Posts posted by yourguide
Moved this topic over to the Malware Forum....
-
Hello Everyone.... I have been using Malwarebytes to remove ALL kinds of nasty things from PCs for almost a year now... absolutely love the product!
That said I have a new one that is really giving me a headache.
I can remote in to this PC via Logmein, but would rather not go onsite just yet.... if at all possible... I am pretty sure I could boot to a BartPE CD or HawkPE or similar and probably remove this beast... but I would really like to find a way to do this remotely.
I CAN reboot into safe mode.
Here goes:
Every program I install that runs ANY sort of scan gets shut down and blocked from running again.
Examples: Malwarebytes = Installs fine, updates fine, run scan and 2 seconds later it's gone... won't let you run any more scans until reinstall.
RootRepeal = Run scan for files.... runs a little while then gets shut down, never to run again... tried renaming it... won't run then... so no go.
HijackThis = Starts to run scan... same thing... blam no more HijackThis... no matter what it's named.
AntiVir = Installs, updates, runs scan... found some stuff... wouldn't remove it... reboot.... now it won't scan anymore...
What it found: Fakealert.CO.712 and tr/dropper.gen
Sooooo.... anyone have any thoughts on how I should proceed?
I tried running all these apps in safe mode.... same thing happens.
I can run Process Explorer and even in safe mode I don't see anything strange running as an active process...
Help.
-
New Malware/Trojan/Virii ??
in Resolved Malware Removal Logs
I was able to get ComboFix to run... here is the log file from it:
ComboFix 09-11-23.01 - tech 11/23/2009 17:51.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.679 [GMT -6:00]
Running from: c:\tmp\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
((((((((((((((((((((((((( Files Created from 2009-10-23 to 2009-11-23 )))))))))))))))))))))))))))))))
.
2009-11-23 23:03 . 2009-03-30 16:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-23 23:03 . 2009-02-13 18:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-23 23:03 . 2009-02-13 18:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-23 23:03 . 2009-11-23 23:03 -------- d-----w- c:\program files\Avira
2009-11-23 23:03 . 2009-11-23 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-11-23 22:59 . 2009-11-23 22:59 34816 ----a-w- c:\windows\system32\drivers\tt.sys
2009-11-23 22:44 . 2009-11-23 22:44 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-11-23 22:11 . 2009-11-23 22:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-23 22:06 . 2009-11-23 22:06 -------- d-sh--w- c:\documents and settings\tech\IETldCache
2009-11-23 22:04 . 2009-10-02 04:44 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-11-23 22:04 . 2009-11-23 22:04 -------- d-----w- c:\windows\ie8updates
2009-11-23 22:04 . 2009-08-29 08:08 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-11-23 22:04 . 2009-08-29 08:08 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-11-23 22:04 . 2009-08-29 08:08 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-11-23 22:04 . 2009-08-29 08:08 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-11-23 22:04 . 2009-08-29 08:08 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-23 22:04 . 2009-08-29 08:08 11069440 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-11-23 22:02 . 2009-11-23 22:04 -------- dc-h--w- c:\windows\ie8
2009-11-23 22:01 . 2008-02-26 11:59 294912 ------w- c:\windows\system32\dllcache\msctf.dll
2009-11-23 21:49 . 2009-11-23 21:49 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-11-23 21:45 . 2009-11-23 21:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-23 20:35 . 2009-07-28 22:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-23 20:23 . 2009-11-23 20:23 -------- d-----w- c:\documents and settings\tech\Local Settings\Application Data\LogMeIn
2009-11-23 20:23 . 2009-11-23 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\LogMeIn
2009-11-23 20:23 . 2009-11-23 20:23 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
2009-11-23 20:23 . 2009-09-29 01:34 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-11-23 20:23 . 2009-09-29 01:34 28984 ----a-w- c:\windows\system32\LMIport.dll
2009-11-23 20:23 . 2008-08-11 18:41 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
2009-11-23 20:23 . 2009-09-29 01:34 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-11-23 20:23 . 2009-11-23 20:23 -------- d-----w- c:\program files\LogMeIn
2009-11-23 20:12 . 2009-11-23 20:12 -------- d-----w- c:\documents and settings\NetworkService\Application Data\TeamViewer
2009-11-23 20:01 . 2009-11-23 23:56 -------- d--h--w- c:\windows\PIF
2009-11-23 19:59 . 2009-11-23 19:59 -------- d-----w- c:\documents and settings\tech\Application Data\Malwarebytes
2009-11-23 19:59 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-23 19:59 . 2009-11-23 22:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-23 19:59 . 2009-11-23 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-23 19:59 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-23 19:55 . 2009-11-23 19:55 -------- d-----w- c:\documents and settings\tech\Local Settings\Application Data\Mozilla
2009-11-23 19:51 . 2009-11-23 23:45 -------- d-----w- C:\tmp
2009-11-23 19:40 . 2009-11-23 19:40 -------- d-----w- c:\documents and settings\tech\Application Data\TeamViewer
2009-11-23 19:40 . 2009-11-23 19:40 -------- d-----w- c:\documents and settings\tech\temp
2009-11-23 00:57 . 2009-11-23 01:07 -------- d-----w- c:\documents and settings\tech\Local Settings\Application Data\Temp
2009-11-23 00:55 . 2009-11-23 00:56 -------- d-----w- c:\documents and settings\tech\Local Settings\Application Data\Deployment
2009-11-23 00:42 . 2009-11-23 23:36 0 ----a-r- c:\windows\win32k.sys
