
Can't Run Mbam, access blocked, losing control.



By the way, I forgot to mention that "c:\windows\system32\Drivers\HNPsSdk.drv" is no longer there, so I can't have it looked at.

Here is checkup.txt:

Results of screen317's Security Check version 0.98.9

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!

Windows Firewall Enabled!

CA eTrust EZ Antivirus

Antivirus up to date! (On Access scanning disabled!)

``````````````````````````````

Anti-malware/Other Utilities Check:

Ad-Aware

Windows Defender

Malwarebytes' Anti-Malware

HijackThis 2.0.2

CCleaner (remove only)

Java 6 Update 5

Java 6 Update 7

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 8.1.4

Out of date Adobe Reader installed!

``````````````````````````````

Process Check:

objlist.exe by Laurent

Windows Defender MSMpEng.exe

Ad-Aware AAWService.exe is disabled!

Ad-Aware AAWTray.exe is disabled!

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


Hey,

I greatly appreciate all the help that you have given me, but in attempting to run Mbam often enough to not require safe mode I noticed that the file "C:\WINDOWS\system32\uacinit.dll" never actually cleans. So I googled it and ended up back at this forum at the following thread:

http://www.bleepingcomputer.com/forums/topic227700.html

It looks like a lot of the issues I am having were also experienced by Wizzle. At this point I am quite comfortable formatting, but would appreciate a little additional feedback. Over the course of this cleaning I have burned some files to DVD in an attempt to back things up. However, I find myself questioning whether it is wise to trust these potentially infected files.

Is there a reliable and modern resource detailing:

1- What types of files can be trusted from an infected machine

2- The best order to reinstall programs for the highest level of security

3- I have the standard C: setup, with a smaller (faster) D: drive that I use for some games and storage. Is it possible/likely that the D: is also infected?

I expect to be "preparing" to format for the next few days and am likely to actually Nuke the C: on Thursday morning. Any feedback before then would be greatly appreciated.

Thanks.


  • Staff

Hi,

On an infected system, most files can be trusted, unless you have a file infector, which your logs do not indicate.

It is not likely that your D drive is infected too. Running a scan with your antivirus would show an infection.

I would like to see the results of this scan.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317


I ran ComboFix and then my antivirus. I will post the CF log, but the antivirus came up with nothing. I will run and post HiJackThis next. Here is the CF log:

ComboFix 09-09-01.07 - Potter House 09/02/2009 9:44.2.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2613 [GMT -7:00]

Running from: c:\documents and settings\Potter House\Desktop\CampingFox.exe

AV: eTrust EZ Antivirus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\run.log

c:\windows\system32\drivers\kbiwkmxfnhtite.sys

c:\windows\system32\drivers\UACkkdvjxvoaf.sys

c:\windows\system32\kbiwkmmdujewnd.dat

c:\windows\system32\kbiwkmpshyiyoy.dll

c:\windows\system32\kbiwkmxjtqpgnb.dat

c:\windows\system32\kbiwkmxrmqlxgq.dll

c:\windows\system32\UACbnieqgvpxe.dll

c:\windows\system32\UACdfmlmwubje.dll

c:\windows\system32\UACeombgvsrcn.db

c:\windows\system32\UACksrldedwod.dll

c:\windows\system32\uacksrldedwod.dll.uss_dis

c:\windows\system32\UACouooytegfv.dat

c:\windows\system32\UACxljaoyrvcd.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_kbiwkmvxobogji

-------\Legacy_kbiwkmvxobogji

-------\Service_UACd.sys

-------\Legacy_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))

.

2009-08-31 03:22 . 2009-08-31 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure

2009-08-30 01:06 . 2009-08-30 01:06 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-08-28 15:45 . 2009-08-28 15:48 -------- d-s---w- C:\Comb-Fox

2009-08-27 16:41 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe

2009-08-27 16:05 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys

2009-08-27 16:05 . 2009-08-27 16:05 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}

2009-08-27 16:05 . 2009-08-27 16:05 -------- d-----w- c:\program files\Lavasoft

2009-08-27 04:56 . 2009-08-27 04:58 -------- d-s---w- C:\ComboHyphenFix

2009-08-26 18:28 . 2009-08-26 18:30 -------- d-s---w- C:\NoJoke

2009-08-26 15:45 . 2009-08-26 15:46 -------- d-s---w- C:\MiddleFingerCF

2009-08-25 16:02 . 2009-08-25 16:03 -------- d-s---w- C:\LilBunnyCF

2009-08-24 04:24 . 2009-08-25 15:58 -------- d-s---w- C:\ComboFix

2009-08-24 03:15 . 2009-08-24 03:20 -------- d-s---w- C:\Combo-Fix

2009-08-23 05:09 . 2009-08-23 05:09 -------- d-----w- C:\installers

2009-08-22 02:04 . 2009-08-22 02:04 -------- d-----w- c:\program files\Trend Micro

2009-08-22 02:03 . 2009-08-21 20:51 812344 ----a-w- c:\documents and settings\Potter House\HJTInstall.exe

2009-08-22 00:10 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-22 00:10 . 2009-09-02 16:12 -------- d-----w- c:\program files\Malwarebytes' Anti-MalwareSAFE

2009-08-22 00:10 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-22 00:02 . 2009-08-22 00:02 -------- d-----w- c:\program files\Trend MicroSAFE

2009-08-21 23:46 . 2009-08-21 23:47 -------- d-----w- C:\92b1978b295196649367e8

2009-08-21 23:46 . 2009-08-21 23:57 -------- d-----w- c:\windows\SxsCaPendDel

2009-08-21 23:20 . 2009-08-27 16:28 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-08-21 23:20 . 2009-08-27 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-08-21 21:13 . 2009-08-27 16:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-08-21 19:58 . 2009-08-21 19:58 174080 ----a-w- C:\btfoltoo.exe

2009-08-19 17:28 . 2009-08-19 17:28 -------- d-----w- c:\documents and settings\Potter House\Application Data\Malwarebytes

2009-08-19 17:28 . 2009-08-19 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-19 05:35 . 2009-08-19 05:35 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-08-13 05:05 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

2009-08-06 20:41 . 2009-08-07 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-02 16:09 . 2009-08-27 16:30 5632 --sha-w- c:\program files\Thumbs.db

2009-09-01 06:03 . 2008-04-25 17:09 -------- d-----w- c:\documents and settings\Potter House\Application Data\gtk-2.0

2009-08-31 04:04 . 2009-01-27 19:33 -------- d-----w- c:\documents and settings\Potter House\Application Data\Key Folder

2009-08-31 04:04 . 2008-05-15 18:01 -------- d-----w- c:\program files\WMA to MP3 Converter

2009-08-28 18:46 . 2008-04-24 00:21 -------- d-----w- c:\documents and settings\Potter House\Application Data\TrueCrypt

2009-08-27 23:31 . 2008-03-25 19:22 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-27 17:02 . 2008-05-26 19:09 -------- d-----w- c:\documents and settings\Potter House\Application Data\LimeWire

2009-08-27 16:43 . 2008-04-15 14:45 86864 ----a-w- c:\documents and settings\Potter House\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-27 16:23 . 2009-04-02 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Corporation

2009-08-18 17:25 . 2008-08-23 16:31 -------- d-----w- c:\program files\Firefox

2009-08-18 17:22 . 2009-03-30 17:42 -------- d-----w- c:\documents and settings\Potter House\Application Data\uTorrent

2009-08-13 13:26 . 2008-04-17 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-08-07 01:03 . 2009-02-26 19:01 5 ----a-w- c:\windows\sbacknt.bin

2009-08-06 20:35 . 2008-04-15 20:21 -------- d-----w- c:\program files\Microsoft Silverlight

2009-08-05 09:01 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-31 20:21 . 2009-02-26 18:57 152904 ----a-w- c:\windows\system32\vghd.scr

2009-07-17 19:01 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 06:43 . 2005-08-16 10:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2005-08-16 10:18 915456 ------w- c:\windows\system32\wininet.dll

2009-06-26 04:13 . 2008-09-16 22:44 721904 ----a-w- c:\windows\system32\drivers\sptd.sys

2009-06-16 14:36 . 2005-08-16 10:18 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2005-08-16 10:18 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-12 12:31 . 2005-08-16 10:18 80896 ----a-w- c:\windows\system32\tlntsess.exe

2009-06-12 12:31 . 2005-08-16 10:18 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 16:19 . 2005-08-16 10:37 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 14:13 . 2005-08-16 10:18 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 06:14 . 2005-08-16 10:18 132096 ----a-w- c:\windows\system32\wkssvc.dll

2008-06-10 01:23 . 2008-04-24 03:30 88 --sh--r- c:\windows\system32\254C04F909.sys

2006-05-03 10:06 . 2009-01-26 19:28 163328 --sh--r- c:\windows\system32\flvDX.dll

2008-06-10 01:24 . 2008-04-24 03:30 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys

2007-02-21 11:47 . 2009-01-26 19:28 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 13:30 . 2009-01-26 19:28 216064 --sh--r- c:\windows\system32\nbDX.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-08-28_18.23.06 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-03-25 19:18 . 2009-07-14 11:03 46080 c:\windows\system32\tzchange.exe

+ 2008-04-15 14:24 . 2009-09-02 15:54 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2008-04-15 14:24 . 2009-08-28 15:49 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2008-04-15 14:24 . 2009-08-28 15:49 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2008-04-15 14:24 . 2009-09-02 15:54 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-08-19 05:35 . 2009-09-01 15:00 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat

- 2009-08-19 05:35 . 2009-08-26 16:11 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat

+ 2008-04-15 14:24 . 2009-09-02 15:54 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2008-04-15 14:24 . 2009-08-28 15:49 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-09-02 15:55 . 2009-09-02 16:14 2258 c:\windows\SoftwareDistribution\EventCache\{645A0953-4128-466F-913E-77EF40D7CD91}.bin

+ 2009-07-10 17:39 . 2009-07-10 17:39 406640 c:\windows\Downloaded Program Files\fslauncher.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]

"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]

"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

"CaISSDT"="d:\program files\eTrust\caissdt.exe" [2006-06-26 165392]

"CaAvTray"="d:\program files\eTrust\eTrust EZ Antivirus\CAVTray.exe" [2008-04-15 230928]

"CAVRID"="d:\program files\eTrust\eTrust EZ Antivirus\CAVRID.exe" [2008-04-15 185872]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]

"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-11-08 16384]

"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-27 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"d:\\Games\\Splinter Cell\\Splinter Cell Pandora Tomorrow\\pandora.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"11980:TCP"= 11980:TCP:BitComet 11980 TCP

"11980:UDP"= 11980:UDP:BitComet 11980 UDP

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/27/2009 9:05 AM 64160]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 7:49 AM 1029456]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

S2 efxrlnr;efxrlnr;c:\windows\system32\drivers\xiuzw.sys --> c:\windows\system32\drivers\xiuzw.sys [?]

S2 hkgiv;hkgiv;c:\windows\system32\drivers\uieprale.sys --> c:\windows\system32\drivers\uieprale.sys [?]

S2 lxaipujx;lxaipujx;c:\windows\system32\drivers\Iuat.sys --> c:\windows\system32\drivers\Iuat.sys [?]

S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [12/10/2008 5:55 PM 89256]

S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [12/10/2008 5:55 PM 15016]

S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [12/10/2008 5:55 PM 120744]

S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [12/10/2008 5:55 PM 114216]

S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [12/10/2008 5:55 PM 25512]

S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [12/10/2008 5:55 PM 110632]

S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [12/10/2008 5:55 PM 115752]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-09-02 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2009-09-02 c:\windows\Tasks\User_Feed_Synchronization-{EA44E479-FB04-4855-AFB1-08BE50634A84}.job

- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]

.

.

------- Supplementary Scan -------

.

uStart Page = www.angelfire.com/wa3/potterhouse/uberpage.mht

uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000

DPF: {64D01C7F-810D-446E-A07E-456746835644} - hxxp://uk.games.myspace.com/gameshell/games/channel--110372603/lc--en/room--0fa147b9-5572-440b-8d7d-7813fb7fa3ba/online/abc_island/en/abcisland.cab

DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v5.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

FF - ProfilePath - c:\documents and settings\Potter House\Application Data\Mozilla\Firefox\Profiles\unb5fzhk.default\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-02 09:54

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTHelper = CTHELPER.EXE??R?.?E?X?E??

CTxfiHlp = CTXFIHLP.EXE??P?.?E?X?E??

DLA = c:\windows\System32\DLA\DLACTRLW.EXE??\?D?L?A?\?D?L?A?C?T?R?L?W?.?E?X?E??

ISUSScheduler = "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start??h?i?e?l?d?\?U?p?d?a?t?e?S?e?r?v?i?c?e?\?i?s?s?c?h?.?e?x?e?"? ?-?s?t?a?r?t??

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk21]

"ImagePath"="\??\c:\windows\system32\Drivers\HNPsSdk.drv"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2740426159-3304903004-2380553705-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{40B63A11-24DA-4F1A-F331-AF6562EB360B}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"oanhccajkkpbaobmmafebgpgoaohne"=hex:64,61,6e,62,6e,68,69,6e,00,90

"oajhgelahcijbiomgfdpodbkbedeap"=hex:6b,61,61,63,65,68,65,6b,63,65,69,62,63,6e,

6f,65,70,6d,6d,66,64,6f,00,00

"napgablpacflgkjnjmdlokjfcehn"=hex:6b,61,61,63,65,68,65,6b,63,65,69,62,63,6e,

6f,65,70,6d,6d,66,64,6f,00,00

[HKEY_USERS\S-1-5-21-2740426159-3304903004-2380553705-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:53,de,e6,7e,7c,da,a6,0f,36,c1,f7,48,55,1e,35,6e,a5,b6,d4,4d,8b,26,9b,

b6,f8,ef,c8,a0,e5,f5,16,5e,6c,8a,cf,4d,ba,8e,70,73,5c,f1,e1,76,8f,7b,ca,73,\

"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-2740426159-3304903004-2380553705-1005\Software\SecuROM\License information*]

"datasecu"=hex:dc,d6,a7,df,41,30,ef,39,68,a0,21,db,8a,1a,d8,d9,76,a2,5f,f8,0c,

40,26,a6,a2,3d,f2,59,b2,dd,27,59,06,0a,88,2c,0e,7c,46,02,f9,d4,3f,33,ae,b1,\

"rkeysecu"=hex:bc,f5,52,ce,8d,e9,7b,80,30,16,f4,58,23,11,cd,b4

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2009-09-02 9:56

ComboFix-quarantined-files.txt 2009-09-02 16:56

ComboFix2.txt 2009-08-28 18:32

Pre-Run: 196,527,501,312 bytes free

Post-Run: 196,941,139,968 bytes free

248 --- E O F --- 2009-09-01 04:36


Is HJT supposed to only take about 1 second to run? I don't think I have ever been successful in using it before and it was VERY fast.

HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:06:32 AM, on 9/2/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

D:\Program Files\eTrust\eTrust EZ Antivirus\VetMsg.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\explorer.exe

C:\Program Files\HijackThis\HijackThose.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.angelfire.com/wa3/potterhouse/uberpage.mht

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r

O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [CaISSDT] "D:\Program Files\eTrust\caissdt.exe"

O4 - HKLM\..\Run: [CaAvTray] "D:\Program Files\eTrust\eTrust EZ Antivirus\CAVTray.exe"

O4 - HKLM\..\Run: [CAVRID] "D:\Program Files\eTrust\eTrust EZ Antivirus\CAVRID.exe"

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [iSUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {64D01C7F-810D-446E-A07E-456746835644} (AtlBoxWordCtlAttrib Class) - http://uk.games.myspace.com/gameshell/game...n/abcisland.cab

O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave.com/content/burgersho...esPlayer_v5.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - D:\Program Files\eTrust\eTrust EZ Antivirus\VetMsg.exe

--

End of file - 7671 bytes


  • Staff

Hi,

Yes, HijackThis runs quickly.

Please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

Driver::

efxrlnr

hkgiv

lxaipujx

File::

c:\windows\system32\drivers\xiuzw.sys

c:\windows\system32\drivers\uieprale.sys

c:\windows\system32\drivers\Iuat.sys

Folder::

C:\ComboHyphenFix

C:\NoJoke

C:\MiddleFingerCF

C:\LilBunnyCF

C:\Combo-Fix

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

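As an added example (not code from the thread, from screen317, or from ComboFix itself): a small Python checker that parses the service lines ComboFix prints and the CFScript given above, and verifies that the Driver:: and File:: sections name exactly the services whose driver image is missing (marked "[?]") and nothing else, so a removal script cannot drift from the evidence in the log. The sample log and script lines are copied from the posts above; the function and field names are my own.

```python
"""Cross-check a ComboFix CFScript against the log it was written from.

Added example for this thread, not part of the original post or of ComboFix.
A Driver:: entry whose image still exists on disk is reported so that it is
verified before anything is removed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Service lines copied from the ComboFix log above. The S2 entries are the
# orphaned ones the staff reply targets; Lbd and s0016bus are legitimate.
SAMPLE_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/27/2009 9:05 AM 64160]
S2 efxrlnr;efxrlnr;c:\windows\system32\drivers\xiuzw.sys --> c:\windows\system32\drivers\xiuzw.sys [?]
S2 hkgiv;hkgiv;c:\windows\system32\drivers\uieprale.sys --> c:\windows\system32\drivers\uieprale.sys [?]
S2 lxaipujx;lxaipujx;c:\windows\system32\drivers\Iuat.sys --> c:\windows\system32\drivers\Iuat.sys [?]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [12/10/2008 5:55 PM 89256]
"""

# The CFScript from the staff reply above (Folder:: shortened).
SAMPLE_SCRIPT = r"""
Driver::
efxrlnr
hkgiv
lxaipujx

File::
c:\windows\system32\drivers\xiuzw.sys
c:\windows\system32\drivers\uieprale.sys
c:\windows\system32\drivers\Iuat.sys

Folder::
C:\ComboHyphenFix
C:\NoJoke
"""


@dataclass
class Service:
    start: str      # R0/R2 (running) or S2/S3 (stopped) start type
    name: str       # service key name
    path: str       # image path as listed
    missing: bool   # True when ComboFix marked the image "[?]"


def parse_services(log_text: str) -> List[Service]:
    """Extract '<type> <name>;<display>;<path> ...' service lines."""
    services = []
    for raw in log_text.splitlines():
        m = re.match(r"^([RS]\d)\s+([^;]+);([^;]*);(.+)$", raw.strip())
        if not m:
            continue
        start, name, _display, tail = m.groups()
        tail = tail.strip()
        missing = tail.endswith("[?]")
        # Missing images print as '<path> --> <path> [?]'; present ones carry
        # a trailing '[date size]' block, which is stripped here.
        path = tail.split(" --> ")[0] if missing else re.sub(r"\s*\[[^\]]*\]$", "", tail)
        services.append(Service(start, name.strip(), path.strip(), missing))
    return services


def parse_cfscript(script: str) -> Dict[str, List[str]]:
    """Split a CFScript into its '<Section>::' blocks, one list per section."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def check_script(log_text: str, script: str) -> List[str]:
    """Return findings where script and log disagree; an empty list means consistent."""
    services = parse_services(log_text)
    by_name = {s.name: s for s in services}
    orphaned = {s.name: s.path.lower() for s in services if s.missing}
    sections = parse_cfscript(script)
    drivers = set(sections.get("Driver", []))
    files = {f.lower() for f in sections.get("File", [])}
    findings = []
    for name, path in orphaned.items():
        if name not in drivers:
            findings.append(f"orphaned service {name} is not listed under Driver::")
        if path not in files:
            findings.append(f"missing image {path} is not listed under File::")
    for name in sorted(drivers - set(orphaned)):
        if name not in by_name:
            findings.append(f"Driver:: {name} does not appear in the log")
        else:
            findings.append(f"Driver:: {name} still has an image on disk ({by_name[name].path}); verify before removal")
    for path in sorted(files - set(orphaned.values())):
        findings.append(f"File:: {path} is not a missing image path from the log")
    return findings
```

Running `check_script(SAMPLE_LOG, SAMPLE_SCRIPT)` on the thread's own script returns no findings; adding a legitimate driver such as `Lbd` to Driver:: produces a "still has an image on disk" finding.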

Again, I appreciate all the help, but I have already committed to formatting and reinstalling. I like doing this every once in a while anyway and this is just a very good opportunity.

Hopefully you won't hear from me again. The only circumstance that I see myself posting again is if formatting doesn't actually make my machine totally clean (infected BIOS or D drive or something).

Thanks again.


  • Staff

Thanks for letting me know.

When you format, do make sure to install protection programs before connecting to the Internet. Then connect to the Internet, make sure the protection programs are updated, then run Windows Update.

Here is my standard prevention speech.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) It is vital that you have a firewall. The one that comes with Windows XP is not sufficient in that it only checks incoming data. I recommend selecting one of the following free firewalls. Be sure to only install one.

Kerio

Comodo

Outpost

2) It is imperative that you have an antivirus. You are basically asking for infection without one. ;)

All of the following are excellent free antiviruses. Be sure to only install one.

AVG

AntiVir

avast!.

3) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

4) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

5) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

6) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

7) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

8) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

