Hello, I have followed through with all of the steps that were instructed on this post:

http://forums.malwarebytes.org/index.php?showtopic=77282

but the thread is closed, so I had to start a new one. I left off where the instructions said to post my results from ComboFix. Here they are:

ComboFix 11-05-16.02 - Chris 05/16/2011 21:55:00.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.226 [GMT -4:00]

Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe

AV: avast! antivirus 4.8.1351 [VPS 100930-1] *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\install.exe

c:\program files\SelectRebates

c:\program files\SelectRebates\SelectRebates.ini

C:\readme.txt

C:\setup.exe

.

c:\windows\system32\kernel32.dll . . . is infected!!

.

.

((((((((((((((((((((((((( Files Created from 2011-04-17 to 2011-05-17 )))))))))))))))))))))))))))))))

.

.

2011-05-17 01:03 . 2010-07-16 18:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys

2011-05-17 01:03 . 2010-07-16 18:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys

2011-05-17 01:03 . 2010-11-17 14:19 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2011-05-17 01:03 . 2010-11-25 14:53 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2011-05-17 01:03 . 2010-11-25 14:43 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2011-05-17 01:02 . 2010-11-25 14:42 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2011-05-17 01:02 . 2011-05-17 01:02 -------- d-----w- c:\program files\Common Files\PC Tools

2011-05-17 01:02 . 2011-05-17 01:03 -------- d-----w- c:\program files\PC Tools Security

2011-05-17 01:02 . 2011-05-17 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2011-05-17 00:37 . 2011-05-17 00:37 -------- d-----w- c:\documents and settings\Administrator

2011-05-11 20:01 . 2011-05-11 20:01 -------- d-----w- C:\9830702501e510cf91

2011-05-11 20:00 . 2011-05-11 20:00 -------- d-----w- C:\bde762b12b9974af9ab3ed649605

2011-05-01 20:10 . 2001-08-17 17:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys

2011-05-01 20:10 . 2001-08-17 17:57 16128 ----a-w- c:\windows\system32\drivers\MODEMCSA.sys

2011-04-20 16:39 . 2011-04-20 16:40 -------- d-----w- C:\373ddb4511b2fa8b32786cc51ce346cf

2011-04-20 16:18 . 2011-04-20 16:19 -------- d-----w- C:\5443e382498bcb248eeb19cc27

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-07 05:33 . 2009-02-14 19:15 692736 ------w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45 . 2003-07-16 20:49 434176 ------w- c:\windows\system32\vbscript.dll

2011-03-03 13:21 . 2003-07-16 20:51 1857920 ------w- c:\windows\system32\win32k.sys

2011-02-27 15:00 . 2010-05-23 02:22 398760 ----a-r- c:\windows\system32\cpnprt2.cid

2011-02-17 13:51 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll

2011-02-17 13:51 . 2003-07-16 20:51 667136 ----a-w- c:\windows\system32\wininet.dll

2011-02-17 13:51 . 2003-07-16 20:47 61952 ------w- c:\windows\system32\tdc.ocx

2011-02-17 13:18 . 2003-07-16 20:34 455936 ------w- c:\windows\system32\drivers\mrxsmb.sys

2011-02-17 13:18 . 2003-07-16 20:46 357888 ------w- c:\windows\system32\drivers\srv.sys

2011-02-17 12:37 . 2004-08-04 05:59 369664 ------w- c:\windows\system32\html.iec

2011-02-17 12:32 . 2009-04-15 16:14 5120 ----a-w- c:\windows\system32\xpsp4res.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{442AE524-EBA5-4b17-82F3-888D68BC999A}]

2009-11-24 19:27 252416 ----a-w- c:\program files\oovootb\auxi\oovooAu.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1FB2F9A-D35E-11DD-8935-E46A56D89593}]

2009-11-24 21:35 87512 ----a-w- c:\program files\oovootb\oovoodx.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{A1FB2F9A-D35E-11DD-8935-E46A56D89593}"= "c:\program files\oovootb\oovoodx.dll" [2009-11-24 87512]

.

