yourguide
Members, 4 posts

Everything posted by yourguide

  1. I was able to get ComboFix to run... here is the log file from it:

     ComboFix 09-11-23.01 - tech 11/23/2009 17:51.1.2 - x86
     Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.679 [GMT -6:00]
     Running from: c:\tmp\ComboFix.exe
     AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\windows\system32\404Fix.exe
     c:\windows\system32\Agent.OMZ.Fix.exe
     c:\windows\system32\dumphive.exe
     c:\windows\system32\IEDFix.C.exe
     c:\windows\system32\IEDFix.exe
     c:\windows\system32\o4Patch.exe
     c:\windows\system32\Process.exe
     c:\windows\system32\SrchSTS.exe
     c:\windows\system32\VACFix.exe
     c:\windows\system32\VCCLSID.exe
     c:\windows\system32\WS2Fix.exe
     c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
     c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
     Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
     Restored copy from - c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     -------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

     ((((((((((((((((((((((((( Files Created from 2009-10-23 to 2009-11-23 )))))))))))))))))))))))))))))))
     .
     2009-11-23 23:03 . 2009-03-30 16:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
     2009-11-23 23:03 . 2009-02-13 18:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
     2009-11-23 23:03 . 2009-02-13 18:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
     2009-11-23 23:03 . 2009-11-23 23:03 -------- d-----w- c:\program files\Avira
     2009-11-23 23:03 . 2009-11-23 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
     2009-11-23 22:59 . 2009-11-23 22:59 34816 ----a-w- c:\windows\system32\drivers\tt.sys
     2009-11-23 22:44 . 2009-11-23 22:44 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
     2009-11-23 22:11 . 2009-11-23 22:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
     2009-11-23 22:06 . 2009-11-23 22:06 -------- d-sh--w- c:\documents and settings\tech\IETldCache
     2009-11-23 22:04 . 2009-10-02 04:44 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
     2009-11-23 22:04 . 2009-11-23 22:04 -------- d-----w- c:\windows\ie8updates
     2009-11-23 22:04 . 2009-08-29 08:08 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
     2009-11-23 22:04 . 2009-08-29 08:08 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
     2009-11-23 22:04 . 2009-08-29 08:08 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
     2009-11-23 22:04 . 2009-08-29 08:08 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
     2009-11-23 22:04 . 2009-08-29 08:08 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
     2009-11-23 22:04 . 2009-08-29 08:08 11069440 ------w- c:\windows\system32\dllcache\ieframe.dll
     2009-11-23 22:02 . 2009-11-23 22:04 -------- dc-h--w- c:\windows\ie8
     2009-11-23 22:01 . 2008-02-26 11:59 294912 ------w- c:\windows\system32\dllcache\msctf.dll
     2009-11-23 21:49 . 2009-11-23 21:49 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
     2009-11-23 21:45 . 2009-11-23 21:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
     2009-11-23 20:35 . 2009-07-28 22:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
     2009-11-23 20:23 . 2009-11-23 20:23 -------- d-----w- c:\documents and settings\tech\Local Settings\Application Data\LogMeIn
     2009-11-23 20:23 . 2009-11-23 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\LogMeIn
     2009-11-23 20:23 . 2009-11-23 20:23 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
     2009-11-23 20:23 . 2009-09-29 01:34 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
     2009-11-23 20:23 . 2009-09-29 01:34 28984 ----a-w- c:\windows\system32\LMIport.dll
     2009-11-23 20:23 . 2008-08-11 18:41 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
     2009-11-23 20:23 . 2009-09-29 01:34 87352 ----a-w- c:\windows\system32\LMIinit.dll
     2009-11-23 20:23 . 2009-11-23 20:23 -------- d-----w- c:\program files\LogMeIn
     2009-11-23 20:12 . 2009-11-23 20:12 -------- d-----w- c:\documents and settings\NetworkService\Application Data\TeamViewer
     2009-11-23 20:01 . 2009-11-23 23:56 -------- d--h--w- c:\windows\PIF
     2009-11-23 19:59 . 2009-11-23 19:59 -------- d-----w- c:\documents and settings\tech\Application Data\Malwarebytes
     2009-11-23 19:59 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2009-11-23 19:59 . 2009-11-23 22:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2009-11-23 19:59 . 2009-11-23 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2009-11-23 19:59 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
     2009-11-23 19:55 . 2009-11-23 19:55 -------- d-----w- c:\documents and settings\tech\Local Settings\Application Data\Mozilla
     2009-11-23 19:51 . 2009-11-23 23:45 -------- d-----w- C:\tmp
     2009-11-23 19:40 . 2009-11-23 19:40 -------- d-----w- c:\documents and settings\tech\Application Data\TeamViewer
     2009-11-23 19:40 . 2009-11-23 19:40 -------- d-----w- c:\documents and settings\tech\temp
     2009-11-23 00:57 . 2009-11-23 01:07 -------- d-----w- c:\documents and settings\tech\Local Settings\Application Data\Temp
     2009-11-23 00:55 . 2009-11-23 00:56 -------- d-----w- c:\documents and settings\tech\Local Settings\Application Data\Deployment
     2009-11-23 00:42 . 2009-11-23 23:36 0 ----a-r- c:\windows\win32k.sys
     2009-11-19 23:26 . 1993-09-21 06:00 58192 ----a-w- c:\windows\system\MHRUN300.DLL
     2009-11-19 23:26 . 1993-05-12 06:00 398416 ----a-w- c:\windows\system\VBRUN300.DLL
     2009-11-19 23:26 . 2009-11-19 23:26 -------- d-----w- C:\WEBSTERS
     2009-11-19 23:26 . 2009-11-19 23:26 -------- d-----w- c:\documents and settings\tech\WINDOWS
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-11-23 23:29 . 2007-12-10 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
     2009-11-23 23:29 . 2007-12-10 03:52 -------- d-----w- c:\program files\Common Files\Symantec Shared
     2009-11-23 12:27 . 2007-12-14 22:54 -------- d-----w- c:\documents and settings\tech\Application Data\Wave Systems Corp
     2009-11-09 20:17 . 2009-11-09 20:17 97792 ----a-w- c:\documents and settings\tech\Application Data\Sun\Java\Deployment\cache\javaws\http\Dtis2web.xw.gm.com\P80\V3.0.12\DMtis2web\DMsps\DMdownload\RNsps-nativelibs.jar\Vcs_HOD_V4.dll
     2009-10-19 18:18 . 2009-10-19 18:18 -------- d-----w- c:\program files\D-PDU API
     2009-10-19 18:18 . 2007-12-18 21:58 -------- d-----w- c:\program files\GM MDI Software
     2009-10-19 18:13 . 2009-07-02 15:01 -------- d-----w- c:\program files\GDS
     2009-10-12 15:02 . 2009-10-12 15:02 98304 ----a-w- c:\documents and settings\tech\Application Data\Sun\Java\Deployment\cache\javaws\http\Dtis2web.xw.gm.com\P80\V3.0.11\DMtis2web\DMsps\DMdownload\RNsps-nativelibs.jar\Vcs_DAT.dll
     2009-10-05 15:22 . 2009-10-05 15:22 1954816 ----a-w- c:\documents and settings\tech\Application Data\Sun\Java\Deployment\cache\javaws\http\Dtis2web.xw.gm.com\P80\V3.0.10\DMtis2web\DMsps\DMdownload\RNsps-nativelibs.jar\xerces-c_3_0.dll
     2009-10-02 15:19 . 2009-10-02 15:19 84992 ----a-w- c:\documents and settings\tech\Application Data\Sun\Java\Deployment\cache\javaws\http\Dtis2web.xw.gm.com\P80\V2.9.9\DMtis2web\DMkdr\DMclient\RNkdr-nativelibs.jar\wsibridge.dll
     2009-10-02 15:19 . 2009-10-02 15:19 40517 ----a-w- c:\documents and settings\tech\Application Data\Sun\Java\Deployment\cache\javaws\http\Dtis2web.xw.gm.com\P80\V2.9.9\DMtis2web\DMkdr\DMclient\RNkdr-nativelibs.jar\jRegistryKey.dll
     2009-09-22 14:11 . 2009-09-22 14:11 97792 ----a-w- c:\documents and settings\tech\Application Data\Sun\Java\Deployment\cache\javaws\http\Dtis2web.xw.gm.com\P80\V3.0.08\DMtis2web\DMsps\DMdownload\RNsps-nativelibs.jar\Vcs_HOD_V4.dll
     2009-09-11 14:03 . 2004-08-11 23:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
     2009-09-04 20:45 . 2004-08-11 23:00 58880 ----a-w- c:\windows\system32\msasn1.dll
     2009-09-01 23:57 . 2007-12-10 04:00 12720 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2009-08-29 08:08 . 2004-08-11 23:00 916480 ----a-w- c:\windows\system32\wininet.dll
     2009-08-26 08:16 . 2004-08-11 23:00 247326 ----a-w- c:\windows\system32\strmdll.dll
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
     "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]
     "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     GM MDI APIMonitor Disable.lnk - c:\program files\GM MDI Software\J2534 Configuration\J2534ConfigApp.exe [2009-8-5 1160704]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
     "NoActiveDesktop"= 1 (0x1)

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
     2009-09-29 01:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

     [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
     Authentication Packages REG_MULTI_SZ msv1_0 wvauth

     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
     backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GM MDI APIMonitor Disable.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GM MDI APIMonitor Disable.lnk
     backup=c:\windows\pss\GM MDI APIMonitor Disable.lnkCommon Startup

     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Register.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Register.lnk
     backup=c:\windows\pss\Register.lnkCommon Startup

     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wallpaper Changer.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wallpaper Changer.lnk
     backup=c:\windows\pss\Wallpaper Changer.lnkCommon Startup

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
     "DisableMonitoring"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
     "DisableMonitoring"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
     "c:\\Program Files\\GM MDI Software\\GM MDI Identification Service\\GM_MDI_Ident.exe"=
     "c:\\WINDOWS\\system32\\lxczcoms.exe"=

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

     R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/23/2009 5:03 PM 108289]
     R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 2:21 PM 79432]
     R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
     R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [11/23/2009 2:23 PM 47640]
     R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/23/2009 1:59 PM 269648]
     R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/11/2004 5:00 PM 5120]
     R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 12:32 PM 97536]
     R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/23/2009 1:59 PM 19160]
     S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/9/2007 9:57 PM 29744]
     S3 tt;tt;c:\windows\system32\drivers\tt.sys [11/23/2009 4:59 PM 34816]
     S4 LMIRfsClientNP;LMIRfsClientNP; [x]
     .
     Contents of the 'Scheduled Tasks' folder
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = https://www.autopartners.net/apps/gcportal/login.html
     mSearch Bar = hxxp://www.google.com/ie
     uInternet Settings,ProxyServer = 127.0.0.1:81
     uInternet Settings,ProxyOverride = local
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     LSP: c:\windows\system32\biolsp.dll
     FF - ProfilePath -
     FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

     ---- FIREFOX POLICIES ----
     c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
     .
     - - - - ORPHANS REMOVED - - - -

     AddRemove-Broadcom 802.11b Network Adapter - c:\program files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe verbose
     AddRemove-{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD} - c:\program files\Apoint\Uninstap.exe ADDREMOVE

     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-11-23 17:58
     Windows 5.1.2600 Service Pack 2 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(664)
     c:\windows\system32\LMIinit.dll
     c:\windows\System32\BCMLogon.dll
     c:\windows\system32\LMIRfsClientNP.dll

     - - - - - - - > 'lsass.exe'(720)
     c:\windows\system32\wvauth.dll
     c:\windows\system32\biolsp.dll

     - - - - - - - > 'explorer.exe'(588)
     c:\windows\system32\WININET.dll
     c:\windows\system32\ieframe.dll
     c:\windows\system32\webcheck.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\windows\System32\bcmwltry.exe
     c:\windows\System32\SCardSvr.exe
     c:\program files\LogMeIn\x86\LMIGuardian.exe
     c:\program files\Avira\AntiVir Desktop\avguard.exe
     c:\program files\LogMeIn\x86\RaMaint.exe
     c:\program files\LogMeIn\x86\LogMeIn.exe
     c:\program files\LogMeIn\x86\LMIGuardian.exe
     c:\windows\system32\lxczcoms.exe
     c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
     c:\program files\SigmaTel\C-Major Audio\WDM\StacSV.exe
     c:\windows\system32\msdtc.exe
     c:\windows\system32\wscntfy.exe
     c:\program files\LogMeIn\x86\LogMeIn.exe
     c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
     .
     **************************************************************************
     .
     Completion time: 2009-11-23 18:01 - machine was rebooted
     ComboFix-quarantined-files.txt 2009-11-24 00:01

     Pre-Run: 61,348,057,088 bytes free
     Post-Run: 65,986,924,544 bytes free

     WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
     [boot loader]
     timeout=2
     default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
     [operating systems]
     c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
     multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

     - - End Of File - - 99D15A2C83F8936A4FDAC5A9FD013562
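What a responder reads out of a log like the one above is a short list of tamper indicators rather than the file listing itself: on-access AV disabled, a patched eventlog.dll, Security Center monitoring switched off, the XP firewall off with 3389/TCP globally open, and browser traffic routed through a proxy on 127.0.0.1:81. The Python below is an added example, not code from the poster, from Malwarebytes or from ComboFix's author; it pulls exactly those indicators out of ComboFix-style text. The check names and the trimmed sample log are my own construction (the sample lines are copied from the posted log), and the LSA check only flags non-default authentication packages for verification: the log's Find3M section shows a Wave Systems Corp profile directory, so wvauth is plausibly that vendor's package, not malware.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines in the shape of the ComboFix log posted
# above (AV header, Other Deletions, Reg Loading Points, Supplementary Scan),
# trimmed to the lines the checks below look at.
SAMPLE_LOG = r"""
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
uInternet Settings,ProxyServer = 127.0.0.1:81
uInternet Settings,ProxyOverride = local
"""


@dataclass(frozen=True)
class Finding:
    check: str    # hypothetical short name of the check that fired
    detail: str   # the value, path or key that triggered it


KEY_RE = re.compile(r"^\[(.+)\]$")                       # [registry key] header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')          # "name"= value
INFECTED_RE = re.compile(r"^Infected copy of (\S+) was found", re.IGNORECASE)
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(127\.0\.0\.1|localhost):(\d+)", re.IGNORECASE)
AUTHPKG_RE = re.compile(r"^Authentication Packages\s+REG_MULTI_SZ\s+(.+)$")


def _int_value(value):
    """Numeric part of a ComboFix registry value ('dword:00000001', '0 (0x0)'); None if not numeric."""
    parts = value.split()
    tok = parts[0] if parts else ""
    if tok.lower().startswith("dword:"):
        return int(tok[6:], 16)
    try:
        return int(tok, 0)
    except ValueError:
        return None


def triage_combofix(log_text):
    """Walk ComboFix-style text and return the tamper/hardening indicators it contains, in log order."""
    findings = []
    current_key = ""   # most recent [registry key] header, original case
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        key_lc = current_key.lower()

        # AV header: real-time protection switched off.
        if line.startswith("AV:") and "*on-access scanning disabled*" in line.lower():
            findings.append(Finding("av_realtime_off", line[3:].strip()))
            continue
        # Other Deletions: a system DLL was patched in place.
        m = INFECTED_RE.match(line)
        if m:
            findings.append(Finding("infected_system_file", m.group(1)))
            continue
        # Supplementary Scan: browser traffic routed through a loopback proxy.
        m = PROXY_RE.search(line)
        if m:
            findings.append(Finding("loopback_proxy", f"{m.group(1)}:{m.group(2)}"))
            continue
        # LSA: any authentication package beyond the default msv1_0 (verify vendor).
        m = AUTHPKG_RE.match(line)
        if m and key_lc.endswith("control\\lsa"):
            extra = [p for p in m.group(1).split() if p.lower() != "msv1_0"]
            if extra:
                findings.append(Finding("extra_lsa_auth_package", ", ".join(extra)))
            continue
        # Remaining checks are keyed on "name"= value lines under a known key.
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if ("security center\\monitoring" in key_lc and name == "DisableMonitoring"
                and _int_value(value) == 1):
            findings.append(Finding("security_center_monitoring_off",
                                    current_key.rsplit("\\", 1)[-1]))
        elif name == "EnableFirewall" and _int_value(value) == 0:
            findings.append(Finding("firewall_off", current_key))
        elif key_lc.endswith("globallyopenports\\list"):
            findings.append(Finding("firewall_open_port", name))
    return findings


if __name__ == "__main__":
    for f in triage_combofix(SAMPLE_LOG):
        print(f"{f.check:32} {f.detail}")
```

Run it on a saved log with `triage_combofix(open(path).read())`. Each finding is something to verify against what the owner intentionally configured: LogMeIn and an open 3389/TCP on a technician's machine are expected, whereas a loopback proxy on port 81 with no known local proxy process, and Security Center monitoring turned off while the AV is also reported as disabled, are the marks of the kind of scanner-killing infection described in the poster's other thread.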
  2. Moved this topic over to the Malware Forum....
  3. Hello Everyone.... I have been using Malwarebytes to remove ALL kinds of nasty things from PCs for almost a year now... absolutely love the product! That said, I have a new one that is really giving me a headache. I can remote in to this PC via Logmein, but would rather not go onsite just yet.... if at all possible... I am pretty sure I could boot to a BartPE CD or HawkPE or similar and probably remove this beast... but I would really like to find a way to do this remotely. I CAN reboot into safe mode. Here goes: Every program I install that runs ANY sort of scan gets shut down and blocked from running again. Examples: Malwarebytes = Installs fine, updates fine, run scan and 2 seconds later it's gone... won't let you run any more scans until reinstall. RootRepeal = Run scan for files.... runs a little while then gets shut down, never to run again... tried renaming it... won't run then... so no go. HijackThis = Starts to run scan... same thing... blam, no more HijackThis... no matter what it's named. AntiVir = Installs, updates, runs scan... found some stuff... wouldn't remove it... reboot.... now it won't scan anymore... What it found: Fakealert.CO.712 and tr/dropper.gen Sooooo.... anyone have any thoughts on how I should proceed? I tried running all these apps in safe mode.... same thing happens. I can run Process Explorer and even in safe mode I don't see anything strange running as an active process... Help.