Jump to content

MBAM and HiJackThis Won't Run


psjcane

Recommended Posts

ComboFix 09-09-27.05 - Tommy 09/28/2009 14:43.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.447.142 [GMT -4:00]

Running from: c:\documents and settings\Tommy\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Installer\50845e9.msi

c:\windows\run.log

c:\windows\system32\drivers\gasfkyjcerlbqj.sys

c:\windows\system32\drivers\gasfkyovhxyqml.sys

c:\windows\system32\gasfkytpdvbvdp.dll

c:\windows\system32\xa.tmp

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\system32\dllcache\eventlog.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-28 )))))))))))))))))))))))))))))))

.

2009-09-28 17:43 . 2009-09-28 17:43 -------- d-----w- c:\program files\Trend Micro

2009-09-28 15:00 . 2009-09-28 18:26 0 ----a-r- c:\windows\win32k.sys

2009-09-28 15:00 . 2009-09-28 18:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-28 15:00 . 2009-09-28 15:00 -------- d-----w- c:\program files\eBay Desktop

2009-09-28 14:29 . 2009-09-28 14:29 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-09-25 20:46 . 2009-09-25 20:46 0 ----a-w- c:\windows\nsreg.dat

2009-09-25 20:46 . 2009-09-25 20:46 -------- d-----w- c:\documents and settings\Tommy\Local Settings\Application Data\Mozilla

2009-09-25 20:46 . 2009-09-28 15:00 -------- d-----w- c:\program files\Mozilla Firefox(2)

2009-09-25 20:46 . 2009-09-28 15:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware(2)

2009-09-25 14:17 . 2009-09-25 14:17 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-09-25 13:16 . 2009-09-25 20:23 -------- d-----w- c:\documents and settings\Tommy\Application Data\vlc

2009-09-25 13:10 . 2009-09-25 13:10 -------- d-----w- c:\program files\VideoLAN

2009-09-21 18:17 . 2009-09-21 18:18 -------- d-----w- C:\DECCHECK

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-28 14:46 . 2008-08-19 12:51 -------- d-----w- c:\program files\McAfee

2009-09-25 14:16 . 2007-12-14 16:40 -------- d-----w- c:\program files\Java

2009-09-24 18:40 . 2007-12-14 17:00 -------- d-----w- c:\program files\DivX

2009-09-24 15:34 . 2008-01-15 13:16 -------- d-----w- c:\documents and settings\Tommy\Application Data\DivX

2009-09-10 18:54 . 2008-08-19 12:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 18:53 . 2008-08-19 12:41 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-10 07:03 . 2009-06-24 11:08 -------- d-----w- c:\program files\Wise Registry Cleaner

2009-08-06 20:54 . 2008-10-02 20:03 -------- d-----w- c:\documents and settings\Tommy\Application Data\HPAppData

2009-08-05 09:11 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 18:55 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 06:18 . 2004-08-04 12:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\opera\program\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\opera\program\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-19 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-25 149280]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]

"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]

Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]

Wireless PCI Card Configuration Utility.lnk - c:\program files\Linksys\WMP11 Config Utility\WMP11CFG.exe [2007-12-14 4513280]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Tommy^Start Menu^Programs^Startup^MLB.TV NexDef Plug-in.lnk]

path=c:\documents and settings\Tommy\Start Menu\Programs\Startup\MLB.TV NexDef Plug-in.lnk

backup=c:\windows\pss\MLB.TV NexDef Plug-in.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R3 WMP11V27;Instant Wireless PCI Card V2.7 Driver;c:\windows\system32\drivers\WMP11V27.sys [12/14/2007 2:29 PM 171776]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/6/2009 9:40 AM 133104]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-06 13:40]

2009-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-06 13:40]

2009-09-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-19 15:53]

2009-09-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-19 15:53]

2009-09-28 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 02:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: {30985566-E01F-11D2-85DB-EA44DE000000} - hxxp://www2.callsunshine.com/irthinternet/IrthInternetLibrary/IRTHMapDisplay.cab

FF - ProfilePath - c:\documents and settings\Tommy\Application Data\Mozilla\Firefox\Profiles\07c9oxrf.default\

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-mfehidk

SafeBoot-mferkdk

SafeBoot-mfetdik

SafeBoot-mfetdik.sys

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-28 14:50

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2424)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\McAfee\MSK\msksrver.exe

c:\windows\system32\nvsvc32.exe

c:\program files\McAfee\MPF\MpfSrv.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

c:\progra~1\McAfee\MSC\mcshell.exe

.

**************************************************************************

.

Completion time: 2009-09-28 14:54 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-28 18:54

Pre-Run: 259,376,017,408 bytes free

Post-Run: 262,029,357,056 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

201 --- E O F --- 2009-09-11 07:01

Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Okay, well since it looks like you have moved on I'll go ahead and close this post now.

Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.