Total Security Help Needed



Re: Total Security Help Needed

Post by Belahzur on 29th October 2009, 12:08 am

Please re-download Combofix and run it again, something must be hiding.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
Likes : 1


Re: Total Security Help Needed

Post by Jay Cee on 29th October 2009, 1:33 pm

ComboFix 09-10-28.06 - jcampanioni 10/29/2009 9:10.5.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.405 [GMT -4:00]
Running from: c:\documents and settings\lguser\Desktop\commy.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bawutitu.dll
c:\windows\system32\gejuloha.dll
c:\windows\system32\jayukara.dll
c:\windows\system32\miyebelu.dll
c:\windows\system32\vamoyilo.dll
c:\windows\system32\wagitiru.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Protect


((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.

2009-10-28 01:33 . 2009-10-28 01:33 -------- d-----w- C:\_OTM
2009-10-26 18:19 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-26 18:19 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-21 13:57 . 2009-07-17 16:22 1435648 -c----w- c:\windows\system32\dllcache\query.dll
2009-10-21 13:57 . 2009-09-04 21:03 58880 -c----w- c:\windows\system32\dllcache\msasn1.dll
2009-10-21 12:36 . 2009-10-21 12:36 60744 ----a-w- c:\documents and settings\lguser\g2mdlhlpx.exe
2009-10-19 00:10 . 2009-10-19 00:10 -------- d-----w- c:\program files\a-squared HiJackFree
2009-10-05 19:28 . 2009-10-29 12:39 -------- d-----w- C:\WWNtuser
2009-10-05 19:28 . 2009-10-05 19:28 -------- d-----w- C:\WWCnt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-29 13:21 . 2009-03-09 19:57 -------- d-----w- c:\program files\Symantec AntiVirus
2009-10-28 01:33 . 2009-09-17 18:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-22 12:21 . 2007-08-21 19:07 -------- d-----w- c:\program files\LGEAD
2009-10-21 12:36 . 2007-08-21 18:31 -------- d-----w- c:\program files\Citrix
2009-10-20 17:46 . 2007-08-21 18:31 -------- d-----w- c:\documents and settings\lguser\Application Data\ICAClient
2009-10-05 19:28 . 2007-08-21 18:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-29 15:31 . 2007-08-27 16:56 76304 ----a-w- c:\documents and settings\lguser\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-26 22:58 . 2009-09-26 22:58 -------- d-----w- c:\documents and settings\lguser\Application Data\Notepad++
2009-09-26 22:58 . 2009-09-26 22:58 -------- d-----w- c:\program files\Notepad++
2009-09-25 05:37 . 2008-04-14 12:00 667136 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:37 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-25 01:56 . 2009-09-25 01:56 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-11 14:18 . 2008-04-14 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 14:56 . 2009-07-31 19:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-02 16:05 . 2007-10-12 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-08-26 08:00 . 2008-04-14 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-06 23:24 . 2007-08-21 17:54 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2007-08-21 17:54 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2007-08-21 17:54 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2007-08-21 17:54 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2008-04-14 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2007-08-21 17:54 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2007-08-21 17:54 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2008-04-14 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 23:52 . 2009-08-04 23:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 15:13 . 2008-04-14 12:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2008-04-14 00:01 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6FC59230-01FC-49D4-978C-6875091F0B4E}"= "c:\program files\MarkAny\Document SAFER\madocmgr.dll" [2005-09-22 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2543426832-1914326140-3112152631-453973\Scripts\Logoff\0\0]
"Script"=offInsert.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2543426832-1914326140-3112152631-453973\Scripts\Logon\0\0]
"Script"=AgentUnInstall.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2543426832-1914326140-3112152631-453973\Scripts\Logon\1\0]
"Script"=DNSSearch.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2543426832-1914326140-3112152631-453973\Scripts\Logon\2\0]
"Script"=twLogOn_2.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2543426832-1914326140-3112152631-453973\Scripts\Logon\3\0]
"Script"=ie.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2543426832-1914326140-3112152631-453973\Scripts\Logon\4\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2543426832-1914326140-3112152631-453973\Scripts\Logon\5\0]
"Script"=setdns.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2543426832-1914326140-3112152631-498307\Scripts\Logoff\0\0]
"Script"=offInsert.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2543426832-1914326140-3112152631-498307\Scripts\Logon\0\0]
"Script"=AgentUnInstall.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2543426832-1914326140-3112152631-498307\Scripts\Logon\1\0]
"Script"=DNSSearch.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2543426832-1914326140-3112152631-498307\Scripts\Logon\2\0]
"Script"=ipid.vbe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2543426832-1914326140-3112152631-498307\Scripts\Logon\3\0]
"Script"=ie.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2543426832-1914326140-3112152631-498307\Scripts\Logon\4\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2543426832-1914326140-3112152631-498307\Scripts\Logon\5\0]
"Script"=setdns.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FDDec.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Filehook.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProcHide.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\safandrv.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SDFA.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SFCDEX.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SFfolder.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SFKbd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SFMouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SFRes.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wfM18.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WWC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WwHook.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WWCnt\\WwcNT.exe"=
"c:\\WWCnt\\System\\Rdscrn.exe"= c:\\WWCNT\\System\\Rdscrn.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7100:TCP"= 7100:TCP:WWC
"7200:TCP"= 7200:TCP:WWC
"2810:TCP"= 2810:TCP:WWC

