
I've tried to clean my computer, infected with bamitol-ao in winlogon and win explorer, using a number of options, including Malwarebytes and ComboFix. I have avast antivirus, so that keeps it under control, but even after running ComboFix (which could not easily replace the infected files) I'm still infected.

Below are the DDS.txt and the ComboFix logs:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by kierstin english at 12:18:42 on 2011-11-27

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.442 [GMT -8:00]

.

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\EeePC\ACPI\AsTray.exe

C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe

C:\Program Files\EeePC\ACPI\AsEPCMon.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\AVAST Software\Avast\avastUI.exe

C:\WINDOWS\system32\igfxext.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL

mURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL

BHO: Ask Search Assistant BHO: {0579b4b1-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll

BHO: 1 (0x1) - No File

TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll

TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [AsusTray] "c:\program files\eeepc\acpi\AsTray.exe"

mRun: [AsusACPIServer] "c:\program files\eeepc\acpi\AsAcpiSvr.exe"

mRun: [AsusEPCMonitor] "c:\program files\eeepc\acpi\AsEPCMon.exe"

mRun: [ETDWare] "c:\program files\elantech\ETDCtrl.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [ArcSoft Connection Service] "c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll

IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\kierstin english\application data\mozilla\firefox\profiles\s0goi6e6.default\

.

============= SERVICES / DRIVERS ===============

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-11-27 442200]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-11-27 320856]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-11-27 20568]

R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-11-27 44768]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-27 366152]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-27 22216]

.

=============== Created Last 30 ================

.

2011-11-27 19:52:25 -------- d-----w- C:\ComboFix

2011-11-27 19:23:39 -------- d-sha-r- C:\cmdcons

2011-11-27 19:22:02 98816 ----a-w- c:\windows\sed.exe

2011-11-27 19:22:02 518144 ----a-w- c:\windows\SWREG.exe

2011-11-27 19:22:02 256000 ----a-w- c:\windows\PEV.exe

2011-11-27 19:22:02 208896 ----a-w- c:\windows\MBR.exe

2011-11-27 18:31:00 -------- d-----w- c:\documents and settings\kierstin english\local settings\application data\Mozilla

2011-11-27 17:53:52 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-11-27 17:53:33 41184 ----a-w- c:\windows\avastSS.scr

2011-11-27 17:53:13 -------- d-----w- c:\program files\AVAST Software

2011-11-27 17:53:13 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software

2011-11-27 17:03:35 -------- d-----w- c:\documents and settings\kierstin english\application data\Malwarebytes

2011-11-27 17:03:02 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-11-27 17:02:59 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-27 17:02:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

==================== Find3M ====================

.

2011-11-27 16:41:42 0 ----a-w- c:\windows\Sxarakecofezipah.bin

2008-05-07 08:34:00 15523560 ----a-w- c:\program files\U1 Setup.exe

.

============= FINISH: 12:19:38.59 ===============

And the ComboFix log:

ComboFix 11-11-27.02 - eng 11/27/2011 11:54:21.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.587 [GMT -8:00]

Running from: c:\documents and settings\eng\Desktop\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\winlogon.exe . . . is infected!!

.

c:\windows\explorer.exe . . . is infected!!

.

.

((((((((((((((((((((((((( Files Created from 2011-10-27 to 2011-11-27 )))))))))))))))))))))))))))))))

.

.

2011-11-27 18:31 . 2011-11-27 18:31 -------- d-----w- c:\documents and settings\kierstin english\Local Settings\Application Data\Mozilla

2011-11-27 17:53 . 2011-09-06 21:37 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-11-27 17:53 . 2011-09-06 21:36 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-11-27 17:53 . 2011-09-06 21:36 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-11-27 17:53 . 2011-09-06 21:38 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-11-27 17:53 . 2011-09-06 21:36 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-11-27 17:53 . 2011-09-06 21:36 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-11-27 17:53 . 2011-09-06 21:36 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-11-27 17:53 . 2011-09-06 21:33 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-11-27 17:53 . 2011-09-06 21:45 41184 ----a-w- c:\windows\avastSS.scr

2011-11-27 17:53 . 2011-09-06 21:45 199304 ----a-w- c:\windows\system32\aswBoot.exe

2011-11-27 17:53 . 2011-11-27 17:53 -------- d-----w- c:\program files\AVAST Software

2011-11-27 17:53 . 2011-11-27 17:53 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software

2011-11-27 17:03 . 2011-11-27 17:03 -------- d-----w- c:\documents and settings\kierstin english\Application Data\Malwarebytes

2011-11-27 17:03 . 2011-11-27 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-11-27 17:02 . 2011-11-27 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-27 17:02 . 2011-09-01 01:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-07 08:34 . 2008-08-08 18:09 15523560 ----a-w- c:\program files\U1 Setup.exe

2011-11-21 04:04 . 2011-11-27 18:30 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2008-04-14 . 2327754D22033E7AEB84E0A68C0E5030 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

.

[-] 2008-04-14 . 8C0E14A5E93B1C927C0EDEB1CD3C256D . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe

.

((((((((((((((((((((((((((((( SnapShot@2011-11-27_19.38.53 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-08-07 21:23 . 2011-11-27 19:52 53166 c:\windows\system32\perfc009.dat

- 2008-08-07 21:23 . 2011-11-27 19:08 53166 c:\windows\system32\perfc009.dat

+ 2008-08-07 21:23 . 2011-11-27 19:52 380918 c:\windows\system32\perfh009.dat

- 2008-08-07 21:23 . 2011-11-27 19:08 380918 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2009-02-18 66912]

.

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]

2009-02-18 22:12 66912 ----a-w- c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-09-06 21:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-24 104984]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-24 121368]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-24 100888]

"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-07-23 98304]

"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-07-23 479232]

"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]

"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2008-07-23 335872]

"RTHDCPL"="RTHDCPL.EXE" [2008-07-16 16806400]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Launch Whitesmoke Translator.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Launch Whitesmoke Translator.lnk

backup=c:\windows\pss\Launch Whitesmoke Translator.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SuperHybridEngine.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SuperHybridEngine.lnk

backup=c:\windows\pss\SuperHybridEngine.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^kierstin english^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\kierstin english\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2007-10-10 23:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2008-06-19 08:20 57344 ----a-w- c:\windows\Alcmtr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

2007-10-18 15:34 5724184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2009-09-11 00:07 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [11/27/2011 9:53 AM 442200]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/27/2011 9:53 AM 320856]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/27/2011 9:53 AM 20568]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/27/2011 9:03 AM 366152]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/27/2011 9:02 AM 22216]

.

Contents of the 'Scheduled Tasks' folder

.

2011-11-27 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 15:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\documents and settings\kierstin english\Application Data\Mozilla\Firefox\Profiles\s0goi6e6.default\

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-11-27 12:04

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

Completion time: 2011-11-27 12:08:50

ComboFix-quarantined-files.txt 2011-11-27 20:08

ComboFix2.txt 2011-11-27 19:43

.

Pre-Run: 53,374,922,752 bytes free

Post-Run: 53,363,269,632 bytes free

.

- - End Of File - - 73245F60DBBA1AD0EA391B370D9CA8F2



Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    winlogon.exe


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

You will also need to do that for explorer.exe.


Here are the results for winlogon.exe:

SystemLook 30.07.11 by jpshortstuff

Log created at 14:45 on 01/12/2011 by kierstin english

Administrator - Elevation successful

========== filefind ==========

Searching for "winlogon.exe"

C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [21:23 07/08/2008] [12:00 14/04/2008] 2327754D22033E7AEB84E0A68C0E5030

-= EOF =-

And for explorer.exe:

SystemLook 30.07.11 by jpshortstuff

Log created at 14:49 on 01/12/2011 by kierstin english

Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.exe"

C:\WINDOWS\explorer.exe --a---- 1033728 bytes [21:23 07/08/2008] [12:00 14/04/2008] 8C0E14A5E93B1C927C0EDEB1CD3C256D

-= EOF =-


Those are the infected ones.

Let's see if there's a compressed one.

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    winlogon


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
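The check behind that verdict, as an added example that is not part of the thread and not code from SystemLook or ComboFix: a Python script that parses the SystemLook filefind lines and the ComboFix Sigcheck lines posted above, confirms the two tools agree on size and MD5 for each file, and compares each file with a known-good (size, MD5) baseline. The baseline values in it are constructed placeholders, not the real hashes of clean Windows XP binaries.

```python
"""Cross-check the file hashes two cleanup tools reported, then compare them
with a known-good baseline.  Parses the SystemLook ":filefind" lines and the
ComboFix "Sigcheck" lines for winlogon.exe and explorer.exe from this thread."""
import re
from collections import defaultdict
from dataclasses import dataclass

# SystemLook:  C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [mtime] [ctime] <MD5>
SYSTEMLOOK_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+[-a-z]{7}\s+(?P<size>\d+)\s+bytes\s+"
    r"\[[^\]]*\]\s+\[[^\]]*\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
# ComboFix Sigcheck ("[-]" marked the file unsigned):
#   [-] 2008-04-14 . <MD5> . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
SIGCHECK_RE = re.compile(
    r"^\[[^\]]+\]\s+\d{4}-\d{2}-\d{2}\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)"
    r"\s+(?:\.\s+)*\[[^\]]*\]\s+(?:\.\s+)*(?P<path>[A-Za-z]:\\.+?)\s*$"
)


@dataclass(frozen=True)
class FileRecord:
    path: str  # lower-cased so both tools' spellings of one path compare equal
    size: int
    md5: str   # upper-case hex


def _parse(text: str, pattern: re.Pattern) -> list[FileRecord]:
    records = []
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            records.append(FileRecord(m["path"].lower(), int(m["size"]), m["md5"].upper()))
    return records


def parse_systemlook(text: str) -> list[FileRecord]:
    return _parse(text, SYSTEMLOOK_RE)


def parse_sigcheck(text: str) -> list[FileRecord]:
    return _parse(text, SIGCHECK_RE)


def cross_check(records: list[FileRecord]) -> dict[str, str]:
    """Per path: 'consistent' if every tool reported the same (size, MD5), else
    'tools disagree' (one tool was deceived, or the file changed between scans)."""
    seen = defaultdict(set)
    for r in records:
        seen[r.path].add((r.size, r.md5))
    return {p: "consistent" if len(v) == 1 else "tools disagree" for p, v in seen.items()}


def compare_to_baseline(records: list[FileRecord],
                        baseline: dict[str, tuple[int, str]]) -> dict[str, str]:
    """Per path: 'match', 'size mismatch', 'hash mismatch' or 'not in baseline'.
    baseline maps lower-case path -> (size, MD5) of the trusted clean file."""
    verdicts: dict[str, str] = {}
    for r in records:
        expected = baseline.get(r.path)
        if expected is None:
            verdict = "not in baseline"
        elif r.size != expected[0]:
            verdict = "size mismatch"
        elif r.md5 != expected[1].upper():
            verdict = "hash mismatch"
        else:
            verdict = "match"
        if verdicts.get(r.path, "match") == "match":  # first non-match verdict wins
            verdicts[r.path] = verdict
    return verdicts


# Lines copied from the SystemLook and ComboFix logs posted in this thread.
SYSTEMLOOK_LOG = """\
Searching for "winlogon.exe"
C:\\WINDOWS\\system32\\winlogon.exe --a---- 507904 bytes [21:23 07/08/2008] [12:00 14/04/2008] 2327754D22033E7AEB84E0A68C0E5030
Searching for "explorer.exe"
C:\\WINDOWS\\explorer.exe --a---- 1033728 bytes [21:23 07/08/2008] [12:00 14/04/2008] 8C0E14A5E93B1C927C0EDEB1CD3C256D
-= EOF =-
"""
SIGCHECK_LOG = """\
Note: Unsigned files aren't necessarily malware.
[-] 2008-04-14 . 2327754D22033E7AEB84E0A68C0E5030 . 507904 . . [5.1.2600.5512] . . c:\\windows\\system32\\winlogon.exe
[-] 2008-04-14 . 8C0E14A5E93B1C927C0EDEB1CD3C256D . 1033728 . . [6.00.2900.5512] . . c:\\windows\\explorer.exe
"""
# CONSTRUCTED baseline with placeholder values: NOT the real size/MD5 of clean
# XP SP3 binaries.  Build a real one from a trusted clean installation.
BASELINE = {
    r"c:\windows\system32\winlogon.exe": (507904, "00000000000000000000000000000000"),
    r"c:\windows\explorer.exe": (1000000, "11111111111111111111111111111111"),
}

if __name__ == "__main__":
    records = parse_systemlook(SYSTEMLOOK_LOG) + parse_sigcheck(SIGCHECK_LOG)
    for path, verdict in sorted(compare_to_baseline(records, BASELINE).items()):
        print(f"{cross_check(records)[path]:<14} {verdict:<16} {path}")
```

A file whose size matches the baseline but whose hash does not, as winlogon.exe does here against the placeholder baseline, is the pattern a patched system binary leaves; a size change alone is already disqualifying.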


Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

File::
c:\windows\Sxarakecofezipah.bin
c:\documents and settings\All Users\Start Menu\Programs\Startup\Launch Whitesmoke Translator.lnk
c:\windows\pss\Launch Whitesmoke Translator.lnkCommon

Folder::
c:\program files\asksbar

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Launch Whitesmoke Translator.lnk]

Save this file to your desktop as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...


Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.


Here are the results. Just as a heads up, ComboFix at first wouldn't run, then it asked for an update (to which I said no since I had the antivirus turned off), then the screen froze on the C prompt. I restarted the computer and started over, and things seemed to work OK.

ComboFix 11-11-27.02 - kierstin english 12/01/2011 15:54:48.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.600 [GMT -8:00]

Running from: c:\documents and settings\kierstin english\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\kierstin english\Desktop\CFScript.txt

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

* Created a new restore point

.

FILE ::

"c:\documents and settings\All Users\Start Menu\Programs\Startup\Launch Whitesmoke Translator.lnk"

"c:\windows\pss\Launch Whitesmoke Translator.lnkCommon"

"c:\windows\Sxarakecofezipah.bin"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\asksbar

c:\program files\asksbar\bar\1.bin\A2FFXTBR.JAR

c:\program files\asksbar\bar\1.bin\A2FFXTBR.MANIFEST

c:\program files\asksbar\bar\1.bin\A2HIGHIN.EXE

c:\program files\asksbar\bar\1.bin\A2NTSTBR.JAR

c:\program files\asksbar\bar\1.bin\A2NTSTBR.MANIFEST

c:\program files\asksbar\bar\1.bin\A2PLUGIN.DLL

c:\program files\asksbar\bar\1.bin\NPASKSBR.DLL

c:\program files\asksbar\bar\Cache\0001BB9A

c:\program files\asksbar\bar\Cache\000272A5

c:\program files\asksbar\bar\Cache\000CF189.bin

c:\program files\asksbar\bar\Cache\000CF552.bin

c:\program files\asksbar\bar\Cache\000CFF16.bin

c:\program files\asksbar\bar\Cache\000D009D.bin

c:\program files\asksbar\bar\Cache\000D0233.bin

c:\program files\asksbar\bar\Cache\000D10AA.bin

c:\program files\asksbar\bar\Cache\000D1221.bin

c:\program files\asksbar\bar\Cache\000D13B7.bin

c:\program files\asksbar\bar\Cache\files.ini

c:\program files\asksbar\bar\History\search2

c:\program files\asksbar\bar\Settings\prevcfg2.htm

c:\program files\asksbar\SrchAstt\1.bin\A2SRCHAS.DLL

.

c:\windows\system32\winlogon.exe . . . is infected!!

.

c:\windows\explorer.exe . . . is infected!!

.

.

((((((((((((((((((((((((( Files Created from 2011-11-02 to 2011-12-02 )))))))))))))))))))))))))))))))

.

.

2011-11-27 18:31 . 2011-11-27 18:31 -------- d-----w- c:\documents and settings\kierstin english\Local Settings\Application Data\Mozilla

2011-11-27 17:53 . 2011-09-06 21:37 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-11-27 17:53 . 2011-09-06 21:36 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-11-27 17:53 . 2011-09-06 21:36 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-11-27 17:53 . 2011-09-06 21:38 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-11-27 17:53 . 2011-09-06 21:36 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-11-27 17:53 . 2011-09-06 21:36 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-11-27 17:53 . 2011-09-06 21:36 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-11-27 17:53 . 2011-09-06 21:33 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-11-27 17:53 . 2011-09-06 21:45 41184 ----a-w- c:\windows\avastSS.scr

2011-11-27 17:53 . 2011-09-06 21:45 199304 ----a-w- c:\windows\system32\aswBoot.exe

2011-11-27 17:53 . 2011-11-27 17:53 -------- d-----w- c:\program files\AVAST Software

2011-11-27 17:53 . 2011-11-27 17:53 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software

2011-11-27 17:03 . 2011-11-27 17:03 -------- d-----w- c:\documents and settings\kierstin english\Application Data\Malwarebytes

2011-11-27 17:03 . 2011-11-27 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-11-27 17:02 . 2011-11-27 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-27 17:02 . 2011-09-01 01:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-07 08:34 . 2008-08-08 18:09 15523560 ----a-w- c:\program files\U1 Setup.exe

2011-11-21 04:04 . 2011-11-27 18:30 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2008-04-14 . 2327754D22033E7AEB84E0A68C0E5030 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

.

[-] 2008-04-14 . 8C0E14A5E93B1C927C0EDEB1CD3C256D . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe

.

((((((((((((((((((((((((((((( SnapShot@2011-11-27_19.38.53 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-08-07 21:23 . 2011-12-01 23:27 53166 c:\windows\system32\perfc009.dat

- 2008-08-07 21:23 . 2011-11-27 19:08 53166 c:\windows\system32\perfc009.dat

+ 2008-08-07 21:23 . 2011-12-01 23:27 380918 c:\windows\system32\perfh009.dat

- 2008-08-07 21:23 . 2011-11-27 19:08 380918 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-09-06 21:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-24 104984]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-24 121368]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-24 100888]

"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-07-23 98304]

"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-07-23 479232]

"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]

"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2008-07-23 335872]

"RTHDCPL"="RTHDCPL.EXE" [2008-07-16 16806400]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SuperHybridEngine.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SuperHybridEngine.lnk

backup=c:\windows\pss\SuperHybridEngine.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^kierstin english^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\kierstin english\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2007-10-10 23:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2008-06-19 08:20 57344 ----a-w- c:\windows\Alcmtr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

2007-10-18 15:34 5724184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2009-09-11 00:07 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [11/27/2011 9:53 AM 442200]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/27/2011 9:53 AM 320856]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/27/2011 9:53 AM 20568]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/27/2011 9:03 AM 366152]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/27/2011 9:02 AM 22216]

.

Contents of the 'Scheduled Tasks' folder

.

2011-11-28 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 15:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\documents and settings\kierstin english\Application Data\Mozilla\Firefox\Profiles\s0goi6e6.default\

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

BHO-{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-01 16:08

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

C:\## aswSnx private storage

.

scan completed successfully

hidden files: 1

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3784)

c:\windows\system32\WININET.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVAST Software\Avast\AvastSvc.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\igfxext.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2011-12-01 16:12:38 - machine was rebooted

ComboFix-quarantined-files.txt 2011-12-02 00:12

ComboFix2.txt 2011-11-28 01:05

ComboFix3.txt 2011-11-27 19:43

.

Pre-Run: 52,965,351,424 bytes free

Post-Run: 52,966,735,872 bytes free

.

- - End Of File - - 9FF10BE66B177187401CA3E9EF07C0AF


We could also try an online scan.

http://www.eset.eu/online-scanner

Go here to run an online scanner from ESET.

Click the green ESET Online Scanner button.

Read the End User License Agreement and check the box: YES, I accept the Terms of Use.

Click on the Start button next to it.

You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.

A new window will appear asking "Do you want to install this software?".

Answer Yes to download and install the ActiveX controls that allow the scan to run.

Click Start.

Check Remove found threats and Scan potentially unwanted applications.

Click Scan to begin.

If offered the option to get information or buy software, just close the window.

Wait for the scan to finish

Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic.


Yikes. The ESET scan seems to have killed the computer. It found 14 infections (2 of which could not be removed). When prompted to restart, I did, but then I got the BSOD. It reads "the windows logon process system process terminated unexpectedly with a status of 0x00000000 0x00000000."

I tried restarting in safe mode, but the same thing happened.

(I'm writing from a different computer.)


After you start the Windows Recovery Console, you receive the following message:

Microsoft Windows® Recovery Console

The Recovery Console provides system repair and recovery functionality.

Type EXIT to quit the Recovery Console and restart the computer.

Which Windows Installation would you like to log on to

(To cancel, press ENTER)?

After you enter the number for the appropriate Windows installation, Windows will then prompt you to enter the Administrator account password.

Note: If you use an incorrect password three times, the Windows Recovery Console quits.

When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

If you have a dual-boot or multiple-boot computer, select the installation that you must access from the Recovery Console.

When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

At the command prompt, type the appropriate commands to diagnose and repair your Windows XP installation.

At the Windows prompt, type in: Fixboot and tap the Enter key.

Type in Exit and try to reboot normally.

If that doesn't work, go through the same steps but use: FIXMBR and tap the Enter key.

Type in Exit and try to reboot normally.


If it didn't ask for a password, that means there wasn't an Administrator password created.

At the Windows command prompt, type in: Fixboot and tap the Enter key.

Type in Exit and try to reboot normally.

If that doesn't work, go through the same steps but use: FIXMBR and tap the Enter key.

Type in Exit and try to reboot normally.


Tried both, but it didn't fix it. The FIXMBR command responded with something like "You have an improper boot installation . . . rewriting might make disk inaccessible . . . "

If I can locate an XP CD, is it possible to restore the info on the computer? Or is that just lost?


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
