Antivirus System pro


Re: Antivirus System pro

Post by sajeev_p on 8th January 2010, 11:34 pm

Hi,

I ran SystemLook again as per the code provided, and also ran ComboFix with the CFScript. But something peculiar happened before ComboFix ran: it gave a message saying ComboFix needs to be updated, then it connected to some server, updated itself and then ran, producing a log. Is this normal?

Anyway, please find the logs below for SystemLook and ComboFix.

1. SystemLook:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 12:56 on 08/01/2010 by Sajeev (Administrator - Elevation successful)

========== filefind ==========

Searching for "*uridsys*"
No files found.

Searching for "* .exe"
No files found.

-=End Of File=-

2. ComboFix (Commy) ran with the CFScript provided - log:

ComboFix 10-01-04.01 - Sajeev 01/08/2010 13:09:09.2.2 - x86
Microsoft® Windows Vista™ Business 6.0.6000.0.1252.1.1033.18.2046.1008 [GMT -8:00]
Running from: c:\users\Sajeev\Desktop\Commy.exe
Command switches used :: c:\users\Sajeev\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
SP: McAfee VirusScan *disabled* (Updated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
/wow section - STAGE 1


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\i386\eventlog.dll --> c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((( Files Created from 2009-12-08 to 2010-01-08 )))))))))))))))))))))))))))))))
.

2010-01-08 21:14 . 2010-01-08 21:14 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-08 21:14 . 2010-01-08 21:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-08 21:14 . 2010-01-08 21:14 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-01-08 21:09 . 2004-08-04 11:00 55808 ----a-w- c:\windows\system32\eventlog.dll
2010-01-08 21:06 . 2010-01-08 21:07 -------- d-----w- C:\32788R22FWJFW
2010-01-05 09:57 . 2010-01-05 09:57 144160 ----a-w- c:\users\Sajeev\AppData\Roaming\Move Networks\uninstall.exe
2010-01-05 09:57 . 2010-01-05 09:57 -------- d-----w- c:\users\Sajeev\AppData\Roaming\Move Networks
2009-12-27 21:50 . 2009-12-27 21:54 -------- d-----w- C:\Commy28393C
2009-12-24 22:15 . 2009-12-24 22:31 -------- d-----w- C:\Commy29355C
2009-12-22 08:30 . 2009-12-22 08:39 -------- d-----w- C:\Commy
2009-12-20 02:36 . 2009-12-20 02:36 -------- d-----w- c:\users\Sajeev\AppData\Local\Apple Computer
2009-12-19 10:23 . 2009-12-19 10:23 -------- d-----w- c:\programdata\Kaspersky Lab
2009-12-14 08:43 . 2009-12-14 08:46 -------- d-----w- c:\programdata\RosettaStoneLtdServices
2009-12-14 08:43 . 2009-12-14 08:43 -------- d-----w- c:\program files\RosettaStoneLtdServices

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-05 09:57 . 2009-12-07 01:22 5603776 ----a-w- c:\users\Sajeev\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll
2010-01-03 04:07 . 2009-12-01 12:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-03 04:07 . 2009-12-09 00:55 5061520 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-01 07:01 . 2008-01-26 20:13 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-12-30 22:55 . 2009-12-01 12:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 22:54 . 2009-12-01 12:15 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-30 21:16 . 2009-12-08 23:50 -------- d-----w- c:\users\Sajeev\AppData\Roaming\Skype
2009-12-28 21:19 . 2007-04-29 22:28 7808 ----a-w- c:\users\Sajeev\AppData\Local\d3d9caps.dat
2009-12-22 05:16 . 2007-01-01 20:49 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-19 04:40 . 2009-12-01 12:57 120 ----a-w- c:\users\Pennu\AppData\Local\Nqehil.dat
2009-12-19 02:03 . 2009-12-01 12:57 0 ----a-w- c:\users\Pennu\AppData\Local\Aqipuz.bin
2009-12-07 01:22 . 2009-12-07 01:22 97216 ----a-w- c:\users\Sajeev\AppData\Roaming\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-12-04 01:09 . 2009-12-04 01:08 -------- d-----w- c:\users\Pennu\AppData\Roaming\Winamp
2009-12-01 20:50 . 2008-01-10 17:03 7808 ----a-w- c:\users\Pennu\AppData\Local\d3d9caps.dat
2009-12-01 12:54 . 2009-12-01 12:54 -------- d-----w- c:\users\Pennu\AppData\Roaming\Malwarebytes
2009-12-01 12:15 . 2009-12-01 12:15 -------- d-----w- c:\users\Sajeev\AppData\Roaming\Malwarebytes
2009-12-01 12:15 . 2009-12-01 12:15 -------- d-----w- c:\programdata\Malwarebytes
2009-12-01 10:52 . 2009-12-01 10:52 2962 ----a-w- c:\users\Pennu\AppData\Local\arafecufica.dll
2009-12-01 09:03 . 2009-12-01 09:03 2962 ----a-w- c:\users\Pennu\AppData\Local\ikivehadaj.dll
2009-11-25 11:21 . 2009-01-10 01:11 -------- d-----w- c:\program files\McAfee
2009-11-21 06:40 . 2009-12-22 01:49 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-22 01:49 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-22 01:49 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-22 01:49 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-09 13:34 . 2009-12-09 10:16 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 13:30 . 2009-12-09 10:16 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 11:17 . 2009-12-09 10:16 396800 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-29 07:59 . 2009-11-25 11:02 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-27 15:01 . 2009-12-09 02:57 52736 ----a-w- c:\windows\AppPatch\iebrshim.dll
2007-03-11 09:39 . 2007-03-11 09:39 88 --sha-r- c:\windows\System32\20B142885A.sys
2007-03-11 09:40 . 2007-03-11 09:39 2828 --sha-w- c:\windows\System32\KGyGaAvL.sys
2007-01-05 20:18 . 2007-01-05 20:18 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-10 1232896]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 2159104]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 4670968]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2006-11-12 446976]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"DellTransferAgent"="c:\programdata\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-07-16 25604904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-02 1004136]
"DellHelp"="c:\dell\DellHelp\DellHelp.exe" [2004-04-01 1589248]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2006-08-22 184320]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-01-01 26112]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"SigmatelSysTrayApp"="sttray.exe" [2007-01-12 303104]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-05-14 35328]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2006-12-22 497176]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2006-12-22 756248]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-12-30 1389904]

