
XP Home Security not detected by Malwarebytes


My PC running XP is infected with XP Home Security. At first Windows safe mode and the Malwarebytes Anti-Malware update were disabled. I went into msconfig and disabled some of the boot processes. This allowed me to enter safe mode. I ran Malwarebytes Anti-Malware (MB-AM). One file was detected and removed from the H key registry. I restarted Windows and was able to update MB-AM. I re-entered safe mode and ran MB-AM again and no files were detected. I found the post on your forum "Cannot remove XP Home Security Virus 2011" posted on April 9th, 2011. I followed the instructions and installed ATF-Cleaner and ComboFix per the instructions in that post. I have a log file from ComboFix and need directions on what to do from here.

ComboFix 11-04-20.01 - Bethany Holder 04/20/2011 19:39:24.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3032.2521 [GMT -5:00]

Running from: c:\documents and settings\b______ h_____\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\B_____ H_____\Local Settings\Application Data\qqh.exe

c:\documents and settings\B_____ H_____\WINDOWS

c:\program files\Search Toolbar

c:\program files\Search Toolbar\icon.ico

c:\program files\Search Toolbar\SearchToolbar.dll

c:\program files\Search Toolbar\SearchToolbarUninstall.exe

c:\program files\Search Toolbar\SearchToolbarUpdater.exe

c:\program files\SelectRebates

c:\program files\SelectRebates\SelectRebatesUninstall.exe

c:\program files\Shared

c:\windows\system32\Drivers\pewddfn.sys

.

.

((((((((((((((((((((((((( Files Created from 2011-03-21 to 2011-04-21 )))))))))))))))))))))))))))))))

.

.

2011-04-20 23:50 . 2011-04-20 23:50 184320 --sha-w- c:\windows\system32\us74d.dll

2011-04-20 23:50 . 2011-04-20 23:52 -------- d-----w- c:\program files\SpywareBlaster

2011-04-20 23:50 . 2010-01-11 00:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL

2011-04-20 23:50 . 2010-01-11 00:40 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX

2011-04-20 23:50 . 2011-04-20 23:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-04-20 23:27 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2011-04-20 23:27 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2011-04-20 23:27 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2011-04-20 23:27 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2011-04-20 23:27 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll

2011-04-20 23:15 . 2011-04-20 23:15 -------- d-----w- c:\documents and settings\Bethany Holder\Local Settings\Application Data\Threat Expert

2011-04-20 22:53 . 2011-04-20 23:16 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2011-04-20 10:28 . 2011-04-20 10:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer

2011-04-17 17:50 . 2011-04-17 17:50 388096 ----a-r- c:\documents and settings\Bethany Holder\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-04-17 17:50 . 2011-04-17 17:50 -------- d-----w- c:\program files\Trend Micro

2011-04-16 17:30 . 2011-04-16 17:30 -------- d-----w- c:\documents and settings\Bethany Holder\Application Data\Catalina Marketing Corp

2011-04-13 08:05 . 2011-04-13 08:05 -------- d-----w- c:\windows\ServicePackFiles

2011-04-10 18:41 . 2011-04-10 18:41 398760 ----a-r- c:\windows\system32\cpnprt2.cid

2011-04-10 18:41 . 2011-04-10 18:41 -------- d-----w- c:\program files\Coupons

2011-04-02 20:18 . 2011-04-17 17:49 -------- d-----w- c:\documents and settings\Bethany Holder\Application Data\U3

2011-03-27 01:23 . 2011-03-27 01:23 -------- d-----w- c:\documents and settings\Bethany Holder\Application Data\Malwarebytes

2011-03-27 01:23 . 2011-03-27 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-03-27 01:23 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-27 01:23 . 2011-03-27 01:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-03-27 01:23 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-27 00:38 . 2011-03-27 00:38 -------- d-----w- c:\windows\system32\wbem\Repository

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-18 18:32 . 2011-02-14 22:05 71072 ----a-w- c:\windows\CouponPrinter.ocx

2011-03-07 05:33 . 2008-04-25 21:27 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37 . 2008-04-25 16:16 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:27 . 2008-04-25 16:16 1866880 ----a-w- c:\windows\system32\win32k.sys

2011-02-22 23:06 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll

2011-02-22 23:06 . 2008-04-25 16:16 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-02-22 23:06 . 2008-04-25 16:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-02-22 11:41 . 2008-04-25 16:16 385024 ----a-w- c:\windows\system32\html.iec

2011-02-17 13:18 . 2008-04-25 16:16 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-02-17 13:18 . 2008-04-25 16:16 357888 ----a-w- c:\windows\system32\drivers\srv.sys

2011-02-17 12:32 . 2009-08-28 00:01 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-15 12:56 . 2008-04-25 16:16 290432 ----a-w- c:\windows\system32\atmfd.dll

2011-02-11 13:25 . 2008-04-25 21:26 229888 ----a-w- c:\windows\system32\fxscover.exe

2011-02-09 13:53 . 2008-04-25 16:16 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2008-04-25 16:16 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-08 13:33 . 2008-04-25 16:16 978944 ----a-w- c:\windows\system32\mfc42.dll

2011-02-08 13:33 . 2008-04-25 16:16 974848 ----a-w- c:\windows\system32\mfc42u.dll

2011-02-02 07:58 . 2008-04-25 21:26 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2008-04-25 21:26 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44 . 2008-04-25 16:16 439296 ----a-w- c:\windows\system32\shimgvw.dll

.

.

------- Sigcheck -------

.

Cryptography Services Error !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-11-16 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-21 148888]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-08 150040]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-08 150040]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-08 178712]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2009-01-09 1712128]

"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-07-07 1779952]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-03-31 217088]

"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-04-03 737280]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-2-20 282624]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2009-08-21 12:12 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

.

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-11-16 136176]

R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-10-14 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-10-14 141792]

R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc [x]

R3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [2009-04-03 1656960]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-14 55840]

R3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\DRIVERS\mfendisk.sys [2010-10-14 88544]

R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-14 84264]

S1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-10-14 84072]

S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-04-03 113024]

S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-14 313288]

S3 mfendiskmp;mfendiskmp;c:\windows\system32\DRIVERS\mfendisk.sys [2010-10-14 88544]

S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys [2009-02-27 160256]

.

.

Contents of the 'Scheduled Tasks' folder

.

2011-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

2011-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-16 22:46]

.

2011-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-16 22:46]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab

.

.

------- File Associations -------

.

exefile="c:\documents and settings\B_____ H_____\Local Settings\Application Data\qqh.exe" -a "%1" %*

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe

SafeBoot-Wdf01000.sys

AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-20 19:53

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1416)

c:\windows\system32\WININET.dll

c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

c:\windows\System32\BCMLogon.dll

c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

.

- - - - - - - > 'lsass.exe'(1476)

c:\windows\system32\WININET.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\WgaTray.exe

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\drivers\audio\r215959\STacSV.exe

.

**************************************************************************

.

Completion time: 2011-04-20 19:54:53 - machine was rebooted

ComboFix-quarantined-files.txt 2011-04-21 00:54

.

Pre-Run: 219,224,727,552 bytes free

Post-Run: 219,346,567,168 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - ADBEAD13512341A2CD3870A538536D26

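The log above carries the indicators that matter for this family of rogue AV: the `exefile` association has been rewritten so that every `.exe` is launched through the dropper in `Local Settings\Application Data` (`-a "%1" %*` instead of the Windows default `"%1" %*`), the Security Center `AntiVirusOverride`/`FirewallOverride` and `DisableMonitoring` values are set, the standard-profile firewall policy has `EnableFirewall` = 0, and the AV/FW header lines report McAfee as Disabled. The scanner below is an added example for this thread, not ComboFix or Malwarebytes code; it walks a ComboFix-style report line by line and flags those indicators with their line numbers. The embedded report is a constructed sample in the same layout (product names, GUIDs, user name and dropper name are made up), and the regular expressions assume the report format shown in this thread.

```python
"""Flag rogue-AV indicators in a ComboFix-style report.

Added example for this thread; not ComboFix or Malwarebytes code.  It scans
the report text line by line and reports, with the report line number:

  * an exefile association that is not the Windows default  "%1" %*
  * Security Center override / DisableMonitoring values set to 1
  * a standard-profile firewall policy with EnableFirewall = 0
  * AV/FW header lines whose state contains "Disabled"
  * .exe files under a profile's Local Settings\\Application Data
    (the drop location seen in the log above)
"""
import re

EXEFILE_DEFAULT = '"%1" %*'   # HKCR\exefile\shell\open\command default

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.+)$')
ASSOC_RE = re.compile(r'^(?P<assoc>\w+file)=(?P<cmd>.+)$')
HEADER_RE = re.compile(r'^(?P<kind>AV|FW):\s*(?P<product>.+?)\s*\*(?P<state>[^*]+)\*')
PROFILE_EXE_RE = re.compile(
    r'\\documents and settings\\[^\\]+\\local settings\\application data\\[^\\\s"]+\.exe',
    re.IGNORECASE)
SECURITY_CENTER_VALUES = {'AntiVirusOverride', 'FirewallOverride', 'DisableMonitoring'}

# Constructed sample in the ComboFix report layout (product names, GUIDs,
# user name and dropper name are made up; only the format is real).
SAMPLE_LOG = r"""
AV: Example Anti-Virus *Disabled/Updated* {00000000-0000-0000-0000-000000000001}
FW: Example Firewall *Disabled* {00000000-0000-0000-0000-000000000002}
((((((((((((((( Other Deletions )))))))))))))))
c:\documents and settings\owner\Local Settings\Application Data\abc.exe
c:\program files\Search Toolbar\SearchToolbar.dll
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-21 148888]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ExampleAV]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
------- File Associations -------
exefile="c:\documents and settings\owner\Local Settings\Application Data\abc.exe" -a "%1" %*
"""


def scan(report_text):
    """Return a list of (line_number, category, detail) findings."""
    findings = []
    current_key = ''            # registry key the following values belong to
    for lineno, raw in enumerate(report_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group('key').lower()
            continue
        m = HEADER_RE.match(line)
        if m:
            if 'disabled' in m.group('state').lower():
                findings.append((lineno, 'security-product-disabled',
                                 f"{m.group('kind')}: {m.group('product')} is {m.group('state')}"))
            continue
        m = ASSOC_RE.match(line)
        if m:
            # A rogue AV rewrites exefile so every .exe launch goes through it first.
            if m.group('assoc').lower() == 'exefile' and m.group('cmd') != EXEFILE_DEFAULT:
                findings.append((lineno, 'exefile-hijack', m.group('cmd')))
            continue
        m = VALUE_RE.match(line)
        if m:
            name, data = m.group('name'), m.group('data')
            if ('security center' in current_key and name in SECURITY_CENTER_VALUES
                    and data.lower().endswith('00000001')):
                findings.append((lineno, 'security-center-tampered', f'{name}=1'))
            elif ('firewallpolicy' in current_key and name == 'EnableFirewall'
                    and data.startswith('0')):
                findings.append((lineno, 'firewall-disabled', f'{current_key}: EnableFirewall=0'))
        # Executables dropped under a user's profile are the rogue's usual home.
        if PROFILE_EXE_RE.search(line):
            findings.append((lineno, 'profile-appdata-exe', line))
    return findings


if __name__ == '__main__':
    for lineno, category, detail in scan(SAMPLE_LOG):
        print(f'line {lineno:3d}  {category:26s} {detail}')
```

Run against the posted log, the same checks fire on the McAfee header lines, the Security Center override and DisableMonitoring values, the `EnableFirewall= 0` line, the `qqh.exe` deletion and the `exefile=` line. Treat the override and `DisableMonitoring` values as supporting evidence only, since some legitimately installed suites also set them; the rewritten `exefile` command is the decisive indicator, and after cleanup it is the first thing to re-check, because until it is back to `"%1" %*` every program the user starts is still routed through the dropper's path.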

Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

You might have a Back Door infection.

Please post a new Combofix scan


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
