bdca13 Posted October 31, 2011 ID:490362

Had same exact issue. I was actually able to fix this using only the infected computer, and it seems to have worked. First, I went into the Control Panel, Administrative Tools and then Services, and noticed that the DHCP service wasn't started, so I started it, and I had internet. I had to go into my browser's preferences and turn off the proxy server that had been turned on. Found this blog, downloaded the ComboFix.exe software from the link above, and let it run. HERE'S THE LOG. I'm able to run Malwarebytes again, so I'm hoping I got rid of the problem, but am going to run multiple scanners just to be sure.

ComboFix 11-10-30.03 - Tech 10/31/2011 0:37.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.167 [GMT -7:00]
Running from: c:\documents and settings\Tech\Desktop\ComboFix.exe
 * Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Owner.salstation\My Documents\~WRD0000.tmp
c:\documents and settings\Owner.salstation\My Documents\~WRL3053.tmp
c:\documents and settings\Owner.salstation\My Documents\~WRL3708.tmp
c:\documents and settings\Owner.salstation\WINDOWS
c:\documents and settings\Tech\WINDOWS
c:\windows\$NtUninstallKB63881$\2203856554
c:\windows\$NtUninstallKB63881$\580003044\@
c:\windows\$NtUninstallKB63881$\580003044\bckfg.tmp
c:\windows\$NtUninstallKB63881$\580003044\cfg.ini
c:\windows\$NtUninstallKB63881$\580003044\Desktop.ini
c:\windows\$NtUninstallKB63881$\580003044\keywords
c:\windows\$NtUninstallKB63881$\580003044\kwrd.dll
c:\windows\$NtUninstallKB63881$\580003044\L\dmaarltv
c:\windows\$NtUninstallKB63881$\580003044\lsflt7.ver
c:\windows\$NtUninstallKB63881$\580003044\U\00000001.@
c:\windows\$NtUninstallKB63881$\580003044\U\00000002.@
c:\windows\$NtUninstallKB63881$\580003044\U\80000000.@
c:\windows\$NtUninstallKB63881$\580003044\U\80000032.@
c:\windows\kb913800.exe
c:\windows\system32\config\systemprofile\WINDOWS
D:\Autorun.inf
c:\windows\$NtUninstallKB63881$ . . . . Failed to delete
.
c:\windows\system32\drivers\Cdr4_xp.sys . . . is infected!! . . . Failed to find a valid replacement
.
.
((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-31 )))))))))))))))))))))))))))))))
.
.
2011-10-31 07:10 . 2011-05-12 21:05 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-10-31 06:35 . 2011-10-31 06:35 -------- d--h--w- c:\windows\PIF
2011-10-31 06:20 . 2011-05-12 21:03 6144 ------w- c:\windows\system32\7.tmp
2011-10-31 06:20 . 2011-05-12 21:03 6144 ------w- c:\windows\system32\6.tmp
2011-10-31 06:19 . 2011-10-31 06:19 -------- d-----w- c:\program files\Sophos
2011-10-31 05:56 . 2011-10-31 05:56 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-31 05:52 . 2011-10-31 06:16 -------- d-----w- c:\documents and settings\Tech
2011-10-30 02:07 . 2011-10-30 02:07 709968 ----a-w- c:\windows\is-L8PTA.exe
2011-10-30 01:11 . 2011-10-30 05:34 -------- d-----w- c:\documents and settings\Owner.salstation\DoctorWeb
2011-10-30 01:05 . 2011-10-30 01:05 -------- d-----w- c:\documents and settings\Owner.salstation\Application Data\Malwarebytes
2011-10-30 01:04 . 2011-10-30 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-30 01:04 . 2011-10-31 05:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-30 01:04 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-07 21:50 . 2005-04-04 06:02 753664 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
2011-10-07 21:50 . 2005-04-04 06:02 69714 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
2011-10-07 21:50 . 2005-04-04 06:01 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
2011-10-07 21:50 . 2005-04-04 06:00 184320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
2011-10-07 21:50 . 2005-04-04 05:59 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe
2011-10-07 21:50 . 2005-04-04 05:57 32768 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\Objectps.dll
2011-10-07 21:50 . 2011-10-07 21:50 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
2011-10-07 21:50 . 2011-10-07 21:50 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
2011-10-07 00:06 . 2011-10-07 00:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2011-10-07 00:06 . 2011-10-07 00:06 -------- d-----w- c:\documents and settings\Owner.salstation\Local Settings\Application Data\PackageAware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-21 20:42 . 2011-09-21 20:43 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-21 20:42 . 2008-08-15 20:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-09 09:12 . 2005-11-23 07:12 599040 ----a-w- c:\windows\system32\crypt32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-29 344064]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\C:\0autocheck autochk *
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner.salstation^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Owner.salstation\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-07-23 03:42 116040 -c--a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 17:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 07:42 212992 -c--a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-02-25 08:24 966656 -c--a-w- c:\windows\creator\remind_xp.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [10/31/2011 12:10 AM 18816]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/29/2011 7:07 PM 366152]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [1/27/2006 2:54 PM 200576]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/29/2011 6:04 PM 22216]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [6/28/2008 4:49 PM 2944]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [6/28/2008 4:49 PM 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [6/28/2008 4:49 PM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [6/28/2008 4:49 PM 10368]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [11/22/2005 5:52 PM 69692]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\C.tmp --> c:\windows\system32\C.tmp [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 00:57]
.
2006-02-27 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-11-23 00:12]
.
2006-02-27 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-11-23 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.15.1
FF - ProfilePath - 
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-35825523.sys
SafeBoot-73489664.sys
SafeBoot-98467317.sys
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe
MSConfigStartUp-conhost - c:\documents and settings\Owner.salstation\Application Data\Microsoft\conhost.exe
MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1138403453\ee\AOLSoftware.exe
MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe
MSConfigStartUp-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
MSConfigStartUp-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe
MSConfigStartUp-MSKDetectorExe - c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe
MSConfigStartUp-NeroFilterCheck - c:\windows\system32\NeroCheck.exe
MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
MSConfigStartUp-RemoteControl - c:\program files\CyberLink\PowerDVD\PDVDServ.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_07\bin\jusched.exe
MSConfigStartUp-VirusScan Online - c:\progra~1\mcafee.com\vso\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-31 00:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\C.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(396)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2011-10-31 00:58:32 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-31 07:58
.
Pre-Run: 61,425,229,824 bytes free
Post-Run: 61,495,447,552 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 751857D412965424BE1077471B25FA2C
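The log above is the kind of thing a helper on this forum reads by eye: autostart and service entries whose image sits somewhere no legitimate program loads from (a user profile's Application Data, a `.tmp` file in system32, a system binary name in the wrong directory). The following is an added example, not code from the poster or from Malwarebytes staff, that parses a few ComboFix-style lines (copied from the log above, with clean entries for contrast) and flags those patterns. The rules are simple heuristics chosen for this example, not ComboFix's own logic, and a hit means "look closer", not "infected".

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines in ComboFix's own formats, copied from the log above
# (Run-key value, service lines, orphaned MSConfig entries, a service ImagePath),
# plus clean entries so the output is not all hits.
SAMPLE_LOG = r"""
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/29/2011 7:07 PM 366152]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\C.tmp --> c:\windows\system32\C.tmp [?]
MSConfigStartUp-conhost - c:\documents and settings\Owner.salstation\Application Data\Microsoft\conhost.exe
MSConfigStartUp-NeroFilterCheck - c:\windows\system32\NeroCheck.exe
"ImagePath"="\??\c:\windows\system32\C.tmp"
"""

# One regex per ComboFix line shape we care about; each yields a name and an image path.
PATTERNS = [
    # "ValueName"="path" [date size]   (Run keys, service ImagePath)
    ("regvalue", re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')),
    # R1/R2/S3 status, then name;display name;path [date size]  (optional "--> target")
    ("service", re.compile(r'^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>[^\[]+?)(?:\s+-->.*)?\s*\[[^\]]*\]$')),
    # MSConfigStartUp-Name - path   (orphans ComboFix removed)
    ("msconfig", re.compile(r'^MSConfigStartUp-(?P<name>.+?) - (?P<path>.+)$')),
]

EXEC_EXTS = (".exe", ".dll", ".sys", ".tmp", ".scr", ".com")
# Names of core Windows binaries that should only ever live under the system directories.
SYSTEM_NAMES = {"conhost.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                "winlogon.exe", "explorer.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows")


@dataclass
class Entry:
    source: str   # which PATTERNS shape matched
    name: str     # autostart/service/value name
    path: str     # normalised image path


@dataclass
class Finding:
    entry: Entry
    reasons: list = field(default_factory=list)


def normalize(path: str) -> str:
    """Lower-case the path and drop the NT object-manager prefix (\\??\\) ComboFix shows."""
    p = path.strip().lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p


def parse_entries(text: str) -> list:
    """Extract (source, name, path) from every line that matches a known shape."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        for source, pat in PATTERNS:
            m = pat.match(line)
            if m:
                entries.append(Entry(source, m.group("name"), normalize(m.group("path"))))
                break
    return entries


def triage(text: str) -> list:
    """Apply the location heuristics to each parsed entry; return only entries with hits."""
    findings = []
    for e in parse_entries(text):
        head, _, base = e.path.rpartition("\\")
        reasons = []
        in_profile_data = ("\\documents and settings\\" in e.path and
                           ("\\application data\\" in e.path or "\\local settings\\" in e.path))
        if in_profile_data and base.endswith(EXEC_EXTS):
            reasons.append("executable loaded from a user profile data directory")
        if base.endswith(".tmp"):
            reasons.append("autostart/service image has a .tmp name")
        if base in SYSTEM_NAMES and head not in SYSTEM_DIRS:
            reasons.append("system binary name outside the Windows system directories")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.entry.source}] {f.entry.name}: {f.entry.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample it reports MEMSWEEP2 (service image is `C.tmp`), conhost (profile directory and a system binary name outside system32) and the MEMSWEEP2 ImagePath value, and stays quiet on the Synaptics, Malwarebytes and Nero entries. Feeding it a whole ComboFix log is a matter of reading the file instead of `SAMPLE_LOG`; the regexes ignore lines in shapes they do not know.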
Staff screen317 Posted November 4, 2011 ID:491815

Hi and welcome to Malwarebytes. Please update MBAM, run a Quick Scan, and post its log. Next, download DDS by sUBs and save it to your Desktop. Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post only DDS.txt directly into your reply.
Staff screen317 Posted November 12, 2011 ID:493817

Are you still with us? This topic will be closed in a few days if we do not hear back from you.
Staff screen317 Posted November 21, 2011 ID:496641

Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!