Jump to content

Recommended Posts

Hello,

This morning I discovered my computer at work was infected with XP Anti-Spyware 2011. Thanks to this forum, I've managed to get about halfway through the removal process by following this thread:

http://forums.malwarebytes.org/index.php?showtopic=79312

I have gotten so far as to run ComboFix and produce a log. But in the next step, Kenny94 provides information that I assume he got from the OP's ComboFix log and says to use it to create a script that will then be merged with ComboFix. I'm positive that no two computer systems are identical so I'm pretty sure this script won't work for my computer and don't want to risk trying to figure out how he got it. If anyone could take a look at my own ComboFix log and take it from there, I'd really appreciate it! Thanks :)

My ComboFix log:

ComboFix 11-04-11.03 - colleen 04/12/2011 8:54.1.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3007.2742 [GMT -4:00]

Running from: c:\documents and settings\colleen\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\colleen\Application Data\Island

c:\documents and settings\colleen\Application Data\Island\space.rgt

c:\documents and settings\colleen\Local Settings\Application Data\rnf.exe

c:\windows\Downloaded Program Files\popcaploader.dll

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\system32\404Fix.exe

c:\windows\system32\Agent.OMZ.Fix.exe

c:\windows\system32\drivers\npf.sys

c:\windows\system32\dumphive.exe

c:\windows\system32\IEDFix.C.exe

c:\windows\system32\IEDFix.exe

c:\windows\system32\o4Patch.exe

c:\windows\system32\Packet.dll

c:\windows\system32\Process.exe

c:\windows\system32\SrchSTS.exe

c:\windows\system32\tmp.reg

c:\windows\system32\VACFix.exe

c:\windows\system32\VCCLSID.exe

c:\windows\system32\wpcap.dll

c:\windows\system32\WS2Fix.exe

c:\windows\Temp\_ex-68.exe

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_NPF

-------\Service_NPF

.

.

((((((((((((((((((((((((( Files Created from 2011-03-12 to 2011-04-12 )))))))))))))))))))))))))))))))

.

.

2011-04-12 10:53 . 2011-04-12 10:53 -------- d-----w- c:\documents and settings\colleen\Application Data\Camel101

2011-04-12 10:53 . 2011-04-12 10:53 -------- d-----w- c:\documents and settings\colleen\Application Data\GarageGames

2011-04-11 11:35 . 2011-04-11 11:35 -------- d-----w- c:\program files\Epic Escapes - Dark Seas

2011-04-08 12:00 . 2011-04-08 12:00 -------- d-----w- c:\program files\Amazing Adventures - The Forgotten Dynasty

2011-04-08 10:29 . 2011-03-15 04:05 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{BBAFB9EF-C9EA-4787-B0FB-74086AE34590}\mpengine.dll

2011-04-06 12:42 . 2011-04-06 12:42 -------- d-----w- c:\documents and settings\colleen\Application Data\TOMI3

2011-04-04 16:21 . 2011-04-04 16:21 -------- d-----w- c:\program files\Feeding Frenzy

2011-04-01 11:04 . 2011-04-01 11:04 -------- d-----w- c:\documents and settings\colleen\Application Data\HitPoint Studios

2011-03-31 16:34 . 2011-03-31 16:36 -------- d-----w- c:\program files\Dark Parables - The Exiled Prince

2011-03-29 18:16 . 2011-03-29 18:16 -------- d-----w- c:\documents and settings\colleen\Application Data\StoneLoopsBF

2011-03-29 14:19 . 2011-03-29 14:20 -------- d-----w- c:\program files\Maestro - Music of Death

2011-03-29 12:55 . 2011-03-29 12:55 -------- d-----w- c:\documents and settings\colleen\Application Data\DGform

2011-03-25 16:51 . 2011-03-25 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\ScreenSeven

2011-03-23 15:14 . 2011-03-23 15:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Princess Isabella CE

2011-03-21 11:26 . 2011-03-21 11:27 -------- d-----w- c:\program files\Echoes of Sorrow

2011-03-14 11:25 . 2011-03-14 11:25 -------- d-----w- c:\documents and settings\colleen\Application Data\CursedOnboard

