVGCSRVX.EXE
       C:\MGTOOLS\ANALYSE.EXE
       C:\DOCUMENTS AND SETTINGS\DICKIE\DESKTOP\DICKIE\AUTORUNS\WINLOGON.SCR
       C:\DOCUMENTS AND SETTINGS\CARISE\DESKTOP\HIJACKTHIS.EXE
       C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\4F7E2D0D77365C3000E013BB758BF41E_03FFA088-78A9-4A82-8C59-725D6DD3EDB2
     --------------------------------------------------------------------------------
     Options
     Scanning engines:
     Scanning options:
       Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
       Use advanced heuristics

     NOTE: I deleted the 4 malware items F-Secure found along with several of the files it couldn't scan because the file permissions were changed by the rootkit.

     Security Check Log:

     Results of screen317's Security Check version 0.98.9
     Windows XP Service Pack 3
     ``````````````````````````````
     Antivirus/Firewall Check:
     Windows Firewall Enabled!
     AVG Free 8.5
     Antivirus up to date!
     ``````````````````````````````
     Anti-malware/Other Utilities Check:
     Windows Defender
     Malwarebytes' Anti-Malware
     Gmer
     CCleaner (remove only)
     Java 6 Update 16
     Adobe Flash Player 10
     Adobe Reader 9.1
     ``````````````````````````````
     Process Check: objlist.exe by Laurent
     Windows Defender MSMpEng.exe
     ``````````````````````````````
     DNS Vulnerability Check: Unknown. This method cannot test your vulnerability to DNS cache poisoning.
     `````````End of Log```````````

     Thanks again Chris... keep me posted!
  2. Here are the logs... thanks for your help Chris.

     Attached files:
     ComboFix.txt
     Win32kDiag.txt
     mbam_log_2009_08_22__13_57_49_.txt
  3. Thanks. Here are some logs of the fixes I've been able to run successfully...

     ComboFix 09-08-19.0C - Dickie 08/20/2009 17:34.1.1 - NTFSx86
     Running from: c:\documents and settings\Dickie\Desktop\Combo-Fix.exe
     AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
     * Created a new restore point
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\documents and settings\Carise\Application Data\alot
     c:\documents and settings\Darien\Application Data\alot
     c:\windows\Installer\24234c.msi
     c:\windows\Installer\24234d.msp
     c:\windows\Installer\24234e.msp
     c:\windows\Installer\24234f.msp
     c:\windows\Installer\242350.msp
     c:\windows\Installer\242351.msp
     c:\windows\Installer\242352.msp
     c:\windows\Installer\242353.msp
     c:\windows\Installer\242354.msp
     c:\windows\Installer\242355.msp
     c:\windows\Installer\5144c.msp
     c:\windows\Installer\5144d.msp
     c:\windows\Installer\5144e.msp
     c:\windows\Installer\5144f.msp
     c:\windows\Installer\51450.msp
     c:\windows\Installer\51451.msp
     c:\windows\Installer\51452.msp
     c:\windows\Installer\51453.msp
     c:\windows\Installer\51454.msp
     c:\windows\Installer\51455.msp
     c:\windows\ppp3.dat
     c:\windows\ppp4.dat
     c:\windows\system32\sysnet.dat

     Infected copy of c:\windows\system32\scecli.dll was found and disinfected
     Restored copy from - c:\windows\ServicePackFiles\i386\scecli.dll
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     -------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
     -------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

