bdca13
in Resolved Malware Removal Logs
Posted
Had the same exact issue. I was actually able to fix this using only the infected computer, and it seems to have worked.
First, I went into the Control Panel, then Administrative Tools and then Services, and noticed that the DHCP service wasn't started, so I started it, and I had internet. I had to go into my browser's preferences and turn off the proxy server that had been turned on.
Found this blog, downloaded the ComboFix.exe software from the link above, and let it run.
HERE'S THE LOG. I'm able to run Malwarebytes again, so I'm hoping I got rid of the problem, but I am going to run multiple scanners just to be sure.
ComboFix 11-10-30.03 - Tech 10/31/2011 0:37.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.167 [GMT -7:00]
Running from: c:\documents and settings\Tech\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Owner.salstation\My Documents\~WRD0000.tmp
c:\documents and settings\Owner.salstation\My Documents\~WRL3053.tmp
c:\documents and settings\Owner.salstation\My Documents\~WRL3708.tmp
c:\documents and settings\Owner.salstation\WINDOWS
c:\documents and settings\Tech\WINDOWS
c:\windows\$NtUninstallKB63881$\2203856554
c:\windows\$NtUninstallKB63881$\580003044\@
c:\windows\$NtUninstallKB63881$\580003044\bckfg.tmp
c:\windows\$NtUninstallKB63881$\580003044\cfg.ini
c:\windows\$NtUninstallKB63881$\580003044\Desktop.ini
c:\windows\$NtUninstallKB63881$\580003044\keywords
c:\windows\$NtUninstallKB63881$\580003044\kwrd.dll
c:\windows\$NtUninstallKB63881$\580003044\L\dmaarltv
c:\windows\$NtUninstallKB63881$\580003044\lsflt7.ver
c:\windows\$NtUninstallKB63881$\580003044\U\00000001.@
c:\windows\$NtUninstallKB63881$\580003044\U\00000002.@
c:\windows\$NtUninstallKB63881$\580003044\U\80000000.@
c:\windows\$NtUninstallKB63881$\580003044\U\80000032.@
c:\windows\kb913800.exe
c:\windows\system32\config\systemprofile\WINDOWS
D:\Autorun.inf
c:\windows\$NtUninstallKB63881$ . . . . Failed to delete
.
c:\windows\system32\drivers\Cdr4_xp.sys . . . is infected!! . . . Failed to find a valid replacement.
.
((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-31 )))))))))))))))))))))))))))))))
.
.
2011-10-31 07:10 . 2011-05-12 21:05 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-10-31 06:35 . 2011-10-31 06:35 -------- d--h--w- c:\windows\PIF
2011-10-31 06:20 . 2011-05-12 21:03 6144 ------w- c:\windows\system32\7.tmp
2011-10-31 06:20 . 2011-05-12 21:03 6144 ------w- c:\windows\system32\6.tmp
2011-10-31 06:19 . 2011-10-31 06:19 -------- d-----w- c:\program files\Sophos
2011-10-31 05:56 . 2011-10-31 05:56 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-31 05:52 . 2011-10-31 06:16 -------- d-----w- c:\documents and settings\Tech
2011-10-30 02:07 . 2011-10-30 02:07 709968 ----a-w- c:\windows\is-L8PTA.exe
2011-10-30 01:11 . 2011-10-30 05:34 -------- d-----w- c:\documents and settings\Owner.salstation\DoctorWeb
2011-10-30 01:05 . 2011-10-30 01:05 -------- d-----w- c:\documents and settings\Owner.salstation\Application Data\Malwarebytes
2011-10-30 01:04 . 2011-10-30 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-30 01:04 . 2011-10-31 05:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-30 01:04 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-07 21:50 . 2005-04-04 06:02 753664 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
2011-10-07 21:50 . 2005-04-04 06:02 69714 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
2011-10-07 21:50 . 2005-04-04 06:01 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
2011-10-07 21:50 . 2005-04-04 06:00 184320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
2011-10-07 21:50 . 2005-04-04 05:59 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe
2011-10-07 21:50 . 2005-04-04 05:57 32768 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\Objectps.dll
2011-10-07 21:50 . 2011-10-07 21:50 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
2011-10-07 21:50 . 2011-10-07 21:50 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
2011-10-07 00:06 . 2011-10-07 00:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2011-10-07 00:06 . 2011-10-07 00:06 -------- d-----w- c:\documents and settings\Owner.salstation\Local Settings\Application Data\PackageAware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-21 20:42 . 2011-09-21 20:43 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-21 20:42 . 2008-08-15 20:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-09 09:12 . 2005-11-23 07:12 599040 ----a-w- c:\windows\system32\crypt32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-29 344064]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\C:\0autocheck autochk *
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner.salstation^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Owner.salstation\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-07-23 03:42 116040 -c--a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 17:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 07:42 212992 -c--a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-02-25 08:24 966656 -c--a-w- c:\windows\creator\remind_xp.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [10/31/2011 12:10 AM 18816]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/29/2011 7:07 PM 366152]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [1/27/2006 2:54 PM 200576]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/29/2011 6:04 PM 22216]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [6/28/2008 4:49 PM 2944]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [6/28/2008 4:49 PM 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [6/28/2008 4:49 PM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [6/28/2008 4:49 PM 10368]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [11/22/2005 5:52 PM 69692]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\C.tmp --> c:\windows\system32\C.tmp [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 00:57]
.
2006-02-27 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-11-23 00:12]
.
2006-02-27 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-11-23 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.15.1
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-35825523.sys
SafeBoot-73489664.sys
SafeBoot-98467317.sys
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe
MSConfigStartUp-conhost - c:\documents and settings\Owner.salstation\Application Data\Microsoft\conhost.exe
MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1138403453\ee\AOLSoftware.exe
MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe
MSConfigStartUp-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
MSConfigStartUp-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe
MSConfigStartUp-MSKDetectorExe - c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe
MSConfigStartUp-NeroFilterCheck - c:\windows\system32\NeroCheck.exe
MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
MSConfigStartUp-RemoteControl - c:\program files\CyberLink\PowerDVD\PDVDServ.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_07\bin\jusched.exe
MSConfigStartUp-VirusScan Online - c:\progra~1\mcafee.com\vso\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-31 00:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\C.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(396)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2011-10-31 00:58:32 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-31 07:58
.
Pre-Run: 61,425,229,824 bytes free
Post-Run: 61,495,447,552 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 751857D412965424BE1077471B25FA2C
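The two manual fixes described in the post (starting the stopped DHCP service and switching off a proxy the user never configured) as a report-first triage script. This is an added example, not code from the post or from any tool it mentions; it assumes the standard Windows service name Dhcp and the per-user WinINet proxy values ProxyEnable, ProxyServer and AutoConfigURL, none of which appear on the page.

```powershell
# Added example (not from the original post). Run from an elevated Windows PowerShell
# prompt. Without -Remediate it only reports; with -Remediate it applies the same two
# fixes the poster made by hand.
param([switch]$Remediate)

# Per-user WinINet (Internet Explorer / system) proxy settings. Assumed standard location.
$ProxyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-DhcpClientState {
    # WMI gives both the run state and the start mode (malware often sets Disabled).
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='Dhcp'"
    [pscustomobject]@{ State = $svc.State; StartMode = $svc.StartMode }
}

function Get-UserProxyState {
    $p = Get-ItemProperty -Path $ProxyKey
    [pscustomobject]@{
        ProxyEnable   = [int]$p.ProxyEnable   # 1 = proxy switched on
        ProxyServer   = $p.ProxyServer        # host:port, may be empty
        AutoConfigURL = $p.AutoConfigURL      # PAC script URL, may be empty
    }
}

$dhcp  = Get-DhcpClientState
$proxy = Get-UserProxyState

# A stopped or disabled DHCP Client explains "no internet"; a proxy or PAC script the
# user did not set explains browser traffic being silently redirected.
$findings = @()
if ($dhcp.State -ne 'Running') { $findings += "DHCP Client is $($dhcp.State) (start mode $($dhcp.StartMode))" }
if ($proxy.ProxyEnable -eq 1)  { $findings += "WinINet proxy enabled: $($proxy.ProxyServer)" }
if ($proxy.AutoConfigURL)      { $findings += "PAC script configured: $($proxy.AutoConfigURL)" }

if (-not $findings) { 'No DHCP/proxy anomalies found.'; return }
$findings | ForEach-Object { "FINDING: $_" }

if ($Remediate) {
    # Put the service back to its default automatic start and bring it up.
    Set-Service -Name 'Dhcp' -StartupType Automatic
    Start-Service -Name 'Dhcp'
    # Turn the proxy off and clear the server / PAC values.
    Set-ItemProperty -Path $ProxyKey -Name 'ProxyEnable' -Value 0
    Remove-ItemProperty -Path $ProxyKey -Name 'ProxyServer','AutoConfigURL' -ErrorAction SilentlyContinue
    'Remediation applied; re-run without -Remediate to confirm.'
}
```

Record the findings before remediating, since the proxy address is the one artefact in this symptom set that identifies where traffic was being sent.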