Jump to content

ComboFix vs. MS AntiSpyware 2009


mby_hm
 Share

Recommended Posts

Hi,

I've been battling MSAS 2009 with multiple products for several days to no avail. There are several regkeys (e.g. HKCU/Software/CrucialSoft Ltd) that I cannot delete. I have even explicitly set permissions on the keys, but I still can't remove them.

I cannot access the internet. Trend Micro is also posting warnings that cftmon.exe and explorer.exe have been blocked due to "Program Library Injection."

After reading posts where people had similar symptoms, I ran ComboFix.exe. I've attached the log from CF as well as HijackThis.

Thanks in advance for your help.

Mike

ComboFix 09-02-05.01 - User 2009-02-05 20:07:50.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.665 [GMT -6:00]

Running from: c:\documents and settings\User\Desktop\ComboFix.exe

AV: Trend Micro AntiVirus *On-access scanning enabled* (Updated)

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\404Fix.exe

c:\windows\system32\Agent.OMZ.Fix.exe

c:\windows\system32\config\systemprofile\Application Data\rhcnd4j0etdg

c:\windows\system32\dumphive.exe

c:\windows\system32\IEDFix.C.exe

c:\windows\system32\IEDFix.exe

c:\windows\system32\o4Patch.exe

c:\windows\system32\Process.exe

c:\windows\system32\SrchSTS.exe

c:\windows\system32\tmp.reg

c:\windows\system32\VACFix.exe

c:\windows\system32\VCCLSID.exe

c:\windows\Temp\1454879362.exe

c:\windows\wiaserviv.log

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_TCPSR

-------\Legacy_TDSSSERV.SYS

-------\Service_Passthru

((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))

.

2009-02-03 21:44 . 2009-02-03 21:44 66,560 ---h----- c:\windows\system32\secupdat.dat

2009-01-07 08:50 . 2008-09-04 10:42 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

2009-01-07 08:50 . 2008-10-24 05:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

2009-01-07 08:50 . 2008-10-03 04:15 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-05 22:05 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater

2009-02-04 06:58 --------- d-----w c:\documents and settings\User\Application Data\MxBoost

2009-02-04 03:42 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-01-27 13:22 --------- d-----w c:\program files\World of Warcraft

2009-01-24 14:18 --------- d-----w c:\program files\SUPERAntiSpyware

2009-01-14 22:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-14 22:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-01-05 10:55 --------- d-----w c:\program files\Google

2008-12-17 04:11 --------- d-----w c:\program files\Spybot - Search & Destroy

2008-12-17 04:08 61,440 ----a-w c:\windows\system32\drivers\jqnjsum.sys

2008-12-17 04:08 1,088 ----a-w c:\program files\dvvxzq.txt

2008-12-17 03:46 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-16 04:14 --------- d-----w c:\program files\Maxthon2

2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys

.

------- Sigcheck -------

2002-09-03 13:57 29696 7cdcd4f11d3bed9054a1da40b9668497 c:\windows\$NtServicePackUninstall$\svchost.exe

2004-08-04 02:56 31232 21b60f5bc1519245d587a6d0bca03fd2 c:\windows\ServicePackFiles\i386\svchost.exe

2008-04-13 18:12 31232 3d1edaa9965550238f62c7b88a12ba2b c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\svchost.exe

2004-08-04 02:56 31232 afbc35b52a82d7f927ea2e8243857133 c:\windows\system32\svchost.exe

2004-08-04 02:56 1049088 a8f3fdfaa52b1680aa2fe7aa12fc0985 c:\windows\explorer.exe

2002-09-03 13:37 1020928 eb08474ae5819caca2be9457295f392b c:\windows\$NtServicePackUninstall$\explorer.exe

2004-08-04 02:56 1049088 6d069a0fc30a2e7d3374ef81386ba9e2 c:\windows\ServicePackFiles\i386\explorer.exe

2008-04-13 18:12 1050624 0c3fcb3f725024cccb4a2e67878eedc1 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe

2002-09-03 13:35 30208 98e3f3e8cbcd1e5781063accaf0fe570 c:\windows\$NtServicePackUninstall$\ctfmon.exe

2004-08-04 02:56 32256 cef733a2d6df2bab6c209153b25e45ad c:\windows\ServicePackFiles\i386\ctfmon.exe

2008-04-13 18:12 32256 3d50d7ed139a991037df7e01bb24299f c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ctfmon.exe

