Jump to content

Can't run .exe files


Recommended Posts

Hi,

Looks like I got a Trojan. I followed the instruction from the "I'm infected" thread. I hope this is everything needed to get a bit of help with this nasty infection. Two notables worth mentioning, The only way to get Malwarebytes or any of the tools to run was in safemode, and I could not stop AVG before running Combofix, but I still ran it.

Thanx,

Dan

--

Here are my 5 log files:

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7378

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

8/4/2011 5:33:12 PM

mbam-log-2011-08-04 (17-33-12).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 342230

Time elapsed: 36 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

End of File=====================================================================

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 11:55:43 PM, on 8/4/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

O4 - HKLM\..\Run: [iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real\RealOne Player\update\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe

O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe

O23 - Service: Google Update Service (gupdate1ca35652e6c81b4) (gupdate1ca35652e6c81b4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - iolo technologies, LLC - C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe

O23 - Service: iolo System Service (ioloSystemService) - iolo technologies, LLC - C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--

End of file - 6740 bytes

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2011-08-04 22:38:12

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1200AB-22DYA0 rev.15.05R15

Running: 52n3qtnl.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwldapod.sys

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

.

DDS (Ver_2011-06-23.01) - NTFSx86 NETWORK

Internet Explorer: 8.0.6001.18702

Run by Administrator at 17:54:57 on 2011-08-04

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.800 [GMT -4:00]

.

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Softex\OmniPass\OPXPApp.exe

C:\WINDOWS\Explorer.EXE

.

============== Pseudo HJT Report ===============

.

mSearch Bar = hxxp://srch-us8.hpwis.com/

uInternet Settings,ProxyOverride = 127.0.0.1

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

EB: {8F4902B6-6C04-4ade-8052-AA58578A21BD} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [CamMonitor] c:\program files\hewlett-packard\digital imaging\unload\hpqcmon.exe

mRun: [share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe

mRun: [storageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [nwiz] nwiz.exe /install

mRun: [PS2] c:\windows\system32\ps2.exe

mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe

mRun: [iomega Automatic Backup 1.0.1] c:\program files\iomega\iomega automatic backup\ibackup.exe

mRun: [AlcxMonitor] ALCXMNTR.EXE

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

mRun: [TkBellExe] "c:\program files\real\realone player\update\realsched.exe" -osboot

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} - hxxp://cdn.digitalcity.com/_media/dalaillama/ampx.cab

TCP: DhcpNameServer = 192.168.0.2

TCP: Interfaces\{D3A820ED-D558-4786-8DBE-7E3912C84D2E} : DhcpNameServer = 192.168.0.2

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

Notify: igfxcui - igfxsrvc.dll

Notify: OPXPGina - c:\program files\softex\omnipass\opxpgina.dll

SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]

S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]

S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]

S2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]

S2 gupdate1ca35652e6c81b4;Google Update Service (gupdate1ca35652e6c81b4);c:\program files\google\update\GoogleUpdate.exe [2009-9-14 133104]

S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2010-11-18 724152]

S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2010-11-18 724152]

S2 mrtRate;mrtRate; [x]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-12 1025352]

S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]

S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]

S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-9-14 133104]

S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-9-17 1251720]

.

=============== File Associations ===============

.

JSEFile=NOTEPAD.EXE %1

VBEFile=NOTEPAD.EXE %1

VBSFile=NOTEPAD.EXE %1

.

=============== Created Last 30 ================

.

