My PC (Windows XP SP3) cannot get an IP address after removing malware with Malwarebytes.

I have tried all the basic fixes from various forums on the net run through the cmd prompt.

I am currently running ComboFix and will post the log when complete. Any help is appreciated.

ComboFix 11-12-24.10 - Sharad 12/25/2011 12:02:27.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.594 [GMT -5:00]

Running from: c:\documents and settings\Sharad\Desktop\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\Sharad\Application Data\Google Talk

c:\documents and settings\Sharad\Local Settings\Application Data\{C4E63F86-3D61-4596-A7A4-D4F67B74324C}

c:\documents and settings\Sharad\Local Settings\Application Data\{C4E63F86-3D61-4596-A7A4-D4F67B74324C}\chrome.manifest

c:\documents and settings\Sharad\Local Settings\Application Data\{C4E63F86-3D61-4596-A7A4-D4F67B74324C}\chrome\content\_cfg.js

c:\documents and settings\Sharad\Local Settings\Application Data\{C4E63F86-3D61-4596-A7A4-D4F67B74324C}\chrome\content\overlay.xul

c:\documents and settings\Sharad\Local Settings\Application Data\{C4E63F86-3D61-4596-A7A4-D4F67B74324C}\install.rdf

c:\windows\5714030

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_6TO4

-------\Legacy_ITLPERF

-------\Service_.afd

-------\Service_.mrxsmb

-------\Service_.netbt

-------\Service_.redbook

-------\Service_6to4

-------\Service_itlperf

.

.

((((((((((((((((((((((((( Files Created from 2011-11-25 to 2011-12-25 )))))))))))))))))))))))))))))))

.

.

2011-12-24 01:16 . 2001-08-18 03:36 7168 ----a-w- c:\windows\system32\dllcache\EXCH_snprfdll.dll

2011-12-24 01:16 . 2001-08-18 03:36 12288 ----a-w- c:\windows\system32\dllcache\EXCH_smtpctrs.dll

2011-12-24 01:14 . 2001-08-18 03:36 26112 ----a-w- c:\windows\system32\dllcache\EXCH_seos.dll

2011-12-24 01:14 . 2001-08-18 03:36 57856 ----a-w- c:\windows\system32\dllcache\EXCH_scripto.dll

2011-12-24 01:12 . 2001-08-18 03:36 23040 ----a-w- c:\windows\system32\dllcache\EXCH_regtrace.exe

2011-12-24 01:09 . 2001-08-18 03:36 38912 ----a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll

2011-12-24 01:06 . 2001-08-18 03:36 65536 ----a-w- c:\windows\system32\dllcache\EXCH_mailmsg.dll

2011-12-24 01:06 . 2008-04-14 01:11 48640 ----a-w- c:\windows\system32\dllcache\kdsui.dll

2011-12-24 01:06 . 2008-04-14 01:11 253952 ----a-w- c:\windows\system32\dllcache\kdsusd.dll

2011-12-24 01:06 . 2004-08-04 09:00 5632 ----a-w- c:\windows\system32\dllcache\kbdusa.dll

2011-12-24 01:04 . 2004-08-04 09:00 57398 ----a-w- c:\windows\system32\dllcache\imjpdadm.exe

2011-12-24 01:03 . 2001-08-17 18:28 488383 ----a-w- c:\windows\system32\dllcache\hsf_v124.sys

2011-12-24 01:02 . 2001-08-18 03:36 48128 ----a-w- c:\windows\system32\dllcache\hpgt33tk.dll

2011-12-24 01:01 . 2001-08-18 03:36 71680 ----a-w- c:\windows\system32\dllcache\fnfilter.dll

2011-12-24 01:00 . 2001-08-18 03:36 53248 ----a-w- c:\windows\system32\dllcache\eqndiag.exe

2011-12-24 00:59 . 2008-04-13 19:40 8320 ----a-w- c:\windows\system32\dllcache\dlttape.sys

2011-12-24 00:58 . 2001-08-17 18:50 14848 ----a-w- c:\windows\system32\dllcache\cyclom-y.sys

2011-12-24 00:57 . 2004-08-04 09:00 6656 ----a-w- c:\windows\system32\dllcache\c_is2022.dll

2011-12-24 00:56 . 2001-08-18 03:36 37376 ----a-w- c:\windows\system32\dllcache\atievxx.exe

2011-12-24 00:14 . 2011-12-24 00:14 58880 ----a-w- c:\windows\system32\takeown.exe

2011-12-24 00:14 . 2011-12-24 01:58 24576 ----a-w- c:\windows\system32\FoolishEventLogMsgHelper.dll

2011-12-23 04:14 . 2011-12-23 04:14 -------- d-----w- c:\windows\system32\wbem\Repository

2011-12-21 03:20 . 2011-12-21 03:20 -------- d-----w- c:\program files\Common Files\iS3

2011-12-18 18:08 . 2011-12-18 18:08 466944 ----a-w- c:\program files\Mozilla Firefox\plugins\NPcol400.dll

2011-12-18 18:08 . 2011-12-18 18:08 -------- d-----w- c:\documents and settings\Sharad\Application Data\Catalina Marketing Corp

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-23 13:25 . 2004-08-10 16:51 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-01 20:35 . 2004-08-10 16:51 667136 ----a-w- c:\windows\system32\wininet.dll

2011-11-01 20:35 . 2004-08-10 16:51 61952 ----a-w- c:\windows\system32\tdc.ocx

2011-11-01 20:35 . 2004-08-10 16:51 81920 ----a-w- c:\windows\system32\ieencode.dll

2011-11-01 16:07 . 2004-08-10 16:51 1288704 ----a-w- c:\windows\system32\ole32.dll

2011-11-01 15:02 . 2004-08-10 16:51 369664 ----a-w- c:\windows\system32\html.iec

2011-10-28 05:31 . 2004-08-10 16:50 33280 ----a-w- c:\windows\system32\csrsrv.dll

2011-10-25 13:37 . 2004-08-10 16:51 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-10-25 12:52 . 2004-08-04 02:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-10-22 18:52 . 2011-10-22 18:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-18 11:13 . 2004-08-10 16:51 186880 ----a-w- c:\windows\system32\encdec.dll

2011-10-10 14:22 . 2004-08-10 17:02 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06 . 2004-08-10 16:50 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-11-12 14:08 . 2011-06-15 20:18 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-09-06 21:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-04-06 26102056]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]

"PD0630 STISvc"="P0630Pin.dll" [2005-06-05 36864]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 49152]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]

"VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2011-02-01 206120]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]

.

c:\documents and settings\Sharad\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [6/15/2011 4:21 PM 442200]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/15/2011 4:21 PM 320856]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/15/2011 4:21 PM 20568]

R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [2/1/2011 4:54 AM 206120]

R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [2/1/2011 4:54 AM 185640]

R3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [12/11/2006 5:07 PM 91841]

R3 Pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [8/31/2007 2:57 PM 47360]

S0 esqeqsm;esqeqsm;c:\windows\system32\drivers\yllrhpue.sys --> c:\windows\system32\drivers\yllrhpue.sys [?]

S0 hssdir;hssdir;c:\windows\system32\drivers\luesj.sys --> c:\windows\system32\drivers\luesj.sys [?]

S0 nwkq;nwkq;c:\windows\system32\drivers\haoejbit.sys --> c:\windows\system32\drivers\haoejbit.sys [?]

S2 lzopdblj;Microsoft USB 2.0 Enhanced Host Controller Miniport Helper;c:\windows\System32\svchost.exe -k netsvcs [8/10/2004 11:51 AM 14336]

S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\system32\dllhost.exe [8/10/2004 11:50 AM 5120]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WUAUSERV

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

lzopdblj

.

Contents of the 'Scheduled Tasks' folder

.

2011-11-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

.

2011-12-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1198180736-3335217724-2756475252-1006Core.job

- c:\documents and settings\Sharad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-07 15:11]

.

2011-12-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1198180736-3335217724-2756475252-1006UA.job

- c:\documents and settings\Sharad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-07 15:11]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://finance.yahoo.com/

mStart Page = hxxp://www.dell.com

mSearch Bar = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

Trusted Zone: coned.com

FF - ProfilePath - c:\documents and settings\Sharad\Application Data\Mozilla\Firefox\Profiles\4fldf886.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://finance.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

FF - prefs.js: network.proxy.type - 4

FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

FF - user.js: yahoo.homepage.dontask - true

FF - user.js: network.proxy.type - 0

.

- - - - ORPHANS REMOVED - - - -

.

Notify-itlntfy - itlnfw32.dll

Notify-r - itlnfw32.dll

Notify-TPSvc - TPSvc.dll

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-25 12:24

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(1680)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\program files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

c:\windows\system32\igfxpph.dll

c:\windows\system32\hccutils.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVAST Software\Avast\AvastSvc.exe

c:\windows\System32\SCardSvr.exe

c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\windows\system32\RunDLL32.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Completion time: 2011-12-25 12:33:50 - machine was rebooted

ComboFix-quarantined-files.txt 2011-12-25 17:33

ComboFix2.txt 2011-04-03 15:05

.

Pre-Run: 13,935,808,512 bytes free

Post-Run: 13,924,532,224 bytes free

.

- - End Of File - - 48B013044BD1F67B9A8AAF5C58E2ADDC


If need be, download the tools needed to a flash drive or other USB device, and transfer them to the infected computer.

Please download, open, and run the QueryServices.bat inside the attached zip file and post back the NetworkDetails.txt file (as an attachment) that it will create in the root of the system drive.

GetNetworkInfo2.zip


See attached. Thanks.

Query Services version 2

...

[sC] GetServiceConfig SUCCESS

SERVICE_NAME: dhcp

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP : TDI

TAG : 0

DISPLAY_NAME : DHCP Client

DEPENDENCIES : Tcpip

: Afd

: NetBT

SERVICE_START_NAME : LocalSystem

SERVICE_NAME: dhcp

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 1 STOPPED

(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 1075 (0x433)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 0

FLAGS :

[sC] GetServiceConfig SUCCESS

SERVICE_NAME: TCPIP

TYPE : 1 KERNEL_DRIVER

START_TYPE : 1 SYSTEM_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : system32\DRIVERS\tcpip.sys

LOAD_ORDER_GROUP : PNP_TDI

TAG : 12

DISPLAY_NAME : TCP/IP Protocol Driver

DEPENDENCIES : IPSec

SERVICE_START_NAME :

SERVICE_NAME: TCPIP

TYPE : 1 KERNEL_DRIVER

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 0

FLAGS :

[sC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

[sC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.

[sC] GetServiceConfig SUCCESS

SERVICE_NAME: NetBT

TYPE : 1 KERNEL_DRIVER

START_TYPE : 1 SYSTEM_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : system32\DRIVERS\netbt.sys

LOAD_ORDER_GROUP : PNP_TDI

TAG : 14

DISPLAY_NAME : NetBios over Tcpip

DEPENDENCIES : Tcpip

SERVICE_START_NAME :

SERVICE_NAME: NetBT

TYPE : 1 KERNEL_DRIVER

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 0

FLAGS :

[sC] GetServiceConfig SUCCESS

SERVICE_NAME: NetBIOS

TYPE : 2 FILE_SYSTEM_DRIVER

START_TYPE : 1 SYSTEM_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : system32\DRIVERS\netbios.sys

LOAD_ORDER_GROUP : NetBIOSGroup

TAG : 1

DISPLAY_NAME : NetBIOS Interface

DEPENDENCIES :

SERVICE_START_NAME :

SERVICE_NAME: NetBIOS

TYPE : 2 FILE_SYSTEM_DRIVER

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 0

FLAGS :

[sC] GetServiceConfig SUCCESS

SERVICE_NAME: Lmhosts

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService

LOAD_ORDER_GROUP : TDI

TAG : 0

DISPLAY_NAME : TCP/IP NetBIOS Helper

DEPENDENCIES : NetBT

: Afd

SERVICE_START_NAME : NT AUTHORITY\LocalService

SERVICE_NAME: Lmhosts

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 1 STOPPED

(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 1075 (0x433)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 0

FLAGS :

[sC] GetServiceConfig SUCCESS

SERVICE_NAME: Dnscache

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k NetworkService

LOAD_ORDER_GROUP : TDI

TAG : 0

DISPLAY_NAME : DNS Client

DEPENDENCIES : Tcpip

SERVICE_START_NAME : NT AUTHORITY\NetworkService

SERVICE_NAME: Dnscache

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 1144

FLAGS :

NetworkDetails2.txt
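
In the query output above, dhcp and Lmhosts are STOPPED with WIN32_EXIT_CODE 1075 (ERROR_SERVICE_DEPENDENCY_DELETED: the dependency service does not exist or has been marked for deletion), while one of the sc qc calls failed with 1060 (the service is not installed). As an added example that is not part of this thread or of the QueryServices batch, the Python below parses output in that layout, merges each service's config and status blocks, and reports which direct dependency of each failing service has no record in the output; the sample input is constructed and abridged to the fields the parser reads.

```python
import re
from dataclasses import dataclass, field

ERROR_SERVICE_DOES_NOT_EXIST = 1060      # sc.exe prints "OpenService FAILED 1060"
ERROR_SERVICE_DEPENDENCY_DELETED = 1075  # "The dependency service does not exist or has been marked for deletion."

@dataclass
class ServiceInfo:
    name: str
    state: str = None        # STOPPED / RUNNING, from the `sc query` block
    exit_code: int = None    # WIN32_EXIT_CODE, from the `sc query` block
    dependencies: list = field(default_factory=list)  # DEPENDENCIES, from the `sc qc` block

def parse_sc_output(text):
    """Merge each service's `sc qc` and `sc query` blocks (keyed by lower-cased name)
    and count the `sc qc` calls that failed because the service is not installed."""
    services, current, in_deps, open_failures = {}, None, False, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fail = re.match(r"\[sc\]\s+OpenService FAILED (\d+)", line, re.I)
        if fail:  # the "EnumQueryServicesStatus:OpenService" repeat of the same failure is not counted
            open_failures += int(fail.group(1)) == ERROR_SERVICE_DOES_NOT_EXIST  # True counts as 1
            current, in_deps = None, False
            continue
        head = re.match(r"SERVICE_NAME:\s*(\S+)", line)
        if head:
            current = services.setdefault(head.group(1).lower(), ServiceInfo(head.group(1)))
            in_deps = False
            continue
        if current is None:
            continue
        if line.startswith("DEPENDENCIES"):
            in_deps = True
            first = line.partition(":")[2].strip()
            if first:
                current.dependencies.append(first)
        elif in_deps and line.startswith(":"):  # continuation line of a multi-value field
            current.dependencies.append(line[1:].strip())
        else:
            in_deps = False
            state = re.match(r"STATE\s*:\s*\d+\s+(\w+)", line)
            if state:
                current.state = state.group(1)
            elif line.startswith("WIN32_EXIT_CODE"):
                current.exit_code = int(re.search(r":\s*(\d+)", line).group(1))
    return services, open_failures

def diagnose(services):
    """For each service stopped with 1075, split its direct dependencies into those with
    a record in the output and those without (never queried, or not installed)."""
    findings = {}
    for svc in services.values():
        if svc.exit_code == ERROR_SERVICE_DEPENDENCY_DELETED:
            findings[svc.name] = {
                "present": [d for d in svc.dependencies if d.lower() in services],
                "not_in_output": [d for d in svc.dependencies if d.lower() not in services],
            }
    return findings

def common_missing(findings):
    """Dependencies absent for every failing service: the likeliest single root cause."""
    sets = [set(f["not_in_output"]) for f in findings.values()]
    return sorted(set.intersection(*sets)) if sets else []

# Constructed sample in the layout sc.exe prints, abridged to the fields parsed above.
SAMPLE = """\
SERVICE_NAME: dhcp
        DEPENDENCIES       : Tcpip
                           : Afd
                           : NetBT
        SERVICE_START_NAME : LocalSystem
SERVICE_NAME: dhcp
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1075  (0x433)
SERVICE_NAME: TCPIP
        DEPENDENCIES       : IPSec
SERVICE_NAME: TCPIP
        STATE              : 4  RUNNING
        WIN32_EXIT_CODE    : 0  (0x0)
[SC] OpenService FAILED 1060:
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:
SERVICE_NAME: NetBT
        DEPENDENCIES       : Tcpip
SERVICE_NAME: NetBT
        STATE              : 4  RUNNING
        WIN32_EXIT_CODE    : 0  (0x0)
SERVICE_NAME: Lmhosts
        DEPENDENCIES       : NetBT
                           : Afd
SERVICE_NAME: Lmhosts
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1075  (0x433)
"""

if __name__ == "__main__":
    svcs, not_installed = parse_sc_output(SAMPLE)
    print(not_installed, "queried service(s) not installed;", diagnose(svcs), common_missing(diagnose(svcs)))
```

A dependency listed under not_in_output is only known to be absent from the captured output; `sc qc <name>` on the host confirms whether it is actually installed.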


Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

Driver::
lzopdblj

NetSvc::
lzopdblj

Save this file to your desktop. Save it as "CFScript".

Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.


Computer is running okay but just searches for an IP and does not find anything. The only other thing I noticed is that the DVD drive is not being recognized. See log below.

ComboFix 11-12-24.10 - Sharad 12/30/2011 22:42:48.3.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.411 [GMT -5:00]

Running from: c:\documents and settings\Sharad\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Sharad\Desktop\CFScript.txt

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

- REDUCED FUNCTIONALITY MODE -

.

.

((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-31 )))))))))))))))))))))))))))))))

.

.

2011-12-24 01:16 . 2001-08-18 03:36 7168 ----a-w- c:\windows\system32\dllcache\EXCH_snprfdll.dll

2011-12-24 01:16 . 2001-08-18 03:36 12288 ----a-w- c:\windows\system32\dllcache\EXCH_smtpctrs.dll

2011-12-24 01:14 . 2001-08-18 03:36 26112 ----a-w- c:\windows\system32\dllcache\EXCH_seos.dll

2011-12-24 01:14 . 2001-08-18 03:36 57856 ----a-w- c:\windows\system32\dllcache\EXCH_scripto.dll

2011-12-24 01:12 . 2001-08-18 03:36 23040 ----a-w- c:\windows\system32\dllcache\EXCH_regtrace.exe

2011-12-24 01:09 . 2001-08-18 03:36 38912 ----a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll

2011-12-24 01:05 . 2004-08-04 09:00 9216 ----a-w- c:\windows\system32\dllcache\kbdnecat.dll

2011-12-24 01:04 . 2004-08-04 09:00 57398 ----a-w- c:\windows\system32\dllcache\imjpdadm.exe

2011-12-24 01:03 . 2001-08-17 18:28 488383 ----a-w- c:\windows\system32\dllcache\hsf_v124.sys

2011-12-24 01:02 . 2001-08-18 03:36 48128 ----a-w- c:\windows\system32\dllcache\hpgt33tk.dll

2011-12-24 01:01 . 2001-08-18 03:36 71680 ----a-w- c:\windows\system32\dllcache\fnfilter.dll

2011-12-24 01:00 . 2001-08-18 03:36 53248 ----a-w- c:\windows\system32\dllcache\eqndiag.exe

2011-12-24 00:59 . 2008-04-13 19:40 8320 ----a-w- c:\windows\system32\dllcache\dlttape.sys

2011-12-24 00:58 . 2001-08-17 18:50 14848 ----a-w- c:\windows\system32\dllcache\cyclom-y.sys

2011-12-24 00:57 . 2004-08-04 09:00 6656 ----a-w- c:\windows\system32\dllcache\c_is2022.dll

2011-12-24 00:56 . 2001-08-18 03:36 37376 ----a-w- c:\windows\system32\dllcache\atievxx.exe

2011-12-24 00:14 . 2011-12-24 00:14 58880 ----a-w- c:\windows\system32\takeown.exe

2011-12-24 00:14 . 2011-12-24 01:58 24576 ----a-w- c:\windows\system32\FoolishEventLogMsgHelper.dll

2011-12-23 04:14 . 2011-12-23 04:14 -------- d-----w- c:\windows\system32\wbem\Repository

2011-12-21 03:20 . 2011-12-21 03:20 -------- d-----w- c:\program files\Common Files\iS3

2011-12-18 18:08 . 2011-12-18 18:08 466944 ----a-w- c:\program files\Mozilla Firefox\plugins\NPcol400.dll

2011-12-18 18:08 . 2011-12-18 18:08 -------- d-----w- c:\documents and settings\Sharad\Application Data\Catalina Marketing Corp

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-23 13:25 . 2004-08-10 16:51 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-01 20:35 . 2004-08-10 16:51 667136 ----a-w- c:\windows\system32\wininet.dll

2011-11-01 20:35 . 2004-08-10 16:51 61952 ----a-w- c:\windows\system32\tdc.ocx

2011-11-01 20:35 . 2004-08-10 16:51 81920 ----a-w- c:\windows\system32\ieencode.dll

2011-11-01 16:07 . 2004-08-10 16:51 1288704 ----a-w- c:\windows\system32\ole32.dll

2011-11-01 15:02 . 2004-08-10 16:51 369664 ----a-w- c:\windows\system32\html.iec

2011-10-28 05:31 . 2004-08-10 16:50 33280 ----a-w- c:\windows\system32\csrsrv.dll

2011-10-25 13:37 . 2004-08-10 16:51 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-10-25 12:52 . 2004-08-04 02:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-10-22 18:52 . 2011-10-22 18:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-18 11:13 . 2004-08-10 16:51 186880 ----a-w- c:\windows\system32\encdec.dll

2011-10-10 14:22 . 2004-08-10 17:02 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-11-12 14:08 . 2011-06-15 20:18 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-09-06 21:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-04-06 26102056]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]

"PD0630 STISvc"="P0630Pin.dll" [2005-06-05 36864]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 49152]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]

"VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2011-02-01 206120]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]

.

c:\documents and settings\Sharad\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [6/15/2011 4:21 PM 442200]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/15/2011 4:21 PM 320856]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/15/2011 4:21 PM 20568]

R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [2/1/2011 4:54 AM 206120]

R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [2/1/2011 4:54 AM 185640]

R3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [12/11/2006 5:07 PM 91841]

R3 Pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [8/31/2007 2:57 PM 47360]

S0 esqeqsm;esqeqsm;c:\windows\system32\drivers\yllrhpue.sys --> c:\windows\system32\drivers\yllrhpue.sys [?]

S0 hssdir;hssdir;c:\windows\system32\drivers\luesj.sys --> c:\windows\system32\drivers\luesj.sys [?]

S0 nwkq;nwkq;c:\windows\system32\drivers\haoejbit.sys --> c:\windows\system32\drivers\haoejbit.sys [?]

S2 lzopdblj;Microsoft USB 2.0 Enhanced Host Controller Miniport Helper;c:\windows\System32\svchost.exe -k netsvcs [8/10/2004 11:51 AM 14336]

S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\system32\dllhost.exe [8/10/2004 11:50 AM 5120]

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

lzopdblj

.

Contents of the 'Scheduled Tasks' folder

.

2011-11-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

.

2011-12-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1198180736-3335217724-2756475252-1006Core.job

- c:\documents and settings\Sharad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-07 15:11]

.

2011-12-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1198180736-3335217724-2756475252-1006UA.job

- c:\documents and settings\Sharad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-07 15:11]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://finance.yahoo.com/

mStart Page = hxxp://www.dell.com

mSearch Bar = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

Trusted Zone: coned.com

FF - ProfilePath - c:\documents and settings\Sharad\Application Data\Mozilla\Firefox\Profiles\4fldf886.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://finance.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

FF - prefs.js: network.proxy.type - 4

FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

FF - user.js: yahoo.homepage.dontask - true

FF - user.js: network.proxy.type - 0

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-30 22:47

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(2724)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVAST Software\Avast\AvastSvc.exe

c:\windows\System32\SCardSvr.exe

c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\windows\system32\RunDLL32.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Completion time: 2011-12-30 22:55:58 - machine was rebooted

ComboFix-quarantined-files.txt 2011-12-31 03:55

ComboFix2.txt 2011-12-25 17:33

ComboFix3.txt 2011-04-03 15:05

.

Pre-Run: 14,287,896,576 bytes free

Post-Run: 14,278,844,416 bytes free

.

- - End Of File - - E36742BC17292C306B5B61F51AE566E2


WARNING! This fix has been made specifically for this user! If you are not this user, DO NOT run this fix, as you could seriously harm your computer. Take a few seconds extra to make a new thread, and get a fix created for you, rather than having to possibly reinstall your whole system!


We're not finished

If you don't have MBAM.

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad and if required the program will ask you to reboot to remove locked files.

Post the scan results using Copy/Paste


If it comes back clean, be sure to do this:

Good job

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

For Vista / Windows 7

  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is susceptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.
  • Using a secure browser plugin M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.
    • Free browser plug-in for Internet Explorer and Firefox
    • Real-time safety ratings
    • Ideal for Facebook, Twitter and LinkedIn
  • JAVA Click this link and click on the Free JAVA Download
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer always has the latest security updates available installed on your computer.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.