2004-08-04 02:56 32256 8c49f0a46851c9e3111537944c5cc3ac c:\windows\system32\ctfmon.exe

2002-09-03 13:57 68096 79a99d94fe1d87f6312ba3548f887e75 c:\windows\$NtServicePackUninstall$\spoolsv.exe

2004-08-04 02:56 74752 c5fec661b03987349c98423a78279f48 c:\windows\ServicePackFiles\i386\spoolsv.exe

2008-04-13 18:12 74752 4be76bc14f7b33fef4a3843038184dc7 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\spoolsv.exe

2004-08-04 02:56 74752 ed401ec29d24726c76b4971b06703788 c:\windows\system32\spoolsv.exe

2002-09-03 14:00 38912 ee50cb2cf65b9edd313008b3f01111f3 c:\windows\$NtServicePackUninstall$\userinit.exe

2004-08-04 02:56 41472 f52e85185c89192e3a8337c73f7869e1 c:\windows\ServicePackFiles\i386\userinit.exe

2008-04-13 18:12 43008 aef39fdc78b1b8c32e4a6bd7f7e94b6b c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\userinit.exe

2004-08-04 02:56 41472 636e5a0a2ba5882230e9c11f2bee561a c:\windows\system32\userinit.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-24 1850608]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 32256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-07-15 81920]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2003-03-08 208896]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-01-14 399504]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-01-02 09:39 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Cgl72.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lqu04.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Mrv72.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-08-30 28544]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-05-28 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-05-28 55024]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2008-08-29 170640]

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-08-31 52240]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-02-15 36368]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-08-29 15504]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-05-28 7408]

R3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2008-08-31 648456]

S0 Cgl72;Cgl72;c:\windows\system32\Drivers\Cgl72.sys --> c:\windows\system32\Drivers\Cgl72.sys [?]

S0 Lqu04;Lqu04;c:\windows\system32\Drivers\Lqu04.sys --> c:\windows\system32\Drivers\Lqu04.sys [?]

S0 Mrv72;Mrv72;c:\windows\system32\Drivers\Mrv72.sys --> c:\windows\system32\Drivers\Mrv72.sys [?]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-windpipe - c:\documents and settings\User\Application Data\Google\fhexj6825097.exe

HKU-Default-Run-tjytqotn.exe - c:\windows\tjytqotn.exe

SafeBoot-ecofdjtt.sys

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\rxtstq7s.default\

FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-05 20:12:37

Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:

ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3458104535-1627790608-1016251302-1003\Software\CrucialSoft Ltd\MS AntiSpyware 2009\5.7]

@DACL=(02 0000)

"Start Counter"=dword:00000001

"InstallTime"=hex:a5,9d,86,a8,f1,74,e3,40

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

"Installed"="1"

@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

"NoChange"="1"

"Installed"="1"

@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

"Installed"="1"

@=""

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(372)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe

c:\program files\Trend Micro\Internet Security\SfCtlCom.exe

c:\program files\Trend Micro\BM\TMBMSRV.exe

.

**************************************************************************

.

Completion time: 2009-02-05 20:14:24 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-06 02:14:20

Pre-Run: 11,741,511,680 bytes free

Post-Run: 11,737,538,560 bytes free

180 --- E O F --- 2009-01-14 19:09:11

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:18:57, on 2/5/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

C:\Program Files\Trend Micro\BM\TMBMSRV.exe

C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Documents and Settings\User\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [ufSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--

End of file - 4108 bytes

Link to post
Share on other sites

  • Root Admin

STEP 1

Download but do not yet run ComboFix

Please delete your previous version of Combofix.exe, and download a NEW fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

Driver::
Cgl72
Lqu04
Mrv72

File::
c:\windows\system32\Drivers\Cgl72.sys
c:\windows\system32\Drivers\Lqu04.sys
c:\windows\system32\Drivers\Mrv72.sys

RegLock::
[HKEY_USERS\S-1-5-21-3458104535-1627790608-1016251302-1003\Software\CrucialSoft Ltd\MS AntiSpyware 2009\5.7]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Cgl72.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lqu04.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Mrv72.sys]
[-HKEY_USERS\S-1-5-21-3458104535-1627790608-1016251302-1003\Software\CrucialSoft Ltd\MS AntiSpyware 2009\5.7]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click Format and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: CFscript.txt .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

STEP 2

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot run HJT Do a system scan and save a logfile

The post back NEW MBAM and HJT logs in that order please.

Link to post
Share on other sites

I followed the instructions and ComboFix is hanging. The first time it ran for about an hour, and I ended up doing a hard reboot.

