
whytee

Hello, I am trying to use Malwarebytes to remove this super annoying Open Cloud Security crap from my girlfriend's computer. I have tried a number of guides online which have told me to rename the mbam.exe file to firefox.com. I do this, download the latest updates, and try to run it, and it is closing after about 5 seconds. I am doing all of this in Safe Mode with Networking. I have been reading on this site for a while and have downloaded ComboFix. I disabled all my Antivirus/Antispyware/Firewall programs and ran ComboFix. The results are below; what is my next best course of action? Thank you very much in advance!

ComboFix 11-09-27.01 - Administrator 09/27/2011 16:27:28.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1783 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Justin\Application Data\SIIIBrzPNyx1uDo\sySL32.dll
c:\windows\$NtUninstallKB15524$
c:\windows\$NtUninstallKB15524$\1720165852\@
c:\windows\$NtUninstallKB15524$\1720165852\bckfg.tmp
c:\windows\$NtUninstallKB15524$\1720165852\cfg.ini
c:\windows\$NtUninstallKB15524$\1720165852\Desktop.ini
c:\windows\$NtUninstallKB15524$\1720165852\keywords
c:\windows\$NtUninstallKB15524$\1720165852\kwrd.dll
c:\windows\$NtUninstallKB15524$\1720165852\L\oioonbvi
c:\windows\$NtUninstallKB15524$\1720165852\lsflt7.ver
c:\windows\$NtUninstallKB15524$\1720165852\U\00000001.@
c:\windows\$NtUninstallKB15524$\1720165852\U\00000002.@
c:\windows\$NtUninstallKB15524$\1720165852\U\80000000.@
c:\windows\$NtUninstallKB15524$\1720165852\U\80000032.@
c:\windows\$NtUninstallKB15524$\2931293555
.
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - The cat found it
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_6687a5dc
.
.
(((((((((((((((((((((((((   Files Created from 2011-08-27 to 2011-09-27   )))))))))))))))))))))))))))))))
.
.
2011-09-27 20:20 . 2004-08-04 12:00    49536    ----a-w-    c:\windows\system32\drivers\cdrom.sys
2011-09-27 19:35 . 2011-09-27 19:51    41272    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-27 19:04 . 2011-09-27 19:04    --------    d-s---w-    c:\documents and settings\Administrator\UserData
2011-09-27 18:34 . 2011-09-27 18:35    --------    d-----w-    c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-09-27 16:43 . 2011-09-27 16:43    --------    d-----w-    c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-09-27 06:16 . 2011-09-27 06:16    --------    d--h--w-    c:\windows\PIF
2011-09-27 05:51 . 2011-09-27 05:51    --------    d-s---w-    c:\documents and settings\NetworkService\UserData
2011-09-27 04:52 . 2011-09-27 04:52    2463744    ----a-w-    c:\windows\system32\U22oonF44mH5sJd.exe
2011-09-19 03:24 . 2011-09-19 03:24    --------    d-----w-    c:\program files\Viewpoint
2011-09-19 03:23 . 2011-09-19 03:24    --------    d-----w-    c:\program files\AIM95
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-24 20:27 . 2011-08-24 20:27    404640    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-02 22:23 . 2011-08-02 22:23    260    ----a-w-    c:\windows\system32\cmdVBS.vbs
2011-08-02 22:23 . 2011-08-02 22:23    256    ----a-w-    c:\windows\system32\MSIevent.bat
2011-09-09 02:14 . 2011-03-26 16:50    134104    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOvrly1]
@="{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}"
[HKEY_CLASSES_ROOT\CLSID\{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}]
2007-04-20 18:40    118784    ----a-w-    c:\program files\TrueSuite Access Manager\IconOvrly.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-03-07 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-03-07 970752]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-07-05 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 24576]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2007-04-20 101144]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-04-20 84760]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2007-04-20 125720]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-13 16132608]
"NDSTray.exe"="NDSTray.exe" [bU]
"TFncKy"="TFncKy.exe" [bU]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296]
"TFNF5"="TFNF5.exe" [2006-04-11 622592]
"TAudEffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-10 344144]
"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-04-27 90112]
"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976]
"TOSDCR"="TOSDCR.EXE" [2005-12-13 57344]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.exe" [2005-06-29 126976]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744]
"TosAutLk"="c:\program files\TOSHIBA\WirelessKeyLogon\TosAutLk.exe" [2006-11-21 110592]
"TPSODDCtl"="TPSODDCtl.exe" [2007-04-24 118784]
"TPSMain"="TPSMain.exe" [2007-04-24 315392]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"FingerPrintNotifer"="c:\program files\TrueSuite Access Manager\FpNotifier.exe" [2007-05-31 671744]
"UsbMonitor"="c:\program files\TrueSuite Access Manager\usbnotify.exe" [2007-06-05 94208]
"PwdBank"="c:\program files\TrueSuite Access Manager\PwdBank.exe" [2007-06-15 3147776]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2007-01-26 136816]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-01-28 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"Creative KSRun Persistence Module"="KSRun.dll" [2009-12-07 24064]
"VolPanel"="c:\program files\Creative\Volume Panel\VolPanlu.exe" [2009-07-07 241789]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
"W888gTTZqhYw8234A"="c:\windows\system32\U22oonF44mH5sJd.exe" [2011-09-27 2463744]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2007-05-31 16:34    176128    ----a-w-    c:\windows\system32\FpWinlogonNp.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Owner1\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Documents and Settings\\Justin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21853:TCP"= 21853:TCP:BitComet 21853 TCP
"21853:UDP"= 21853:UDP:BitComet 21853 UDP
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
R0 AlfaFF;AlfaFF mini-filter driver;c:\windows\system32\drivers\AlfaFF.sys [6/21/2007 3:21 PM 29440]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/1/2009 2:34 AM 721904]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [4/27/2007 1:19 PM 21120]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [3/9/2007 6:23 PM 6528]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [6/7/2007 6:13 PM 36608]
S1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [6/7/2007 6:23 PM 5888]
S2 Authentec memory manager;Authentec memory manager service;c:\windows\system32\TAMSvr.exe [6/21/2007 3:21 PM 9216]
S2 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [6/21/2007 3:21 PM 106496]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/18/2010 12:42 AM 135664]
S2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [7/1/2011 3:01 PM 151552]
S2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 3:22 PM 105856]
S2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [6/7/2007 6:23 PM 126976]
S2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 3:15 PM 134016]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [5/14/2010 3:14 PM 79360]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/18/2010 12:42 AM 135664]
S3 ksaud;Creative USB Audio Driver;c:\windows\system32\drivers\ksaud.sys [12/15/2009 10:25 AM 857472]
S3 ksaudfl;ksaudfl;c:\windows\system32\drivers\ksaudfl.sys [10/24/2008 6:27 PM 1830912]
S3 QCEmerald;Logitech QuickCam Web(PID_0850);c:\windows\system32\drivers\lvce.sys [10/1/2009 7:29 PM 44544]
S3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [6/7/2007 6:23 PM 435072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-18 04:42]
.
2011-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-18 04:42]
.
2011-09-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2034601438-1622992482-3957849795-1008Core.job
- c:\documents and settings\Owner1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-03 01:59]
.
2011-09-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2034601438-1622992482-3957849795-1008UA.job
- c:\documents and settings\Owner1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-03 01:59]
.
2011-09-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2034601438-1622992482-3957849795-1009Core.job
- c:\documents and settings\Justin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-23 04:56]
.
2011-09-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2034601438-1622992482-3957849795-1009UA.job
- c:\documents and settings\Justin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-23 04:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
TCP: DhcpNameServer = 192.168.1.1
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
FF - ProfilePath -
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-27 18:37
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(864)
c:\windows\system32\FpWinLogonNp.dll
.
- - - - - - - > 'explorer.exe'(1964)
c:\program files\TrueSuite Access Manager\IconOvrly.dll
c:\windows\system32\msi.dll
.
Completion time: 2011-09-27 18:40:00 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-27 22:39
.
Pre-Run: 115,773,489,152 bytes free
Post-Run: 119,647,711,232 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - C3428F8E9699780E7C747F29381328F8
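An added triage script, not part of whytee's post and not a Malwarebytes or ComboFix tool: it reads the "Reg Loading Points" section in the shape ComboFix prints above and flags the two things in this log that a helper would look at first, a Run value whose name and target binary look machine-generated and whose file is dated the day of the scan (W888gTTZqhYw8234A pointing at c:\windows\system32\U22oonF44mH5sJd.exe), and Security Center keys with DisableMonitoring set to 1, which silence the AV and firewall status alerts. The sample text is constructed from lines in the log; the name-length threshold and the seven-day window are assumptions.

```python
"""Triage pass over a ComboFix 'Reg Loading Points' section (added example)."""
import re
from datetime import date

# Constructed sample in the REGEDIT4-style shape ComboFix prints. The rows
# are copied from the log in the post above; most benign Run entries are
# left out for brevity.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2007-04-20 101144]
"NDSTray.exe"="NDSTray.exe" [bU]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-07-05 258048]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
"W888gTTZqhYw8234A"="c:\windows\system32\U22oonF44mH5sJd.exe" [2011-09-27 2463744]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
'''

SCAN_DATE = date(2011, 9, 27)  # the run date from the ComboFix header above

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s+\[(?P<meta>[^\]]*)\]$')
DATE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2}) \d+$')   # 'YYYY-MM-DD size'
DWORD_RE = re.compile(r'^"DisableMonitoring"=dword:(?P<val>[0-9a-fA-F]{8})$')


def looks_random(token: str) -> bool:
    """Crude 'generated name' test: a long stem mixing digits with upper-
    and lower-case letters. The 10-character threshold is an assumption
    tuned against the names in this log; treat hits as a hint, not a verdict."""
    stem = token.rsplit('.', 1)[0]
    return (len(stem) >= 10
            and any(c.isdigit() for c in stem)
            and any(c.islower() for c in stem)
            and any(c.isupper() for c in stem))


def analyze(log_text: str, scan_date: date, recent_days: int = 7) -> dict:
    """Return Run-key entries worth a second look and every Security Center
    key whose DisableMonitoring value is set to 1."""
    findings = {"suspicious_run": [], "monitoring_disabled": []}
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:                      # '[HKEY_...]' header starts a new section
            current_key = key.group("key")
            continue
        if current_key.lower().endswith(r"\currentversion\run"):
            m = RUN_RE.match(line)
            if not m:                # '.' separators and blank lines
                continue
            name, path, meta = m.group("name", "path", "meta")
            binary = path.rsplit("\\", 1)[-1]
            reasons = []
            if looks_random(name) or looks_random(binary):
                reasons.append("generated-looking value or binary name")
            dm = DATE_RE.match(meta)  # meta may also be '[X]' or '[bU]'
            if dm:
                age = (scan_date - date.fromisoformat(dm.group(1))).days
                if 0 <= age <= recent_days:
                    reasons.append(f"binary dated {dm.group(1)}, {age} day(s) before the scan")
            if reasons:
                findings["suspicious_run"].append((name, path, reasons))
        elif "security center" in current_key.lower():
            m = DWORD_RE.match(line)
            if m and int(m.group("val"), 16) == 1:
                findings["monitoring_disabled"].append(current_key)
    return findings


def analyze_sample() -> dict:
    """Run the triage over the constructed sample with the log's scan date."""
    return analyze(SAMPLE_LOG, SCAN_DATE)


if __name__ == "__main__":
    result = analyze_sample()
    for name, path, reasons in result["suspicious_run"]:
        print(f"RUN  {name} -> {path}\n     " + "; ".join(reasons))
    for key in result["monitoring_disabled"]:
        print(f"SC   DisableMonitoring=1 under {key}")
```

Run against the full log as pasted, the same single Run entry and all three DisableMonitoring keys come out. Vendor helper names such as 00THotkey sit close to the "generated name" line, so use a hit as a prompt to check the file's signature and creation time rather than as a verdict.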