c:\users\Sajeev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2007-1-1 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-4-6 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickSet.lnk - c:\windows\Installer\{53A01CC6-14B0-4512-A2E7-10D39BF83DC4}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-4-6 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe [9/3/2009 3:44 PM 444224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2009-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-24 19:22]

2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-24 19:22]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-08 13:14
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\clsid\{3da165b6-cc41-11d2-bdc6-00c04f79ec6b}\ProgID]
@Denied: (A) (Everyone)
@="{130DD502-9E74-4187-839C-C35B3164EAB6}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\clsid\{3da165b6-cc41-11d2-bdc6-00c04f79ec6b}\Version]
@Denied: (A) (Everyone)
@="{130DD502-9E74-4187-839C-C35B3164EAB6}"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-01-08 13:17:48
ComboFix-quarantined-files.txt 2010-01-08 21:17
ComboFix2.txt 2009-12-27 22:14

Pre-Run: 32,517,271,552 bytes free
Post-Run: 32,497,868,800 bytes free

- - End Of File - - E684F7D64804D944BF820AE2873872B9


Re: Antivirus System pro

Post by Dr Jay on 9th January 2010, 12:27 am

Yeah, that was fine for ComboFix. I was expecting it to update soon.

How is your computer running now?


Dr. Jay (DJ)



Re: Antivirus System pro

Post by sajeev_p on 13th January 2010, 4:16 am

Hi,

The computer seems to be running fine now, but there are multiple folders created on the C: drive, which are related to the ComboFix runs, I guess. How do I get rid of them? Also, are there any other scans I need to run to ensure the computer is clean?


Re: Antivirus System pro

Post by Dr Jay on 13th January 2010, 4:56 am

To uninstall ComboFix

  • Click the Start button. Click Run. For Vista: type Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall
    (Note: Make sure there's a space between the word ComboFix and the forward-slash.)
  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.

==

Download Security Check by screen317 from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.




Re: Antivirus System pro

Post by sajeev_p on 16th January 2010, 5:32 am

Hi,

Please find below the log from security check:

Results of screen317's Security Check version 0.99.1
Windows Vista (UAC is enabled)
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
McAfee SecurityCenter
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:

Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent

``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Also, I ran the uninstall command for ComboFix. It ran successfully, but the folders created on the root of C: have not been deleted.

The following are the folders that are now appearing on the C: root:

1. $INPLACE.~TR
2. $WINDOWS.~Q
3. Boot
4. 32788R22FWJFW
5. Commy
6. Commy882c
7. Commy28393c
8. Commy29355c
9. Config.Msi
10. e8535ee0d396b26b8f

Not sure if these folders were created by repeated running of ComboFix and Gmer, or are folders created due to the infection.

I don't recollect these folders being present before the Antivirus System Pro infection.

Also, the two folders starting with '$' are not allowing me access (even though I am logged on as Admin); it's directing me to a Windows access control message.

Please advise if (and how) I should get rid of these folders.

Thanks...
