Jump to content

Recommended Posts

Had same exact issue. I was actually able to fix this using only the infected computer, and it seems to have worked.

First, I went in to the control panel and Administrative Tools and then Services, and noticed that DHCP service wasn't started, so I started it, and I had internet. I had to go into my browser's preferences and turn off the Proxy server that had turned on.

Found this blog, downloaded the ComboFix.exe software from the link above, and let it run.

HERE'S THE LOG. I'm able to run Malwarebytes again, so I'm hoping I got rid of the problem, but am going to run multiple scanners just to be sure.

ComboFix 11-10-30.03 - Tech 10/31/2011 0:37.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.167 [GMT -7:00]

Running from: c:\documents and settings\Tech\Desktop\ComboFix.exe

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\WINDOWS

c:\documents and settings\Default User\WINDOWS

c:\documents and settings\Owner.salstation\My Documents\~WRD0000.tmp

c:\documents and settings\Owner.salstation\My Documents\~WRL3053.tmp

c:\documents and settings\Owner.salstation\My Documents\~WRL3708.tmp

c:\documents and settings\Owner.salstation\WINDOWS

c:\documents and settings\Tech\WINDOWS

c:\windows\$NtUninstallKB63881$\2203856554

c:\windows\$NtUninstallKB63881$\580003044\@

c:\windows\$NtUninstallKB63881$\580003044\bckfg.tmp

c:\windows\$NtUninstallKB63881$\580003044\cfg.ini

c:\windows\$NtUninstallKB63881$\580003044\Desktop.ini

c:\windows\$NtUninstallKB63881$\580003044\keywords

c:\windows\$NtUninstallKB63881$\580003044\kwrd.dll

c:\windows\$NtUninstallKB63881$\580003044\L\dmaarltv

c:\windows\$NtUninstallKB63881$\580003044\lsflt7.ver

c:\windows\$NtUninstallKB63881$\580003044\U\00000001.@

c:\windows\$NtUninstallKB63881$\580003044\U\00000002.@

c:\windows\$NtUninstallKB63881$\580003044\U\80000000.@

c:\windows\$NtUninstallKB63881$\580003044\U\80000032.@

c:\windows\kb913800.exe

c:\windows\system32\config\systemprofile\WINDOWS

D:\Autorun.inf

c:\windows\$NtUninstallKB63881$ . . . . Failed to delete

.

c:\windows\system32\drivers\Cdr4_xp.sys . . . is infected!! . . . Failed to find a valid replacement.

.

((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-31 )))))))))))))))))))))))))))))))

.

.

2011-10-31 07:10 . 2011-05-12 21:05 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys

2011-10-31 06:35 . 2011-10-31 06:35 -------- d--h--w- c:\windows\PIF

2011-10-31 06:20 . 2011-05-12 21:03 6144 ------w- c:\windows\system32\7.tmp

2011-10-31 06:20 . 2011-05-12 21:03 6144 ------w- c:\windows\system32\6.tmp

2011-10-31 06:19 . 2011-10-31 06:19 -------- d-----w- c:\program files\Sophos

2011-10-31 05:56 . 2011-10-31 05:56 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-10-31 05:52 . 2011-10-31 06:16 -------- d-----w- c:\documents and settings\Tech

2011-10-30 02:07 . 2011-10-30 02:07 709968 ----a-w- c:\windows\is-L8PTA.exe

2011-10-30 01:11 . 2011-10-30 05:34 -------- d-----w- c:\documents and settings\Owner.salstation\DoctorWeb

2011-10-30 01:05 . 2011-10-30 01:05 -------- d-----w- c:\documents and settings\Owner.salstation\Application Data\Malwarebytes

2011-10-30 01:04 . 2011-10-30 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-10-30 01:04 . 2011-10-31 05:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-30 01:04 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-07 21:50 . 2005-04-04 06:02 753664 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll

2011-10-07 21:50 . 2005-04-04 06:02 69714 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll

2011-10-07 21:50 . 2005-04-04 06:01 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll

2011-10-07 21:50 . 2005-04-04 06:00 184320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll

2011-10-07 21:50 . 2005-04-04 05:59 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe

2011-10-07 21:50 . 2005-04-04 05:57 32768 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\Objectps.dll

2011-10-07 21:50 . 2011-10-07 21:50 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll

2011-10-07 21:50 . 2011-10-07 21:50 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll

2011-10-07 00:06 . 2011-10-07 00:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot

2011-10-07 00:06 . 2011-10-07 00:06 -------- d-----w- c:\documents and settings\Owner.salstation\Local Settings\Application Data\PackageAware

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-21 20:42 . 2011-09-21 20:43 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-09-21 20:42 . 2008-08-15 20:25 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-09-09 09:12 . 2005-11-23 07:12 599040 ----a-w- c:\windows\system32\crypt32.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-29 344064]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk /r \??\C:\0autocheck autochk *

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk

backup=c:\windows\pss\BigFix.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Owner.salstation^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

path=c:\documents and settings\Owner.salstation\Start Menu\Programs\Startup\LimeWire On Startup.lnk

backup=c:\windows\pss\LimeWire On Startup.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

2008-07-23 03:42 116040 -c--a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2008-05-27 17:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]

2002-09-14 07:42 212992 -c--a-w- c:\windows\SMINST\Recguard.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]

2005-02-25 08:24 966656 -c--a-w- c:\windows\creator\remind_xp.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

.

R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [10/31/2011 12:10 AM 18816]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/29/2011 7:07 PM 366152]

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [1/27/2006 2:54 PM 200576]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/29/2011 6:04 PM 22216]

S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [6/28/2008 4:49 PM 2944]

S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [6/28/2008 4:49 PM 60416]

S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [6/28/2008 4:49 PM 11008]

S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [6/28/2008 4:49 PM 10368]

S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [11/22/2005 5:52 PM 69692]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\C.tmp --> c:\windows\system32\C.tmp [?]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-18 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 00:57]

.

2006-02-27 c:\windows\Tasks\ISP signup reminder 2.job

- c:\windows\system32\OOBE\oobebaln.exe [2005-11-23 00:12]

.

2006-02-27 c:\windows\Tasks\ISP signup reminder 3.job

- c:\windows\system32\OOBE\oobebaln.exe [2005-11-23 00:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.gateway.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.15.1

FF - ProfilePath -

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

SafeBoot-35825523.sys

SafeBoot-73489664.sys

SafeBoot-98467317.sys

MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe

MSConfigStartUp-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe

MSConfigStartUp-conhost - c:\documents and settings\Owner.salstation\Application Data\Microsoft\conhost.exe

MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1138403453\ee\AOLSoftware.exe

MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe

MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe

MSConfigStartUp-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe

MSConfigStartUp-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe

MSConfigStartUp-MSKDetectorExe - c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe

MSConfigStartUp-NeroFilterCheck - c:\windows\system32\NeroCheck.exe

MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe

MSConfigStartUp-RemoteControl - c:\program files\CyberLink\PowerDVD\PDVDServ.exe

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_07\bin\jusched.exe

MSConfigStartUp-VirusScan Online - c:\progra~1\mcafee.com\vso\mcvsshld.exe

MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-10-31 00:53

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\C.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(896)

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\BCMLogon.dll

.

- - - - - - - > 'explorer.exe'(396)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\System32\wltrysvc.exe

c:\windows\System32\bcmwltry.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\wscntfy.exe

c:\windows\eHome\ehmsas.exe

c:\windows\system32\dllhost.exe

.

**************************************************************************

.

Completion time: 2011-10-31 00:58:32 - machine was rebooted

ComboFix-quarantined-files.txt 2011-10-31 07:58

.

Pre-Run: 61,425,229,824 bytes free

Post-Run: 61,495,447,552 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 751857D412965424BE1077471B25FA2C

Link to post
Share on other sites

  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.