Computer infected pretty badly with Malware

Computer infected pretty badly with Malware

Post by stevo90277 on Mon Oct 26, 2009 10:10 pm

Hello, I acquired an infection which took over most of my computer. I disconnected from the internet and, from a different computer, began researching how to disinfect it, but it looks to be too deep for me. Can one of you experts assist?

stevo90277
Novice
Novice

Posts Posts : 23
Joined Joined : 2009-10-23
OS OS : Windows XP
Points Points : 26342
# Likes # Likes : 0


Re: Computer infected pretty badly with Malware

Post by Belahzur on Tue Oct 27, 2009 12:08 am

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1


Re: Computer infected pretty badly with Malware

Post by stevo90277 on Tue Oct 27, 2009 12:29 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:15 PM, on 10/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\SttService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\VMware\VMware VDM\Client\bin\wsnm.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\WINDOWS\TEMP\LGFB26.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Siemens\CardOS API\bin\siecacst.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\price\LOCALS~1\Temp\y2o3swj.exe
C:\DOCUME~1\price\LOCALS~1\Temp\wow64main.exe
C:\DOCUME~1\price\LOCALS~1\Temp\3519986172.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\DOCUME~1\price\LOCALS~1\Temp\wscsvc32.exe
E:\winlogon.scr

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 osguard-pro.microsoft.com
O1 - Hosts: 91.212.127.226 osguard-pro.com
O1 - Hosts: 91.212.127.226 [You must be registered and logged in to see this link.]
O2 - BHO: (no name) - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [SIECACST] C:\Program Files\Siemens\CardOS API\bin\siecacst.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "E:\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKLM\..\Run: [Eqiwek] rundll32.exe "C:\WINDOWS\evebamom.dll",Startup
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\NETWOR~1\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [Login Software 2009] C:\DOCUME~1\price\LOCALS~1\Temp\y2o3swj.exe
O4 - HKCU\..\Run: [wow64main.exe] C:\DOCUME~1\price\LOCALS~1\Temp\wow64main.exe
O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\price\LOCALS~1\Temp\3519986172.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = net.plm.eds.com
O17 - HKLM\Software\..\Telephony: DomainName = net.plm.eds.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6B288D1-1097-4AEB-A55C-5B845832FF70}: Domain = net.plm.eds.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = net.plm.eds.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = net.plm.eds.com,ugs.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = net.plm.eds.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = net.plm.eds.com,ugs.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = net.plm.eds.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = net.plm.eds.com,ugs.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = net.plm.eds.com,ugs.com
O20 - AppInit_DLLs: ratirupu.dll
O23 - Service: Juniper TNC Endpoint Assessment (EacService) - Juniper Networks - C:\Program Files\Common Files\Juniper Networks\TNC Client\jTnccService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Inc. - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Juniper Unified Network Service (JuniperAccessService) - Juniper Networks - C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
O23 - Service: iPass Endpoint Policy Management Agent (MobileAutmationAgentService) - Unknown owner - c:\program files\mobile automation\rstate.exe (file missing)
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Juniper OAC Service (odClientService) - Juniper Networks, Inc. - C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Stt Services (SttService) - Unknown owner - C:\WINDOWS\SttService.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: VMware VDM Client Service (wsnm) - VMware, Inc. - C:\Program Files\VMware\VMware VDM\Client\bin\wsnm.exe

--
End of file - 11025 bytes


Re: Computer infected pretty badly with Malware

Post by Belahzur on Tue Oct 27, 2009 7:46 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O1 - Hosts: ::1 localhost
    O1 - Hosts: 91.212.127.226 osguard-pro.microsoft.com
    O1 - Hosts: 91.212.127.226 osguard-pro.com
    O1 - Hosts: 91.212.127.226 [You must be registered and logged in to see this link.]
    O2 - BHO: (no name) - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - (no file)
    O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
    O4 - HKLM\..\Run: [Eqiwek] rundll32.exe "C:\WINDOWS\evebamom.dll",Startup
    O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\NETWOR~1\ntuser.dll,_IWMPEvents@0
    O4 - HKCU\..\Run: [Login Software 2009] C:\DOCUME~1\price\LOCALS~1\Temp\y2o3swj.exe
    O4 - HKCU\..\Run: [wow64main.exe] C:\DOCUME~1\price\LOCALS~1\Temp\wow64main.exe
    O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\price\LOCALS~1\Temp\3519986172.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O20 - AppInit_DLLs: ratirupu.dll


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.
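The lines Belahzur picks out above share a few patterns an analyst looks for in a HijackThis log. As an added example (not code from this thread or from HijackThis itself), the Python below encodes those patterns as checks over constructed sample lines in the same format: hosts entries that send a name anywhere but loopback, a BHO whose file is missing, autostarts launched from a user profile or Temp path, rundll32 autostarts calling a decorated export (a heuristic taken from this log, not a HijackThis rule), the DisableRegedit policy, and any AppInit_DLLs value.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample, abbreviated from the HijackThis log format seen in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 osguard-pro.microsoft.com
O2 - BHO: (no name) - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\NETWOR~1\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [Login Software 2009] C:\DOCUME~1\price\LOCALS~1\Temp\y2o3swj.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: ratirupu.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Addresses a hosts entry may legitimately point a name at.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Paths under a user profile or a Temp directory: writable without admin rights,
# so a persistent autostart living there deserves a second look.
USER_WRITABLE = re.compile(
    r"\\(DOCUME~1|Documents and Settings|Users)\\|\\(Temp|LOCALS~1)\\", re.IGNORECASE
)
# Heuristic from this thread's log: Run keys normally call plain export names
# (NvStartup, SetWriteCacheMode); a decorated stdcall name like _IWMPEvents@0 is unusual.
DECORATED_EXPORT = re.compile(r",_\w+@\d+\s*$")


def triage_line(line: str) -> Optional[str]:
    """Return a reason string if the HijackThis line looks suspicious, else None."""
    line = line.strip()
    m = re.match(r"(O\d+) - (.*)", line)
    if not m:
        return None
    kind, body = m.groups()
    if kind == "O1":
        parts = body.split()  # "Hosts:", "<address>", "<name>"
        if len(parts) >= 3 and parts[1] not in LOOPBACK:
            return f"hosts file maps {parts[2]} to {parts[1]} (not loopback)"
        return None
    if kind == "O2" and body.endswith("(no file)"):
        return "BHO registered but its DLL is missing (orphaned entry)"
    if kind == "O4":
        cmd = body.split("] ", 1)[1] if "] " in body else body
        if USER_WRITABLE.search(cmd):
            return "autostart runs from a user-writable profile/Temp path"
        if cmd.lower().startswith("rundll32") and DECORATED_EXPORT.search(cmd):
            return "rundll32 autostart calling a decorated export (unusual for a Run key)"
        return None
    if kind == "O7" and "DisableRegedit=1" in body:
        return "policy blocks regedit (common malware lockout)"
    if kind == "O20" and body.startswith("AppInit_DLLs:"):
        return "AppInit_DLLs loads a DLL into every process that loads user32.dll"
    return None


def triage(log: str) -> List[Tuple[str, str]]:
    """Run triage_line over a whole log; returns (line, reason) pairs for flagged lines."""
    findings = []
    for line in log.splitlines():
        reason = triage_line(line)
        if reason:
            findings.append((line.strip(), reason))
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {flagged}")
```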



Re: Computer infected pretty badly with Malware

Post by stevo90277 on Wed Oct 28, 2009 4:16 pm

Mbam log

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

10/27/2009 10:53:33 PM
mbam-log-2009-10-27 (22-53-33).txt

Scan type: Quick Scan
Objects scanned: 126843
Time elapsed: 4 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\price\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.

--------------------------
In addition, I got some dialog popups on startup:

1st popup
Header: rundll32.exe - Bad Image
Info: The application or DLL C:\DOCUME~1\NETWOR~1\ntuser.dll is not a valid Windows image. Please check this against your installation diskette.

2nd popup
Header: RUNDLL
Info: Error loading C:\DOCUME~1\NETWOR~1\ntuser.dll

%1 is not a valid Win32 application.


Re: Computer infected pretty badly with Malware

Post by Belahzur on Wed Oct 28, 2009 9:21 pm

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Computer infected pretty badly with Malware

Post by stevo90277 on Wed Oct 28, 2009 9:46 pm

Due to the malware, I disconnected the infected computer from the internet and have been corresponding with you on a separate machine. To get mbam, I downloaded it, installed it, updated it, and ran it all from a jump drive. Is this acceptable?


Re: Computer infected pretty badly with Malware

Post by Belahzur on Thu Oct 29, 2009 12:23 am

Don't think that will work; we'll have to use this.

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Computer infected pretty badly with Malware

Post by stevo90277 on Sun Nov 22, 2009 6:53 pm

ComboFix 09-11-21.03 - price 11/22/2009 9:58.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2963 [GMT -8:00]
Running from: e:\debug malware\Software\ComboFix\Combo-Fix.exe
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {0DAA9119-FD08-45C7-A0D4-435C2125DC25}
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {63AEB1F9-3232-41B0-85E9-57A26F039C34}
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {E6508629-3691-4CDC-A98C-DBB1C46CE0E8}
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {EE66AC07-84E2-41D3-A1F6-CAA0156912A4}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {07F71C9E-8DE4-4226-B23A-C065A56821F8}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {0BEAD907-62D3-45B6-91D7-1B7B378434FD}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {495CC023-7AA3-4062-9163-DAFC95BCCB95}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {6789DEB4-4214-4AE8-A310-E2DED4AE8079}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {9DFB6C67-B09B-451B-96C8-8F03241927EE}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {D5C7FEBD-12D0-4782-8AD7-6B290082768C}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {DE57F669-2848-4BDC-83C0-C5C7E3AF3D7B}
FW: Trend Micro OfficeScan Enterprise Client Firewall *disabled* {63AEB1F9-3232-41B0-85E9-57A26F039C34}
FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {71A20E43-2C24-456C-AF94-9682743CB5C4}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\price\Local Settings\Application Data\{74F017F0-8506-4FFF-A5F6-F564D8E279FF}
c:\documents and settings\price\Local Settings\Application Data\{74F017F0-8506-4FFF-A5F6-F564D8E279FF}\chrome.manifest
c:\documents and settings\price\Local Settings\Application Data\{74F017F0-8506-4FFF-A5F6-F564D8E279FF}\chrome\content\_cfg.js
c:\documents and settings\price\Local Settings\Application Data\{74F017F0-8506-4FFF-A5F6-F564D8E279FF}\chrome\content\overlay.xul
c:\documents and settings\price\Local Settings\Application Data\{74F017F0-8506-4FFF-A5F6-F564D8E279FF}\install.rdf
c:\documents and settings\price\ntuser.dll
c:\documents and settings\price\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\price\Start Menu\Programs\Startup\scandisk.lnk
c:\recycler\S-1-5-21-1024183140-2997838336-3344170229-500
c:\recycler\S-1-5-21-1154051771-3337579795-2169959840-500
c:\recycler\S-1-5-21-1687308215-1492714699-3125069277-500
c:\recycler\S-1-5-21-1715567821-1637723038-725345543-1004
c:\recycler\S-1-5-21-1715567821-1637723038-725345543-500
c:\recycler\S-1-5-21-1808509001-2669391744-3598713614-1015
c:\recycler\S-1-5-21-1916751870-1504642916-2163861243-500
c:\recycler\S-1-5-21-2210005112-3894602836-3136207814-500
c:\recycler\S-1-5-21-2641836117-3391798788-1020401150-1003
c:\recycler\S-1-5-21-2641836117-3391798788-1020401150-500
c:\recycler\S-1-5-21-2820340151-974736829-3225031353-500
c:\recycler\S-1-5-21-3029029702-2035401049-268590511-1015
c:\recycler\S-1-5-21-381596900-2956720227-2096382093-500
c:\recycler\S-1-5-21-4176429844-1514365582-2073545320-500
c:\recycler\S-1-5-21-546876832-141316095-377355887-500
c:\recycler\S-1-5-21-859959763-3936455684-3026372322-1015
c:\windows\evebamom.dll
c:\windows\irc.txt
c:\windows\system32\BtwSrv.dll
c:\windows\system32\Cache
c:\windows\system32\fuyewabe.dll
c:\windows\system32\Install.txt
c:\windows\system32\kekilule.exe
c:\windows\system32\lsm32.sys
c:\windows\system32\pawebehe.exe
c:\windows\system32\pepilose.exe
c:\windows\system32\ratirupu.dll
c:\windows\system32\wulukimi.exe

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2009-10-22 to 2009-11-22 )))))))))))))))))))))))))))))))
.

2009-11-21 15:46 . 2009-11-21 15:46 10752 ----a-w- c:\windows\DCEBoot.exe
2009-11-18 02:52 . 2009-11-21 15:13 120 ----a-w- c:\windows\Xluxeqicox.dat
2009-11-18 02:52 . 2009-11-21 09:28 0 ----a-w- c:\windows\Hlusuqahiv.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-22 18:08 . 2009-10-23 05:05 6174 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-11-18 03:01 . 2009-09-02 14:43 -------- d-----w- c:\program files\stt
2009-10-26 20:43 . 2009-10-16 04:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-23 04:31 . 2009-06-19 00:19 70920 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\documents and settings\price\Application Data\Winamp
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\program files\Winamp
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\program files\Winamp Toolbar
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Winamp Toolbar
2009-10-16 04:21 . 2009-10-16 03:54 -------- d-----w- c:\program files\eqsydv
2009-10-16 04:13 . 2009-10-16 04:13 -------- d-----w- c:\documents and settings\price\Application Data\Malwarebytes
2009-10-16 04:13 . 2009-10-16 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-14 03:56 . 2009-10-13 04:05 -------- d-----w- c:\program files\Cheat Engine
2009-10-14 02:41 . 2008-06-29 05:17 26945 ----a-w- c:\windows\system32\nvModes.dat
2009-09-10 21:54 . 2009-10-16 04:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-10-16 04:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 02:25 . 2009-09-09 02:25 1886320 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\GoogleToolbarInstaller_en_signed.exe
2008-06-12 12:53 . 2008-09-22 22:57 3125248 ----a-w- c:\program files\Common Files\sapxlhelper.dll
2008-06-12 12:53 . 2008-09-22 22:57 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll
2008-06-12 12:53 . 2008-09-22 22:57 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll
2008-06-12 12:53 . 2008-09-22 22:57 949760 ----a-w- c:\program files\Common Files\SAPActiveXL_nosig.xlt
2008-06-12 12:53 . 2008-09-22 22:57 955904 ----a-w- c:\program files\Common Files\SAPActiveXL.xlt
2008-06-12 12:53 . 2008-09-22 22:57 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx
2007-07-09 21:30 . 2007-07-09 21:30 57344 ----a-w- c:\program files\internet explorer\plugins\PluginWrapper.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2009-05-06 1262888]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-09 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SIECACST"="c:\program files\Siemens\CardOS API\bin\siecacst.exe" [2007-08-02 81920]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2009-06-04 5069648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-29 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-29 81920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-04-18 159744]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"OdTray.exe"="c:\program files\Juniper Networks\Odyssey Access Client\OdTray.exe" [2007-03-16 1028160]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\Pccntmon.exe" [2009-07-27 718120]
"Malwarebytes Anti-Malware (reboot)"="e:\debug malware\Software\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"Ptipbmf"="ptipbmf.dll" - c:\windows\system32\ptipbmf.dll [2007-10-20 118784]
"PtiuPbmd"="ulutil2.dll" - c:\windows\system32\ulutil2.dll [2003-11-05 110592]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-02-19 303104]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-29 1626112]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-04-29 67584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2009-06-04 5069648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2008-06-29 05:49 122949 ----a-w- c:\windows\system32\odyEvent.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 aacsas;Adaptec SAS/SATA-II RAID Miniport Driver;c:\windows\system32\drivers\aacsas.sys [9/15/2008 9:12 AM 81035]
R0 adp94xx;adp94xx;c:\windows\system32\drivers\adp94xx.sys [9/15/2008 9:12 AM 360960]
R0 AFAMgt;AFAMgt;c:\windows\system32\drivers\afamgt.sys [9/15/2008 9:12 AM 91707]
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [9/15/2008 9:12 AM 119808]
R0 amdbusdr;amdbusdr;c:\windows\system32\drivers\AmdBusDr.sys [9/15/2008 9:12 AM 29696]
R0 arcm_x86;arcm_x86;c:\windows\system32\drivers\arcm_x86.sys [9/15/2008 9:12 AM 25888]
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [9/15/2008 9:12 AM 6016]
R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [9/15/2008 9:12 AM 7680]
R0 FastSx;FastSx;c:\windows\system32\drivers\FastSx.sys [9/15/2008 9:12 AM 167424]
R0 fasttrak;fasttrak;c:\windows\system32\drivers\Fasttrak.sys [9/15/2008 9:12 AM 65536]
R0 fttxr5_O;fttxr5_O;c:\windows\system32\drivers\fttxr5_O.sys [9/15/2008 9:12 AM 177152]
R0 fttxr52P;fttxr52P;c:\windows\system32\drivers\fttxr52P.sys [9/15/2008 9:12 AM 160256]
R0 HpCISSm2;HpCISSm2;c:\windows\system32\drivers\HpCISSm2.sys [9/15/2008 9:12 AM 23040]
R0 Hpt366;Hpt366;c:\windows\system32\drivers\Hpt366.sys [9/15/2008 9:12 AM 22880]
R0 hpt374;hpt374;c:\windows\system32\drivers\hpt374.sys [9/15/2008 9:12 AM 108150]
R0 hptiop;hptiop;c:\windows\system32\drivers\hptiop.sys [9/15/2008 9:12 AM 14496]
R0 hptmv;hptmv;c:\windows\system32\drivers\hptmv.sys [9/15/2008 9:12 AM 65024]
R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [9/15/2008 9:12 AM 26112]
R0 m5228;m5228;c:\windows\system32\drivers\m5228.sys [9/15/2008 9:12 AM 45069]
R0 m5281;m5281;c:\windows\system32\drivers\m5281.sys [9/15/2008 9:12 AM 51072]
R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [9/15/2008 9:12 AM 103680]
R0 m5288;m5288;c:\windows\system32\drivers\m5288.sys [9/15/2008 9:12 AM 210304]
R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [9/15/2008 9:12 AM 52480]
R0 MegaIDE;MegaIDE;c:\windows\system32\drivers\MegaIDE.sys [9/15/2008 9:12 AM 163277]
R0 MegaINTL;MegaINTL;c:\windows\system32\drivers\MegaINTL.sys [9/15/2008 9:12 AM 177536]
R0 mv614x;mv614x;c:\windows\system32\drivers\mv614x.sys [9/15/2008 9:12 AM 34432]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [9/15/2008 9:12 AM 143360]
R0 mv64xx;mv64xx;c:\windows\system32\drivers\mv64xx.sys [9/15/2008 9:12 AM 212480]
R0 mvSata;mvSata;c:\windows\system32\drivers\mvsata.sys [9/15/2008 9:12 AM 43520]
R0 nfrd960;IBM ServeRAID 4M/4L/4Mx/4Lx/5i/6M/6i/7k Device Driver;c:\windows\system32\drivers\nfrd960.sys [9/15/2008 9:12 AM 74747]
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [1/23/2006 1:19 PM 254208]
R0 Pnp649r;CMD IDE Raid Controller;c:\windows\system32\drivers\pnp649r.sys [9/15/2008 9:12 AM 66889]
R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [9/15/2008 9:12 AM 71720]
R0 raidsrc;raidsrc;c:\windows\system32\drivers\raidsrc.sys [9/15/2008 9:12 AM 45392]
R0 S150sx8;S150sx8;c:\windows\system32\drivers\S150sx8.sys [9/15/2008 9:12 AM 36864]
R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [9/15/2008 9:12 AM 110128]
R0 SI3114;SiI-3114 SATALink Controller;c:\windows\system32\drivers\SI3114.sys [9/15/2008 9:12 AM 61952]
R0 SI3124;SiI-3124 SATALink Controller;c:\windows\system32\drivers\SI3124.sys [9/15/2008 9:12 AM 81960]
R0 SI3124r;SiI-3124 SATARaid Controller;c:\windows\system32\drivers\SI3124r.sys [9/15/2008 9:12 AM 100881]
R0 Si3124r5;SiI-3124 SoftRaid 5 Controller;c:\windows\system32\drivers\3124r5A2.sys [9/15/2008 9:12 AM 207152]
R0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\drivers\Si3531.sys [9/15/2008 9:12 AM 210736]
R0 SiSRaid1;SiSRaid1;c:\windows\system32\drivers\SiSRaid1.sys [9/15/2008 9:11 AM 46464]
R0 SiSRaid4;SiSRaid4;c:\windows\system32\drivers\sisraid4.sys [9/15/2008 9:11 AM 68864]
R0 sisraidx;sisraidx;c:\windows\system32\drivers\sisraidx.sys [9/15/2008 9:11 AM 47616]
R0 sptrak;sptrak;c:\windows\system32\drivers\sptrak.sys [9/15/2008 9:12 AM 41216]
R0 ulsata2;ulsata2;c:\windows\system32\drivers\ulsata2.sys [9/15/2008 9:12 AM 125952]
R0 viapdsk;VIA ATA/ATAPI Host Controller;c:\windows\system32\drivers\viapdsk.sys [9/15/2008 9:11 AM 29184]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [4/28/2006 5:57 AM 17968]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [12/11/2006 9:12 AM 87664]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [11/9/2005 5:34 PM 225808]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [11/9/2005 5:34 PM 36368]
R2 wsnm;VMware VDM Client Service;c:\program files\VMware\VMware VDM\Client\bin\wsnm.exe [5/8/2008 2:51 PM 131072]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [8/4/2009 7:15 AM 24521]
R3 jnprna;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna.sys [11/14/2006 8:49 AM 398720]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [5/25/2009 5:34 AM 338960]
R3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [5/25/2009 5:34 AM 488768]
R3 WSUSBDMAN;VMware VDM Virtual Client USB Manager;c:\windows\system32\drivers\WSUSBDMAN.sys [5/8/2008 2:45 PM 21504]
S0 2310_00;2310_00;c:\windows\system32\drivers\2310_00.sys [9/15/2008 9:12 AM 100224]
S0 hptmv6;hptmv6;c:\windows\system32\drivers\hptmv6.sys [9/15/2008 9:12 AM 93696]
S0 hptpro;hptpro;c:\windows\system32\drivers\hptpro.sys [9/15/2008 9:12 AM 9809]
S0 lsi_sas2;lsi_sas2;c:\windows\system32\drivers\lsi_sas2.sys [9/15/2008 9:12 AM 93184]
S0 rr172x;rr172x;c:\windows\system32\drivers\rr172x.sys [9/15/2008 9:12 AM 83200]
S0 rr174x;rr174x;c:\windows\system32\drivers\rr174x.sys [9/15/2008 9:12 AM 107296]
S0 rr232x;rr232x;c:\windows\system32\drivers\rr232x.sys [9/15/2008 9:12 AM 101888]
S0 rr2340;rr2340;c:\windows\system32\drivers\rr2340.sys [9/15/2008 9:12 AM 102400]
S2 MobileAutmationAgentService;iPass Endpoint Policy Management Agent;"c:\program files\mobile automation\rstate.exe" --> c:\program files\mobile automation\rstate.exe [?]
S2 SttService;Stt Services;c:\windows\SttService.exe [9/2/2009 6:43 AM 36923]
S3 EacService;Juniper TNC Endpoint Assessment;c:\program files\Common Files\Juniper Networks\TNC Client\jTnccService.exe [3/16/2007 4:33 PM 81992]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Nortel Networks\Extranet_serv.exe [8/4/2009 7:15 AM 835584]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/4/2004 4:00 AM 14336]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [8/4/2009 7:15 AM 155216]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [5/25/2009 5:30 AM 652552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-11-18 c:\windows\Tasks\stt_inv_report_24.job
- c:\program files\stt\stt_report_controller.bat [2009-09-02 16:02]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Eqiwek - c:\windows\evebamom.dll
AddRemove-eMusic Promotion - c:\program files\Winamp\eMusic\Uninst-eMusic-promotion.exe
AddRemove-HijackThis - E:\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-22 10:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: >>UNKNOWN [0x80800000]<< >>UNKNOWN [0xF7657000]<< >>UNKNOWN [0xF7647000]<< >>UNKNOWN [0xF72A1000]<< >>UNKNOWN [0x80A0D000]<< >>UNKNOWN [0xF7A4F000]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0xf765bf28
\Driver\ACPI -> 0xf735ecb8
\Driver\atapi -> 0xf72a7852
\Driver\iaStor -> 0xf7214002
IoDeviceObjectType -> DeleteProcedure -> 0x808ac6a8
ParseProcedure -> 0x808ab7e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> 0x808ac6a8
ParseProcedure -> 0x808ab7e8
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0xf695ebb0
PacketIndicateHandler -> 0xf696ba21
SendHandler -> 0xf694987b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\windows\system32\odyEvent.dll

- - - - - - - > 'explorer.exe'(3540)
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Juniper Networks\Odyssey Access Client\odClientService.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Dell\OpenManage\Client\Iap.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Trend Micro\OfficeScan Client\ntrtscan.exe
c:\windows\system32\nvsvc32.exe
c:\program files\SigmaTel\C-Major Audio\WDM\StacSV.exe
c:\program files\Trend Micro\OfficeScan Client\tmlisten.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\TEMP\XQA53D.EXE
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2009-11-22 10:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-22 18:49

Pre-Run: 147,931,267,072 bytes free
Post-Run: 147,994,546,176 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional 3gb Switch" /noexecute=optin /fastdetect /3gb

- - End Of File - - CCB95517B94ADA89529E086E9F1DBB70

stevo90277
Novice

Posts : 23
Joined : 2009-10-23
OS : Windows XP
Points : 26342
Likes : 0


Re: Computer infected pretty badly with Malware

Post by Belahzur on Sun Nov 22, 2009 7:32 pm

Hello.

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\Xluxeqicox.dat
    c:\windows\Hlusuqahiv.bin

    NetSvc::
    BtwSrv
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.




Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245059
Likes : 1


Re: Computer infected pretty badly with Malware

Post by stevo90277 on Sun Nov 22, 2009 10:28 pm

ComboFix 09-11-22.02 - price 11/22/2009 13:03.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3033 [GMT -8:00]
Running from: e:\debug malware\Software\ComboFix\Combo-Fix.exe
Command switches used :: e:\debug malware\Software\ComboFix\CFscript.txt
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {0DAA9119-FD08-45C7-A0D4-435C2125DC25}
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {63AEB1F9-3232-41B0-85E9-57A26F039C34}
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {E6508629-3691-4CDC-A98C-DBB1C46CE0E8}
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {EE66AC07-84E2-41D3-A1F6-CAA0156912A4}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {07F71C9E-8DE4-4226-B23A-C065A56821F8}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {0BEAD907-62D3-45B6-91D7-1B7B378434FD}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {495CC023-7AA3-4062-9163-DAFC95BCCB95}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {6789DEB4-4214-4AE8-A310-E2DED4AE8079}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {9DFB6C67-B09B-451B-96C8-8F03241927EE}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {D5C7FEBD-12D0-4782-8AD7-6B290082768C}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {DE57F669-2848-4BDC-83C0-C5C7E3AF3D7B}
FW: Trend Micro OfficeScan Enterprise Client Firewall *disabled* {63AEB1F9-3232-41B0-85E9-57A26F039C34}
FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {71A20E43-2C24-456C-AF94-9682743CB5C4}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

FILE ::
"c:\windows\Hlusuqahiv.bin"
"c:\windows\Xluxeqicox.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Hlusuqahiv.bin
c:\windows\Xluxeqicox.dat

.
((((((((((((((((((((((((( Files Created from 2009-10-22 to 2009-11-22 )))))))))))))))))))))))))))))))
.

2009-11-22 17:53 . 2009-11-22 18:49 -------- d-----w- C:\Combo-Fix
2009-11-21 15:46 . 2009-11-21 15:46 10752 ----a-w- c:\windows\DCEBoot.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-22 18:08 . 2009-10-23 05:05 6174 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-11-18 03:01 . 2009-09-02 14:43 -------- d-----w- c:\program files\stt
2009-10-26 20:43 . 2009-10-16 04:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-23 04:31 . 2009-06-19 00:19 70920 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\documents and settings\price\Application Data\Winamp
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\program files\Winamp
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\program files\Winamp Toolbar
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Winamp Toolbar
2009-10-16 04:21 . 2009-10-16 03:54 -------- d-----w- c:\program files\eqsydv
2009-10-16 04:13 . 2009-10-16 04:13 -------- d-----w- c:\documents and settings\price\Application Data\Malwarebytes
2009-10-16 04:13 . 2009-10-16 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-14 03:56 . 2009-10-13 04:05 -------- d-----w- c:\program files\Cheat Engine
2009-10-14 02:41 . 2008-06-29 05:17 26945 ----a-w- c:\windows\system32\nvModes.dat
2009-09-10 21:54 . 2009-10-16 04:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-10-16 04:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 02:25 . 2009-09-09 02:25 1886320 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\GoogleToolbarInstaller_en_signed.exe
2008-06-12 12:53 . 2008-09-22 22:57 3125248 ----a-w- c:\program files\Common Files\sapxlhelper.dll
2008-06-12 12:53 . 2008-09-22 22:57 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll
2008-06-12 12:53 . 2008-09-22 22:57 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll
2008-06-12 12:53 . 2008-09-22 22:57 949760 ----a-w- c:\program files\Common Files\SAPActiveXL_nosig.xlt
2008-06-12 12:53 . 2008-09-22 22:57 955904 ----a-w- c:\program files\Common Files\SAPActiveXL.xlt
2008-06-12 12:53 . 2008-09-22 22:57 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx
2007-07-09 21:30 . 2007-07-09 21:30 57344 ----a-w- c:\program files\internet explorer\plugins\PluginWrapper.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2009-05-06 1262888]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-09 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SIECACST"="c:\program files\Siemens\CardOS API\bin\siecacst.exe" [2007-08-02 81920]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2009-06-04 5069648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-29 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-29 81920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-04-18 159744]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"OdTray.exe"="c:\program files\Juniper Networks\Odyssey Access Client\OdTray.exe" [2007-03-16 1028160]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\Pccntmon.exe" [2009-07-27 718120]
"Malwarebytes Anti-Malware (reboot)"="e:\debug malware\Software\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"Ptipbmf"="ptipbmf.dll" - c:\windows\system32\ptipbmf.dll [2007-10-20 118784]
"PtiuPbmd"="ulutil2.dll" - c:\windows\system32\ulutil2.dll [2003-11-05 110592]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-02-19 303104]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-29 1626112]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-04-29 67584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2009-06-04 5069648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2008-06-29 05:49 122949 ----a-w- c:\windows\system32\odyEvent.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 aacsas;Adaptec SAS/SATA-II RAID Miniport Driver;c:\windows\system32\drivers\aacsas.sys [9/15/2008 9:12 AM 81035]
R0 adp94xx;adp94xx;c:\windows\system32\drivers\adp94xx.sys [9/15/2008 9:12 AM 360960]
R0 AFAMgt;AFAMgt;c:\windows\system32\drivers\afamgt.sys [9/15/2008 9:12 AM 91707]
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [9/15/2008 9:12 AM 119808]
R0 amdbusdr;amdbusdr;c:\windows\system32\drivers\AmdBusDr.sys [9/15/2008 9:12 AM 29696]
R0 arcm_x86;arcm_x86;c:\windows\system32\drivers\arcm_x86.sys [9/15/2008 9:12 AM 25888]
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [9/15/2008 9:12 AM 6016]
R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [9/15/2008 9:12 AM 7680]
R0 FastSx;FastSx;c:\windows\system32\drivers\FastSx.sys [9/15/2008 9:12 AM 167424]
R0 fasttrak;fasttrak;c:\windows\system32\drivers\Fasttrak.sys [9/15/2008 9:12 AM 65536]
R0 fttxr5_O;fttxr5_O;c:\windows\system32\drivers\fttxr5_O.sys [9/15/2008 9:12 AM 177152]
R0 fttxr52P;fttxr52P;c:\windows\system32\drivers\fttxr52P.sys [9/15/2008 9:12 AM 160256]
R0 HpCISSm2;HpCISSm2;c:\windows\system32\drivers\HpCISSm2.sys [9/15/2008 9:12 AM 23040]
R0 Hpt366;Hpt366;c:\windows\system32\drivers\Hpt366.sys [9/15/2008 9:12 AM 22880]
R0 hpt374;hpt374;c:\windows\system32\drivers\hpt374.sys [9/15/2008 9:12 AM 108150]
R0 hptiop;hptiop;c:\windows\system32\drivers\hptiop.sys [9/15/2008 9:12 AM 14496]
R0 hptmv;hptmv;c:\windows\system32\drivers\hptmv.sys [9/15/2008 9:12 AM 65024]
R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [9/15/2008 9:12 AM 26112]
R0 m5228;m5228;c:\windows\system32\drivers\m5228.sys [9/15/2008 9:12 AM 45069]
R0 m5281;m5281;c:\windows\system32\drivers\m5281.sys [9/15/2008 9:12 AM 51072]
R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [9/15/2008 9:12 AM 103680]
R0 m5288;m5288;c:\windows\system32\drivers\m5288.sys [9/15/2008 9:12 AM 210304]
R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [9/15/2008 9:12 AM 52480]
R0 MegaIDE;MegaIDE;c:\windows\system32\drivers\MegaIDE.sys [9/15/2008 9:12 AM 163277]
R0 MegaINTL;MegaINTL;c:\windows\system32\drivers\MegaINTL.sys [9/15/2008 9:12 AM 177536]
R0 mv614x;mv614x;c:\windows\system32\drivers\mv614x.sys [9/15/2008 9:12 AM 34432]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [9/15/2008 9:12 AM 143360]
R0 mv64xx;mv64xx;c:\windows\system32\drivers\mv64xx.sys [9/15/2008 9:12 AM 212480]
R0 mvSata;mvSata;c:\windows\system32\drivers\mvsata.sys [9/15/2008 9:12 AM 43520]
R0 nfrd960;IBM ServeRAID 4M/4L/4Mx/4Lx/5i/6M/6i/7k Device Driver;c:\windows\system32\drivers\nfrd960.sys [9/15/2008 9:12 AM 74747]
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [1/23/2006 1:19 PM 254208]
R0 Pnp649r;CMD IDE Raid Controller;c:\windows\system32\drivers\pnp649r.sys [9/15/2008 9:12 AM 66889]
R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [9/15/2008 9:12 AM 71720]
R0 raidsrc;raidsrc;c:\windows\system32\drivers\raidsrc.sys [9/15/2008 9:12 AM 45392]
R0 S150sx8;S150sx8;c:\windows\system32\drivers\S150sx8.sys [9/15/2008 9:12 AM 36864]
R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [9/15/2008 9:12 AM 110128]
R0 SI3114;SiI-3114 SATALink Controller;c:\windows\system32\drivers\SI3114.sys [9/15/2008 9:12 AM 61952]
R0 SI3124;SiI-3124 SATALink Controller;c:\windows\system32\drivers\SI3124.sys [9/15/2008 9:12 AM 81960]
R0 SI3124r;SiI-3124 SATARaid Controller;c:\windows\system32\drivers\SI3124r.sys [9/15/2008 9:12 AM 100881]
R0 Si3124r5;SiI-3124 SoftRaid 5 Controller;c:\windows\system32\drivers\3124r5A2.sys [9/15/2008 9:12 AM 207152]
R0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\drivers\Si3531.sys [9/15/2008 9:12 AM 210736]
R0 SiSRaid1;SiSRaid1;c:\windows\system32\drivers\SiSRaid1.sys [9/15/2008 9:11 AM 46464]
R0 SiSRaid4;SiSRaid4;c:\windows\system32\drivers\sisraid4.sys [9/15/2008 9:11 AM 68864]
R0 sisraidx;sisraidx;c:\windows\system32\drivers\sisraidx.sys [9/15/2008 9:11 AM 47616]
R0 sptrak;sptrak;c:\windows\system32\drivers\sptrak.sys [9/15/2008 9:12 AM 41216]
R0 ulsata2;ulsata2;c:\windows\system32\drivers\ulsata2.sys [9/15/2008 9:12 AM 125952]
R0 viapdsk;VIA ATA/ATAPI Host Controller;c:\windows\system32\drivers\viapdsk.sys [9/15/2008 9:11 AM 29184]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [4/28/2006 5:57 AM 17968]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [12/11/2006 9:12 AM 87664]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [11/9/2005 5:34 PM 36368]
R2 wsnm;VMware VDM Client Service;c:\program files\VMware\VMware VDM\Client\bin\wsnm.exe [5/8/2008 2:51 PM 131072]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [8/4/2009 7:15 AM 24521]
R3 jnprna;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna.sys [11/14/2006 8:49 AM 398720]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [5/25/2009 5:34 AM 338960]
R3 WSUSBDMAN;VMware VDM Virtual Client USB Manager;c:\windows\system32\drivers\WSUSBDMAN.sys [5/8/2008 2:45 PM 21504]
S0 2310_00;2310_00;c:\windows\system32\drivers\2310_00.sys [9/15/2008 9:12 AM 100224]
S0 hptmv6;hptmv6;c:\windows\system32\drivers\hptmv6.sys [9/15/2008 9:12 AM 93696]
S0 hptpro;hptpro;c:\windows\system32\drivers\hptpro.sys [9/15/2008 9:12 AM 9809]
S0 lsi_sas2;lsi_sas2;c:\windows\system32\drivers\lsi_sas2.sys [9/15/2008 9:12 AM 93184]
S0 rr172x;rr172x;c:\windows\system32\drivers\rr172x.sys [9/15/2008 9:12 AM 83200]
S0 rr174x;rr174x;c:\windows\system32\drivers\rr174x.sys [9/15/2008 9:12 AM 107296]
S0 rr232x;rr232x;c:\windows\system32\drivers\rr232x.sys [9/15/2008 9:12 AM 101888]
S0 rr2340;rr2340;c:\windows\system32\drivers\rr2340.sys [9/15/2008 9:12 AM 102400]
S2 MobileAutmationAgentService;iPass Endpoint Policy Management Agent;"c:\program files\mobile automation\rstate.exe" --> c:\program files\mobile automation\rstate.exe [?]
S2 SttService;Stt Services;c:\windows\SttService.exe [9/2/2009 6:43 AM 36923]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [11/9/2005 5:34 PM 225808]
S3 EacService;Juniper TNC Endpoint Assessment;c:\program files\Common Files\Juniper Networks\TNC Client\jTnccService.exe [3/16/2007 4:33 PM 81992]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Nortel Networks\Extranet_serv.exe [8/4/2009 7:15 AM 835584]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/4/2004 4:00 AM 14336]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [8/4/2009 7:15 AM 155216]
S3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [5/25/2009 5:34 AM 488768]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [5/25/2009 5:30 AM 652552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-11-18 c:\windows\Tasks\stt_inv_report_24.job
- c:\program files\stt\stt_report_controller.bat [2009-09-02 16:02]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-22 13:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: >>UNKNOWN [0x80800000]<< >>UNKNOWN [0xF7857000]<< >>UNKNOWN [0xF7657000]<< >>UNKNOWN [0xF7647000]<< >>UNKNOWN [0xF72A1000]<< >>UNKNOWN [0x80A0D000]<< >>UNKNOWN [0xF7A4F000]<< >>UNKNOWN [0xF7707000]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0xf765bf28
\Driver\ACPI -> 0xf735ecb8
\Driver\atapi -> 0xf72a7852
\Driver\iaStor -> 0xf7214002
IoDeviceObjectType -> DeleteProcedure -> 0x808ac6a8
ParseProcedure -> 0x808ab7e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> 0x808ac6a8
ParseProcedure -> 0x808ab7e8
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0xf695ebb0
PacketIndicateHandler -> 0xf696ba21
SendHandler -> 0xf694987b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\windows\system32\odyEvent.dll
.
Completion time: 2009-11-22 13:08
ComboFix-quarantined-files.txt 2009-11-22 21:08
ComboFix2.txt 2009-11-22 18:49

Pre-Run: 147,872,690,176 bytes free
Post-Run: 147,946,233,856 bytes free

- - End Of File - - 035A2CFDE98E02BC23692C8A1420441D


Re: Computer infected pretty badly with Malware

Post by Belahzur on Mon Nov 23, 2009 12:37 am

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Computer infected pretty badly with Malware

Post by stevo90277 on Mon Nov 23, 2009 1:57 am

The machine is running well. I will follow up on this post after some more interaction; meanwhile, here is the output of the ComboFix log after I ran it as you outlined:
ComboFix 09-11-22.04 - price 11/22/2009 17:01.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2911 [GMT -8:00]
Running from: e:\debug malware\Software\ComboFix\Combo-Fix.exe
Command switches used :: /u
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {0DAA9119-FD08-45C7-A0D4-435C2125DC25}
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {63AEB1F9-3232-41B0-85E9-57A26F039C34}
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {E6508629-3691-4CDC-A98C-DBB1C46CE0E8}
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {EE66AC07-84E2-41D3-A1F6-CAA0156912A4}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {07F71C9E-8DE4-4226-B23A-C065A56821F8}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {0BEAD907-62D3-45B6-91D7-1B7B378434FD}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {495CC023-7AA3-4062-9163-DAFC95BCCB95}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {6789DEB4-4214-4AE8-A310-E2DED4AE8079}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {9DFB6C67-B09B-451B-96C8-8F03241927EE}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {D5C7FEBD-12D0-4782-8AD7-6B290082768C}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {DE57F669-2848-4BDC-83C0-C5C7E3AF3D7B}
FW: Trend Micro OfficeScan Enterprise Client Firewall *disabled* {63AEB1F9-3232-41B0-85E9-57A26F039C34}
FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {71A20E43-2C24-456C-AF94-9682743CB5C4}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((( Files Created from 2009-10-23 to 2009-11-23 )))))))))))))))))))))))))))))))
.

2009-11-22 21:03 . 2009-11-22 21:08 -------- d-----w- C:\Combo-Fix11594C
2009-11-22 17:53 . 2009-11-22 18:49 -------- d-----w- C:\Combo-Fix
2009-11-21 15:46 . 2009-11-21 15:46 10752 ----a-w- c:\windows\DCEBoot.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-22 18:08 . 2009-10-23 05:05 6174 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-11-18 03:01 . 2009-09-02 14:43 -------- d-----w- c:\program files\stt
2009-10-26 20:43 . 2009-10-16 04:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-23 04:31 . 2009-06-19 00:19 70920 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\documents and settings\price\Application Data\Winamp
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\program files\Winamp
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\program files\Winamp Toolbar
2009-10-23 02:14 . 2009-10-23 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Winamp Toolbar
2009-10-16 04:21 . 2009-10-16 03:54 -------- d-----w- c:\program files\eqsydv
2009-10-16 04:13 . 2009-10-16 04:13 -------- d-----w- c:\documents and settings\price\Application Data\Malwarebytes
2009-10-16 04:13 . 2009-10-16 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-14 03:56 . 2009-10-13 04:05 -------- d-----w- c:\program files\Cheat Engine
2009-10-14 02:41 . 2008-06-29 05:17 26945 ----a-w- c:\windows\system32\nvModes.dat
2009-09-10 21:54 . 2009-10-16 04:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-10-16 04:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 02:25 . 2009-09-09 02:25 1886320 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\GoogleToolbarInstaller_en_signed.exe
2008-06-12 12:53 . 2008-09-22 22:57 3125248 ----a-w- c:\program files\Common Files\sapxlhelper.dll
2008-06-12 12:53 . 2008-09-22 22:57 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll
2008-06-12 12:53 . 2008-09-22 22:57 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll
2008-06-12 12:53 . 2008-09-22 22:57 949760 ----a-w- c:\program files\Common Files\SAPActiveXL_nosig.xlt
2008-06-12 12:53 . 2008-09-22 22:57 955904 ----a-w- c:\program files\Common Files\SAPActiveXL.xlt
2008-06-12 12:53 . 2008-09-22 22:57 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx
2007-07-09 21:30 . 2007-07-09 21:30 57344 ----a-w- c:\program files\internet explorer\plugins\PluginWrapper.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2009-05-06 1262888]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-09 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SIECACST"="c:\program files\Siemens\CardOS API\bin\siecacst.exe" [2007-08-02 81920]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2009-06-04 5069648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-29 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-29 81920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-04-18 159744]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"OdTray.exe"="c:\program files\Juniper Networks\Odyssey Access Client\OdTray.exe" [2007-03-16 1028160]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\Pccntmon.exe" [2009-07-27 718120]
"Malwarebytes Anti-Malware (reboot)"="e:\debug malware\Software\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"Ptipbmf"="ptipbmf.dll" - c:\windows\system32\ptipbmf.dll [2007-10-20 118784]
"PtiuPbmd"="ulutil2.dll" - c:\windows\system32\ulutil2.dll [2003-11-05 110592]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-02-19 303104]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-29 1626112]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-04-29 67584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2009-06-04 5069648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2008-06-29 05:49 122949 ----a-w- c:\windows\system32\odyEvent.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 aacsas;Adaptec SAS/SATA-II RAID Miniport Driver;c:\windows\system32\drivers\aacsas.sys [9/15/2008 9:12 AM 81035]
R0 adp94xx;adp94xx;c:\windows\system32\drivers\adp94xx.sys [9/15/2008 9:12 AM 360960]
R0 AFAMgt;AFAMgt;c:\windows\system32\drivers\afamgt.sys [9/15/2008 9:12 AM 91707]
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [9/15/2008 9:12 AM 119808]
R0 amdbusdr;amdbusdr;c:\windows\system32\drivers\AmdBusDr.sys [9/15/2008 9:12 AM 29696]
R0 arcm_x86;arcm_x86;c:\windows\system32\drivers\arcm_x86.sys [9/15/2008 9:12 AM 25888]
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [9/15/2008 9:12 AM 6016]
R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [9/15/2008 9:12 AM 7680]
R0 FastSx;FastSx;c:\windows\system32\drivers\FastSx.sys [9/15/2008 9:12 AM 167424]
R0 fasttrak;fasttrak;c:\windows\system32\drivers\Fasttrak.sys [9/15/2008 9:12 AM 65536]
R0 fttxr5_O;fttxr5_O;c:\windows\system32\drivers\fttxr5_O.sys [9/15/2008 9:12 AM 177152]
R0 fttxr52P;fttxr52P;c:\windows\system32\drivers\fttxr52P.sys [9/15/2008 9:12 AM 160256]
R0 HpCISSm2;HpCISSm2;c:\windows\system32\drivers\HpCISSm2.sys [9/15/2008 9:12 AM 23040]
R0 Hpt366;Hpt366;c:\windows\system32\drivers\Hpt366.sys [9/15/2008 9:12 AM 22880]
R0 hpt374;hpt374;c:\windows\system32\drivers\hpt374.sys [9/15/2008 9:12 AM 108150]
R0 hptiop;hptiop;c:\windows\system32\drivers\hptiop.sys [9/15/2008 9:12 AM 14496]
R0 hptmv;hptmv;c:\windows\system32\drivers\hptmv.sys [9/15/2008 9:12 AM 65024]
R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [9/15/2008 9:12 AM 26112]
R0 m5228;m5228;c:\windows\system32\drivers\m5228.sys [9/15/2008 9:12 AM 45069]
R0 m5281;m5281;c:\windows\system32\drivers\m5281.sys [9/15/2008 9:12 AM 51072]
R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [9/15/2008 9:12 AM 103680]
R0 m5288;m5288;c:\windows\system32\drivers\m5288.sys [9/15/2008 9:12 AM 210304]
R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [9/15/2008 9:12 AM 52480]
R0 MegaIDE;MegaIDE;c:\windows\system32\drivers\MegaIDE.sys [9/15/2008 9:12 AM 163277]
R0 MegaINTL;MegaINTL;c:\windows\system32\drivers\MegaINTL.sys [9/15/2008 9:12 AM 177536]
R0 mv614x;mv614x;c:\windows\system32\drivers\mv614x.sys [9/15/2008 9:12 AM 34432]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [9/15/2008 9:12 AM 143360]
R0 mv64xx;mv64xx;c:\windows\system32\drivers\mv64xx.sys [9/15/2008 9:12 AM 212480]
R0 mvSata;mvSata;c:\windows\system32\drivers\mvsata.sys [9/15/2008 9:12 AM 43520]
R0 nfrd960;IBM ServeRAID 4M/4L/4Mx/4Lx/5i/6M/6i/7k Device Driver;c:\windows\system32\drivers\nfrd960.sys [9/15/2008 9:12 AM 74747]
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [1/23/2006 1:19 PM 254208]
R0 Pnp649r;CMD IDE Raid Controller;c:\windows\system32\drivers\pnp649r.sys [9/15/2008 9:12 AM 66889]
R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [9/15/2008 9:12 AM 71720]
R0 raidsrc;raidsrc;c:\windows\system32\drivers\raidsrc.sys [9/15/2008 9:12 AM 45392]
R0 S150sx8;S150sx8;c:\windows\system32\drivers\S150sx8.sys [9/15/2008 9:12 AM 36864]
R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [9/15/2008 9:12 AM 110128]
R0 SI3114;SiI-3114 SATALink Controller;c:\windows\system32\drivers\SI3114.sys [9/15/2008 9:12 AM 61952]
R0 SI3124;SiI-3124 SATALink Controller;c:\windows\system32\drivers\SI3124.sys [9/15/2008 9:12 AM 81960]
R0 SI3124r;SiI-3124 SATARaid Controller;c:\windows\system32\drivers\SI3124r.sys [9/15/2008 9:12 AM 100881]
R0 Si3124r5;SiI-3124 SoftRaid 5 Controller;c:\windows\system32\drivers\3124r5A2.sys [9/15/2008 9:12 AM 207152]
R0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\drivers\Si3531.sys [9/15/2008 9:12 AM 210736]
R0 SiSRaid1;SiSRaid1;c:\windows\system32\drivers\SiSRaid1.sys [9/15/2008 9:11 AM 46464]
R0 SiSRaid4;SiSRaid4;c:\windows\system32\drivers\sisraid4.sys [9/15/2008 9:11 AM 68864]
R0 sisraidx;sisraidx;c:\windows\system32\drivers\sisraidx.sys [9/15/2008 9:11 AM 47616]
R0 sptrak;sptrak;c:\windows\system32\drivers\sptrak.sys [9/15/2008 9:12 AM 41216]
R0 ulsata2;ulsata2;c:\windows\system32\drivers\ulsata2.sys [9/15/2008 9:12 AM 125952]
R0 viapdsk;VIA ATA/ATAPI Host Controller;c:\windows\system32\drivers\viapdsk.sys [9/15/2008 9:11 AM 29184]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [4/28/2006 5:57 AM 17968]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [12/11/2006 9:12 AM 87664]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [11/9/2005 5:34 PM 36368]
R2 wsnm;VMware VDM Client Service;c:\program files\VMware\VMware VDM\Client\bin\wsnm.exe [5/8/2008 2:51 PM 131072]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [8/4/2009 7:15 AM 24521]
R3 jnprna;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna.sys [11/14/2006 8:49 AM 398720]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [5/25/2009 5:34 AM 338960]
R3 WSUSBDMAN;VMware VDM Virtual Client USB Manager;c:\windows\system32\drivers\WSUSBDMAN.sys [5/8/2008 2:45 PM 21504]
S0 2310_00;2310_00;c:\windows\system32\drivers\2310_00.sys [9/15/2008 9:12 AM 100224]
S0 hptmv6;hptmv6;c:\windows\system32\drivers\hptmv6.sys [9/15/2008 9:12 AM 93696]
S0 hptpro;hptpro;c:\windows\system32\drivers\hptpro.sys [9/15/2008 9:12 AM 9809]
S0 lsi_sas2;lsi_sas2;c:\windows\system32\drivers\lsi_sas2.sys [9/15/2008 9:12 AM 93184]
S0 rr172x;rr172x;c:\windows\system32\drivers\rr172x.sys [9/15/2008 9:12 AM 83200]
S0 rr174x;rr174x;c:\windows\system32\drivers\rr174x.sys [9/15/2008 9:12 AM 107296]
S0 rr232x;rr232x;c:\windows\system32\drivers\rr232x.sys [9/15/2008 9:12 AM 101888]
S0 rr2340;rr2340;c:\windows\system32\drivers\rr2340.sys [9/15/2008 9:12 AM 102400]
S2 MobileAutmationAgentService;iPass Endpoint Policy Management Agent;"c:\program files\mobile automation\rstate.exe" --> c:\program files\mobile automation\rstate.exe [?]
S2 SttService;Stt Services;c:\windows\SttService.exe [9/2/2009 6:43 AM 36923]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [11/9/2005 5:34 PM 225808]
S3 EacService;Juniper TNC Endpoint Assessment;c:\program files\Common Files\Juniper Networks\TNC Client\jTnccService.exe [3/16/2007 4:33 PM 81992]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Nortel Networks\Extranet_serv.exe [8/4/2009 7:15 AM 835584]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/4/2004 4:00 AM 14336]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [8/4/2009 7:15 AM 155216]
S3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [5/25/2009 5:34 AM 488768]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [5/25/2009 5:30 AM 652552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-11-18 c:\windows\Tasks\stt_inv_report_24.job
- c:\program files\stt\stt_report_controller.bat [2009-09-02 16:02]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-22 17:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: >>UNKNOWN [0x80800000]<< >>UNKNOWN [0xF7857000]<< >>UNKNOWN [0xF7657000]<< >>UNKNOWN [0xF7647000]<< >>UNKNOWN [0xF72A1000]<< >>UNKNOWN [0x80A0D000]<< >>UNKNOWN [0xF7A4F000]<< >>UNKNOWN [0xF7707000]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0xf765bf28
\Driver\ACPI -> 0xf735ecb8
\Driver\atapi -> 0xf72a7852
\Driver\iaStor -> 0xf7214002
IoDeviceObjectType -> DeleteProcedure -> 0x808ac6a8
ParseProcedure -> 0x808ab7e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> 0x808ac6a8
ParseProcedure -> 0x808ab7e8
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0xf695ebb0
PacketIndicateHandler -> 0xf696ba21
SendHandler -> 0xf694987b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\windows\system32\odyEvent.dll

- - - - - - - > 'explorer.exe'(1680)
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-22 17:06
ComboFix-quarantined-files.txt 2009-11-23 01:06
ComboFix2.txt 2009-11-22 21:08
ComboFix3.txt 2009-11-22 18:49

Pre-Run: 147,959,373,824 bytes free
Post-Run: 147,942,064,128 bytes free

- - End Of File - - 044EA539826F2FAFE64E6EFE844D1DBA


Re: Computer infected pretty badly with Malware

Post by Belahzur on Mon Nov 23, 2009 8:36 pm

How is the machine now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.