2011-08-04 20:51:04 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Adobe

2011-08-04 20:05:01 6144 ----a-w- c:\windows\~DFA26A.tmp

2011-08-04 19:15:16 6144 ----a-w- c:\windows\~DF2CD9.tmp

2011-08-04 19:14:30 6144 ----a-w- c:\windows\~DF8962.tmp

2011-08-04 18:56:08 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes

2011-08-04 18:56:00 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-04 18:55:58 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-04 18:55:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-04 18:34:59 6144 ----a-w- c:\windows\~DF314.tmp

2011-08-04 18:19:07 -------- d-----w- c:\windows\Favorites

2011-08-04 18:19:07 -------- d-----w- c:\windows\Desktop

2011-08-04 17:45:24 -------- d-----w- C:\My Documents

2011-08-04 17:44:53 -------- d-----w- c:\windows\Application Data

2011-08-04 17:42:48 6144 ----a-w- c:\windows\~DF49CD.tmp

2011-08-03 14:36:01 6144 ----a-w- c:\windows\~DFFB58.tmp

2011-08-03 02:29:30 -------- d-----w- C:\iolo

2011-08-03 02:00:31 6144 ----a-w- c:\windows\~DF5C12.tmp

.

==================== Find3M ====================

.

2011-06-02 14:02:05 1858944 ------w- c:\windows\system32\win32k.sys

.

============= FINISH: 17:55:28.32 ===============

ComboFix 11-08-04.01 - Administrator 08/04/2011 23:42:28.1.2 - x86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.703 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\WINDOWS

c:\documents and settings\All Users\Start Menu\Internet Explorer.lnk

c:\documents and settings\Children\WINDOWS

c:\documents and settings\Default User\WINDOWS

c:\documents and settings\Eugene Delgaudio #2\WINDOWS

c:\documents and settings\Sheila\g2mdlhlpx.exe

c:\documents and settings\Sheila\My Documents\~WRL0380.tmp

c:\documents and settings\Sheila\My Documents\~WRL1275.tmp

c:\documents and settings\Sheila\My Documents\~WRL2449.tmp

c:\documents and settings\Sheila\Templates\wjivoi204s35u41be1v6y10px31lt82c0isxgsv17

c:\documents and settings\Sheila\WINDOWS

c:\program files\messenger\msmsgsin.exe

c:\program files\Shared

c:\windows\desktop

c:\windows\system32\config\systemprofile\WINDOWS

c:\windows\system32\ps2.bat

D:\Autorun.inf

.

.

((((((((((((((((((((((((( Files Created from 2011-07-05 to 2011-08-05 )))))))))))))))))))))))))))))))

.

.

2011-08-05 03:31 . 2011-08-05 03:31 114688 ----a-w- c:\windows\~DF1AF2.tmp

2011-08-05 03:07 . 2011-08-05 03:07 -------- d-----w- C:\Malwarebytes

2011-08-04 20:05 . 2011-08-04 20:05 6144 ----a-w- c:\windows\~DFA26A.tmp

2011-08-04 19:15 . 2011-08-04 19:15 6144 ----a-w- c:\windows\~DF2CD9.tmp

2011-08-04 19:14 . 2011-08-04 19:14 6144 ----a-w- c:\windows\~DF8962.tmp

2011-08-04 18:56 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-04 18:55 . 2011-08-04 19:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-04 18:55 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-04 18:54 . 2011-08-05 03:50 -------- d-----w- c:\documents and settings\Administrator

2011-08-04 18:34 . 2011-08-04 18:35 6144 ----a-w- c:\windows\~DF314.tmp

2011-08-04 18:19 . 2011-08-04 18:19 -------- d-----w- c:\windows\Favorites

2011-08-04 17:59 . 2011-08-04 17:59 -------- d-----w- c:\documents and settings\Sheila\is-7GDSB.tmp

2011-08-04 17:45 . 2011-08-04 17:45 -------- d-----w- C:\My Documents

2011-08-04 17:44 . 2011-08-04 17:44 -------- d-----w- c:\windows\Application Data

2011-08-04 17:42 . 2011-08-04 18:02 6144 ----a-w- c:\windows\~DF49CD.tmp

2011-08-03 14:36 . 2011-08-03 14:36 6144 ----a-w- c:\windows\~DFFB58.tmp

2011-08-03 02:29 . 2011-08-03 02:29 -------- d-----w- C:\iolo

2011-08-03 02:00 . 2011-08-03 02:00 6144 ----a-w- c:\windows\~DF5C12.tmp

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-02 14:02 . 2003-06-05 00:12 1858944 ------w- c:\windows\system32\win32k.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2011-05-30 15:33 2495816 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-05-30 2495816]

.