2009-11-19 23:26 . 1993-09-21 06:00 58192 ----a-w- c:\windows\system\MHRUN300.DLL
2009-11-19 23:26 . 1993-05-12 06:00 398416 ----a-w- c:\windows\system\VBRUN300.DLL
2009-11-19 23:26 . 2009-11-19 23:26 -------- d-----w- C:\WEBSTERS
2009-11-19 23:26 . 2009-11-19 23:26 -------- d-----w- c:\documents and settings\tech\WINDOWS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-23 23:29 . 2007-12-10 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-23 23:29 . 2007-12-10 03:52 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-23 12:27 . 2007-12-14 22:54 -------- d-----w- c:\documents and settings\tech\Application Data\Wave Systems Corp
2009-11-09 20:17 . 2009-11-09 20:17 97792 ----a-w- c:\documents and settings\tech\Application Data\Sun\Java\Deployment\cache\javaws\http\Dtis2web.xw.gm.com\P80\V3.0.12\DMtis2web\DMsps\DMdownload\RNsps-nativelibs.jar\Vcs_HOD_V4.dll
2009-10-19 18:18 . 2009-10-19 18:18 -------- d-----w- c:\program files\D-PDU API
2009-10-19 18:18 . 2007-12-18 21:58 -------- d-----w- c:\program files\GM MDI Software
2009-10-19 18:13 . 2009-07-02 15:01 -------- d-----w- c:\program files\GDS
2009-10-12 15:02 . 2009-10-12 15:02 98304 ----a-w- c:\documents and settings\tech\Application Data\Sun\Java\Deployment\cache\javaws\http\Dtis2web.xw.gm.com\P80\V3.0.11\DMtis2web\DMsps\DMdownload\RNsps-nativelibs.jar\Vcs_DAT.dll
2009-10-05 15:22 . 2009-10-05 15:22 1954816 ----a-w- c:\documents and settings\tech\Application Data\Sun\Java\Deployment\cache\javaws\http\Dtis2web.xw.gm.com\P80\V3.0.10\DMtis2web\DMsps\DMdownload\RNsps-nativelibs.jar\xerces-c_3_0.dll
2009-10-02 15:19 . 2009-10-02 15:19 84992 ----a-w- c:\documents and settings\tech\Application Data\Sun\Java\Deployment\cache\javaws\http\Dtis2web.xw.gm.com\P80\V2.9.9\DMtis2web\DMkdr\DMclient\RNkdr-nativelibs.jar\wsibridge.dll
2009-10-02 15:19 . 2009-10-02 15:19 40517 ----a-w- c:\documents and settings\tech\Application Data\Sun\Java\Deployment\cache\javaws\http\Dtis2web.xw.gm.com\P80\V2.9.9\DMtis2web\DMkdr\DMclient\RNkdr-nativelibs.jar\jRegistryKey.dll
2009-09-22 14:11 . 2009-09-22 14:11 97792 ----a-w- c:\documents and settings\tech\Application Data\Sun\Java\Deployment\cache\javaws\http\Dtis2web.xw.gm.com\P80\V3.0.08\DMtis2web\DMsps\DMdownload\RNsps-nativelibs.jar\Vcs_HOD_V4.dll
2009-09-11 14:03 . 2004-08-11 23:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2004-08-11 23:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 23:57 . 2007-12-10 04:00 12720 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-29 08:08 . 2004-08-11 23:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:16 . 2004-08-11 23:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
GM MDI APIMonitor Disable.lnk - c:\program files\GM MDI Software\J2534 Configuration\J2534ConfigApp.exe [2009-8-5 1160704]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-29 01:34 87352 ----a-w- c:\windows\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GM MDI APIMonitor Disable.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GM MDI APIMonitor Disable.lnk
backup=c:\windows\pss\GM MDI APIMonitor Disable.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Register.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Register.lnk
backup=c:\windows\pss\Register.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wallpaper Changer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wallpaper Changer.lnk
backup=c:\windows\pss\Wallpaper Changer.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\Program Files\\GM MDI Software\\GM MDI Identification Service\\GM_MDI_Ident.exe"=
"c:\\WINDOWS\\system32\\lxczcoms.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/23/2009 5:03 PM 108289]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 2:21 PM 79432]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [11/23/2009 2:23 PM 47640]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/23/2009 1:59 PM 269648]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/11/2004 5:00 PM 5120]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 12:32 PM 97536]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/23/2009 1:59 PM 19160]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/9/2007 9:57 PM 29744]
S3 tt;tt;c:\windows\system32\drivers\tt.sys [11/23/2009 4:59 PM 34816]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.autopartners.net/apps/gcportal/login.html
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = 127.0.0.1:81
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
LSP: c:\windows\system32\biolsp.dll
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -
AddRemove-Broadcom 802.11b Network Adapter - c:\program files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe verbose
AddRemove-{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD} - c:\program files\Apoint\Uninstap.exe ADDREMOVE
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-23 17:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\LMIinit.dll
c:\windows\System32\BCMLogon.dll
c:\windows\system32\LMIRfsClientNP.dll
- - - - - - - > 'lsass.exe'(720)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
- - - - - - - > 'explorer.exe'(588)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\bcmwltry.exe
c:\windows\System32\SCardSvr.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\system32\lxczcoms.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\SigmaTel\C-Major Audio\WDM\StacSV.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\wscntfy.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2009-11-23 18:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-24 00:01
Pre-Run: 61,348,057,088 bytes free
Post-Run: 65,986,924,544 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 99D15A2C83F8936A4FDAC5A9FD013562