heks
Cannot boot PC after removing infections with Malwarebytes
heks replied to heks's topic in Resolved Malware Removal Logs
Ok, thanks again for your help. Maybe at some future point you'll be available to help me double-check the health of my main system.

Take care,
heks
Cannot boot PC after removing infections with Malwarebytes
heks replied to heks's topic in Resolved Malware Removal Logs
Hi Elise,

So my system seems to be working fine at this point. I really appreciate all your help. Also, your timing couldn't have been better. Just before you responded to this thread I had decided that if I didn't hear from someone within an hour or two I was just going to bite the bullet and reformat. I'm really glad I didn't have to go that route.

In addition to Avira Antivirus, would you recommend using an online virus scanner? If so, which one? I'm not sure that just using a local one is sufficient since the virus I had before would never seem to allow Avira to finish a scan.

Take care,
heks
Cannot boot PC after removing infections with Malwarebytes
heks replied to heks's topic in Resolved Malware Removal Logs
Hi Elise,

All the work we've done so far has been for my XP system. Should I remove and update Java on my Windows 7 64 bit system as well? And if so, would I use jre-7u1-windows-x64.exe from this page: http://www.oracle.com/technetwork/java/javase/downloads/jre-7u1-download-513652.html

Thanks,
heks
Cannot boot PC after removing infections with Malwarebytes
heks replied to heks's topic in Resolved Malware Removal Logs
In terms of firewalls, I am running through a router and also have the Windows Firewall activated. Is that sufficient?

heks
Cannot boot PC after removing infections with Malwarebytes
heks replied to heks's topic in Resolved Malware Removal Logs
Hi Elise,

Should I delete the files quarantined by ESET Scanner?

heks
Cannot boot PC after removing infections with Malwarebytes
heks replied to heks's topic in Resolved Malware Removal Logs
Hi Elise, Ok, here's the resulting log. Just a note, I'm not particularly concerned about the first two entries in the infected files list (core10.exe and keygen.exe), which were used to test a php programming editor. I don't think they're actual viruses. I also don't think the one associated with "windows 7 all edition" is an actual virus/malware either. I downloaded it as a backup for my legit copy of my Windows 7 Pro 64-bit CD after I got my new system with that OS. I don't want to get rid of this because the reason I got it in the first place was because I lost my original legit Win XP Pro CD and then had to go out and spend the $200 to buy it again. So I now have legit copies of both OS's as well as downloaded versions of both that I can use my legit CD keys with if necessary. So like I said, I don't want to delete these. I currently still have MBAM open showing the list of infections (I'm mainly worried about items 3, 4 and 5 in the list) because I didn't want to proceed with removal until you have a chance to look at the log. 
So, without further ado, here you go:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8149

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/12/2011 7:52:11 PM
mbam-log-2011-11-12 (19-52-01).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 346695
Time elapsed: 42 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\documents\programming stuff\cr-fse10\CORE10k.EXE (Dont.Steal.Our.Software) -> No action taken.
c:\documents and settings\all users\documents\programming stuff\cr-fse10\keygen.exe (RiskWare.Tool.HCK) -> No action taken.
c:\system volume information\_restore{7f69a12d-5c02-4622-9a8f-5793d6bfcc46}\RP0\A0001005.exe (Exploit.Drop.Gen) -> No action taken.
c:\system volume information\_restore{7f69a12d-5c02-4622-9a8f-5793d6bfcc46}\RP0\A0001006.exe (Backdoor.Bot) -> No action taken.
c:\WINDOWS\system32\mfc40u4.dll (Trojan.Crypt) -> No action taken.
d:\Torrent\download final\windows 7 all edition\chew-wga 0.9\CW.eXe (Hacktool.ChewWGA) -> No action taken.

Thanks,
heks
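The "Files Infected" block above is the part of an MBAM 1.x log that decides what to act on first. The following triage script is an added example and is not part of the original post or of Malwarebytes' own logic. SAMPLE_LOG is a constructed excerpt in the 1.x log layout that reuses the six paths and detection names from the post; the bucket rules and their ordering (live files under %windir% first, restore-point copies last, cracks and keygens flagged as riskware rather than malware) are this example's assumptions about how to prioritise.

```python
"""Triage the 'Files Infected' entries of a Malwarebytes 1.x scan log.

Added example for this thread, not Malwarebytes' own logic. SAMPLE_LOG is a
constructed excerpt that reuses the paths and detection names from the post
above; the bucket rules and their ranking are this example's assumptions.
"""
import re
from typing import Dict, List

SAMPLE_LOG = r"""
Files Infected: 6

Files Infected:
c:\documents and settings\all users\documents\programming stuff\cr-fse10\CORE10k.EXE (Dont.Steal.Our.Software) -> No action taken.
c:\documents and settings\all users\documents\programming stuff\cr-fse10\keygen.exe (RiskWare.Tool.HCK) -> No action taken.
c:\system volume information\_restore{7f69a12d-5c02-4622-9a8f-5793d6bfcc46}\RP0\A0001005.exe (Exploit.Drop.Gen) -> No action taken.
c:\system volume information\_restore{7f69a12d-5c02-4622-9a8f-5793d6bfcc46}\RP0\A0001006.exe (Backdoor.Bot) -> No action taken.
c:\WINDOWS\system32\mfc40u4.dll (Trojan.Crypt) -> No action taken.
d:\Torrent\download final\windows 7 all edition\chew-wga 0.9\CW.eXe (Hacktool.ChewWGA) -> No action taken.
"""

# One MBAM 1.x detection line: "<drive>:\<path> (<Threat.Name>) -> <action>."
DETECTION_RE = re.compile(
    r"^(?P<path>[a-z]:\\.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$", re.I
)

# Families that are cracks/keygens/hack tools rather than self-propagating malware.
RISKWARE_PREFIXES = ("RiskWare.", "Hacktool.", "Dont.Steal.Our.Software", "PUP.")

# Lower rank = look at it first (assumed ordering).
BUCKET_RANK = {
    "live system file": 0,       # under %windir%: loadable by running processes
    "user or data file": 1,
    "riskware / crack tool": 2,  # not malware per se, but unvettable binaries
    "restore-point copy": 3,     # inert unless System Restore replays the point
}


def classify(path: str, threat: str) -> str:
    """Bucket a detection by where it lives and which family it belongs to."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point copy"
    if p.startswith("c:\\windows\\"):
        return "live system file"
    if threat.startswith(RISKWARE_PREFIXES):
        return "riskware / crack tool"
    return "user or data file"


def parse_files_infected(log_text: str) -> List[Dict[str, str]]:
    """Return the detections listed under the detailed 'Files Infected:' heading."""
    findings: List[Dict[str, str]] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Files Infected:"):
            # "Files Infected: 6" is the summary count; the bare heading opens the list.
            in_section = line[len("Files Infected:"):].strip() == ""
            continue
        if not in_section:
            continue
        m = DETECTION_RE.match(line)
        if m:
            d = m.groupdict()
            d["bucket"] = classify(d["path"], d["threat"])
            findings.append(d)
        elif line and not line.startswith("("):  # next heading ends the list
            in_section = False
    return findings


def prioritised(findings: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Stable sort: live system files first, restore-point copies last."""
    return sorted(findings, key=lambda f: BUCKET_RANK[f["bucket"]])


if __name__ == "__main__":
    for f in prioritised(parse_files_infected(SAMPLE_LOG)):
        print(f"[{f['bucket']:<22}] {f['threat']:<26} {f['path']}")
```

On the sample this puts the system32 DLL (Trojan.Crypt) at the top and the two restore-point copies at the bottom; the three crack/keygen hits are reported separately so they are neither mistaken for active infections nor silently dropped.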
Cannot boot PC after removing infections with Malwarebytes
heks replied to heks's topic in Resolved Malware Removal Logs
Hi Elise,

In terms of uninstalling all the older versions of Java, do you just mean from the Add/Remove Programs panel? Cause the only thing I see in there is "Java 6 Update 23". Is there somewhere else I should be looking?

heks
Cannot boot PC after removing infections with Malwarebytes
heks replied to heks's topic in Resolved Malware Removal Logs
No visible ones that I can tell. Well, actually, I do have some files in my AVIRA quarantine that I'm wondering what they are and if and how I should safely get rid of them. This is the list:

Contains recognition pattern of the JS/Agent.HG.2 Java script virus -- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\U9GOQMRZ\main[1].htm
Is the TR/PSW.Zbot.3266 Trojan -- C:\Documents and Settings\Ryan\Application Data\pikoh\syce.exe
Is the TR/Crypt.XPACK.Gen5 Trojan -- C:\Documents and Settings\Ryan\Local Settings\Application Data\advapiSupport\appMouseSched.dll
Is the TR/Crypt.XPACK.Gen5 Trojan -- C:\Documents and Settings\Ryan\Local Settings\Application Data\advapiSupport\appMouseSched.dll (so this one seems to be here twice)
Is the TR/Crypt.XPACK.Gen Trojan -- C:\Windows\system32\mfc40u4.dll
Is the TR/Dropper.Gen Trojan -- C:\Windows\Temp\hki266.exe
Is the TR/PSW.Fareit.A.49 Trojan -- C:\Windows\Temp\14c33f.exe
Is the TR/Kazy.dznsa Trojan -- D:\temp\RECOVER\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\2WKW2LFZ\windows-update-sp2-kb77666-setup[1].exe
Is the TR/Dropper.Gen Trojan -- C:\Windows\Temp\hki254.exe

These are all files already in quarantine from previous scans in August and September. I haven't been able to do a complete system scan in a while and haven't done one since you started helping me with this stuff.

Here's the new ComboFix log:

ComboFix 11-11-10.02 - Ryan 11/11/2011 12:21:33.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1539 [GMT -5:00]
Running from: c:\documents and settings\Ryan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ryan\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
FILE ::
"c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
.
.
((((((((((((((((((((((((( Files Created from 2011-10-11 to 2011-11-11 )))))))))))))))))))))))))))))))
.
.
2011-11-07 05:52 . 2011-11-07 05:52 -------- d-----w- c:\documents and settings\Ryan\Application Data\Malwarebytes
2011-11-07 05:52 . 2011-11-07 05:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-07 05:52 . 2011-11-07 05:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-07 05:52 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-02-23 12:16 . 2009-07-20 22:18 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 12:16 . 2009-07-20 22:18 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-10_16.42.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-11 17:09 . 2011-11-11 17:09 16384 c:\windows\Temp\Perflib_Perfdata_748.dat
+ 2008-04-14 12:00 . 2011-11-11 08:17 83380 c:\windows\system32\perfc009.dat
- 2008-04-14 12:00 . 2011-11-06 15:57 83380 c:\windows\system32\perfc009.dat
+ 2007-04-09 16:32 . 2007-04-09 16:32 19968 c:\windows\system32\CTXFIHLP.exe
+ 2008-04-14 12:00 . 2011-11-11 08:17 471508 c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2011-11-06 15:57 471508 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"CTHelper"="CTHELPER.EXE" [2007-04-09 19456]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-11-06 741376]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
"Adobe_ID0ENQBO"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2008-08-15 378224]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-06-08 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\G:\0autocheck autochk *
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator.LITTLEBONES^Start Menu^Programs^Startup^dunoi.exe]
path=c:\documents and settings\Administrator.LITTLEBONES\Start Menu\Programs\Startup\dunoi.exe
backup=c:\windows\pss\dunoi.exeStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Bonjour Service"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\phpDesigner 2008\\phpDesigner2008.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49156:TCP"= 49156:TCP:Vuze Port TCP
"49156:UDP"= 49156:UDP:Vuze Port UDP
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/20/2009 11:58 AM 642560]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [12/12/2003 10:49 AM 77312]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/2/2011 12:53 PM 136360]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 4:46 AM 284016]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [7/25/2009 7:00 PM 47360]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 216.254.141.2 209.90.160.222
FF - ProfilePath - c:\documents and settings\Ryan\Application Data\Mozilla\Firefox\Profiles\qjohnile.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Answers: {C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51} - %profile%\extensions\{C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51}
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: UnPlug: unplug@compunach - %profile%\extensions\unplug@compunach
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-appMouseSched - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-11 12:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,70,7c,0e,17,db,a3,03,48,a7,2d,f4,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,70,7c,0e,17,db,a3,03,48,a7,2d,f4,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-11-11 12:28:37
ComboFix-quarantined-files.txt 2011-11-11 17:28
ComboFix2.txt 2011-11-11 08:20
ComboFix3.txt 2011-11-10 16:44
.
Pre-Run: 436,172,918,784 bytes free
Post-Run: 436,156,936,192 bytes free
.
- - End Of File - - CA871B46FBF91F1D384EB0812B2E454E

Any idea what's up with those proxy settings, or what that IP address is?

Thanks,
heks
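The "Reg Loading Points" section of the log above is where the host's own defences are visible: Security Center overrides, the firewall profile, globally opened ports and orphaned autorun values. The script below is an added example, not part of the original post and not ComboFix's own logic. SAMPLE is a constructed excerpt that reuses the key names and values from the log (ComboFix's REGEDIT4-style rendering, including its `HKLM\~\services` abbreviation for `HKLM\SYSTEM\CurrentControlSet\services`); the severity labels and the list of high-risk ports are this example's assumptions.

```python
"""Flag weakened host defences in a ComboFix 'Reg Loading Points' excerpt.

Added example for this thread; not ComboFix's own logic. SAMPLE is a
constructed excerpt that reuses the key names and values from the log
above. Severity labels and HIGH_RISK_PORTS are this example's assumptions.
"""
import re
from typing import Dict, List, Tuple

SAMPLE = r"""
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"appMouseSched"="" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49156:TCP"= 49156:TCP:Vuze Port TCP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')

# Inbound services that should never be globally opened on a workstation (assumed list).
HIGH_RISK_PORTS = {3389: "Remote Desktop", 445: "SMB", 139: "NetBIOS session", 23: "Telnet"}

Finding = Tuple[str, str]  # (severity, message)


def parse_reg_points(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] (lower-cased) to its "name"=value lines."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("value").strip()
    return keys


def is_set(value: str) -> bool:
    """True for a non-zero DWORD in either rendering: 'dword:00000001' or '1 (0x1)'."""
    v = value.lower()
    if v.startswith("dword:"):
        return int(v[len("dword:"):], 16) != 0
    m = re.match(r"^(\d+)\b", v)
    return bool(m) and int(m.group(1)) != 0


def audit(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for key, values in parse_reg_points(text).items():
        if key.endswith("\\security center"):
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if name in values and is_set(values[name]):
                    findings.append(("high", f"Security Center {name}=1: a missing AV or firewall will not be reported"))
        elif key.endswith("firewallpolicy\\standardprofile"):
            if "EnableFirewall" in values and not is_set(values["EnableFirewall"]):
                findings.append(("high", "Windows Firewall standard profile disabled (EnableFirewall=0)"))
            if is_set(values.get("DisableNotifications", "0")):
                findings.append(("medium", "Firewall block notifications suppressed (DisableNotifications=1)"))
        elif key.endswith("globallyopenports\\list"):
            for name in values:
                port, _, _proto = name.partition(":")
                if port.isdigit() and int(port) in HIGH_RISK_PORTS:
                    findings.append(("high", f"{HIGH_RISK_PORTS[int(port)]} ({name}) open to all remote addresses"))
        elif key.endswith("\\currentversion\\run"):
            for name, value in values.items():
                if value.startswith('""') or "[n/a]" in value.lower():
                    findings.append(("medium", f"Orphaned autorun '{name}' under {key}: target missing, clean the value"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"{severity.upper():<6} {message}")
```

The two overrides and EnableFirewall=0 explain why neither Security Center nor the firewall would have complained about anything on this machine; the 3389 entry matters even behind a NAT router if UPnP or a forwarding rule exposes it. The parser deliberately keys off the tail of each registry path so it works on both the abbreviated `HKLM\~\...` form and the full `HKEY_LOCAL_MACHINE\...` form ComboFix mixes.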
Cannot boot PC after removing infections with Malwarebytes
heks replied to heks's topic in Resolved Malware Removal Logs
Hi Elise,

Just an additional note... I opened up Firefox and looked in Tools > Options > Advanced > Network. I see that it is set to "Use system proxy settings". I'm not sure what the system proxy settings are, but I notice greyed out settings under the Manual proxy option that uses 151.100.59.11 Port: 3128 for all the proxy types, then for "No Proxy for:" it has "localhost, 127.0.0.1". I have no idea what these IP addresses are.

Also, for the second time in a row starting up Firefox it has told me it's not my default browser and asked if I want to set it to default, even though I selected yes for that option last time. Don't know if that's a symptom of anything. It seems like it might just be a fluke because I just tried it a 3rd time to be sure and it didn't ask this time.

Take care,
heks
Cannot boot PC after removing infections with Malwarebytes
heks replied to heks's topic in Resolved Malware Removal Logs
To be honest, I don't recall. It doesn't seem like I should need a proxy to be set up, but hard to say.

Here's the new ComboFix.txt content:

ComboFix 11-11-10.02 - Ryan 11/11/2011 3:01.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1508 [GMT -5:00]
Running from: c:\documents and settings\Ryan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ryan\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((( Files Created from 2011-10-11 to 2011-11-11 )))))))))))))))))))))))))))))))
.
.
2011-11-07 05:52 . 2011-11-07 05:52 -------- d-----w- c:\documents and settings\Ryan\Application Data\Malwarebytes
2011-11-07 05:52 . 2011-11-07 05:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-07 05:52 . 2011-11-07 05:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-07 05:52 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-02-23 12:16 . 2009-07-20 22:18 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 12:16 . 2009-07-20 22:18 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll
.
<pre>
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
</pre>
.
((((((((((((((((((((((((((((( SnapShot@2011-11-10_16.42.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-11 08:06 . 2011-11-11 08:06 16384 c:\windows\Temp\Perflib_Perfdata_758.dat
+ 2008-04-14 12:00 . 2011-11-11 08:17 83380 c:\windows\system32\perfc009.dat
- 2008-04-14 12:00 . 2011-11-06 15:57 83380 c:\windows\system32\perfc009.dat
+ 2007-04-09 16:32 . 2007-04-09 16:32 19968 c:\windows\system32\CTXFIHLP.exe
+ 2008-04-14 12:00 . 2011-11-11 08:17 471508 c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2011-11-06 15:57 471508 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"appMouseSched"="" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"CTHelper"="CTHELPER.EXE" [2007-04-09 19456]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-11-06 741376]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
"Adobe_ID0ENQBO"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2008-08-15 378224]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-06-08 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\G:\0autocheck autochk *
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator.LITTLEBONES^Start Menu^Programs^Startup^dunoi.exe]
path=c:\documents and settings\Administrator.LITTLEBONES\Start Menu\Programs\Startup\dunoi.exe
backup=c:\windows\pss\dunoi.exeStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Bonjour Service"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\phpDesigner 2008\\phpDesigner2008.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49156:TCP"= 49156:TCP:Vuze Port TCP
"49156:UDP"= 49156:UDP:Vuze Port UDP
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/20/2009 11:58 AM 642560]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [12/12/2003 10:49 AM 77312]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/2/2011 12:53 PM 136360]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 4:46 AM 284016]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [7/25/2009 7:00 PM 47360]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 216.254.141.2 209.90.160.222
FF - ProfilePath - c:\documents and settings\Ryan\Application Data\Mozilla\Firefox\Profiles\qjohnile.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: network.proxy.ftp - 151.100.59.11
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - 151.100.59.11
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - 151.100.59.11
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 151.100.59.11
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 151.100.59.11
FF - prefs.js: network.proxy.ssl_port - 3128
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Answers: {C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51} - %profile%\extensions\{C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51}
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: UnPlug: unplug@compunach - %profile%\extensions\unplug@compunach
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-11 03:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,70,7c,0e,17,db,a3,03,48,a7,2d,f4,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,70,7c,0e,17,db,a3,03,48,a7,2d,f4,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2820)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Synergy\synergyc.exe
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\program files\Brother\Brmfcmon\BrMfcmon.exe
.
**************************************************************************
.
Completion time: 2011-11-11 03:20:04 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-11 08:20
ComboFix2.txt 2011-11-10 16:44
.
Pre-Run: 436,229,734,400 bytes free
Post-Run: 436,200,947,712 bytes free
.
- - End Of File - - 6FB4DD2308A61631C7CC02F74FB0098F

Ok, off to bed now. I'll check back in the morning.

Thanks,
heks
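The `network.proxy.*` lines in the Supplementary Scan above are the check worth automating: a proxy host that is not loopback or on the local network means every HTTP, HTTPS, SOCKS and FTP connection can be read and rewritten off-box. The script below is an added example and is not part of the original post. SAMPLE_PREFS is a constructed prefs.js excerpt in Firefox's `user_pref()` syntax that reuses the proxy values from the log; the `network.proxy.type` line is this example's assumption (5, "Use system proxy settings", which matches the poster's later observation), and the set of protocols checked is the one Firefox of that era exposed.

```python
"""Audit Firefox prefs.js for proxy settings that point off-host.

Added example for this thread, not part of the original post. SAMPLE_PREFS
is a constructed prefs.js excerpt reusing the network.proxy.* values from the
ComboFix log above; the network.proxy.type value is assumed.
"""
import ipaddress
import re
from typing import Dict, List, Union

SAMPLE_PREFS = r"""
user_pref("browser.search.selectedEngine", "Google");
user_pref("network.proxy.ftp", "151.100.59.11");
user_pref("network.proxy.ftp_port", 3128);
user_pref("network.proxy.gopher", "151.100.59.11");
user_pref("network.proxy.gopher_port", 3128);
user_pref("network.proxy.http", "151.100.59.11");
user_pref("network.proxy.http_port", 3128);
user_pref("network.proxy.socks", "151.100.59.11");
user_pref("network.proxy.socks_port", 3128);
user_pref("network.proxy.ssl", "151.100.59.11");
user_pref("network.proxy.ssl_port", 3128);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
user_pref("network.proxy.type", 5);
"""

PREF_RE = re.compile(r'^user_pref\("(?P<name>[^"]+)",\s*(?P<value>.+?)\);$')

# Firefox network.proxy.type values.
PROXY_MODES = {0: "direct", 1: "manual", 2: "pac", 4: "auto-detect", 5: "system"}
PROTOCOLS = ("http", "ssl", "socks", "ftp", "gopher")

Pref = Union[str, int, bool]


def parse_prefs(text: str) -> Dict[str, Pref]:
    """Parse user_pref() lines into a dict, typing strings, booleans and integers."""
    prefs: Dict[str, Pref] = {}
    for raw in text.splitlines():
        m = PREF_RE.match(raw.strip())
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        if value.startswith('"') and value.endswith('"'):
            prefs[name] = value[1:-1]
        elif value in ("true", "false"):
            prefs[name] = value == "true"
        else:
            prefs[name] = int(value)
    return prefs


def is_local(host: str) -> bool:
    """Loopback or RFC 1918 address, or the literal hostname 'localhost'."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == "localhost"
    return ip.is_loopback or ip.is_private


def audit_proxies(prefs: Dict[str, Pref]) -> List[Dict[str, Pref]]:
    """List every non-local proxy and whether Firefox is currently using it."""
    mode = PROXY_MODES.get(int(prefs.get("network.proxy.type", 5)), "unknown")
    findings: List[Dict[str, Pref]] = []
    for proto in PROTOCOLS:
        host = prefs.get(f"network.proxy.{proto}")
        if not isinstance(host, str) or not host or is_local(host):
            continue
        findings.append({
            "protocol": proto,
            "host": host,
            "port": int(prefs.get(f"network.proxy.{proto}_port", 0)),
            "mode": mode,
            "active": mode == "manual",  # stored hosts only take effect in manual mode
        })
    return findings


if __name__ == "__main__":
    for f in audit_proxies(parse_prefs(SAMPLE_PREFS)):
        state = "ACTIVE" if f["active"] else f"dormant (mode={f['mode']})"
        print(f"{f['protocol']:<7} {f['host']}:{f['port']}  {state}")
```

With type 5 the stored manual entries are dormant, which is why they show greyed out in the Firefox dialog; flipping the radio button to manual would activate them. In system mode the effective proxy is whatever Internet Explorer has under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings` (ProxyEnable and ProxyServer), of which the ComboFix log shows only `ProxyOverride = *.local`, so that key is the other place to check.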
Cannot boot PC after removing infections with Malwarebytes
heks replied to heks's topic in Resolved Malware Removal Logs
Hi Elise,

Here's the ComboFix log...

ComboFix 11-11-10.02 - Ryan 11/10/2011 11:37:25.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1500 [GMT -5:00]
Running from: c:\documents and settings\Ryan\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
 * Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Ryan\Application Data\Adobe\plugs
c:\documents and settings\Ryan\Application Data\Adobe\shed
c:\documents and settings\Ryan\Application Data\inst.exe
c:\documents and settings\Ryan\Application Data\mIRC\logs\status.log
c:\documents and settings\Ryan\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2011-10-10 to 2011-11-10 )))))))))))))))))))))))))))))))
.
.
2011-11-07 05:52 . 2011-11-07 05:52 -------- d-----w- c:\documents and settings\Ryan\Application Data\Malwarebytes
2011-11-07 05:52 . 2011-11-07 05:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-07 05:52 . 2011-11-07 05:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-07 05:52 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-02-23 12:16 . 2009-07-20 22:18 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 12:16 . 2009-07-20 22:18 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll
.
<pre>
c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl .exe
c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VERSIO~2 .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate .exe
c:\program files\DAEMON Tools\daemon .exe
c:\program files\Microsoft Office\Office12\GrooveMonitor .exe
c:\program files\ScanSoft\PaperPort\IndexSearch .exe
c:\program files\ScanSoft\PaperPort\Ereg\Ereg .exe
c:\windows\system32\CTXFIHLP .exe
</pre>
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"appMouseSched"="" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"CTHelper"="CTHELPER.EXE" [2007-04-09 19456]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-11-06 741376]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-06-08 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\G:\0autocheck autochk *
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator.LITTLEBONES^Start Menu^Programs^Startup^dunoi.exe]
path=c:\documents and settings\Administrator.LITTLEBONES\Start Menu\Programs\Startup\dunoi.exe
backup=c:\windows\pss\dunoi.exeStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Bonjour Service"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\phpDesigner 2008\\phpDesigner2008.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49156:TCP"= 49156:TCP:Vuze Port TCP
"49156:UDP"= 49156:UDP:Vuze Port UDP
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/20/2009 11:58 AM 642560]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [12/12/2003 10:49 AM 77312]
R1 SASDIFSV;SASDIFSV;\??\c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
R1 SASKUTIL;SASKUTIL;\??\c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/2/2011 12:53 PM 136360]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 4:46 AM 284016]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [7/25/2009 7:00 PM 47360]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 TCP: DhcpNameServer = 216.254.141.2 209.90.160.222 FF - ProfilePath - c:\documents and settings\Ryan\Application Data\Mozilla\Firefox\Profiles\qjohnile.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: network.proxy.ftp - 151.100.59.11 FF - prefs.js: network.proxy.ftp_port - 3128 FF - prefs.js: network.proxy.gopher - 151.100.59.11 FF - prefs.js: network.proxy.gopher_port - 3128 FF - prefs.js: network.proxy.http - 151.100.59.11 FF - prefs.js: network.proxy.http_port - 3128 FF - prefs.js: network.proxy.socks - 151.100.59.11 FF - prefs.js: network.proxy.socks_port - 3128 FF - prefs.js: network.proxy.ssl - 151.100.59.11 FF - prefs.js: network.proxy.ssl_port - 3128 FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c} FF - Ext: Answers: {C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51} - %profile%\extensions\{C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51} FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12} FF - Ext: UnPlug: unplug@compunach - %profile%\extensions\unplug@compunach FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla 
Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} FF - user.js: network.cookie.cookieBehavior - 0 FF - user.js: privacy.clearOnShutdown.cookies - false FF - user.js: security.warn_viewing_mixed - false FF - user.js: security.warn_viewing_mixed.show_once - false FF - user.js: security.warn_submit_insecure - false FF - user.js: security.warn_submit_insecure.show_once - false . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-11-10 11:42 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . 
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (LocalSystem) "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,70,7c,0e,17,db,a3,03,48,a7,2d,f4,\ "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,70,7c,0e,17,db,a3,03,48,a7,2d,f4,\ . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(768) c:\windows\system32\Ati2evxx.dll . Completion time: 2011-11-10 11:44:32 ComboFix-quarantined-files.txt 2011-11-10 16:44 . Pre-Run: 433,995,689,984 bytes free Post-Run: 436,240,900,096 bytes free . WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect . - - End Of File - - ED486F042C89B3BFD72F92BAAB33C4BD Take care, heks -
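Several settings in the ComboFix log above matter more than the deleted files: prefs.js routes every Firefox protocol (ftp, gopher, http, socks, ssl) through 151.100.59.11:3128, the Security Center AntiVirusOverride/FirewallOverride values silence the AV and firewall warnings, EnableFirewall is 0 for the standard profile, TCP 3389 is in the globally open ports list, user.js turns off the mixed-content and insecure-submit warnings, a dunoi.exe sits in an Administrator Startup folder, and ComboFix lists eleven executables with a space before ".exe" between its <pre> tags. The script below is an added triage example, not part of this thread and not ComboFix's own tooling; it runs fixed pattern checks over a constructed sample of lines excerpted from the posted log, and the indicator names and rule set are my assumptions about what a helper would read first, not a verdict on any of the files.

```python
"""Triage a ComboFix-style log for policy tampering and persistence indicators.

Added example, not part of the thread and not ComboFix's own output: the
sample lines are excerpted from the posted log (a constructed subset), and
the indicator names and rule set are assumptions about what to check first.
"""
import re

# Constructed sample: lines excerpted from the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl .exe
c:\windows\system32\CTXFIHLP .exe
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator.LITTLEBONES^Start Menu^Programs^Startup^dunoi.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
FF - prefs.js: network.proxy.http - 151.100.59.11
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.ssl - 151.100.59.11
FF - prefs.js: network.proxy.ssl_port - 3128
FF - user.js: security.warn_submit_insecure - false
FF - user.js: network.cookie.cookieBehavior - 0
"""

# Indicator name -> pattern applied to each stripped log line (assumed rule set).
RULES = [
    # Resident AV reported disabled. ComboFix asks for AV to be switched off
    # before it runs, so this is context for the helper, not a finding by itself.
    ("av-disabled", re.compile(r"^AV: .*\*Disabled", re.I)),
    # An executable listed with a space before ".exe" (ComboFix prints these
    # between <pre> tags); each one has to be checked by hand.
    ("renamed-exe", re.compile(r"\S \.exe$", re.I)),
    # An .exe launched from a Startup folder.
    ("startup-folder-exe", re.compile(r"startupfolder\\.*\^Startup\^[^\]]+\.exe\]", re.I)),
    # Security Center told to stop warning about AV / firewall state.
    ("security-center-override", re.compile(r'^"(AntiVirus|Firewall)Override"=dword:0*1$', re.I)),
    # Windows Firewall standard profile switched off.
    ("firewall-off", re.compile(r'^"EnableFirewall"=\s*0\b', re.I)),
    # Remote Desktop port opened in the firewall's global list.
    ("rdp-port-open", re.compile(r'^"3389:TCP"=', re.I)),
    # Firefox warnings about insecure submission / mixed content turned off.
    ("ff-security-warning-off", re.compile(r"^FF - user\.js: security\.warn_\S+ - false$")),
    # cookieBehavior 0 = accept all cookies, including third-party.
    ("ff-cookies-accept-all", re.compile(r"^FF - user\.js: network\.cookie\.cookieBehavior - 0$")),
]

# network.proxy.<proto> and network.proxy.<proto>_port are merged per protocol.
PROXY_RE = re.compile(r"^FF - prefs\.js: network\.proxy\.(\w+?)(_port)? - (\S+)$")


def triage(log_text):
    """Return (indicator, evidence) pairs in log order, followed by one
    'ff-proxy-hijack' entry per protocol that prefs.js routes via a proxy."""
    hits = []
    proxies = {}  # proto -> [host, port]
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":  # ComboFix uses '.' as a spacer line
            continue
        m = PROXY_RE.match(line)
        if m:
            proto, is_port, value = m.groups()
            proxies.setdefault(proto, [None, None])[1 if is_port else 0] = value
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((name, line))
    for proto, (host, port) in sorted(proxies.items()):
        if host:  # a port without a host is not a configured proxy
            hits.append(("ff-proxy-hijack", f"{proto} -> {host}:{port}"))
    return hits


def summarize(hits):
    """Count hits per indicator, e.g. {'renamed-exe': 2, ...}."""
    counts = {}
    for name, _ in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for name, evidence in found:
        print(f"{name:26} {evidence}")
    print(summarize(found))
```

Run against the full posted log instead of the sample, the same rules would also flag the ftp, gopher and socks proxy entries and the remaining renamed executables; the proxy merge step exists because a host line and a port line are only meaningful together.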
Cannot boot PC after removing infections with Malwarebytes
heks replied to heks's topic in Resolved Malware Removal Logs
I'll get working on this in the morning (it's 3:00 am here right now). Thanks, heks -
Cannot boot PC after removing infections with Malwarebytes
heks replied to heks's topic in Resolved Malware Removal Logs
It seems to be running OK now, as far as I can tell. Is there anything else I should do to make sure the system is clean? heks -
Cannot boot PC after removing infections with Malwarebytes
heks replied to heks's topic in Resolved Malware Removal Logs
Here it is: mbr.zip