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NVIEW"="nview.dll" [2003-05-02 835654]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-03-12 114688]

"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-22 69632]

"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-18 69632]

"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"nwiz"="nwiz.exe" [2003-05-02 323584]

"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]

"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]

"Iomega Automatic Backup 1.0.1"="c:\program files\Iomega\Iomega Automatic Backup\ibackup.exe" [2002-10-15 3014656]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]

"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]

"TkBellExe"="c:\program files\Real\RealOne Player\update\realsched.exe" [2011-01-03 274608]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-06 1047656]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2003-03-31 86016]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]

2003-02-21 10:50 40960 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 5:27 PM 22992]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 4:48 AM 32592]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/7/2010 4:49 AM 297168]

S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 4:48 AM 248656]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [4/18/2011 5:39 PM 7398752]

S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 5:33 AM 269520]

S2 gupdate1ca35652e6c81b4;Google Update Service (gupdate1ca35652e6c81b4);c:\program files\Google\Update\GoogleUpdate.exe [9/14/2009 1:59 PM 133104]

S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [11/18/2010 12:08 AM 724152]

S2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [11/18/2010 12:08 AM 724152]

S2 mrtRate;mrtRate; [x]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [5/12/2011 5:18 PM 1025352]

S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 10:42 PM 134480]

S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 10:42 PM 24144]

S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 10:42 PM 27216]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/14/2009 1:59 PM 133104]

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-12 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 19:21]

.

2011-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-14 17:59]

.

2011-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-14 17:59]

.

2011-08-04 c:\windows\Tasks\Malwarebytes' Anti-Malware scan.job

- c:\progra~1\MALWAR~1\mbam.exe [2011-08-04 23:52]

.

2011-08-04 c:\windows\Tasks\Malwarebytes' Anti-Malware.job

- c:\progra~1\MALWAR~1\mbam.exe [2011-08-04 23:52]

.

2011-08-04 c:\windows\Tasks\mbam-setup.job

- K:\mbam-setup.exe [2011-08-04 00:05]

.

2011-08-05 c:\windows\Tasks\User_Feed_Synchronization-{648CB0C4-031B-4062-8003-AF30C587015B}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

.

.

------- Supplementary Scan -------

.

mSearch Bar = hxxp://srch-us8.hpwis.com/

uInternet Settings,ProxyOverride = 127.0.0.1

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE %1

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-WinFax - c:\program files\WinFax\WFXUNIST.ISU

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-04 23:52

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(352)

c:\program files\Softex\OmniPass\opxpgina.dll

.

Completion time: 2011-08-04 23:54:37

ComboFix-quarantined-files.txt 2011-08-05 03:54

.

Pre-Run: 62,187,483,136 bytes free

Post-Run: 62,241,116,160 bytes free

.

- - End Of File - - 5894E4C071B4DEF33AB6BDFC831EF144

Link to post
Share on other sites

After further investigation of some of the older MB logs I found that Wednesday's log reported finding the Trojan.FakeAlert. AVG showed the Generic23.CKZH Trojan.

Here is the Malwarebytes Log:

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7378

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

8/4/2011 4:01:24 PM

mbam-log-2011-08-04 (16-01-24).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 342129

Time elapsed: 39 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Sheila\Local Settings\Application Data\ibi.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\Sheila\local settings\Temp\jar_cache31399.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\documents and settings\Sheila\local settings\Temp\jar_cache31400.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Here is the AVG log:

Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes.

Please download exeHelper from one of these two places:

http://www.raktor.net/exeHelper/exeHelper.com

http://www.raktor.net/exeHelper/exeHelper.scr

Save it to your Desktop and run it. When it finishes, restart your computer and see if you can run .exe files now.

Reboot and describe the issues you are currently experiencing, in detail.

Link to post
Share on other sites

  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.