Malwarebytes and GMER both terminate unexpectedly, running slow



Hi!

System is a P4 running WinXP Pro SP2 on an Intel motherboard.

I believe I've followed the directions to a "T" and will attach the files that I was able to produce.

Malwarebytes installed, updated and began its run, then terminated within 5 seconds or so. I see no logs folder under "C:\Program Files\Malwarebytes' Anti-Malware". I saw no detections from Malwarebytes before it terminated. Defogger ran without issue--I don't think I use any CD Emulation software anyway. GMER also terminated within 15 seconds or so-- so no log from GMER either. As for GMER, I believe I saw a "suspicious item" entry on the screen as it was progressing, but none of this was preserved. The GMER program will not run a second time... a popup appears saying I don't have permission to access the item.

Just a point of clarification on the GMER run... all the machine displayed was a C: drive within that box on the right, and I was supposed to leave that checked, correct? I did have the IAT/EAT and Showall boxes unticked.

I seem to have the system at a somewhat stable restore point (Sept 28) where I can at least launch IE v8 and download files and run them (albeit once for GMER and Malwarebytes). Prior to me stepping back to the Sept 28 restore point I was really hosed, most everything would hang, fail, etc.

I was seeing a popup window in IE directed to kevinsmoneytree.org earlier, if that's of any help.

Also, earlier in the troubleshooting process, I did D/L and attempt to run a combofix.exe, but that hung as well with no checkpoints being displayed after 14 hours.. so I had to reset the PC. I'm assuming that had crashed as well.

The PC normally lives on a Win SBS2003 server network, but it's presently detached from it and I'm logging in to the local PC using the Administrator user account. I'd love to get the puppy upgraded to XPPRO SP3 and then dump McAfee and install MSFT's Security Essentials, which my experience has shown to be a great product on other puters. But I surely didn't want to attempt a SP3 upgrade with an ongoing virus/malware issue fearing that if it failed during the upgrade I'd be left with a real can of worms.

I've removed a bunch of viruses in my day, but whatever this bugger is sure has me stumped.

Any help you guys/girls can offer will be greatly appreciated. I'll most likely buy the full Pro product to prevent further recurrences.

I'm pasting in the DDS.TXT below, and my attach.zip has only the attach.txt due to GMER not producing an ARK.TXT before it terminated.

Thanks in advance for any/all assistance!

Larry

DDS.TXT file here:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Administrator at 19:13:36 on 2011-10-09

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1397 [GMT -5:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\2672749113:3323310432.exe

svchost.exe

C:\WINDOWS\csasvc.exe

C:\Program Files\EaseUS\Todo Backup\bin\Agent.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\WINDOWS\system32\mfevtps.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Analog Devices\SoundMAX\Smtray.exe

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\EaseUS\Todo Backup\bin\EuWatch.exe

C:\Program Files\EaseUS\Todo Backup\bin\TrayNotify.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Java\jre6\bin\jucheck.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110830145053.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [smapp] c:\program files\analog devices\soundmax\Smtray.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [EaseUs Watch] "c:\program files\easeus\todo backup\bin\EuWatch.exe"

mRun: [EaseUs Tray] "c:\program files\easeus\todo backup\bin\TrayNotify.exe"

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

mPolicies-explorer: NoWelcomeScreen = 1 (0x1)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

LSP: mswsock.dll

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/OneClickFix/tgctlsr.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} - hxxps://businessonline.1stsource.com/viewer/activeXViewer/activexviewer.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: Interfaces\{6945D9DE-E20C-46A9-A9C4-A1E9D8C90F7C} : NameServer = 192.168.1.100,192.168.1.1

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021} - c:\progra~1\netexc~1.0\FlowHook.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2011-9-6 38920]

R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [2011-9-6 42376]

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-3-1 387480]

R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [2011-9-6 16008]

R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [2011-9-6 184072]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-3-1 84200]

R2 CSAPrintService;Creative Solutions Accounting Print Service;c:\windows\csasvc.exe [2005-4-20 118784]

R2 EaseUS Agent;EaseUS Agent;c:\program files\easeus\todo backup\bin\Agent.exe [2011-9-6 60040]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-2 94880]

R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-1 271480]

R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-1 271480]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-3-1 171168]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-3-1 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-3-1 141792]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-3-1 56064]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-3-1 153280]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-3-1 52320]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-3-1 314088]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-3-1 88736]

R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-11-3 41272]

S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-1 271480]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-3-1 88736]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-3-1 84488]

.

=============== Created Last 30 ================

.

2011-10-09 23:56:44 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-09 23:56:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-09 23:47:39 709968 ----a-w- c:\windows\isRS-000.tmp

2011-10-09 23:33:30 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-10-09 23:33:30 -------- d-----w- c:\windows\system32\wbem\Repository

2011-10-09 21:29:53 -------- d-----w- c:\documents and settings\administrator\application data\QuickScan

2011-10-08 23:53:06 -------- d-----w- C:\cmdcons

2011-10-08 23:48:17 -------- d-----w- C:\ComboFix

2011-10-08 21:41:32 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE

2011-10-08 19:56:32 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes

2011-10-08 19:48:13 -------- d-sh--w- c:\documents and settings\administrator\IETldCache

2011-10-07 16:35:20 -------- d-----w- c:\program files\TeamViewer

.

==================== Find3M ====================

.

2011-10-09 23:57:19 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-09-07 17:47:18 313344 --sha-w- C:\EUMONBMP.SYS

2011-08-30 19:05:11 4194304 ----a-w- c:\windows\system32\lmquoztc.dll

2011-08-06 05:52:44 20616 ----a-w- c:\windows\system32\fbnative.exe

2011-08-06 05:52:38 184072 ----a-w- c:\windows\system32\drivers\EuFdDisk.sys

2011-08-06 05:52:36 42376 ----a-w- c:\windows\system32\drivers\EUBKMON.sys

2011-08-06 05:52:30 16008 ----a-w- c:\windows\system32\drivers\eudskacs.sys

2011-08-06 05:52:28 38920 ----a-w- c:\windows\system32\drivers\eubakup.sys

.

============= FINISH: 19:16:21.51 ===============

attach.zip

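The DDS log above is what the helpers read to spot the infection. As an added example (not part of the thread or of the DDS tool), the following Python parses a log in that layout and flags the two things an analyst would circle first: a process whose file name carries an NTFS alternate-data-stream name (the `C:\WINDOWS\2672749113:3323310432.exe` entry from Larry's log, a location no legitimate service runs from) and autostart or extension entries that point at a missing file. The sample log is constructed from a few of the lines above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the DDS.TXT layout used in the thread; the
# alternate-data-stream process line is the one from Larry's log above.
SAMPLE_DDS = """\
DDS (Ver_2011-08-26.01) - NTFSx86
.
============== Running Processes ===============
.
C:\\WINDOWS\\system32\\svchost -k DcomLaunch
C:\\WINDOWS\\system32\\spoolsv.exe
C:\\WINDOWS\\2672749113:3323310432.exe
C:\\Program Files\\Internet Explorer\\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
.
============= FINISH: 19:16:21.51 ===============
"""

# DDS section headers look like "===== Name =====".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split a DDS log into {section name: [lines]}.

    Lines consisting of a single '.' are DDS spacer lines and are dropped;
    anything before the first header is filed under 'Header'.
    """
    sections: Dict[str, List[str]] = {"Header": []}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def has_alternate_data_stream(process_line: str) -> bool:
    """True when the executable's file-name component contains ':'.

    After the drive letter, a colon inside a path component names an NTFS
    alternate data stream (e.g. C:\\WINDOWS\\2672749113:3323310432.exe).
    Command-line arguments such as '-k netsvcs' are stripped first.
    """
    last_component = process_line.replace("/", "\\").rsplit("\\", 1)[-1]
    exe_name = last_component.split(" ")[0]
    return ":" in exe_name


def find_findings(text: str) -> List[Tuple[str, str]]:
    """Return (reason, log line) pairs worth an analyst's attention."""
    sections = parse_sections(text)
    findings: List[Tuple[str, str]] = []
    for line in sections.get("Running Processes", []):
        if has_alternate_data_stream(line):
            findings.append(("process running from an NTFS alternate data stream", line))
    for line in sections.get("Pseudo HJT Report", []):
        # DDS marks orphaned autostart/extension entries with '- No File'.
        if line.endswith("- No File"):
            findings.append(("autostart or extension entry points at a missing file", line))
    return findings


if __name__ == "__main__":
    for reason, line in find_findings(SAMPLE_DDS):
        print(f"{reason}: {line}")
```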

  • Staff

Hi and welcome to Malwarebytes.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is like UtilityName.Version_Date_Time_log.txt.

for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Hi.. sorry to keep you waiting but here's an interim status update:

I ran TDSSKiller and it found two items, and I first quarantined them since I wasn't sure what to do with the results. It didn't ask for a reboot but did quarantine successfully. Then I tried to run MBAM-- still denied access. I uninstalled it and rebooted and came back in and first re-ran TDSSKiller and it found the two items again. So this time I deleted them. It called for a reboot. I reran it a 3rd time and it came up clean!

Next, I uninstalled MBAM and re-installed it from the installer I had previously downloaded. It gave an error on not being able to update but it still loaded so I ran it with the 39 day old definitions. It took about 30 minutes for the quickscan, but it found no infections!

Only problem now is something has blown away the internet connection on the PC (I'm writing this from a different PC) because IE can't get to its home page. I've checked -- no proxy created under Lan settings of Internet options.

I can't repair the connection though... and I've got no IP address in the LAN Status. Weird.

While I troubleshoot this further, should I transfer the TDSS and MBAM logs from the infected puter to this one in order to attach em so you can look at them?

Sorry for the delay.. I wasn't sure if one person continues to work on my account or if it gets handed off? I didn't want to keep you waiting or chance missing you....

Give me a quick reply if you want the logs right away... oh, heck.. I'll transfer em quick now..... standby.. they'll be in my next post.


OK.. I've attached the two logs files to this post.

Any ideas on why my internet connection is blown away on the PC in question? Status says "connected" for 23 minutes now, but there's 0 packets sent and received. TCP/IP properties look fine...

mbam-log-2011-10-09 (21-30-12).txt

TDSSKiller.2.6.6.0_09.10.2011_20.46.09_log.txt


  • Staff

Hi,

The infection is breaking Internet connections.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


OK.. got thru the combofix after downloading it to another computer and then transferring it to the desktop of the sick one.

It did present some issues...

I read the instructions about turning off virus scanning... the Mcafee Security Center (by AT&T) didn't follow the forum instructions and I could see no way to turn it off... so I deleted it via add/remove prgms and then rebooted when it finished and called for the reboot. It was no longer in system tray when I restarted. However, when ComboFix started it indicated it saw an active McAfee product running, but I continued anyway.

Also, ComboFix wanted to install the recovery console, but again, my internet connection is blown on the sick puter, so that wasn't possible either.

ComboFix did detect a rootkit and while I was bringing up a notepad screen on another computer to write down the specifics, the on-screen notice was replaced by something else. I don't see the wording of it in the combi report. I do recall some wording in the popup notice calling it "zero" something and it affecting the tcp/ip stack and also about it being a "difficult" rootkit...... sigh... sorry I didn't catch the exact words in time.

During the combo report generation, "updates are ready for your computer" popped up in the system tray... so I was thinking "YaY!!! internet is fixed" but now I'm thinking that that was because combofix was doing something with system update removal/revision? I checked the IP connection afterwards and it still can't query it and shows no IP addy.

Lastly, another symptom I noticed just now:

Start, Run, Command brings up an error in a box titled "16 bit MS-DOS Subsystem"

------------------------------------------------------------

C:\windows\system32\command.com

c:\progra_1\\symantec\s32evnt1.dll. An installable Virtual Device Driver failed DLL initialization. Choose "Close" to terminate the application.

------------------------------------------------------------

It offers both a "close" and "ignore" button. When I hit ignore, a 2nd occurrence of the error appears, then a 2nd ignore and I get the command.com box and am able to execute a command, such as DIR in it and it works...

Finally, I've attached the two reports you asked for.. hope it helps!!!

Thanks again for your time and input!

Larry

combofix_log.txt

dds_after_combofix.txt


Hi,

I'm curious about the arrangement with these cases... is a case assigned to a particular tech and he/she sees it thru until the end? Screen317 has been the only person I've been communicating with, so am I to assume Screen317 is assigned to my case?

If this is correct, and since I realize a particular person doesn't work 24/7, am I in the care of a person that works nights only, or do you folks do things by committee and others may be looking at my posts?

Just curious about the schedule.. there's a few more things I'd like to try with the sick PC but I'm waiting to hear back after the last logs I sent.

Again, and I've said this before, I'm deeply grateful for the help I'm receiving! This note is merely to try to learn a bit about the mechanics of dealing with the helpers on this forum.

I'd be curious to learn what it takes to become a helper myself.

Thanks again... and ready for the next direction you may have to offer.

Larry


I've already re-installed the motherboard's drivers from the CD that came with the motherboard (Intel's chipset, audio, graphics, lan drivers and application accelerator) in an attempt to get the network card working. No luck. Still getting the same message referenced above when trying to status the network connection and the NIC isn't being awarded any IP info.

I've also performed multiple attempts at deleting the network card, rebooting, letting it get re-discovered, deleting stack components, etc.... all in the hopes of resolving the networking issue.

Next, I'd love to attempt a CD based upgrade from SP2 to Win XP SP3 which I've downloaded from another computer and burned onto a CD. I just didn't want to do this before you guys commented on the prior logs sent in during the wee hours of this morning.

Will it hurt things for me to attempt to install XP SP3? I need it to be at SP3 in order to load my preferred anti-virus.... Microsoft's Security Essentials. And, of course, I'm hoping that the SP3 upgrade magically fixes my network issue.

Any one of the advisors able to answer this?

Thanks,

Larry


As a follow on to the earlier problems, now that I have my internet connection back, I went ahead and updated MBAM to the most recent rules.

Prior to this, MBAM had run full scans and was clean of all infection using rules as manually updated yesterday over the top of the August rules that appear in the installer. But now that I have my internet connection back MBAM is updated with the latest rules (v7925 dated 10/11/2011) and it did detect a trojan on its scan. I removed it with the removal button and see it in my mbam quarantine.

I'm going to start another full scan after this post in order to confirm it's gone and all is clean. But, in the interim, here's the mbam log results:



Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7925

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

10/11/2011 7:08:54 PM
mbam-log-2011-10-11 (19-08-54).txt

Scan type: Full scan (C:\|)
Objects scanned: 315602
Time elapsed: 1 hour(s), 23 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\michelle\application data\Sun\Java\deployment\cache\6.0\18\506cd812-73e44f70 (Trojan.Exploit.Drop) -> Quarantined and deleted successfully.

I've also attached the log result file as well.

A sidelight of this issue is that either today's rules were needed to pick up this trojan since yesterday's manually updated rules missed it, or the manual update process for the rules does not effectively work and I was still running the August rules.

I pointed out to an administrator that the program still showed the August rules after the manual update process was done (copying in a new set of rules.ref from another computer that had a good internet connection and could successfully update the rules). I was told that this is normal behavior of the application when manually updated.

mbam-log-2011-10-11 (19-07-53).txt


  • Root Admin

Hello Larry,

Not sure what happened to Chris so I'll go ahead and take over for now.

Do you have any missing files or shortcuts in the menu?

STEP 01

Please download and run the following tool unhide.exe to help with hidden programs on your system.

STEP 02

Please delete your current copy of Combofix and download a new fresh copy and run it (with your AV disabled) and post back the new log as well as letting me know about any missing files or shortcuts you may have.

Combofix download


OK... here we go...

BTW.. I got a 100% clean full scan result after MBAM removed that Trojan mentioned above. So that's all cool now... results included below.

I'm not noticing anything missing in the icon dept... and UnHide completed successfully.

And lastly, the ComboFix results posted below too... ran after performing a start/run combofix /uninstall and then downloading and running a new copy.

I'm still not running any anti-virus cuz I'm waiting on the SP3 update... For a while I had the gold shield showing saying updates were waiting, but I think this appeared from the removal of some of the infected stuff. The shield isn't there now and I never did accept or apply any updates. And my Automatic Updates status is all greyed out... that's a bit odd.. is that cuz its still SP2 and Msft isn't supporting that version anymore with auto updates?

Lar

mbam-log-2011-10-11 (20-45-07).txt

combofix_log_2.txt


  • Root Admin

Well the scanner sure thinks you have Anti-Virus installed and running

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

STEP 01

Please download JavaRa and run it to fully remove all versions of Java.

When done we can install the latest version again.

STEP 02

Do you have any Symantec products installed that are using the Live Update service? This is pretty old and, without Symantec products, of no value.

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]

STEP 03

Removing McAfee Automatically

Removing incompatible third-party applications (2008)

Summary: Some third-party applications are incompatible with 2008 McAfee software. This article explains how to remove programs using Windows standard program removal tools and provides links to remove specific applications.

McAfee has created an automatic removal program to remove the following software products when the normal removal methods fail. It does not work with Windows 98 or Windows ME. The removal tool deletes all traces of the following products in Windows 2000 Pro, Windows XP Home and Professional, and Windows Vista.

  • McAfee Security Center
  • McAfee VirusScan
  • McAfee Personal Firewall Plus
  • McAfee Privacy Service
  • McAfee SpamKiller
  • McAfee Wireless Network Security
  • McAfee SiteAdvisor
  • McAfee Data Backup
  • McAfee Network Manager
  • McAfee Easy Network
  • McAfee AntiSpyware

Follow these directions to download the McAfee Removal Tool and run it to remove the above programs.

  1. Click on the following link to download the MCPR removal tool
    McAfee MCPR.exe
  2. Click Save and save the file to your desktop
  3. Close all McAfee Application windows you may have open, and double-click on MCPR.exe to start the removal tool. Windows Vista users will have to right-click on the file and select "Run as Administrator"
  4. After the removal tool finishes, you should be prompted to restart your computer.
  5. Once the computer restarts, your McAfee product should be uninstalled.
  6. If for any reason there appears a red X during the uninstall, go to the following location for more advanced uninstall instructions involving the registry.
    McAfee Document ID: TS100507
  7. If you're still having issues removing McAfee software please check out their support forum

Extra Optional Steps

  1. Open My Computer, double-click on Drive C
  2. Double-click on Program Files
  3. Look for any McAfee product folders that remain. Right-click on them and choose Delete
  4. Close My Computer and other folders

STEP 04

Please download and run these tools which are designed to restore some standard policy settings. They are not harmful.

    VArestorepolicies.INF
  • Download this INF repair file from here: VArestorepolicies.zip by MS-MVP Miekiemoes
  • Unzip or open the file VArestorepolicies.zip
  • Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install

    FixPolicies.exe
  • Download this self-extracting ZIP archive from here: FixPolicies.exe by MS-MVP Bill Castner and save it to your desktop.
  • Double-click FixPolicies.exe
  • Click the "Install" button on the bottom toolbar of the box that will open
  • The program will create a new Folder called FixPolicies
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
  • A black box will briefly appear and then close
  • These fixes may prove temporary. Active malware may revert these changes on your next startup. You can safely run these utilities again.

STEP 05

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines


RegLock::
[HKEY_USERS\S-1-5-21-299502267-1645522239-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
    When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.


  • Root Admin

If you're not running any Symantec/Norton then you can use this tool to clean up after it.

Download and run the Norton Removal Tool to uninstall your Norton product

After you have remove the Java, McAfee, and Norton and run the other items and rebooted then run the following cleanup tool.

Please use TFC to clear temporary files:

Run TFC by OldTimer to clear temporary files:

  • Please download TFC from here and save it to your desktop.
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.


1: Java's out

2: I think LiveUpdate used to be from PCAnywhere.. no longer used.. ran the Norton removal tool

3: Ran MCPR to get Mcafee remnants out.. prolly left there from a botched uninstall while the rootkit was active

3a: I see no Mcafee stuff under prog_files or c:\

Rebooting at this point since called for my Mcafee uninstall.. will come back and continue with step 4...

ps.. you didn't want the java log did you?


  • Root Admin

Great...

STEP 01

Open a Command Prompt window and type NETSH FIREWALL RESET

STEP 02

Well Java is still there it seems

Please open Regedit and browse to this location and delete the SunJavaUpdateSched entry

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Then reboot once again and delete this folder

c:\program files\Java

STEP 03

We should be pretty much all set now. Please go to the Windows update site and check for updates and install ALL security updates.

After finishing the Windows updates make sure you install an Anti-Virus (Microsoft Security Essentials or one of your choice) and update it and scan your system with it.

STEP 04

When all Windows updates are done then

Please do the following:

  • Download and run mbam-clean.exe from here
  • It will ask to restart your computer, please allow it to do so (very important)
  • After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here
    • Note: You will need to reactivate the program using the license you were sent via email if using the Pro version
    • Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.
      Restart the computer again and verify that MBAM is in the task tray if using the Pro version. Now setup any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications and restart your Anti-Virus/Internet-Security applications. You may use the guides posted in the FAQ's here or ask and we'll explain how to do it.

I'm probably going to be dropping off here soon so I'll check back with you tomorrow and see how things went.


back once again...

6: TFC ran and cleaned up 112 MB of crapola... I'll keep that around to run before backups!

7: and the DDS run... attaching the two files below...

items still on my list:

xp sp3

Msft MSE

turn on windows firewall ?

I have gold shield with updates appearing again

dds_after_cleaning.txt

attach_after_cleaning.txt


ok.. thanks mucho, once again, for all your time and effort!!!

1: did the NETSH FIREWALL RESET

2: nuked the registry entry

3: gotta close browser to remove java 16... so sending this first.... brb


ok.. java17 removed via add/remove and then followed up and saw c:\prog_files\java still present... tried to delete... there was still a file under a subfolder that was locked...

went on to add/remove AT&T yahoo apps (something we used to use for DSL acct) and found it had not only the toolbar but Norton AV entries as well.. so nuked all of that via add/remove, which then called for another reboot.

Coming back from reboot and now able to delete the ..\java folders.. cool

Going after the Windows updates now.... I'll send this since I'll prolly be asked to reboot again....