[HKEY_CLASSES_ROOT\clsid\{a1fb2f9a-d35e-11dd-8935-e46a56d89593}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Aim"="c:\program files\AIM\aim.exe" [2010-04-19 3972440]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-20 198160]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]

"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-05-19 136544]

"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-26 1983816]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"lxdqmon.exe"="c:\program files\Lexmark Z2400 Series\lxdqmon.exe" [2010-02-04 672424]

"EzPrint"="c:\program files\Lexmark Z2400 Series\ezprint.exe" [2010-02-04 107176]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]

"ISTray"="c:\program files\PC Tools Security\pctsGui.exe" [2010-12-01 1589208]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

[HKLM\~\startupfolder\C:^Documents and Settings^Chris^Start Menu^Programs^Startup^desktop.ini]

path=c:\documents and settings\Chris\Start Menu\Programs\Startup\desktop.ini

backup=c:\windows\pss\desktop.iniStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\WINDOWS\\system32\\dlbucoms.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\ooVoo\\ooVoo.exe"=

"c:\\WINDOWS\\system32\\lxdqcoms.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdqpswx.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdqtime.exe"=

"c:\\Program Files\\Lexmark Z2400 Series\\lxdqmon.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdqjswx.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdqwbgw.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"443:TCP"= 443:TCP:ooVoo TCP port 443

"443:UDP"= 443:UDP:ooVoo UDP port 443

"37674:TCP"= 37674:TCP:ooVoo TCP port 37674

"37674:UDP"= 37674:UDP:ooVoo UDP port 37674

"37675:UDP"= 37675:UDP:ooVoo UDP port 37675

.

S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-11-25 239168]

S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2010-07-16 338880]

S0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2010-07-16 656320]

S1 aswSP;avast! Self Protection; [x]

S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-08-17 20560]

S2 lxdq_device;lxdq_device;c:\windows\system32\lxdqcoms.exe [2007-11-28 589824]

S2 lxdqCATSCustConnectService;lxdqCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdqserv.exe [2009-04-28 94208]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WUAUSERV

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

.

.

------- Supplementary Scan -------

.

FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\qglabz1u.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php?

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{99E00A4C-D35E-11DD-BA95-9B6A56D89593} - (no file)

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

AddRemove-eMagStudio - c:\documents and settings\Nicholas Peter\My Documents\Uninstall_eMagStudio\Uninstall eMagStudio.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-16 22:07

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(884)

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\dlbucoms.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\System32\spool\DRIVERS\W32X86\3\lxdqserv.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\program files\Alwil Software\Avast4\ashMaiSv.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\program files\Alwil Software\Avast4\ashWebSv.exe

c:\program files\FinePixViewer\QuickDCF2.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\SoftwareDistribution\Download\Install\SQLServer2005ExpressSP4-KB2463332-x86-ENU.exe

c:\e79ef8c4cb2edd0d536443f6894fa580\hotfix.exe

c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

c:\e79ef8c4cb2edd0d536443f6894fa580\HotFixExpress\Files\SQLEXPR.EXE

c:\49ef9f82c23fad718650\setup.exe

c:\windows\system32\msiexec.exe

c:\program files\Microsoft SQL Server\90\Setup Bootstrap\setup.exe

c:\windows\System32\msdtc.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\MsiExec.exe

.

**************************************************************************

.

Completion time: 2011-05-16 22:38:00 - machine was rebooted

ComboFix-quarantined-files.txt 2011-05-17 02:37

.

Pre-Run: 23,158,923,264 bytes free

Post-Run: 23,184,781,312 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

.

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - C1B9E236116B94C456CBA8D1A7903629

If anybody can decipher this and tell me what to do so I can remove the XP Security 2011 virus, it would be greatly appreciated!!

Thanks again!!


  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has finished, two logs will be produced; please post only DDS.txt directly into your reply.
