
Help! I've tried everything!!!



I'm cleaning a PC for a friend that wasn't very descriptive of what he got into... So through my normal process I built a new Ultimate Boot CD For Windows with all the latest anti-virus and anti-spyware definitions and scanned the hell out of it with everything: Malwarebytes, SuperAntiSpyware, EZPCFix, Spybot Search & Destroy, virus cleaners etc. I kept running the scans until they came up clean. Next I scanned it with Trend Micro's Sysclean package, once from UBCD4WIN and once from Safe Mode, both times came up clean. I thought I was all set at this point so I booted normally, uninstalled/reinstalled and updated all protection software... AVG Free 8.5, Windows Defender, Malwarebytes. I also logged into each account and ran CCleaner. I tried running Windows Updates, which ran, but the updates failed to install. Not a big deal, I'll deal with that later. Now when I try to run any executable/anti-malware/virus app, it opens, allows me to select what to scan, hit the scan button then "poof" it's gone, no process in Task Manager, nothing. This happens for Malwarebytes, Autoruns, Combofix, etc. in Safe Mode and normal mode. I've tried renaming the files to "whatever.exe, whatever.scr, whatever.bat", doesn't matter, they still won't run. The really weird thing is when you go into the properties of the executable (like mbam.exe) the property tabs now look like it's a DOS app with a "Program" tab, "Memory" tab, etc. and in the Security tab the only object in the ACL is "Everyone" so when you try to double click on the .exe you get a Windows error to the effect of Access Denied or Can't Find File because the security has changed. To get around that I would add the user account I'm logged into to the ACL and it would allow me to run the executable but it still disappears after a few seconds.

I'm not getting any pop-ups from any rogue apps and no browser hijacks are happening so it seems I have made some progress but not enough. With the current condition of the machine I'm unable to run HijackThis (I tried) to generate a log file. I've been following suggestions from this forum and a good post on malware removal on majorgeeks to no avail. My next step (when I get back to my workbench) is to run EZPCFix and other registry cleaners from UBCD4WIN to see if I can identify what's killing these executables/processes or pull the drive and slave it in another PC to see what will run on it. I'm trying to avoid having to reload the OS as they have a lot of software on the box and this is for a friend so no "payment" has been discussed (yet). Although time-wise I could've reloaded the OS 3 times over by now!

Any help on this would be greatly appreciated. If someone can get me to the point of getting a successful HJ log I know I can get rid of this!


Hi tbeish, Welcome to Malwarebytes :(

Step #1

We need to check for rootkits with RootRepeal.

1. Download RootRepeal from the following location and save it to your desktop.
2. Rar Mirrors - Only if you know what a RAR is and can extract it.
3. Extract RootRepeal.exe from the archive.
4. Open RootRepeal on your desktop.
5. Click the Report tab.
6. Click the Scan button.
7. Check all seven boxes.
8. Push Ok.
9. Check the box for your main system drive (usually C:), and press Ok.
10. Allow RootRepeal to run a scan of your system. This may take some time.
11. Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Step #2

Please download Win32kDiag.exe by AD to the desktop. Double click on it. It will run a diagnostic and produce a report on the desktop. Post that report in your next reply.


Thanks. Here are some logs of the fixes I've been able to run successfully...

ComboFix 09-08-19.0C - Dickie 08/20/2009 17:34.1.1 - NTFSx86

Running from: c:\documents and settings\Dickie\Desktop\Combo-Fix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Carise\Application Data\alot

c:\documents and settings\Darien\Application Data\alot

c:\windows\Installer\24234c.msi

c:\windows\Installer\24234d.msp

c:\windows\Installer\24234e.msp

c:\windows\Installer\24234f.msp

c:\windows\Installer\242350.msp

c:\windows\Installer\242351.msp

c:\windows\Installer\242352.msp

c:\windows\Installer\242353.msp

c:\windows\Installer\242354.msp

c:\windows\Installer\242355.msp

c:\windows\Installer\5144c.msp

c:\windows\Installer\5144d.msp

c:\windows\Installer\5144e.msp

c:\windows\Installer\5144f.msp

c:\windows\Installer\51450.msp

c:\windows\Installer\51451.msp

c:\windows\Installer\51452.msp

c:\windows\Installer\51453.msp

c:\windows\Installer\51454.msp

c:\windows\Installer\51455.msp

c:\windows\ppp3.dat

c:\windows\ppp4.dat

c:\windows\system32\sysnet.dat

Infected copy of c:\windows\system32\scecli.dll was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\scecli.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-07-20 to 2009-08-20 )))))))))))))))))))))))))))))))

.

2009-08-20 11:47 . 2009-08-20 11:47 -------- d--h--w- C:\$AVG8.VAULT$

2009-08-18 18:00 . 2009-08-18 18:00 -------- d-----w- c:\documents and settings\todd\Application Data\Malwarebytes

2009-08-18 04:09 . 2009-08-18 04:10 94701 ----a-w- C:\MGlogs.zip

2009-08-17 21:33 . 2009-08-18 04:10 -------- d-----w- C:\MGtools

2009-08-17 20:23 . 2009-08-18 03:55 117760 ----a-w- c:\documents and settings\Dickie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-08-17 20:23 . 2009-08-17 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-08-17 20:22 . 2009-08-17 20:22 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-08-17 20:22 . 2009-08-17 20:22 -------- d-----w- c:\documents and settings\Dickie\Application Data\SUPERAntiSpyware.com

2009-08-17 20:22 . 2009-08-17 20:22 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-08-17 18:23 . 2009-08-17 18:23 -------- d--h--w- c:\windows\PIF

2009-08-16 20:22 . 2009-08-16 20:22 -------- d-----w- c:\documents and settings\Carise\Application Data\Malwarebytes

2009-08-16 20:22 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-16 20:22 . 2009-08-18 17:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-16 20:22 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-16 20:20 . 2009-08-16 20:20 -------- d-----w- c:\program files\Windows Defender

2009-08-16 20:18 . 2009-08-16 20:18 -------- d-----w- c:\documents and settings\Carise\Application Data\Canneverbe_Limited

2009-08-16 20:18 . 2009-08-16 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited

2009-08-16 20:17 . 2009-08-16 20:17 -------- d-----w- c:\program files\CDBurnerXP

2009-08-16 20:13 . 2009-08-16 20:13 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-16 20:13 . 2009-08-16 20:13 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-08-16 20:13 . 2009-08-16 20:13 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-16 20:13 . 2009-08-16 20:13 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-16 20:13 . 2009-08-18 17:42 -------- d-----w- c:\windows\system32\drivers\Avg

2009-08-16 20:13 . 2009-08-16 20:13 -------- d-----w- c:\program files\AVG

2009-08-16 20:13 . 2009-08-16 20:13 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-08-16 19:01 . 2009-08-16 19:02 -------- d-----w- c:\program files\QuickTime

2009-08-16 19:00 . 2009-08-16 19:00 -------- d-----w- c:\program files\IrfanView

2009-08-16 18:59 . 2009-08-16 18:59 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-08-16 18:58 . 2009-08-16 18:58 -------- d-----w- c:\documents and settings\Carise\Application Data\vlc

2009-08-16 18:57 . 2009-08-16 18:57 -------- d-----w- c:\program files\VideoLAN

2009-08-16 18:57 . 2009-08-16 18:57 -------- d-----w- c:\documents and settings\Carise\Application Data\ImgBurn

2009-08-16 18:57 . 2009-08-16 18:57 -------- d-----w- c:\program files\ImgBurn

2009-08-16 18:56 . 2009-08-16 18:56 -------- d-----w- c:\program files\Defraggler

2009-08-16 18:45 . 2009-08-16 18:45 -------- d-----w- c:\program files\CCleaner

2009-08-16 05:40 . 2009-08-16 05:40 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-08-16 00:28 . 2009-08-16 18:21 -------- d-----w- C:\sysclean

2009-08-12 21:55 . 2009-08-12 21:55 -------- d-----w- c:\windows\Recent

2009-08-11 02:39 . 2009-08-11 02:39 19857 ----a-w- c:\documents and settings\Dickie\Application Data\omehara.scr

2009-08-11 02:39 . 2009-08-11 02:39 17505 ----a-w- c:\windows\system32\yvovinos.pif

2009-08-11 02:39 . 2009-08-11 02:39 15373 ----a-w- c:\windows\kisofibed.sys

2009-08-11 02:39 . 2009-08-11 02:39 13998 ----a-w- c:\documents and settings\Dickie\Local Settings\Application Data\akujoty.bin

2009-08-11 02:39 . 2009-08-11 02:39 13989 ----a-w- c:\windows\guvi.exe

2009-08-11 02:39 . 2009-08-11 02:39 13873 ----a-w- c:\windows\iqejuhap.bin

2009-08-11 02:39 . 2009-08-11 02:39 12676 ----a-w- c:\program files\Common Files\irasetak.bin

2009-08-11 02:39 . 2009-08-11 02:39 12331 ----a-w- c:\windows\yqiqy.com

2009-08-11 02:13 . 2009-08-11 02:13 19499 ----a-w- c:\windows\qodyw.bin

2009-08-11 02:13 . 2009-08-11 02:13 19022 ----a-w- c:\documents and settings\Dickie\Local Settings\Application Data\ibyvemaly.vbs

2009-08-11 02:13 . 2009-08-11 02:13 18001 ----a-w- c:\documents and settings\Dickie\Local Settings\Application Data\idac.com

2009-08-11 02:13 . 2009-08-11 02:13 17083 ----a-w- c:\windows\ebirixora.com

2009-08-11 02:13 . 2009-08-11 02:13 16295 ----a-w- c:\documents and settings\All Users\Application Data\iveceneq.com

2009-08-11 02:13 . 2009-08-11 02:13 15222 ----a-w- c:\windows\tegitaked.scr

2009-08-11 02:13 . 2009-08-11 02:13 15163 ----a-w- c:\windows\ymuqenoxej.bin

2009-08-11 02:13 . 2009-08-11 02:13 15059 ----a-w- c:\windows\system32\emapot.sys

2009-08-11 02:13 . 2009-08-11 02:13 12560 ----a-w- c:\windows\system32\roganylyz.dat

2009-08-11 02:13 . 2009-08-11 02:13 11485 ----a-w- c:\program files\Common Files\fowosydoge.com

2009-08-03 00:10 . 2009-08-03 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Spyware

2009-08-03 00:06 . 2009-08-03 00:07 -------- d-----w- c:\documents and settings\Dickie\Application Data\DriverCure

2009-08-03 00:06 . 2009-08-03 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure

2009-08-03 00:06 . 2009-08-03 00:06 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-16 20:16 . 2007-01-06 20:34 -------- d-----w- c:\program files\Common Files\Adobe

2009-08-16 18:59 . 2007-01-06 20:33 -------- d-----w- c:\program files\Java

2009-08-16 18:37 . 2007-01-06 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint

2009-08-11 04:08 . 2008-07-13 22:45 0 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\prvlcl.dat

2009-08-11 02:39 . 2009-08-11 02:39 15609 ----a-w- c:\program files\Common Files\ahuqykebav._sy

2009-08-09 13:19 . 2007-01-06 20:33 -------- d-----w- c:\program files\Mozilla Thunderbird

2009-08-01 17:31 . 2008-11-14 04:05 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM

2009-07-20 18:59 . 2007-06-24 00:09 -------- d-----w- c:\documents and settings\Darien\Application Data\LimeWire

2009-07-14 03:43 . 2004-08-04 04:56 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2004-08-04 04:56 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-16 14:36 . 2004-08-04 04:56 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2001-08-23 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-03 19:09 . 2004-08-04 04:56 1291264 ----a-w- c:\windows\system32\quartz.dll

2007-06-21 23:38 . 2007-06-21 23:38 30280 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2007-06-21 23:38 . 2007-06-21 23:38 79432 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2007-06-21 23:38 . 2007-06-21 23:38 71240 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2007-06-21 23:38 . 2007-06-21 23:38 140872 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2007-06-21 23:39 . 2007-06-21 23:39 38472 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2007-06-21 23:39 . 2007-06-21 23:39 46664 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2007-06-21 23:39 . 2007-06-21 23:39 34376 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll

2007-06-21 23:39 . 2007-06-21 23:39 685640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2007-06-21 23:40 . 2007-06-21 23:40 30280 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-02-27 135168]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-04 1848648]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-16 2007832]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2007-01-06 53248]

"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-16 20:13 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 df88fa6f;df88fa6f;c:\windows\System32\drivers\df88fa6f.sys [x]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-08-16 908056]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]

R3 PortlUSB;PortlUSB;c:\windows\system32\DRIVERS\SiriusUSB.sys [2005-09-03 7552]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-08-05 7408]

R3 utexnjq5;AVZ Kernel Driver;c:\windows\system32\Drivers\utexnjq5.sys [x]

S0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\DRIVERS\xfilt.sys [2006-02-23 11264]

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-16 335240]

S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-08-16 108552]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-08-05 9968]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-08-05 74480]

S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-16 297752]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-05 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.google.com

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Dickie\Application Data\Mozilla\Firefox\Profiles\t6mf1e5h.default\

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-20 17:39

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3056)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Canon\IJPLM\ijplmsvc.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\CDBurnerXP\NMSAccessU.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-08-20 17:43 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-20 21:43

Pre-Run: 135,463,813,120 bytes free

Post-Run: 135,388,782,592 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

[spybotsd]

timeout.old=5

330 --- E O F --- 2009-08-20 17:38

Win32kDiag.txt

RootRepeal_report_08_20_09__18_34_43_.txt

ComboFix.txt

mbam_log_2009_08_20__19_22_59_.txt

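The helper's CFScript further down picks out the random-named files and the missing-file driver from the ComboFix log above by hand. As an added example (not ComboFix's own logic and not anything posted in this thread), the Python below does that first-pass triage over an excerpt of the log: it parses the "Files Created" lines and the driver/service lines, flags freshly dropped files with random lowercase names and script/executable extensions in common drop directories, groups them into same-minute bursts, and lists drivers whose file is missing ([x]). The drop-directory list, extension set and name pattern are assumptions tuned to this log, and a missing-file driver can also be a scanner leftover (the log itself labels utexnjq5 as the AVZ driver), so the output is a review list for a human, not a removal list.

```python
import re
from collections import defaultdict

# Excerpt of the ComboFix log posted earlier in this thread, trimmed for the demo.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-07-20 to 2009-08-20 )))))))))))))))))))))))))))))))
.
2009-08-16 20:22 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-16 20:13 . 2009-08-16 20:13 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-16 20:20 . 2009-08-16 20:20 -------- d-----w- c:\program files\Windows Defender
2009-08-11 02:39 . 2009-08-11 02:39 17505 ----a-w- c:\windows\system32\yvovinos.pif
2009-08-11 02:39 . 2009-08-11 02:39 15373 ----a-w- c:\windows\kisofibed.sys
2009-08-11 02:39 . 2009-08-11 02:39 13989 ----a-w- c:\windows\guvi.exe
2009-08-11 02:13 . 2009-08-11 02:13 19022 ----a-w- c:\documents and settings\Dickie\Local Settings\Application Data\ibyvemaly.vbs
2009-08-11 02:13 . 2009-08-11 02:13 11485 ----a-w- c:\program files\Common Files\fowosydoge.com
.
R1 df88fa6f;df88fa6f;c:\windows\System32\drivers\df88fa6f.sys [x]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 utexnjq5;AVZ Kernel Driver;c:\windows\system32\Drivers\utexnjq5.sys [x]
"""

# "created . modified size attributes path" lines of the Files Created / Find3M sections.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)
# Driver/service lines; a trailing "[x]" means ComboFix found no file on disk for the driver.
DRIVER_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?) \[x\]$"
)

# Assumptions tuned to this log: where the dropper wrote, what it wrote, how it named files.
DROP_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\program files\common files"}
SUSPICIOUS_EXT = {"pif", "scr", "com", "bin", "vbs", "sys", "dat", "exe", "bat"}
RANDOM_STEM = re.compile(r"^[a-z]{4,12}$")   # pronounceable junk names, letters only


def split_path(path):
    """Return (directory, stem, extension), all lower-cased, for a Windows path."""
    directory, _, name = path.lower().rpartition("\\")
    if "." in name:
        stem, ext = name.rsplit(".", 1)
    else:
        stem, ext = name, ""
    return directory, stem, ext


def is_drop_location(directory):
    # Either a well-known system directory or the top of some profile's Application Data.
    return directory in DROP_DIRS or directory.endswith("\\application data")


def suspicious_file(entry):
    if entry["attrs"].startswith("d"):           # directories are never flagged
        return False
    if entry["created"] != entry["modified"]:    # updated pre-existing file, e.g. a vendor driver
        return False
    directory, stem, ext = split_path(entry["path"])
    return (ext in SUSPICIOUS_EXT
            and is_drop_location(directory)
            and RANDOM_STEM.match(stem) is not None)


def parse_log(text):
    files, missing_drivers = [], []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            files.append(m.groupdict())
            continue
        m = DRIVER_RE.match(line.strip())
        if m:
            missing_drivers.append(m.groupdict())
    return files, missing_drivers


def triage(text):
    files, missing_drivers = parse_log(text)
    flagged = [f for f in files if suspicious_file(f)]
    by_minute = defaultdict(list)
    for f in flagged:
        by_minute[f["created"]].append(f["path"])
    return {
        "flagged": [f["path"] for f in flagged],
        # several drops in the same minute are one installer run, not coincidence
        "bursts": {ts: paths for ts, paths in by_minute.items() if len(paths) >= 2},
        # review list: a missing-file driver may be malware or a scanner leftover
        "missing_drivers": [d["name"] for d in missing_drivers],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ts, paths in sorted(result["bursts"].items()):
        print(f"{ts}: {len(paths)} files dropped")
        for p in paths:
            print("   ", p)
    print("drivers with no file on disk:", ", ".join(result["missing_drivers"]))
```

On the full log the same bursts at 02:13 and 02:39 on 2009-08-11 cover every file the helper later lists under Collect::, which is the check a reviewer can make before trusting the heuristic on a log they have not read.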

  • Staff

Hi tbeish,

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://www.malwarebytes.org/forums/index.php?showtopic=21976

KILLALL::
Collect::
c:\documents and settings\Dickie\Application Data\omehara.scr
c:\windows\system32\yvovinos.pif
c:\windows\kisofibed.sys
c:\documents and settings\Dickie\Local Settings\Application Data\akujoty.bin
c:\windows\guvi.exe
c:\windows\iqejuhap.bin
c:\program files\Common Files\irasetak.bin
c:\windows\yqiqy.com
c:\windows\qodyw.bin
c:\documents and settings\Dickie\Local Settings\Application Data\ibyvemaly.vbs
c:\documents and settings\Dickie\Local Settings\Application Data\idac.com
c:\windows\ebirixora.com
c:\documents and settings\All Users\Application Data\iveceneq.com
c:\windows\tegitaked.scr
c:\windows\ymuqenoxej.bin
c:\windows\system32\emapot.sys
c:\windows\system32\roganylyz.dat
c:\program files\Common Files\fowosydoge.com
Driver::
df88fa6f
Reglock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

Save this as CFScript.txt

[Image: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

Next, please delete your copy of Win32kDiag.

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r

Next, update MBAM, run a Quick Scan, and post its log.

-screen317


  • Staff

Hi tbeish,

Here are the logs... thanks for your help Chris.

You're welcome. :lol:

Things are looking good. :)

Please don't attach logs; post them in a reply instead.

How are things running on your computer?

Please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

After that, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-screen317


Everything is runnin' smoooooth as far as I can tell...

Here's the latest logs:

F-Secure Log:

Scanning Report

Sunday, August 23, 2009 02:25:05 - 03:16:38

Computer name: DINICOLAS

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\

--------------------------------------------------------------------------------

4 malware found

Generic.Peed.Eml.39CAEFAD (virus)

C:\DOCUMENTS AND SETTINGS\CARISE\MY DOCUMENTS\MAIL\TRASH\YOU'VE RECEIVED A GREETING CARD FROM A NEIGHBOUR!_598_20080120_003249_656.EML (Not cleaned & Submitted)

Generic.Peed.Eml.71AD408E (virus)

C:\DOCUMENTS AND SETTINGS\CARISE\MY DOCUMENTS\MAIL\TRASH\YOU'VE RECEIVED A POSTCARD FROM A COLLEAGUE!_540_20080120_003246_000.EML (Not cleaned & Submitted)

Generic.Peed.Eml.DA620C5E (virus)

C:\DOCUMENTS AND SETTINGS\CARISE\MY DOCUMENTS\MAIL\INBOX\YOU'VE RECEIVED A GREETING CARD FROM A NEIGHBOUR!_802_20080120_002822_343.EML (Not cleaned & Submitted)

Generic.Peed.Eml.71AD408E (virus)

C:\DOCUMENTS AND SETTINGS\CARISE\MY DOCUMENTS\MAIL\INBOX\YOU'VE RECEIVED A POSTCARD FROM A COLLEAGUE!_763_20080120_002819_437.EML (Not cleaned & Submitted)

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 50983

System: 2907

Not scanned: 14

Actions:

Disinfected: 0

Renamed: 0

Deleted: 0

Not cleaned: 4

Submitted: 4

Files not scanned:

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE

C:\PROGRAM FILES\WINDOWS DEFENDER\MSMPENG.EXE

C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\MB.EXE

C:\PROGRAM FILES\AVG\AVG8\AVGCSRVX.EXE

C:\MGTOOLS\ANALYSE.EXE

C:\DOCUMENTS AND SETTINGS\DICKIE\DESKTOP\DICKIE\AUTORUNS\WINLOGON.SCR

C:\DOCUMENTS AND SETTINGS\CARISE\DESKTOP\HIJACKTHIS.EXE

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\4F7E2D0D77365C3000E013BB758BF41E_03FFA088-78A9-4A82-8C59-725D6DD3EDB2

--------------------------------------------------------------------------------

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

NOTE: I deleted the 4 malware items F-Secure found, along with several of the files it couldn't scan because the file permissions had been changed by the rootkit.

Security Check Log:

Results of screen317's Security Check version 0.98.9

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

AVG Free 8.5

Antivirus up to date!

``````````````````````````````

Anti-malware/Other Utilities Check:

Windows Defender

Malwarebytes' Anti-Malware

Gmer

CCleaner (remove only)

Java 6 Update 16

Adobe Flash Player 10

Adobe Reader 9.1

``````````````````````````````

Process Check:

objlist.exe by Laurent

Windows Defender MSMpEng.exe

``````````````````````````````

DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning.

`````````End of Log```````````

Thanks again Chris... keep me posted!


  • Staff

Hi,

Good to hear things are running smoothly. :lol:

Delete SecurityCheck.

Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u.

This uninstalls all of ComboFix's components.

Restart your computer.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) It is vital that you have a firewall. The one that comes with Windows XP is not sufficient in that it only checks incoming data. I recommend selecting one of the following free firewalls. Be sure to only install one.

Kerio

Comodo

Outpost

2) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

3) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

6) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

7) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

