bdca13

Everything posted by bdca13

  1. Had same exact issue. I was actually able to fix this using only the infected computer, and it seems to have worked. First, I went into the Control Panel, Administrative Tools and then Services, and noticed that the DHCP service wasn't started, so I started it, and I had internet. I had to go into my browser's preferences and turn off the proxy server that had been turned on. Found this blog, downloaded the ComboFix.exe software from the link above, and let it run. HERE'S THE LOG. I'm able to run Malwarebytes again, so I'm hoping I got rid of the problem, but am going to run multiple scanners just to be sure.
     ComboFix 11-10-30.03 - Tech 10/31/2011 0:37.1.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.167 [GMT -7:00]
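A defender's check for the two things the poster fixed by hand (the stopped DHCP service and the browser proxy that had been switched on), written here as an added PowerShell example rather than anything from the original post; it assumes Windows PowerShell 2.0 or later and uses the standard Dhcp service name and WinINET registry key, not values from this thread.

```powershell
# Added example, not code from the original post. Checks the two symptoms the
# poster found on the infected Windows XP machine: the DHCP Client service
# stopped, and a proxy silently switched on in the browser's settings.
# Assumes Windows PowerShell 2.0 or later; service and registry names are the
# standard Windows ones, not values taken from this thread.

function Get-ProxyDhcpFindings {
    $findings = @()

    # 1. DHCP Client service (service name "Dhcp"). If it is stopped the host
    #    gets no address from the router and the user sees "no internet".
    $dhcp = Get-Service -Name Dhcp -ErrorAction SilentlyContinue
    if ($null -eq $dhcp) {
        $findings += 'DHCP Client service (Dhcp) not found'
    } elseif ($dhcp.Status -ne 'Running') {
        $findings += "DHCP Client service is $($dhcp.Status), expected Running"
    }

    # 2. Per-user WinINET proxy settings, honoured by Internet Explorer and by
    #    most Windows applications. Malware sets ProxyEnable or plants an
    #    AutoConfigURL so that all browsing is routed through a host it picks.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $inet = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($inet -and $inet.ProxyEnable -eq 1) {
        $findings += "Proxy enabled for current user: $($inet.ProxyServer)"
    }
    if ($inet -and $inet.AutoConfigURL) {
        $findings += "Proxy auto-config script set: $($inet.AutoConfigURL)"
    }

    # One string per anomaly; an empty array means nothing suspicious was seen.
    return ,$findings
}

$result = Get-ProxyDhcpFindings
if ($result.Count -eq 0) { 'No DHCP or proxy anomalies found' } else { $result }
```

Firefox keeps its own proxy settings (network.proxy.type and related keys in the profile's prefs.js), so if that is the browser in use, check those as well; the WinINET key above only covers Internet Explorer and applications that share its settings.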