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-15 04:05 . 2009-09-09 18:14 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll

2011-03-11 12:30 . 2010-07-18 17:05 444952 ----a-w- c:\windows\system32\wrap_oal.dll

2011-03-11 12:30 . 2010-07-18 17:05 109080 ----a-w- c:\windows\system32\OpenAL32.dll

2011-03-03 11:57 . 2009-09-14 11:15 398760 ----a-r- c:\windows\system32\cpnprt2.cid

2011-02-09 13:53 . 2008-04-14 10:42 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2008-04-14 10:41 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 22:11 . 2009-10-05 10:33 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-02-02 07:58 . 2009-09-09 17:23 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2009-09-09 17:23 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44 . 2008-04-14 10:42 439296 ----a-w- c:\windows\system32\shimgvw.dll

.

.

------- Sigcheck -------

.

.

[-] 2009-05-19 . 0FA06B88A14820A0BE92AA45415AAA66 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

c:\windows\System32\wscntfy.exe ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-03-18 2423752]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]

"SetDefPrt"="c:\program files\Brother\Brmfl06b\BrStDvPt.exe" [2005-01-26 49152]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-08 111208]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"_nltide_2"="shell32" [X]

"_nltide_3"="advpack.dll" [2009-03-08 128512]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMConfigurePrograms"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"=

.

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 14:25 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 14:41 67656]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/16/2010 12:20 135664]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 20:19 13592]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - HTTPFILTER

.

Contents of the 'Scheduled Tasks' folder

.

2011-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 16:20]

.

2011-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 16:20]

.

2011-04-11 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

DPF: ActiveGS.cab - hxxp://activegs.freetoolsassociation.com/ActiveGS.cab

DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} - hxxp://aolsvc.aol.com/onlinegames/free-trial-fashion-dash/fashiondashweb.1.0.0.21.cab

DPF: {7D492D61-303A-45C3-8A55-63449339943D} - hxxp://aolsvc.aol.com/onlinegames/free-trial-the-nightshift-code/NightShiftCodeWeb.1.0.0.5.cab

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-delicious-winter-edition/zylomplayer.cab

DPF: {E41BA393-9078-424E-9554-9DB5126F5F4C} - hxxp://aolsvc.aol.com/onlinegames/free-trial-dream-chronicles-2/dream2web.1.0.0.13.cab

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-12 08:58

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: Hitachi_ rev.V54O -> Harddisk0\DR0 -> \Device\Scsi\nvgts1

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A298EC5]<<

_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x88db4872; SUB DWORD [EBP-0x4], 0x88db412e; PUSH EDI; CALL 0xffffffffffffdf33; }

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A3D09C0]

3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000005b[0x8A378AC0]

5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A404A38]

[0x8A30F880] -> IRP_MJ_CREATE -> 0x8A298EC5

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

\Device\Scsi\nvgts1Port2Path0Target0Lun0 -> \??\SCSI#Disk&Ven_Hitachi&Prod_HDT725032VLA&Rev_V54O#4&6727837&0&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4c,c5,4c,b0,65,31,88,4b,8b,1d,ae,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4c,c5,4c,b0,65,31,88,4b,8b,1d,ae,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

@=""

"Installed"="1"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

@=""

"Installed"="1"

"NoChange"="1"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

@=""

"Installed"="1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(620)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

.

- - - - - - - > 'explorer.exe'(3344)

c:\windows\system32\WININET.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\SearchIndexer.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\Brother\ControlCenter3\brccMCtl.exe

c:\program files\Brother\Brmfcmon\BrMfcmon.exe

.

**************************************************************************

.

Completion time: 2011-04-12 09:03:49 - machine was rebooted

ComboFix-quarantined-files.txt 2011-04-12 13:03

.

Pre-Run: 298,540,019,712 bytes free

Post-Run: 299,480,379,392 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 68433EA273A146D465057D2E21760BF0

Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post DDS.txt directly into your reply.

Then grab a fresh copy of ComboFix, run it, and post its log.

Link to post
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.