
AV Security! PLEASE Help!


Re: AV Security! PLEASE Help!

Post by zabio10 on Fri Jul 02, 2010 8:43 pm

ComboFix 10-07-01.02 - Administrator 07/02/2010 13:27:45.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.742 [GMT -7:00]
Running from: c:\documents and settings\Administrator.98FE5BE2C6824F7\desktop\commy.exe
Command switches used :: /stepdel
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Local Settings\Application Data\npctbblsc
c:\documents and settings\NetworkService\Local Settings\Application Data\npctbblsc\iotpinwtssd.exe
c:\windows\jestertb.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-02 to 2010-07-02 )))))))))))))))))))))))))))))))
.

2010-07-02 19:27 . 2010-07-02 19:27 -------- d-----w- C:\_OTL
2010-07-02 15:55 . 2010-07-02 15:55 -------- d-----w- c:\documents and settings\Administrator.98FE5BE2C6824F7\Application Data\Malwarebytes
2010-07-02 15:55 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-02 15:54 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-02 15:54 . 2010-07-02 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-02 15:54 . 2010-07-02 20:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-02 13:39 . 2010-07-02 13:39 -------- d-----w- c:\documents and settings\Administrator.98FE5BE2C6824F7\Application Data\AVG8
2010-06-29 13:43 . 2010-06-29 13:43 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-06-17 13:14 . 2010-06-17 13:14 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-14 13:04 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-02 20:20 . 2007-01-19 11:38 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-02 20:20 . 2007-01-19 11:38 -------- d-----w- c:\program files\Symantec
2010-07-02 20:20 . 2007-01-29 20:33 -------- d-----w- c:\program files\Symantec AntiVirus
2010-07-02 20:20 . 2007-01-19 11:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-30 23:06 . 2007-07-30 21:14 -------- d-----w- c:\documents and settings\Administrator.98FE5BE2C6824F7\Application Data\U3
2010-05-19 12:17 . 2007-01-19 11:37 -------- d-----w- c:\program files\Google
2010-05-06 10:41 . 2006-02-28 02:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2006-02-28 02:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2006-02-28 02:00 285696 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-04 16250880]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-31 761856]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-04-24 888832]
"BelNotify"="c:\progra~1\Belarc\Advisor\System\NPBelv32.dll" [2006-04-19 951800]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{6DC47739-3BB0-4494-A43D-193BF54070AE}\Icon3E5562ED7.ico [2007-1-29 6144]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinVNC4"=2 (0x2)
"BelMonitorService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 FGR Service;FGR Service;c:\program files\1872_Sprint\Fgrd.exe [5/30/2003 2:55 PM 57344]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/24/2010 2:09 PM 136176]
.
Contents of the 'Scheduled Tasks' folder

2010-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-24 21:09]

2010-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-24 21:09]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator.98FE5BE2C6824F7\Application Data\Mozilla\Firefox\Profiles\4meoxe2d.default\
FF - plugin: c:\documents and settings\Administrator.98FE5BE2C6824F7\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-02 13:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86CD8EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf764cf28
\Driver\ACPI -> ACPI.sys @ 0xf74dfcb8
\Driver\atapi -> atapi.sys @ 0xf7471852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
NDIS: Broadcom NetXtreme Gigabit Ethernet -> SendCompleteHandler -> NDIS.sys @ 0xf737dbb0
PacketIndicateHandler -> NDIS.sys @ 0xf738aa21
SendHandler -> NDIS.sys @ 0xf736887b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2983970211-443099682-2871120687-500\Software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
@SACL=
"Policy"=dword:00000000

[HKEY_USERS\S-1-5-21-2983970211-443099682-2871120687-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f1,2a,46,e3,c4,2c,a4,42,8a,56,1e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f1,2a,46,e3,c4,2c,a4,42,8a,56,1e,\

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(976)
c:\windows\system32\WININET.dll
.
Completion time: 2010-07-02 13:42:26
ComboFix-quarantined-files.txt 2010-07-02 20:42

Pre-Run: 58,174,922,752 bytes free
Post-Run: 59,041,116,160 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 14D65ABF588CBAA43EA5EAF830C8318F

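As an added example (not part of the thread, and not ComboFix's own code), a small Python pass over a constructed excerpt of the log above that flags the three items a helper would check first: the IE proxy pointed at a local port, the firewall policy set to 0, and the module the MBR check could not attribute. The regexes and finding wording are mine; the sample lines are copied from the posted log.

```python
import re

# Constructed excerpt of the ComboFix log posted above (values copied from the page).
COMBOFIX_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride =
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86CD8EC5]<<
user & kernel MBR OK
"""

# IE proxy line, e.g. "ProxyServer = http=127.0.0.1:5577" (the "http=" prefix is optional)
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(?P<host>[\w.\-]+):(?P<port>\d+)")
# Windows Firewall standard-profile policy value as ComboFix prints it
FIREWALL_RE = re.compile(r'"EnableFirewall"\s*=\s*(?P<val>\d+)')
# The MBR check marks a module it cannot attribute as >>UNKNOWN [address]<<
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9A-Fa-f]+)\]<<")

LOCAL_HOSTS = {"127.0.0.1", "localhost"}


def triage(log: str) -> list[str]:
    """Return one finding string per suspicious line in a ComboFix log excerpt."""
    findings = []
    for line in log.splitlines():
        m = PROXY_RE.search(line)
        if m and m.group("host") in LOCAL_HOSTS:
            findings.append(f"IE proxy points at local port {m.group('host')}:{m.group('port')}; "
                            "confirm which process listens there")
        m = FIREWALL_RE.search(line)
        if m and m.group("val") == "0":
            findings.append("Windows Firewall disabled in the standard profile (EnableFirewall=0)")
        m = UNKNOWN_RE.search(line)
        if m:
            findings.append(f"unattributed module in the disk call chain at {m.group('addr')}; "
                            "check which driver should own that address")
    return findings


if __name__ == "__main__":
    for finding in triage(COMBOFIX_LOG):
        print("-", finding)
```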

Re: AV Security! PLEASE Help!

Post by zabio10 on Fri Jul 02, 2010 8:58 pm

is it fixed?


Re: AV Security! PLEASE Help!

Post by Sneakyone on Fri Jul 02, 2010 9:37 pm

Nope, I see a couple more issues. I will have a fix for you in just a second. Right On!


Re: AV Security! PLEASE Help!

Post by Sneakyone on Fri Jul 02, 2010 9:42 pm

Hi,

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    atapi.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Re: AV Security! PLEASE Help!

Post by zabio10 on Thu Mar 03, 2011 6:39 pm

SystemLook 04.09.10 by jpshortstuff
Log created at 10:37 on 03/03/2011 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c- 95360 bytes [23:51 01/12/2009] [06:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a---- 96512 bytes [20:39 02/07/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------- 96512 bytes [18:40 13/04/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a---- 96512 bytes [00:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys --a---- 95360 bytes [11:30 19/01/2007] [00:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys --a---- 95360 bytes [11:30 19/01/2007] [06:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-= EOF =-

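To close the loop on the SystemLook request above and the filefind output that followed, an added example (not SystemLook's code and not from either poster): parse the result lines and compare the MD5 and size of the live C:\WINDOWS\system32\drivers\atapi.sys against the ServicePackFiles\i386 copy, which is the comparison a helper makes on that log. The sample input is copied from the posted log; the directory names used as anchors are the ones that appear in it.

```python
import re

# Constructed sample: the filefind lines from the SystemLook log posted above (copied from the page).
SYSTEMLOOK_LOG = r"""
Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c- 95360 bytes [23:51 01/12/2009] [06:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a---- 96512 bytes [20:39 02/07/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------- 96512 bytes [18:40 13/04/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a---- 96512 bytes [00:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
"""

# One filefind result line: path, 7 attribute flags, size, created/modified stamps, MD5.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(log: str) -> list[dict]:
    """Return one dict per result line; header and blank lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entries.append(entry)
    return entries


def check_driver(entries: list[dict],
                 live_dir: str = "\\system32\\drivers\\",
                 ref_dir: str = "\\ServicePackFiles\\i386\\") -> str:
    """Compare the live driver with the Service Pack reference copy by MD5 and size."""
    live = next((e for e in entries if live_dir.lower() in e["path"].lower()), None)
    ref = next((e for e in entries if ref_dir.lower() in e["path"].lower()), None)
    if live is None or ref is None:
        return "incomplete: live or reference copy missing from the log"
    if live["md5"].upper() == ref["md5"].upper() and live["size"] == ref["size"]:
        return f"match: {live['path']} is identical to the Service Pack copy"
    return f"MISMATCH: live md5 {live['md5']} ({live['size']} bytes) vs reference {ref['md5']} ({ref['size']} bytes)"


if __name__ == "__main__":
    print(check_driver(parse_filefind(SYSTEMLOOK_LOG)))
```

A mismatch here is a prompt to pull the file for closer inspection, not proof of infection on its own, since a hotfix can legitimately replace the driver.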
