Ruzzian
Members · Posts: 4
Everything posted by Ruzzian

  1. I was able to finally fix the problem. I tried using Sophos Anti-Rootkit, and the malware was able to see it and stop it from running. I then ran it from the command prompt, and that did the trick. While running the scan it found a file: windows\system32\addefcebbeefeaaec.dll. The only way I was able to remove it was to pull the drive out and install it in my portable USB drive. Once I deleted it and installed the hard drive back, I had control to install Malwarebytes and surf websites. Whoever designed this malware must have been brilliant. Hopefully this will help others.
  2. I'm still getting blocked from anything referencing Malwarebytes. As soon as I click on a link it shuts down the browser. It does it in IE, Firefox, and Chrome. I also found that it will prevent Autoruns (autoruns.exe) from starting. I tried SUPERAntiSpyware and it found a couple of things (Trojan.Dropper), but I'm still having the issue.
  3. I have been scouring Google to find some solutions. I tried the following programs, which were suggested by different reputable sites, and still no luck: System Repair Engineer, OTL by OldTimer, Dr.Web CureIt, ATF-Cleaner. I also tried CounterSpy since it has a 15-day trial version, and it did find Backdoor.Bifrost, but this still didn't fix the problem.
  4. I'm having similar issues as others with installing Malwarebytes. It will never run no matter how I rename the file, and I also cannot go to any website that references Malwarebytes. I have looked in Device Manager for hidden devices and none of the suggestions show up. I have also run ComboFix, and below are the results. This originally was brought to my attention when a program called Alpha Antivirus was somehow installed on the machine. As far as I can tell I have removed it, and I can find no references to that program causing this.

ComboFix 09-10-27.07 - kdenbeste 10/28/2009 9:07.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1541 [GMT -4:00]
Running from: c:\documents and settings\Kim Den Beste\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1356 [VPS 091027-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000010_.tmp.dll
c:\windows\system32\_000011_.tmp.dll
c:\windows\system32\_000012_.tmp.dll
c:\windows\system32\_000019_.tmp.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACrnjnwyquva.dll
c:\windows\system32\UACymxnuuykds.dll
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NWCWORKSTATION
-------\Legacy_UACD.SYS
-------\Service_NWCWorkstation
-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 )))))))))))))))))))))))))))))))
.
2009-10-28 02:51 . 2009-10-28 02:51 -------- d-sh--w- c:\documents and settings\Administrator.KIM\IETldCache
2009-10-27 21:21 . 2009-10-27 21:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-27 15:14 . 2009-10-27 15:14 193040 ----a-w- c:\windows\system32\lastmon.dll
2009-10-27 15:10 . 2009-10-27 15:10 277007 ----a-w- c:\windows\system32\addefcebbeefeaaec.dll
2009-10-27 13:07 . 2009-10-27 13:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-24 20:17 . 2009-10-24 20:17 350208 ----a-w- c:\windows\system32\IEaddonscontrol.dll
2009-10-15 07:00 . 2009-10-15 07:00 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-10-09 12:14 . 2009-10-09 12:14 -------- d-----w- c:\documents and settings\Kim Den Beste\Application Data\Office Genuine Advantage
2009-10-06 19:28 . 2009-10-06 18:10 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-06 18:21 . 2009-10-06 18:21 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-06 18:10 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-06 18:09 . 2009-10-06 18:09 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-10-06 18:09 . 2009-10-06 18:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-06 18:09 . 2009-10-06 18:09 -------- d-----w- c:\program files\Lavasoft
2009-10-06 18:00 . 2009-09-15 10:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-10-06 18:00 . 2009-09-15 10:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-10-06 18:00 . 2009-09-15 10:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-10-06 18:00 . 2009-09-15 10:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-10-06 18:00 . 2009-09-15 10:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-10-06 18:00 . 2009-09-15 10:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-10-06 18:00 . 2009-09-15 10:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-10-06 17:59 . 2009-09-15 10:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-10-06 17:59 . 2009-10-06 17:59 -------- d-----w- c:\program files\Alwil Software
2009-10-06 17:48 . 2009-10-06 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-06 17:48 . 2009-10-06 17:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-02 21:39 . 2009-10-02 21:39 45 ----a-w- c:\documents and settings\Kim Den Beste\jagex_runescape_preferences2.dat
2009-10-02 21:38 . 2009-10-02 22:22 38 ----a-w- c:\documents and settings\Kim Den Beste\jagex_runescape_preferences.dat
2009-10-02 21:37 . 2009-10-02 21:38 -------- d-----w- c:\windows\.jagex_cache_32
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 22:00 . 2006-08-07 12:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-15 07:03 . 2007-08-21 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-25 22:34 . 2009-07-31 14:46 84432 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-22 21:15 . 2009-09-22 21:09 -------- d-----w- c:\program files\Google
2009-09-22 13:27 . 2009-09-22 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-20 17:55 . 2009-09-16 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-20 13:27 . 2009-09-20 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-09-17 22:22 . 2009-09-17 22:22 -------- d-----w- c:\program files\MapPuzzles
2009-09-16 21:40 . 2009-09-16 21:40 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-09-16 21:40 . 2009-09-16 21:39 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-11 14:18 . 2008-12-13 19:35 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2008-12-13 19:35 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-30 18:20 . 2006-08-07 12:12 106608 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-29 08:08 . 2004-08-04 21:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 21:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-06 23:24 . 2004-08-04 21:00 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-04 21:00 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2007-08-22 15:34 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-04 21:00 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2004-08-04 21:00 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-04 21:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-04 21:00 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2007-08-24 13:00 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2007-04-17 02:43 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2004-08-04 21:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2008-12-13 19:35 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2008-12-13 19:35 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2008-12-13 19:35 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\Administrator.KIM\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\aserrano\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\__sbs_netsetup__\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\addefcebbeefeaaec]
2009-10-27 15:10 277007 ----a-w- c:\windows\system32\addefcebbeefeaaec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kim Den Beste^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=c:\documents and settings\Kim Den Beste\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\HP\\HPNetworkAssistant\\HPNetworkAssistant.exe"=
"c:\\Program Files\\HP Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/6/2009 2:10 PM 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/6/2009 2:00 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/6/2009 2:00 PM 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1028432]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/27/2008 1:00 PM 24652]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/22/2009 5:09 PM 133104]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 18:10]

2009-10-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-22 21:09]

2009-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-22 21:09]

2009-10-25 c:\windows\Tasks\Norton Security Scan for kdenbeste.job
- c:\program files\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-08-27 23:58]

2009-10-28 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?src=toolbar
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: trinityprep.org\webportal
Trusted Zone: yahoo.com\www
TCP: {6FF4182C-6FD6-41B3-98B8-E05C36184816} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\Kim Den Beste\Application Data\Mozilla\Firefox\Profiles\6apdhr4j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&query={searchTerms}&invocationType=tb50fftrie7
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tb50fftrab&query=
FF - component: c:\documents and settings\Kim Den Beste\Application Data\Mozilla\Firefox\Profiles\6apdhr4j.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9c.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-28 09:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(992)
c:\windows\system32\addefcebbeefeaaec.dll
c:\windows\system32\WININET.dll
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(3540)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\hnetcfg.dll
c:\program files\Bonjour\mdnsNSP.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\mqsvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\combo-fix\CF3203.exe
c:\combo-fix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-28 9:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-28 13:23

Pre-Run: 82,383,810,560 bytes free
Post-Run: 82,340,265,984 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 26075FD5B19638F27C6B8EC656AF7523
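The ComboFix log in the post above shows the same DLL twice: registered as a Winlogon Notify package under HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\addefcebbeefeaaec, and mapped into winlogon.exe (PID 992). That pairing is what a triage pass should pull out automatically rather than by eye. The Python below is an added example for this thread, not code from the poster, from ComboFix or from Malwarebytes. It parses those two sections of a ComboFix-style log (the embedded sample is a reflowed excerpt of the log above) and flags anything outside an assumed stock Windows XP SP3 baseline; the KNOWN_NOTIFY and KNOWN_WINLOGON_MODULES sets are this example's assumptions, not ComboFix's.

```python
"""Triage a ComboFix-style log for Winlogon Notify persistence.

Added example for this forum thread; not ComboFix code and not the
poster's. Parses the 'Reg Loading Points' Winlogon Notify keys and the
'DLLs Loaded Under Running Processes' section, then flags modules that a
clean XP SP3 winlogon.exe would not be carrying.
"""
import re

# Reflowed excerpt of the log posted in the thread (constructed sample).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\addefcebbeefeaaec]
2009-10-27 15:10 277007 ----a-w- c:\windows\system32\addefcebbeefeaaec.dll
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(992)
c:\windows\system32\addefcebbeefeaaec.dll
c:\windows\system32\WININET.dll
c:\program files\Bonjour\mdnsNSP.dll
- - - - - - - > 'explorer.exe'(3540)
c:\windows\system32\WININET.dll
.
------------------------ Other Running Processes ------------------------
"""

# Assumption: Winlogon Notify subkeys of a stock XP SP3 install. ComboFix
# already hides "legit default entries"; this is an explicit second check.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}
# Assumption: modules accepted inside winlogon.exe without a closer look.
# mdnsNSP.dll is Apple Bonjour's Winsock LSP (also in explorer.exe above).
KNOWN_WINLOGON_MODULES = {"wininet.dll", "mdnsnsp.dll"}

NOTIFY_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\([^\]]+)\]$", re.IGNORECASE)
PROC_HEADER = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)$")
DLL_PATH = re.compile(r"([a-z]:\\.+\.dll)$", re.IGNORECASE)


def winlogon_notify_entries(log: str) -> list[tuple[str, str]]:
    """(subkey, dll path) per Notify package. ComboFix prints the key on one
    line and the DLL's directory entry on the next."""
    lines = [ln.strip() for ln in log.splitlines()]
    found = []
    for i, line in enumerate(lines):
        m = NOTIFY_KEY.match(line)
        if not m:
            continue
        path = ""
        if i + 1 < len(lines):
            pm = DLL_PATH.search(lines[i + 1])
            path = pm.group(1) if pm else ""
        found.append((m.group(1), path))
    return found


def dlls_by_process(log: str) -> dict[str, list[str]]:
    """Map 'image(pid)' -> DLL paths from the per-process section. A block
    ends at the next process header, a lone '.', or a '---' rule."""
    result: dict[str, list[str]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROC_HEADER.match(line)
        if m:
            current = f"{m.group(1)}({m.group(2)})"
            result[current] = []
        elif line == "." or line.startswith("---"):
            current = None
        elif current is not None and DLL_PATH.match(line):
            result[current].append(line)
    return result


def looks_generated(filename: str) -> bool:
    """Crude name heuristic: a long stem drawn only from hex letters/digits,
    like addefcebbeefeaaec.dll here. The log alone cannot prove anything;
    signature and hash of the pulled file are the real checks."""
    stem = filename.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
    return len(stem) >= 12 and set(stem) <= set("abcdef0123456789")


def flag_suspicious(log: str) -> list[str]:
    """Paths to pull off the disk: Notify packages outside the default set,
    plus anything mapped into winlogon.exe that is not on the known list."""
    flagged = set()
    for subkey, path in winlogon_notify_entries(log):
        if subkey.lower() not in KNOWN_NOTIFY:
            flagged.add(path or subkey)
    for proc, dlls in dlls_by_process(log).items():
        if proc.lower().startswith("winlogon.exe("):
            for dll in dlls:
                if dll.rsplit("\\", 1)[-1].lower() not in KNOWN_WINLOGON_MODULES:
                    flagged.add(dll)
    return sorted(flagged)


if __name__ == "__main__":
    for path in flag_suspicious(SAMPLE_LOG):
        tag = " (generated-looking name)" if looks_generated(path) else ""
        print(f"SUSPECT {path}{tag}")
```

A Notify package is loaded by winlogon.exe during boot, before any user logs on, so its file stays mapped for as long as Windows is running and cannot be deleted from inside that session; that is consistent with the poster's report that the DLL only came off with the disk mounted from another machine. Treat looks_generated as a hint, not a verdict: the decision should rest on the signature and hash of the pulled file.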