Having some trouble with malware


Post by Vargas on 18th June 2009, 11:40 pm

Earlier today I was infected with System Security 4.51. I followed the instructions using IceSword.exe (renamed to winlogon.exe) and had success removing the desktop image and System Security. However, I am unable to run Malwarebytes. When I try to open it I see an hourglass for a few seconds and then nothing, no error message or anything, it simply does not open.

Please help, this is incredibly frustrating.

Vargas
Novice
Posts: 15
Joined: 2009-06-18
OS: XP
Points: 27309
Likes: 0


Re: Having some trouble with malware

Post by Belahzur on 18th June 2009, 11:44 pm

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything HijackThis found; copy and paste it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245079
Likes: 1


Re: Having some trouble with malware

Post by Vargas on 18th June 2009, 11:47 pm

I downloaded the file and tried to open the installer but the same thing is occurring. It shows an hourglass like it's opening the program but then nothing happens.


Re: Having some trouble with malware

Post by Vargas on 18th June 2009, 11:53 pm

Okay, on a whim I decided to follow some advice from a different post in regards to saving the HJT file as HJT-Install instead of HJTInstall.exe. This allowed me to open HijackThis. Here is the log file:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:51:33 PM, on 6/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\mbam-set-up.exe
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\is-KLDQ7.tmp\mbam-set-up.tmp
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\HJTInstall.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\HJTInstall.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - * - (no file)
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kell] C:\program Files\Manson\liser.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe

--
End of file - 8044 bytes

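A small triage helper for a log like the one above. This is an added example, not part of the original post and not HijackThis code: it applies the rule of thumb a helper uses when picking lines to fix (a registered component that resolves to "(no file)", a filter or protocol entry with "(no CLSID)", and a Run/RunOnce entry that launches from somewhere other than the usual system or vendor directories) to lines copied from the posted log. The EXPECTED_RUN_DIRS list is an assumption for this example, not a HijackThis setting.

```python
"""Triage rules for HijackThis log lines.

Added example; not part of the original post and not HijackThis code.
SAMPLE_LOG contains lines copied from the log above. EXPECTED_RUN_DIRS
is an assumption for this example, not a HijackThis setting.
"""
import re

# Directories an O4 Run/RunOnce target is expected to live in on this box
# (assumption: system binaries plus the two security products seen in the log).
EXPECTED_RUN_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\pchealth",
    r"c:\program files\avg",
    r"c:\program files\malwarebytes' anti-malware",
)

# O4 - HKCU\..\Run: [name] command
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def flag_line(line):
    """Return a reason if the line is one a helper would mark for 'Fix checked', else None."""
    line = line.strip()
    if not line:
        return None
    # A hook, BHO or filter whose registered component is gone from disk.
    if line.endswith("(no file)"):
        return "orphaned entry: registered component has no file on disk"
    # A filter/protocol registration without a CLSID is never a normal install.
    if "(no CLSID)" in line:
        return "filter/protocol entry with no CLSID"
    m = RUN_RE.match(line)
    if m:
        # Drop switches such as "/auto" or "/install /silent" before comparing paths.
        exe = m.group("cmd").strip().lower().split(" /")[0]
        if not exe.startswith(EXPECTED_RUN_DIRS):
            return f"Run entry [{m.group('name')}] launches from an unexpected path: {exe}"
    return None


def triage(log_text):
    """Return [(line, reason)] for every line the rules above flag, in log order."""
    hits = []
    for line in log_text.splitlines():
        reason = flag_line(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


# Lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - * - (no file)
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kell] C:\program Files\Manson\liser.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O18 - Filter hijack: text/html - (no CLSID) - (no file)
"""

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run against the sample it flags exactly the five lines Belahzur asks to be fixed, and leaves the Java "(no name)" button alone because that entry still points at a real DLL.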

Re: Having some trouble with malware

Post by Vargas on 19th June 2009, 12:13 am

While waiting for a response I decided to try to run Spybot S&D; got the same results (hourglass, then nothing). It also happens when I try to run Malwarebytes' Anti-Malware. This is super frustrating because I have seen many people suggesting MBAM, but I have installed it about four times and can NOT get it to open. In addition, it takes about 30+ minutes for it to install each time, so I'm going crazy here.

I don't know how valuable this information is, but I ran SDFix earlier (in safe mode) and this is what came up in the report:


SDFix: Version 1.240
Run by Compaq_Administrator on Thu 06/18/2009 at 02:59 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\Documents and Settings\Compaq_Administrator\Desktop\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-18 15:43:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 1381
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 1381
disk error: C:\Documents and Settings\Compaq_Administrator\ntuser.dat, 1381
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Disabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1137892249\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1137892249\\ee\\aolsoftware.exe:*:Disabled:AOL Services"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Disabled:BitTorrent"
"C:\\Program Files\\Call of Duty\\CoDMP.exe"="C:\\Program Files\\Call of Duty\\CoDMP.exe:*:Disabled:CoDMP"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Disabled:Earthlink"
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"="C:\\Program Files\\GameSpy Arcade\\Aphex.exe:*:Disabled:GameSpy Arcade"
"C:\\Program Files\\iMesh Applications\\iMesh6\\iMesh6.exe"="C:\\Program Files\\iMesh Applications\\iMesh6\\iMesh6.exe:*:Disabled:iMesh 6"
"C:\\Program Files\\Kazaa\\kazaa.exe"="C:\\Program Files\\Kazaa\\kazaa.exe:*:Disabled:Kazaa"
"C:\\Program Files\\Lionhead Studios Ltd\\Black & White\\runblack.exe"="C:\\Program Files\\Lionhead Studios Ltd\\Black & White\\runblack.exe:*:Disabled:lh"
"C:\\Program Files\\Lionhead Studios Ltd\\Black & White\\CreatureIsle\\CreatureIsle.exe"="C:\\Program Files\\Lionhead Studios Ltd\\Black & White\\CreatureIsle\\CreatureIsle.exe:*:Disabled:lh"
"C:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"="C:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe:*:Disabled:Medal of Honor Allied Assault"
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe"="C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe:*:Disabled:P2P Networking"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe:*:Disabled:Remote Assistance - Windows Messenger and Voice"
"C:\\Program Files\\Starcraft\\starcraft.exe"="C:\\Program Files\\Starcraft\\starcraft.exe:*:Disabled:Starcraft"
"C:\\Documents and Settings\\Compaq_Administrator\\Desktop\\Starcraft\\starcraft.exe"="C:\\Documents and Settings\\Compaq_Administrator\\Desktop\\Starcraft\\starcraft.exe:*:Disabled:Starcraft"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Disabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"C:\\Documents and Settings\\Compaq_Administrator\\Desktop\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Documents and Settings\\Compaq_Administrator\\Desktop\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"="C:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRES.EXE"="C:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRES.EXE:*:Disabled:Age of Empires"
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"="C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD:*:Disabled:Age of Empires II"
"C:\\Documents and Settings\\Compaq_Administrator\\Desktop\\Downloads\\Age of Empires\\empires2.exe"="C:\\Documents and Settings\\Compaq_Administrator\\Desktop\\Downloads\\Age of Empires\\empires2.exe:*:Disabled:Age of Empires II"
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe"="C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe:*:Disabled:Age of Empires II Expansion"
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1.exe"="C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1.exe:*:Disabled:Age of Empires II Expansion"
"C:\\Program Files\\Common Files\\AOL\\1137892249\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1137892249\\ee\\aim6.exe:*:Disabled:AIM"
"C:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\Launcher.exe"="C:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\Launcher.exe:*:Disabled:Blizzard Launcher"
"C:\\Documents and Settings\\Compaq_Administrator\\Local Settings\\Temp\\Blizzard Launcher Temporary - 9ef723b8\\Launcher.exe"="C:\\Documents and Settings\\Compaq_Administrator\\Local Settings\\Temp\\Blizzard Launcher Temporary - 9ef723b8\\Launcher.exe:*:Disabled:Blizzard Launcher"
"C:\\Program Files\\Curse\\CurseClient.exe"="C:\\Program Files\\Curse\\CurseClient.exe:*:Disabled:Curse Client"
"C:\\Program Files\\Steam\\steamapps\\tf2free\\team fortress 2\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\tf2free\\team fortress 2\\hl2.exe:*:Disabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\jewbert68\\team fortress 2\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\jewbert68\\team fortress 2\\hl2.exe:*:Disabled:hl2"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Disabled:iTunes"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Disabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Disabled:Microsoft Office OneNote"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Disabled:Microsoft Office Outlook"
"C:\\Program Files\\Rocky Mountain Trophy Hunter 3\\Rocky Mountain Trophy Hunter 3.exe"="C:\\Program Files\\Rocky Mountain Trophy Hunter 3\\Rocky Mountain Trophy Hunter 3.exe:*:Disabled:Rocky Mountain Trophy Hunter 3"
"C:\\Program Files\\VentSrv\\ventrilo_srv.exe"="C:\\Program Files\\VentSrv\\ventrilo_srv.exe:*:Disabled:ventrilo_srv"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Disabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Disabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :



Files with Hidden Attributes :

Mon 16 Jan 2006 211 A.SHR --- "C:\BOOT.BAK"
Thu 18 Jun 2009 24,576 ..SH. --- "C:\Program Files\Manson\liser.dll"
Thu 18 Jun 2009 61,440 ..SHR --- "C:\Program Files\Manson\liser.exe"
Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 26 Jan 2009 2,144,088 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sun 22 Jan 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 5 May 2009 12,181 ...H. --- "C:\Documents and Settings\Compaq_Administrator\Desktop\~WRL1265.tmp"
Thu 28 May 2009 10,053,112 A..H. --- "C:\Program Files\Google\Picasa3\setup.exe"
Sat 20 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sun 22 Jan 2006 4,348 A.SH. --- "C:\Documents and Settings\Compaq_Administrator\Desktop\My Music\License Backup\drmv1key.bak"
Wed 26 Apr 2006 12,943 A.SH. --- "C:\Documents and Settings\Compaq_Administrator\Desktop\My Music\License Backup\drmv2key.bak"

Finished!

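Two parts of the SDFix report above are worth reading programmatically: the "Files with Hidden Attributes" list (the liser.exe/liser.dll pair is system+hidden, sits in a Program Files folder nobody installed, and carries the date of the infection, which is exactly what the "kell" Run entry in the HijackThis log points at) and the firewall "Authorized Application Key Export" (Enabled exceptions for binaries living under a user profile rather than Program Files or Windows). The script below is an added example, not part of the original post and not SDFix code; the sample lines are copied from the report above, while VENDOR_ALLOW, USER_WRITABLE and INCIDENT_DAY are assumptions made for this example.

```python
"""Triage two sections of an SDFix report: "Files with Hidden Attributes"
and the firewall "Authorized Application Key Export".

Added example; not part of the original post and not SDFix code.
SAMPLE_REPORT contains lines copied from the report above. VENDOR_ALLOW,
USER_WRITABLE and INCIDENT_DAY are assumptions for this example.
"""
import re
from datetime import date, datetime

# e.g.  Thu 18 Jun 2009 24,576 ..SH. --- "C:\Program Files\Manson\liser.dll"
HIDDEN_RE = re.compile(
    r"^(?P<dow>[A-Za-z]{3}) (?P<day>\d{1,2}) (?P<mon>[A-Za-z]{3}) (?P<year>\d{4}) "
    r'(?P<size>[\d,]+) (?P<attrs>[A.][.][S.][H.][R.]) --- "(?P<path>[^"]+)"$'
)
# e.g.  "C:\\x\\a.exe"="C:\\x\\a.exe:*:Enabled:Name"   (registry-export escaping)
FW_RE = re.compile(
    r'^"(?P<key>[^"]+)"="(?P<path>.+?):(?P<scope>[^:]*):(?P<state>[A-Za-z]+):(?P<name>.*)"$'
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
# Vendors known to mark their own binaries system+hidden on purpose (assumption).
VENDOR_ALLOW = (r"c:\program files\spybot - search & destroy",)
# Paths under user profiles rather than Program Files/Windows; an Enabled
# firewall exception there deserves a look (assumption for this example).
USER_WRITABLE = (r"c:\documents and settings", r"c:\docume~1")
# Day the rogue appeared, per the first post (assumption).
INCIDENT_DAY = date(2009, 6, 18)


def hidden_system_executables(report_text, incident_day=INCIDENT_DAY):
    """Return (path, created, note) for system+hidden executables outside VENDOR_ALLOW."""
    findings = []
    for line in report_text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if not m:
            continue
        attrs, path = m.group("attrs"), m.group("path")
        lower = path.lower()
        if "S" not in attrs or "H" not in attrs:
            continue
        if not lower.endswith(EXEC_EXT) or lower.startswith(VENDOR_ALLOW):
            continue
        created = datetime.strptime(
            f"{m.group('day')} {m.group('mon')} {m.group('year')}", "%d %b %Y"
        ).date()
        note = "created on/after incident day" if created >= incident_day else "older file"
        findings.append((path, created, note))
    return findings


def risky_firewall_exceptions(report_text):
    """Return (path, name) for Enabled exceptions whose binary lives in USER_WRITABLE."""
    risky = []
    for line in report_text.splitlines():
        m = FW_RE.match(line.strip())
        if not m or m.group("state").lower() != "enabled":
            continue
        path = m.group("path").replace("\\\\", "\\")   # undo .reg escaping
        if path.lower().startswith(USER_WRITABLE):
            risky.append((path, m.group("name")))
    return risky


# Lines copied from the SDFix report posted above.
SAMPLE_REPORT = r'''
Files with Hidden Attributes :

Mon 16 Jan 2006 211 A.SHR --- "C:\BOOT.BAK"
Thu 18 Jun 2009 24,576 ..SH. --- "C:\Program Files\Manson\liser.dll"
Thu 18 Jun 2009 61,440 ..SHR --- "C:\Program Files\Manson\liser.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 5 May 2009 12,181 ...H. --- "C:\Documents and Settings\Compaq_Administrator\Desktop\~WRL1265.tmp"
Thu 28 May 2009 10,053,112 A..H. --- "C:\Program Files\Google\Picasa3\setup.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Disabled:BitTorrent"
"C:\\Documents and Settings\\Compaq_Administrator\\Desktop\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Documents and Settings\\Compaq_Administrator\\Desktop\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\Launcher.exe"="C:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\Launcher.exe:*:Disabled:Blizzard Launcher"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

if __name__ == "__main__":
    for path, created, note in hidden_system_executables(SAMPLE_REPORT):
        print(f"hidden+system executable: {path} ({created}, {note})")
    for path, name in risky_firewall_exceptions(SAMPLE_REPORT):
        print(f"enabled firewall exception in user-writable path: {path} [{name}]")
```

The Spybot binaries are also system+hidden+read-only, which is why a vendor allow list is needed; without it the rule reports them alongside liser.exe and liser.dll. Treat the allow list as something to maintain, not as a reason to ignore a hit.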

Re: Having some trouble with malware

Post by Belahzur on 19th June 2009, 12:23 am

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R3 - URLSearchHook: (no name) - * - (no file)
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKCU\..\Run: [kell] C:\program Files\Manson\liser.exe
    O18 - Filter hijack: text/html - (no CLSID) - (no file)


  • Press "Fix Checked"
  • Close HijackThis.

Next,

  • Download ComboFix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (AVG8)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.




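Both replies in this thread work around the same symptom: a security tool shows an hourglass and never starts, but runs fine once its file name is changed (HJTInstall to HJT-Install, ComboFix to Combo-Fix). The thread does not establish which mechanism this rogue uses to do that. One documented Windows mechanism that produces exactly this by-file-name behaviour is an Image File Execution Options (IFEO) "Debugger" value, which makes every launch of a named image start another program instead; renaming the tool sidesteps it because the subkey is looked up by file name. The script below is an added example, not part of the thread and not code from any tool named in it: it audits a reg export of the IFEO key and reports Debugger values that are not a known debugger. The dump it parses is constructed for the example; the mbam.exe and HJTInstall.exe entries and placeholder_blocker.exe are illustrative, not observations from the infected machine.

```python
"""Audit Image File Execution Options (IFEO) "Debugger" values in a
`reg export` text dump and report the ones that are not a known debugger.

Added example; not part of the thread and not code from any tool named in it.
SAMPLE_REG is constructed for this example: the mbam.exe/HJTInstall.exe
entries and placeholder_blocker.exe are illustrative, not observations
from the infected machine.
"""
import re

IFEO_PREFIX = (
    r"hkey_local_machine\software\microsoft\windows nt\currentversion"
    r"\image file execution options" + "\\"
)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DEBUGGER_RE = re.compile(r'^"Debugger"="(?P<value>.*)"$', re.IGNORECASE)
# Debuggers that legitimately sit under IFEO (assumption; extend per environment).
KNOWN_DEBUGGERS = ("ntsd.exe", "windbg.exe", "vsjitdebugger.exe", "drwtsn32.exe")


def unescape_reg(value):
    # .reg strings escape a backslash as \\ and a double quote as \"
    return value.replace("\\\\", "\\").replace('\\"', '"')


def first_token(cmd):
    # The program is either the quoted prefix or the first whitespace-separated token.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else ""


def parse_ifeo_debuggers(reg_text):
    """Yield (image_name, debugger_command) for each IFEO subkey carrying a Debugger value."""
    image = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key").lower()
            image = key[len(IFEO_PREFIX):] if key.startswith(IFEO_PREFIX) else None
            continue
        dm = DEBUGGER_RE.match(line)
        if dm and image:
            yield image, unescape_reg(dm.group("value"))


def suspicious_ifeo(reg_text):
    """Return [(image, debugger)] where the Debugger is not one of KNOWN_DEBUGGERS.

    Every launch of `image` by that file name starts `debugger` instead, so
    the image itself never runs unless the file is renamed.
    """
    flagged = []
    for image, debugger in parse_ifeo_debuggers(reg_text):
        exe = first_token(debugger).lower()
        if not exe.endswith(KNOWN_DEBUGGERS):
            flagged.append((image, debugger))
    return flagged


# Constructed sample. A real dump comes from:
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
SAMPLE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows\\windbg.exe\" -g"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="C:\\WINDOWS\\system32\\placeholder_blocker.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HJTInstall.exe]
"Debugger"="C:\\WINDOWS\\system32\\placeholder_blocker.exe"
'''

if __name__ == "__main__":
    for image, debugger in suspicious_ifeo(SAMPLE_REG):
        print(f"{image}: launches are redirected to {debugger}")
```

If the exported file was written as Unicode, open it with the utf-16 codec before passing the text in. A hit here explains a by-name block but is only one candidate; a process that kills security tools by image name after they start produces the same hourglass-then-nothing symptom and leaves no IFEO trace, and the thread does not say which of these (if either) System Security does.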

Re: Having some trouble with malware

Post by Vargas on 19th June 2009, 1:06 am

ComboFix 09-06-18.02 - Compaq_Administrator 06/18/2009 17:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1553 [GMT -7:00]
Running from: c:\documents and settings\Compaq_Administrator\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Manson
c:\program files\Manson\liser.dll
c:\program files\Manson\liser.exe
c:\windows\IE4 Error Log.txt
c:\windows\kb913800.exe
c:\windows\system32\drivers\UACyiurqrrnmqfwosd.sys
c:\windows\system32\UACbnrpulpwhiamigc.dll
c:\windows\system32\UACeyrqoxevdajgsmr.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UACiummygbmaivmvwq.log
c:\windows\system32\UACorjasqtxwujklvv.dll
c:\windows\system32\UACotewpkbuoesoxvk.dat
c:\windows\system32\UACpqgpuevytvneuee.log
c:\windows\system32\UACqjkhximkrsmyoll.dll
c:\windows\system32\UACrwtnbgixdlxwbpj.dll
c:\windows\system32\uactmp.db
c:\windows\system32\UACuxjvymnnjfboapq.dll
c:\windows\system32\UACvpyxfddnaevlabn.db
c:\windows\system32\UACyjbbpxnwuphhqbd.dll
D:\Desktop.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-05-19 to 2009-06-19 )))))))))))))))))))))))))))))))
.

2009-06-18 23:51 . 2009-06-18 23:51 -------- d-----w- c:\program files\Trend Micro
2009-06-18 21:57 . 2009-06-18 21:57 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2009-06-18 21:47 . 2009-06-18 21:48 -------- d-----w- c:\windows\ERUNT
2009-06-18 19:01 . 2009-06-18 19:05 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-18 15:41 . 2009-06-18 12:52 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-06-18 15:41 . 2009-06-18 12:52 2052376 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-06-18 15:40 . 2009-06-18 12:52 27784 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmfx86.sys
2009-06-18 15:40 . 2009-06-18 12:52 352024 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-06-18 15:40 . 2009-06-18 12:52 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-06-18 15:40 . 2009-06-18 12:52 1261344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll
2009-06-18 15:40 . 2009-06-18 12:52 1452312 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-06-18 14:48 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-18 14:48 . 2009-06-18 23:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-18 14:48 . 2009-06-18 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-18 14:48 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-18 13:43 . 2009-06-18 13:43 -------- d-----w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\AVG Security Toolbar
2009-06-18 13:03 . 2009-06-02 20:37 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-18 12:52 . 2009-06-18 12:52 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-18 12:52 . 2009-06-18 12:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-18 12:52 . 2009-06-18 12:52 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-18 12:52 . 2009-06-18 15:32 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-18 12:52 . 2009-06-18 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-18 12:52 . 2009-06-18 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-18 12:52 . 2009-06-18 12:52 -------- d-----w- c:\program files\AVG
2009-06-18 12:22 . 2009-06-18 12:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-18 12:22 . 2009-06-18 12:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-18 12:15 . 2009-06-18 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\93755456
2009-06-18 12:15 . 2009-06-18 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\13745464
2009-05-29 04:37 . 2008-11-20 19:19 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-05-29 04:37 . 2008-11-20 19:19 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-05-29 04:32 . 2009-05-29 04:32 -------- d-----w- c:\windows\system32\IOSUBSYS
2009-05-21 17:09 . 2009-06-12 07:24 -------- d-----w- c:\program files\MyRegistryCleaner
2009-05-21 17:08 . 2009-05-21 17:09 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\GetRightToGo
2009-05-21 17:02 . 2009-05-21 17:02 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Uniblue
2009-05-21 16:52 . 2009-05-21 16:52 -------- d-----w- c:\program files\PopCap Games
2009-05-21 16:52 . 2009-05-21 16:52 0 ----a-w- c:\windows\popcreg.dat
2009-05-21 16:52 . 2009-05-21 16:52 0 ----a-w- c:\windows\popcinfot.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-18 23:05 . 2007-04-03 23:30 -------- d-----w- c:\program files\BitLord
2009-06-18 15:51 . 2006-01-16 20:17 115224 ----a-w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-18 15:40 . 2007-07-23 23:57 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-29 04:32 . 2005-11-11 21:41 -------- d-----w- c:\program files\Google
2009-05-07 15:32 . 2004-08-10 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-04-29 04:56 . 2004-08-10 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-10 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-10 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 21:04 . 2006-03-08 08:49 96384 ----a-w- c:\windows\system32\drivers\sptd1677.sys
2009-04-15 14:51 . 2004-08-10 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-15 00:42 . 2005-01-28 17:40 92947 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-15 00:42 . 2009-04-15 00:42 61440 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2009-04-15 00:42 . 2009-04-15 00:42 45056 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2009-04-15 00:42 . 2009-04-15 00:42 44032 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2009-04-15 00:42 . 2009-04-15 00:42 40960 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2009-04-15 00:42 . 2009-04-15 00:42 341048 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
2009-04-15 00:42 . 2009-04-15 00:42 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2009-04-15 00:42 . 2009-04-15 00:42 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2009-04-15 00:42 . 2009-04-15 00:42 163840 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-02 20:37 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-18 12:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^E3TV Tray App.lnk]
path=c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\E3TV Tray App.lnk
backup=c:\windows\pss\E3TV Tray App.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^The Matrix_ Path of Neo Registration.lnk]
path=c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\The Matrix_ Path of Neo Registration.lnk
backup=c:\windows\pss\The Matrix_ Path of Neo Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"freenet-darknet-8888"=3 (0x3)
"avg8wd"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1137892249\\ee\\aolsoftware.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\BackgroundDownloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\Desktop\\Downloads\\Age of Empires\\empires2.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1.exe"=
"c:\\Program Files\\Common Files\\AOL\\1137892249\\ee\\aim6.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\My Documents\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/18/2009 5:52 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/18/2009 5:52 AM 108552]
S3 ATIXPGAA;ATIXPGAA;\??\c:\program files\PC-Doctor 5 for Windows\ATIXPGAA.SYS --> c:\program files\PC-Doctor 5 for Windows\ATIXPGAA.SYS [?]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/18/2009 5:52 AM 298776]
S4 freenet-darknet-8888;Freenet 0.7 darknet-8888;"c:\program files\Freenet\bin\wrapper-windows-x86-32.exe" -s "c:\program files\Freenet\wrapper.conf" --> c:\program files\Freenet\bin\wrapper-windows-x86-32.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-18 18:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-19 18:01
ComboFix-quarantined-files.txt 2009-06-19 01:01

Pre-Run: 123,561,631,744 bytes free
Post-Run: 124,139,151,360 bytes free

197 --- E O F --- 2009-06-12 21:02

Vargas
Novice

Re: Having some trouble with malware

Post by Vargas on 19th June 2009, 2:43 am

I ran ComboFix and after restarting my computer I was allowed to open Malwarebytes' Anti-Malware. Here is the log I received upon completion of that particular scan. Things seem to be working okay now, I am going to restart and see whether or not Spybot S&D will open. Is there anything within this log of interest?

Malwarebytes' Anti-Malware 1.38
Database version: 2306
Windows 5.1.2600 Service Pack 3

6/18/2009 7:41:14 PM
mbam-log-2009-06-18 (19-41-14).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 233610
Time elapsed: 42 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\program files\Manson\liser.dll.vir (Spyware.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\Manson\liser.exe.vir (Spyware.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACbnrpulpwhiamigc.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACorjasqtxwujklvv.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACqjkhximkrsmyoll.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACuxjvymnnjfboapq.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACyjbbpxnwuphhqbd.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b9823275-d858-498b-a4dc-c4eeda322f67}\RP730\A0151823.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b9823275-d858-498b-a4dc-c4eeda322f67}\RP737\A0153121.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b9823275-d858-498b-a4dc-c4eeda322f67}\RP737\A0153122.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b9823275-d858-498b-a4dc-c4eeda322f67}\RP737\A0153123.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b9823275-d858-498b-a4dc-c4eeda322f67}\RP737\A0153124.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b9823275-d858-498b-a4dc-c4eeda322f67}\RP737\A0153125.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b9823275-d858-498b-a4dc-c4eeda322f67}\RP737\A0153145.dll (Spyware.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b9823275-d858-498b-a4dc-c4eeda322f67}\RP737\A0153146.exe (Spyware.Agent) -> Quarantined and deleted successfully.

Vargas
Novice
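As an added illustration (not code from this thread or from Malwarebytes), a small Python parser for the "Files Infected:" section of an MBAM 1.38 log like the one above. It separates copies that were already inert (ComboFix's Qoobox quarantine and System Restore snapshots) from detections in live system locations, counts threat families, and flags the TDSS-style "UAC" plus random-letters names seen in the log; the sample log lines, paths and restore-point GUID are constructed.

```python
import re
from collections import Counter

# Constructed sample in the Malwarebytes' Anti-Malware 1.38 log layout seen in this thread.
# The paths, restore-point GUID and the random UAC* names are made up for this example.
SAMPLE_LOG = r"""Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\system32\UACabcdefghijklmno.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACzyxwvutsrqponml.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\UACqrstuvwxyzabcde.sys (Trojan.TDSS) -> Delete on reboot.
"""

ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# TDSS-style names from the log above: "UAC" plus a run of random lower-case letters.
UAC_NAME_RE = re.compile(r"^UAC[a-z]{8,}\.(dll|sys|dat)(\.vir)?$", re.IGNORECASE)

def parse_mbam(text):
    """Return one dict (path, threat, action) per line of the 'Files Infected:' section."""
    entries = []
    in_files = False
    for line in text.splitlines():
        if line.strip() == "Files Infected:":
            in_files = True
            continue
        m = ENTRY_RE.match(line.strip()) if in_files else None
        if m:
            entries.append(m.groupdict())
    return entries

def location_class(path):
    """Classify where the detected file lived: an inert copy, or a live system location."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"  # copy ComboFix had already isolated
    if "\\system volume information\\_restore" in p:
        return "restore_point"  # System Restore snapshot, cleared when restore points are reset
    return "live"

def tdss_like(path):
    """True when the file name follows the UAC<random letters> pattern."""
    return UAC_NAME_RE.match(path.rsplit("\\", 1)[-1]) is not None

def triage(entries):
    """Counts per location class and per threat family, plus live items not cleanly removed."""
    counts = Counter(location_class(e["path"]) for e in entries)
    families = Counter(e["threat"] for e in entries)
    followup = [e for e in entries if location_class(e["path"]) == "live"
                and not e["action"].startswith("Quarantined and deleted successfully")]
    return {"counts": dict(counts), "families": dict(families), "needs_followup": followup}
```

Items in the "needs_followup" list are the ones worth a second look after the reboot; the quarantine and restore-point copies are the ones a restore-point reset such as the one described in the next reply takes care of.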

Re: Having some trouble with malware

Post by Belahzur on 19th June 2009, 8:28 am

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?

Belahzur
Administrator