     ((((((((((((((((((((((((( Files Created from 2009-07-20 to 2009-08-20 )))))))))))))))))))))))))))))))
     .
     2009-08-20 11:47 . 2009-08-20 11:47 -------- d--h--w- C:\$AVG8.VAULT$
     2009-08-18 18:00 . 2009-08-18 18:00 -------- d-----w- c:\documents and settings\todd\Application Data\Malwarebytes
     2009-08-18 04:09 . 2009-08-18 04:10 94701 ----a-w- C:\MGlogs.zip
     2009-08-17 21:33 . 2009-08-18 04:10 -------- d-----w- C:\MGtools
     2009-08-17 20:23 . 2009-08-18 03:55 117760 ----a-w- c:\documents and settings\Dickie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
     2009-08-17 20:23 . 2009-08-17 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
     2009-08-17 20:22 . 2009-08-17 20:22 -------- d-----w- c:\program files\SUPERAntiSpyware
     2009-08-17 20:22 . 2009-08-17 20:22 -------- d-----w- c:\documents and settings\Dickie\Application Data\SUPERAntiSpyware.com
     2009-08-17 20:22 . 2009-08-17 20:22 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
     2009-08-17 18:23 . 2009-08-17 18:23 -------- d--h--w- c:\windows\PIF
     2009-08-16 20:22 . 2009-08-16 20:22 -------- d-----w- c:\documents and settings\Carise\Application Data\Malwarebytes
     2009-08-16 20:22 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2009-08-16 20:22 . 2009-08-18 17:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2009-08-16 20:22 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
     2009-08-16 20:20 . 2009-08-16 20:20 -------- d-----w- c:\program files\Windows Defender
     2009-08-16 20:18 . 2009-08-16 20:18 -------- d-----w- c:\documents and settings\Carise\Application Data\Canneverbe_Limited
     2009-08-16 20:18 . 2009-08-16 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
     2009-08-16 20:17 . 2009-08-16 20:17 -------- d-----w- c:\program files\CDBurnerXP
     2009-08-16 20:13 . 2009-08-16 20:13 11952 ----a-w- c:\windows\system32\avgrsstx.dll
     2009-08-16 20:13 . 2009-08-16 20:13 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
     2009-08-16 20:13 . 2009-08-16 20:13 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
     2009-08-16 20:13 . 2009-08-16 20:13 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
     2009-08-16 20:13 . 2009-08-18 17:42 -------- d-----w- c:\windows\system32\drivers\Avg
     2009-08-16 20:13 . 2009-08-16 20:13 -------- d-----w- c:\program files\AVG
     2009-08-16 20:13 . 2009-08-16 20:13 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
     2009-08-16 19:01 . 2009-08-16 19:02 -------- d-----w- c:\program files\QuickTime
     2009-08-16 19:00 . 2009-08-16 19:00 -------- d-----w- c:\program files\IrfanView
     2009-08-16 18:59 . 2009-08-16 18:59 411368 ----a-w- c:\windows\system32\deploytk.dll
     2009-08-16 18:58 . 2009-08-16 18:58 -------- d-----w- c:\documents and settings\Carise\Application Data\vlc
     2009-08-16 18:57 . 2009-08-16 18:57 -------- d-----w- c:\program files\VideoLAN
     2009-08-16 18:57 . 2009-08-16 18:57 -------- d-----w- c:\documents and settings\Carise\Application Data\ImgBurn
     2009-08-16 18:57 . 2009-08-16 18:57 -------- d-----w- c:\program files\ImgBurn
     2009-08-16 18:56 . 2009-08-16 18:56 -------- d-----w- c:\program files\Defraggler
     2009-08-16 18:45 . 2009-08-16 18:45 -------- d-----w- c:\program files\CCleaner
     2009-08-16 05:40 . 2009-08-16 05:40 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
     2009-08-16 00:28 . 2009-08-16 18:21 -------- d-----w- C:\sysclean
     2009-08-12 21:55 . 2009-08-12 21:55 -------- d-----w- c:\windows\Recent
     2009-08-11 02:39 . 2009-08-11 02:39 19857 ----a-w- c:\documents and settings\Dickie\Application Data\omehara.scr
     2009-08-11 02:39 . 2009-08-11 02:39 17505 ----a-w- c:\windows\system32\yvovinos.pif
     2009-08-11 02:39 . 2009-08-11 02:39 15373 ----a-w- c:\windows\kisofibed.sys
     2009-08-11 02:39 . 2009-08-11 02:39 13998 ----a-w- c:\documents and settings\Dickie\Local Settings\Application Data\akujoty.bin
     2009-08-11 02:39 . 2009-08-11 02:39 13989 ----a-w- c:\windows\guvi.exe
     2009-08-11 02:39 . 2009-08-11 02:39 13873 ----a-w- c:\windows\iqejuhap.bin
     2009-08-11 02:39 . 2009-08-11 02:39 12676 ----a-w- c:\program files\Common Files\irasetak.bin
     2009-08-11 02:39 . 2009-08-11 02:39 12331 ----a-w- c:\windows\yqiqy.com
     2009-08-11 02:13 . 2009-08-11 02:13 19499 ----a-w- c:\windows\qodyw.bin
     2009-08-11 02:13 . 2009-08-11 02:13 19022 ----a-w- c:\documents and settings\Dickie\Local Settings\Application Data\ibyvemaly.vbs
     2009-08-11 02:13 . 2009-08-11 02:13 18001 ----a-w- c:\documents and settings\Dickie\Local Settings\Application Data\idac.com
     2009-08-11 02:13 . 2009-08-11 02:13 17083 ----a-w- c:\windows\ebirixora.com
     2009-08-11 02:13 . 2009-08-11 02:13 16295 ----a-w- c:\documents and settings\All Users\Application Data\iveceneq.com
     2009-08-11 02:13 . 2009-08-11 02:13 15222 ----a-w- c:\windows\tegitaked.scr
     2009-08-11 02:13 . 2009-08-11 02:13 15163 ----a-w- c:\windows\ymuqenoxej.bin
     2009-08-11 02:13 . 2009-08-11 02:13 15059 ----a-w- c:\windows\system32\emapot.sys
     2009-08-11 02:13 . 2009-08-11 02:13 12560 ----a-w- c:\windows\system32\roganylyz.dat
     2009-08-11 02:13 . 2009-08-11 02:13 11485 ----a-w- c:\program files\Common Files\fowosydoge.com
     2009-08-03 00:10 . 2009-08-03 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Spyware
     2009-08-03 00:06 . 2009-08-03 00:07 -------- d-----w- c:\documents and settings\Dickie\Application Data\DriverCure
     2009-08-03 00:06 . 2009-08-03 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure
     2009-08-03 00:06 . 2009-08-03 00:06 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-08-16 20:16 . 2007-01-06 20:34 -------- d-----w- c:\program files\Common Files\Adobe
     2009-08-16 18:59 . 2007-01-06 20:33 -------- d-----w- c:\program files\Java
     2009-08-16 18:37 . 2007-01-06 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
     2009-08-11 04:08 . 2008-07-13 22:45 0 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\prvlcl.dat
     2009-08-11 02:39 . 2009-08-11 02:39 15609 ----a-w- c:\program files\Common Files\ahuqykebav._sy
     2009-08-09 13:19 . 2007-01-06 20:33 -------- d-----w- c:\program files\Mozilla Thunderbird
     2009-08-01 17:31 . 2008-11-14 04:05 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM
     2009-07-20 18:59 . 2007-06-24 00:09 -------- d-----w- c:\documents and settings\Darien\Application Data\LimeWire
     2009-07-14 03:43 . 2004-08-04 04:56 286208 ----a-w- c:\windows\system32\wmpdxm.dll
     2009-07-03 17:09 . 2004-08-04 04:56 915456 ----a-w- c:\windows\system32\wininet.dll
     2009-06-16 14:36 . 2004-08-04 04:56 119808 ----a-w- c:\windows\system32\t2embed.dll
     2009-06-16 14:36 . 2001-08-23 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
     2009-06-03 19:09 . 2004-08-04 04:56 1291264 ----a-w- c:\windows\system32\quartz.dll
     2007-06-21 23:38 . 2007-06-21 23:38 30280 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
     2007-06-21 23:38 . 2007-06-21 23:38 79432 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
     2007-06-21 23:38 . 2007-06-21 23:38 71240 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
     2007-06-21 23:38 . 2007-06-21 23:38 140872 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
     2007-06-21 23:39 . 2007-06-21 23:39 38472 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
     2007-06-21 23:39 . 2007-06-21 23:39 46664 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
     2007-06-21 23:39 . 2007-06-21 23:39 34376 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll
     2007-06-21 23:39 . 2007-06-21 23:39 685640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
     2007-06-21 23:40 . 2007-06-21 23:40 30280 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-02-27 135168]
     "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
     "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-04 1848648]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
     "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-16 2007832]
     "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
     "VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2007-01-06 53248]
     "AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

