AV Security! PLEASE Help!

Page 3 of 3 Previous  1, 2, 3

View previous topic View next topic Go down

AV Security! PLEASE Help!

Post by zabio10 on Sat 03 Jul 2010, 4:12 am

First topic message reminder :

I have followed the instructions given, but nothing seems to work to take this thing off my computer. I DO NOT have proxy checked in the advanced tab on my browser. I'm using Firefox and the only way I can run anything is to go into safe mode, which really doesn't help normal mode. I can't open anything security related in normal mode because this AV thing pops up and says it's all infected. Is there anything else I can do?

Zabio

zabio10

Newbie Surfer
Newbie Surfer

Posts : 49
Joined : 2010-07-03
Operating System : xp serv pack 3

View user profile

Back to top Go down


Re: AV Security! PLEASE Help!

Post by zabio10 on Sat 03 Jul 2010, 7:43 am

ComboFix 10-07-01.02 - Administrator 07/02/2010 13:27:45.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.742 [GMT -7:00]
Running from: c:\documents and settings\Administrator.98FE5BE2C6824F7\desktop\commy.exe
Command switches used :: /stepdel
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Local Settings\Application Data\npctbblsc
c:\documents and settings\NetworkService\Local Settings\Application Data\npctbblsc\iotpinwtssd.exe
c:\windows\jestertb.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-02 to 2010-07-02 )))))))))))))))))))))))))))))))
.

2010-07-02 19:27 . 2010-07-02 19:27 -------- d-----w- C:\_OTL
2010-07-02 15:55 . 2010-07-02 15:55 -------- d-----w- c:\documents and settings\Administrator.98FE5BE2C6824F7\Application Data\Malwarebytes
2010-07-02 15:55 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-02 15:54 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-02 15:54 . 2010-07-02 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-02 15:54 . 2010-07-02 20:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-02 13:39 . 2010-07-02 13:39 -------- d-----w- c:\documents and settings\Administrator.98FE5BE2C6824F7\Application Data\AVG8
2010-06-29 13:43 . 2010-06-29 13:43 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-06-17 13:14 . 2010-06-17 13:14 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-14 13:04 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-02 20:20 . 2007-01-19 11:38 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-02 20:20 . 2007-01-19 11:38 -------- d-----w- c:\program files\Symantec
2010-07-02 20:20 . 2007-01-29 20:33 -------- d-----w- c:\program files\Symantec AntiVirus
2010-07-02 20:20 . 2007-01-19 11:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-30 23:06 . 2007-07-30 21:14 -------- d-----w- c:\documents and settings\Administrator.98FE5BE2C6824F7\Application Data\U3
2010-05-19 12:17 . 2007-01-19 11:37 -------- d-----w- c:\program files\Google
2010-05-06 10:41 . 2006-02-28 02:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2006-02-28 02:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2006-02-28 02:00 285696 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-04 16250880]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-31 761856]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-04-24 888832]
"BelNotify"="c:\progra~1\Belarc\Advisor\System\NPBelv32.dll" [2006-04-19 951800]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{6DC47739-3BB0-4494-A43D-193BF54070AE}\Icon3E5562ED7.ico [2007-1-29 6144]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinVNC4"=2 (0x2)
"BelMonitorService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 FGR Service;FGR Service;c:\program files\1872_Sprint\Fgrd.exe [5/30/2003 2:55 PM 57344]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/24/2010 2:09 PM 136176]
.
Contents of the 'Scheduled Tasks' folder

2010-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-24 21:09]

2010-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-24 21:09]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator.98FE5BE2C6824F7\Application Data\Mozilla\Firefox\Profiles\4meoxe2d.default\
FF - plugin: c:\documents and settings\Administrator.98FE5BE2C6824F7\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-02 13:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86CD8EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf764cf28
\Driver\ACPI -> ACPI.sys @ 0xf74dfcb8
\Driver\atapi -> atapi.sys @ 0xf7471852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
NDIS: Broadcom NetXtreme Gigabit Ethernet -> SendCompleteHandler -> NDIS.sys @ 0xf737dbb0
PacketIndicateHandler -> NDIS.sys @ 0xf738aa21
SendHandler -> NDIS.sys @ 0xf736887b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2983970211-443099682-2871120687-500\Software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
@SACL=
"Policy"=dword:00000000

[HKEY_USERS\S-1-5-21-2983970211-443099682-2871120687-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f1,2a,46,e3,c4,2c,a4,42,8a,56,1e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f1,2a,46,e3,c4,2c,a4,42,8a,56,1e,\

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(976)
c:\windows\system32\WININET.dll
.
Completion time: 2010-07-02 13:42:26
ComboFix-quarantined-files.txt 2010-07-02 20:42

Pre-Run: 58,174,922,752 bytes free
Post-Run: 59,041,116,160 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 14D65ABF588CBAA43EA5EAF830C8318F

zabio10

Newbie Surfer
Newbie Surfer

Posts : 49
Joined : 2010-07-03
Operating System : xp serv pack 3

View user profile

Back to top Go down

Re: AV Security! PLEASE Help!

Post by zabio10 on Sat 03 Jul 2010, 7:58 am

is it fixed?

zabio10

Newbie Surfer
Newbie Surfer

Posts : 49
Joined : 2010-07-03
Operating System : xp serv pack 3

View user profile

Back to top Go down

Re: AV Security! PLEASE Help!

Post by Sneakyone on Sat 03 Jul 2010, 8:37 am

Nope, I see a couple more issues, I will have a fix for you in just a second.

Sneakyone

Tech Officer
Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

View user profile http://twitter.com/AVerySneakyone

Back to top Go down

Re: AV Security! PLEASE Help!

Post by Sneakyone on Sat 03 Jul 2010, 8:42 am

Hi,

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    atapi.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Sneakyone

Tech Officer
Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

View user profile http://twitter.com/AVerySneakyone

Back to top Go down

Re: AV Security! PLEASE Help!

Post by zabio10 on Fri 04 Mar 2011, 5:39 am

SystemLook 04.09.10 by jpshortstuff
Log created at 10:37 on 03/03/2011 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c- 95360 bytes [23:51 01/12/2009] [06:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a---- 96512 bytes [20:39 02/07/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------- 96512 bytes [18:40 13/04/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a---- 96512 bytes [00:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys --a---- 95360 bytes [11:30 19/01/2007] [00:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys --a---- 95360 bytes [11:30 19/01/2007] [06:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-= EOF =-

zabio10

Newbie Surfer
Newbie Surfer

Posts : 49
Joined : 2010-07-03
Operating System : xp serv pack 3

View user profile

Back to top Go down

Re: AV Security! PLEASE Help!

Post by Sponsored content Today at 11:05 am


Sponsored content


Back to top Go down

Page 3 of 3 Previous  1, 2, 3

View previous topic View next topic Back to top


 
Permissions in this forum:
You cannot reply to topics in this forum