R0 FileHook;SAFASOFT File System Filter;c:\windows\system32\drivers\filehook.sys [7/29/2009 3:47 PM 46080]
R0 SFCDEX;WaterWall SFCDEX Filter;c:\windows\system32\drivers\sfcdex.sys [7/7/2009 9:04 AM 10240]
R1 PROCHIDE;ProcHide Driver;c:\windows\system32\drivers\ProcHide.sys [5/30/2008 8:20 AM 5632]
R1 Safandrv;Safandrv;c:\windows\system32\drivers\safandrv.sys [5/30/2008 8:20 AM 16191]
R1 SFkbd;SAFASOFT Keyboard Filter;c:\windows\system32\drivers\SFKbd.sys [5/30/2008 8:20 AM 4992]
R1 SFMouse;SAFASOFT Mouse Filter;c:\windows\system32\drivers\SFMouse.sys [5/30/2008 8:20 AM 5632]
R1 SFRes;SAFASOFT Resource Driver;c:\windows\system32\drivers\sfres.sys [5/30/2008 8:20 AM 34688]
R2 ADAgent;ADAgent;c:\program files\LGEAD\ADAgentService.exe [8/13/2008 5:36 PM 586752]
R2 SDFA;SDFA Driver;c:\windows\system32\drivers\SDFA.SYS [5/30/2008 8:20 AM 40960]
R2 SFfolder;SAFASOFT Encrpty Folder Driver;c:\windows\system32\drivers\SFFOLDER.SYS [5/30/2008 8:20 AM 35200]
R2 WWC;Ww Client 3.2 Agent;c:\wwcnt\WwcService.exe [6/2/2009 5:47 PM 233472]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 12:44 PM 102448]
R3 WwHook;WwHook Port Driver;c:\windows\system32\drivers\WWHOOK.SYS [5/30/2008 8:20 AM 7867]
S0 cerc6;cerc6; [x]
S0 wfM18;wfM18;c:\windows\system32\Drivers\wfM18.sys --> c:\windows\system32\Drivers\wfM18.sys [?]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\lguser\LOCALS~1\Temp\aswArKrn.sys --> c:\docume~1\lguser\LOCALS~1\Temp\aswArKrn.sys [?]
S3 FDDec;SAFASOFT Encrpty Mobile Driver;c:\windows\system32\drivers\FDDec.SYS [5/30/2008 8:20 AM 32384]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - SFCDEX_2
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - mchInjDrv
*Deregistered* - SFCDEX_2

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-08-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: lge.com
TCP: {A33C4699-B92C-407E-B4AC-344A394BCB77} = 136.166.10.50,136.166.10.51
DPF: {19A9C0F9-C5FB-46A0-8B6D-A9E2D2944FEF} - [You must be registered and logged in to see this link.]
DPF: {245DF0F9-179F-4027-875A-0493B21C204F} - [You must be registered and logged in to see this link.]
DPF: {6A70986F-6565-4D86-849C-4713E1E41AA2} - [You must be registered and logged in to see this link.]
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - [You must be registered and logged in to see this link.]
DPF: {B102CB47-BE39-4572-BD36-EB978A5FF76C} - [You must be registered and logged in to see this link.]
DPF: {DFA53E3E-E703-4B36-9EE7-82101A6A43CC} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\lguser\Application Data\Mozilla\Firefox\Profiles\ultj2jdw.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

BHO-{2828f345-8474-4701-b14b-277a5e112263} - miyebelu.dll
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
HKLM-Run-sesemural - c:\windows\system32\bawutitu.dll
HKLM-Run-kuvulunubu - jayukara.dll
SharedTaskScheduler-{46fb5f9e-e0af-4096-bda2-9947404ccd71} - c:\windows\system32\damozibu.dll
SharedTaskScheduler-{ae3a61fe-0ef3-49e4-bda7-bf5d9ff5e7c3} - c:\windows\system32\bawutitu.dll
SSODL-jiwiwetej-{46fb5f9e-e0af-4096-bda2-9947404ccd71} - c:\windows\system32\damozibu.dll
SSODL-kaheluhud-{ae3a61fe-0ef3-49e4-bda7-bf5d9ff5e7c3} - c:\windows\system32\bawutitu.dll
SafeBoot-PROTECT.sys
AddRemove-{1AA8D54D-73C3-4706-A8F5-B3ADDBCA0FA8}_is1 - c:\program files\LGEAD\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-10-29 09:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll SFCDEX.sys atapi.sys pciide.sys
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

atapi.sys @ 0xF7429000 0x17900 bytes

\Driver\atapi [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0xF742F852 != 0xA8ED9D5E SFCDEX_2.sys
\Driver\atapi IRP hooks detected !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4020)
c:\wwcnt\SYSTEM\safaweb.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\System32\bcmwltry.exe
c:\windows\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\CCM\CcmExec.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\msiexec.exe
c:\wwcnt\SYSTEM\PMonitor.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-10-29 9:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-29 13:33
ComboFix2.txt 2009-10-27 02:00

Pre-Run: 2,863,534,080 bytes free
Post-Run: 2,948,947,968 bytes free

- - End Of File - - 941DDD21B199021CFE1192045F10869D

Jay Cee
Intermediate

Posts : 98
Joined : 2009-09-25
OS : XP
Points : 27148
Likes : 0


Re: Total Security Help Needed

Post by Belahzur on 29th October 2009, 5:42 pm

Bad news.

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).
Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the following articles:

[six article links, visible only to registered and logged-in users]





Re: Total Security Help Needed

Post by Jay Cee on 29th October 2009, 6:34 pm

This is a work computer so I rarely do any personal stuff on it besides emails, Facebook, etc. I can easily change those passwords. Should I just tell my IT department that Malwarebytes found this virus and have them reformat it? They get pretty anal about stuff so I don't want to mention I went through this site and downloaded numerous other programs in an effort to combat it myself.


Re: Total Security Help Needed

Post by Belahzur on 29th October 2009, 8:49 pm

It's more than just a virus and a reformat; this one has done a lot of damage that we can't repair.