I double-checked that I'd copied the text exactly and that all anti-virus and anti-malware software was deactivated. I dragged the cfscript file on to ComboFix.exe about two hours ago and it's still running - never gets past saying that it typically takes 10 minutes, but scan times for infected machines may double. I can't do anything else but a hard reboot, Ctrl+Alt+Del included.

I don't know if this is relevent, but the instructions said to allow the restore, which I couldn't do because I had disconnected the internet (and wouldn't have worked even if it wasn't disconnected since MSAS has blocked my access).

Please let me know what I should try next.

Thanks,

Mike

Link to post
Share on other sites

UPDATE: I could not find the .sys files referenced in the cfscript.txt file on my system, so I tried deleting them and running combofix with the script file only including the reg entries. It ran that time.

After I rebooted, I still could not access MB updates - the Current db information is 1/14/2009, v1654. I ran it regardless, and attached are the combofix and MBAM logs.

Thanks!

ComboFix 09-02-05.02 - User 2009-02-06 18:43:43.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.705 [GMT -6:00]

Running from: c:\documents and settings\User\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\User\Desktop\cfscript.txt

AV: Trend Micro AntiVirus *On-access scanning enabled* (Updated)

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2009-01-07 to 2009-02-07 )))))))))))))))))))))))))))))))

.

2009-02-03 21:44 . 2009-02-03 21:44 66,560 ---h----- c:\windows\system32\secupdat.dat

2009-01-07 08:50 . 2008-09-04 10:42 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

2009-01-07 08:50 . 2008-10-24 05:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

2009-01-07 08:50 . 2008-10-03 04:15 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-06 23:12 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater

2009-02-04 06:58 --------- d-----w c:\documents and settings\User\Application Data\MxBoost

2009-02-04 03:42 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-01-27 13:22 --------- d-----w c:\program files\World of Warcraft

2009-01-24 14:18 --------- d-----w c:\program files\SUPERAntiSpyware

2009-01-14 22:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-14 22:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-01-05 10:55 --------- d-----w c:\program files\Google

2008-12-17 04:11 --------- d-----w c:\program files\Spybot - Search & Destroy

2008-12-17 04:08 61,440 ----a-w c:\windows\system32\drivers\jqnjsum.sys

2008-12-17 04:08 1,088 ----a-w c:\program files\dvvxzq.txt

2008-12-17 03:46 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-16 04:14 --------- d-----w c:\program files\Maxthon2

2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys

.

------- Sigcheck -------

2002-09-03 13:57 29696 7cdcd4f11d3bed9054a1da40b9668497 c:\windows\$NtServicePackUninstall$\svchost.exe

2004-08-04 02:56 31232 21b60f5bc1519245d587a6d0bca03fd2 c:\windows\ServicePackFiles\i386\svchost.exe

2008-04-13 18:12 31232 3d1edaa9965550238f62c7b88a12ba2b c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\svchost.exe

2004-08-04 02:56 31232 afbc35b52a82d7f927ea2e8243857133 c:\windows\system32\svchost.exe

2004-08-04 02:56 1049088 a8f3fdfaa52b1680aa2fe7aa12fc0985 c:\windows\explorer.exe

2002-09-03 13:37 1020928 eb08474ae5819caca2be9457295f392b c:\windows\$NtServicePackUninstall$\explorer.exe

2004-08-04 02:56 1049088 6d069a0fc30a2e7d3374ef81386ba9e2 c:\windows\ServicePackFiles\i386\explorer.exe

2008-04-13 18:12 1050624 0c3fcb3f725024cccb4a2e67878eedc1 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe

2002-09-03 13:35 30208 98e3f3e8cbcd1e5781063accaf0fe570 c:\windows\$NtServicePackUninstall$\ctfmon.exe

2004-08-04 02:56 32256 cef733a2d6df2bab6c209153b25e45ad c:\windows\ServicePackFiles\i386\ctfmon.exe

2008-04-13 18:12 32256 3d50d7ed139a991037df7e01bb24299f c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ctfmon.exe

2004-08-04 02:56 32256 8c49f0a46851c9e3111537944c5cc3ac c:\windows\system32\ctfmon.exe

2002-09-03 13:57 68096 79a99d94fe1d87f6312ba3548f887e75 c:\windows\$NtServicePackUninstall$\spoolsv.exe

2004-08-04 02:56 74752 c5fec661b03987349c98423a78279f48 c:\windows\ServicePackFiles\i386\spoolsv.exe