     [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
     "ForceClassicControlPanel"= 1 (0x1)

     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
     2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
     2009-08-16 20:13 11952 ----a-w- c:\windows\system32\avgrsstx.dll

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
     @=""

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
     @="Service"

     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
     backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
     "c:\\Program Files\\AIM6\\aim6.exe"=
     "c:\\Program Files\\LimeWire\\LimeWire.exe"=
     "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
     "c:\\Program Files\\AIM\\aim.exe"=
     "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
     "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
     "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

     R1 df88fa6f;df88fa6f;c:\windows\System32\drivers\df88fa6f.sys [x]
     R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-08-16 908056]
     R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
     R3 PortlUSB;PortlUSB;c:\windows\system32\DRIVERS\SiriusUSB.sys [2005-09-03 7552]
     R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-08-05 7408]
     R3 utexnjq5;AVZ Kernel Driver;c:\windows\system32\Drivers\utexnjq5.sys [x]
     S0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\DRIVERS\xfilt.sys [2006-02-23 11264]
     S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-16 335240]
     S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-08-16 108552]
     S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-08-05 9968]
     S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-08-05 74480]
     S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-16 297752]

     [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
     "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
     .
     Contents of the 'Scheduled Tasks' folder

     2009-08-05 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
     .
     - - - - ORPHANS REMOVED - - - -

     URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
     Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
     WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com
     uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
     mStart Page = hxxp://www.google.com
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     FF - ProfilePath - c:\documents and settings\Dickie\Application Data\Mozilla\Firefox\Profiles\t6mf1e5h.default\
     FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
     FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
     FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
     FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

     ---- FIREFOX POLICIES ----
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
     c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
     c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
     c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
     .
     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-08-20 17:39
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
     @Denied: (A 2) (Everyone)
     @="FlashBroker"
     "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
     "Enabled"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
     @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
     @Denied: (A 2) (Everyone)
     @="IFlashBroker3"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
     @="{00020424-0000-0000-C000-000000000046}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     "Version"="1.0"
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(600)
     c:\program files\SUPERAntiSpyware\SASWINLO.dll
     c:\windows\system32\WININET.dll

     - - - - - - - > 'explorer.exe'(3056)
     c:\windows\system32\WININET.dll
     c:\windows\system32\ieframe.dll
     c:\windows\system32\webcheck.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     c:\program files\Bonjour\mDNSResponder.exe
     c:\program files\Canon\IJPLM\ijplmsvc.exe
     c:\program files\Java\jre6\bin\jqs.exe
     c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
     c:\program files\CDBurnerXP\NMSAccessU.exe
     c:\program files\AVG\AVG8\avgrsx.exe
     c:\progra~1\AVG\AVG8\avgnsx.exe
     c:\windows\system32\wscntfy.exe
     c:\program files\iPod\bin\iPodService.exe
     .
     **************************************************************************
     .
     Completion time: 2009-08-20 17:43 - machine was rebooted
     ComboFix-quarantined-files.txt 2009-08-20 21:43

     Pre-Run: 135,463,813,120 bytes free
     Post-Run: 135,388,782,592 bytes free

     WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
     [boot loader]
     timeout=2
     default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
     [operating systems]
     c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
     multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
     [spybotsd]
     timeout.old=5

     330 --- E O F --- 2009-08-20 17:38

     Attached files:
     Win32kDiag.txt
     RootRepeal_report_08_20_09__18_34_43_.txt
     ComboFix.txt
     mbam_log_2009_08_20__19_22_59_.txt
  4. I'm cleaning a PC for a friend who wasn't very descriptive of what he got into... So through my normal process I built a new Ultimate Boot CD For Windows with all the latest anti-virus and anti-spyware definitions and scanned the hell out of it with everything: Malwarebytes, SuperAntiSpyware, EZPCFix, Spybot Search & Destroy, virus cleaners etc. I kept running the scans until they came up clean. Next I scanned it with Trend Micro's Sysclean package, once from UBCD4WIN and once from Safe Mode; both times it came up clean. I thought I was all set at this point so I booted normally, uninstalled/reinstalled and updated all protection software... AVG Free 8.5, Windows Defender, Malwarebytes. I also logged into each account and ran CCleaner. I tried running Windows Updates, which ran, but the updates failed to install. Not a big deal, I'll deal with that later.

     Now when I try to run any executable/anti-malware/virus app, it opens, allows me to select what to scan, I hit the scan button, then "poof" it's gone, no process in Task Manager, nothing. This happens for Malwarebytes, Autoruns, Combofix, etc. in Safe Mode and normal mode. I've tried renaming the files to "whatever.exe, whatever.scr, whatever.bat"; doesn't matter, they still won't run. The really weird thing is when you go into the properties of the executable (like mbam.exe) the property tabs now look like it's a DOS app with a "Program" tab, "Memory" tab, etc., and in the Security tab the only object in the ACL is "Everyone", so when you try to double click on the .exe you get a Windows error to the effect of Access Denied or Can't Find File because the security has changed. To get around that I would add the user account I'm logged into to the ACL and it would allow me to run the executable, but it still disappears after a few seconds. I'm not getting any pop-ups from any rogue apps and no browser hijacks are happening, so it seems I have made some progress but not enough.

     With the current condition of the machine I'm unable to run HijackThis (I tried) to generate a log file. I've been following suggestions from this forum and a good post on malware removal on majorgeeks to no avail. My next step (when I get back to my workbench) is to run EZPCFix and other registry cleaners from UBCD4WIN to see if I can identify what's killing these executables/processes, or pull the drive and slave it in another PC to see what will run on it. I'm trying to avoid having to reload the OS as they have a lot of software on the box and this is for a friend so no "payment" has been discussed (yet). Although time-wise I could've reloaded the OS 3 times over by now! Any help on this would be greatly appreciated. If someone can get me to the point of getting a successful HJ log I know I can get rid of this!