2008-04-13 18:12 74752 4be76bc14f7b33fef4a3843038184dc7 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\spoolsv.exe

2004-08-04 02:56 74752 ed401ec29d24726c76b4971b06703788 c:\windows\system32\spoolsv.exe

2002-09-03 14:00 38912 ee50cb2cf65b9edd313008b3f01111f3 c:\windows\$NtServicePackUninstall$\userinit.exe

2004-08-04 02:56 41472 f52e85185c89192e3a8337c73f7869e1 c:\windows\ServicePackFiles\i386\userinit.exe

2008-04-13 18:12 43008 aef39fdc78b1b8c32e4a6bd7f7e94b6b c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\userinit.exe

2004-08-04 02:56 41472 636e5a0a2ba5882230e9c11f2bee561a c:\windows\system32\userinit.exe

.

((((((((((((((((((((((((((((( SnapShot@2009-02-05_20.13.29.25 )))))))))))))))))))))))))))))))))))))))))

.

- 2005-10-21 02:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE

+ 2005-10-21 02:02:28 183,808 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE

- 2005-10-21 02:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE

+ 2005-10-21 02:02:28 183,808 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE

- 2009-02-06 02:11:46 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-02-07 00:46:41 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-02-06 02:11:46 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-02-07 00:46:41 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-02-06 02:11:46 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-02-07 00:46:41 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-24 1850608]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 32256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-07-15 81920]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2003-03-08 208896]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-01-14 399504]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-01-02 09:39 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-08-30 28544]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-05-28 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-05-28 55024]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2008-08-29 170640]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-02-15 36368]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-08-29 15504]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-05-28 7408]

S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-08-31 52240]

S3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2008-08-31 648456]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\rxtstq7s.default\

FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-06 18:47:12

Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:

ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(372)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe

.

**************************************************************************

.

Completion time: 2009-02-06 18:49:01 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-07 00:48:51

ComboFix2.txt 2009-02-07 00:39:55

ComboFix3.txt 2009-02-07 00:06:00

ComboFix4.txt 2009-02-06 02:14:25

Pre-Run: 11,638,607,872 bytes free

Post-Run: 11,626,938,368 bytes free

141 --- E O F --- 2009-01-14 19:09:11

Malwarebytes' Anti-Malware 1.33

Database version: 1654

Windows 5.1.2600 Service Pack 2

2/6/2009 6:53:46 PM

mbam-log-2009-02-06 (18-53-46).txt

Scan type: Quick Scan

Objects scanned: 45066

Time elapsed: 1 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

FURTHER UPDATE: using SubInACL, I was able to reset permissions on the pernicious regkeys and delete them. Now my only remaining problem seems to be that I can't access the internet. When I try, Trend Micro bocks it with the messgae that iexplore.exe has a Program Library Injection.

Attached is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:04:06, on 2/6/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

C:\Program Files\Trend Micro\BM\TMBMSRV.exe

C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\User\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [ufSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--

End of file - 4131 bytes

Link to post
Share on other sites

  • Root Admin

Okay Mike, thanks for the follow-up. Take a look at this other information which may help to keep you from getting in that boat again.

I'll close your post soon so that other don't post into it and leave you with this information and suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.

  • Click the System Restore tab.

  • Check Turn off System Restore.

  • Click Apply, and then click OK.

  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.

  • Click the System Restore tab.

  • UN-Check *Turn off System Restore*.

  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster

Download it from
here

Find here the tutorial on how to use Spyware Blaster
here

Install WinPatrol

Download it from
here

Here you can find information about how WinPatrol works
here

Install FireTrust SiteHound

You can find information and download it from
here

Install hpHosts

Download it from
here

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad,

tracking and malicious websites. This prevents your computer from connecting to these untrusted sites

by redirecting them to 127.0.0.1 which is your own local computer.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Visit Microsoft often to get the latest updates for your computer.

Note 1:

If you are running Windows XP
SP2
, you should upgrade to
SP3
.

Note 2:

Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.

The security suite can then be reinstalled afterwards.

The windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must.

I recommend
Online Armor Free

A little outdated but good reading on

how to prevent Malware

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you
Fully Understand

how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting
Pre- HJT Post Instructions

Also don't forget that we offer
FREE
assistance with General PC questions and repair here
PC Help

If you're pleased with the product
Malwarebytes
and the service provided you, please let your friends, family, and co-workers know.
http://www.malwarebytes.org

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.