Fun times with Windows Police Pro.
Thread Solved
#32 Oct 21st, 2009
I can't download MBAM at the moment. I think their server is down :x.
http://majorgeeks.com/Malwarebytes_A...are_d5756.html
#33 Oct 21st, 2009
Ok, this is my MBAM log, post-reboot. I can't get back online on my tower, though.
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2
22/10/2009 02:11:36
mbam-log-2009-10-22 (02-11-36).txt
Scan type: Full Scan (C:\|)
Objects scanned: 217424
Time elapsed: 51 minute(s), 37 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: wiplrax.dll -> Delete on reboot.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\wiplrax.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Qoobox\Quarantine\C\WINDOWS\system32\plugie.dll.vir (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{06D6734F-425A-46B3-BB53-F5B2979A35B7}\RP1\A0001113.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
Last edited by Asezat; Oct 21st, 2009 at 10:41 pm. Reason: Added the bit about my internet fail.
#34 Oct 21st, 2009
Ok, this is my MBAM log, post-reboot. I can't get back online on my tower, though.
See if you can restore internet with the steps at bottom of the Combofix linky:
http://www.bleepingcomputer.com/comb...anual_recovery
There is also info on manually installing recovery console - try that if still no internet.
Let me know if you run into trouble.
PP
In some sort of crude sense, which no vulgarity, no humor, no overstatement can quite extinguish, the physicists have known sin; and this is a knowledge which they cannot lose.
~ J. Robert Oppenheimer
ASAP
#35 Oct 21st, 2009
I tried out the instructions on the combofix tutorial, but they didn't work. Something about "not being able to renew the IP address". I don't think that's anything to do with the malware, but I could be wrong *sigh*.
I also tried to download the recovery console, on this laptop. As it happens, for some reason this damn laptop won't connect to microsoft.com. I can't get on MSN, either. I don't know why it's being like this, but it has been for the past few days, just says it can't find the server.
You ever get that feeling like that somewhere someone is laughing at you? :/
#36 Oct 22nd, 2009
You ever get that feeling like that somewhere someone is laughing at you? :/

Let's do this:
At the command prompt type: netsh int ip reset c:\resetlog.txt ENTER
Then type: netsh winsock reset ENTER
Then, Reboot and see if that works. If so, try combofix and recovery console again.
-- I can't remember if you said you have Windows Disk, but you can install recovery console from that, too.....
PP
#37 Oct 22nd, 2009
Ok, that worked! Posting from the ill machine now.
Here's my new combofix log:
ComboFix 09-10-21.02 - Greg Rolls 22/10/2009 21:25.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2047.1728 [GMT 1:00]
Running from: c:\documents and settings\Greg Rolls\My Documents\ComboFix.exe
AV: avast! antivirus 4.8.1229 [VPS 090103-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Greg Rolls\Local Settings\Application Data\{BA329704-D034-4EA0-8960-07CA256C9EA2}
c:\documents and settings\Greg Rolls\Local Settings\Application Data\{BA329704-D034-4EA0-8960-07CA256C9EA2}\chrome.manifest
c:\documents and settings\Greg Rolls\Local Settings\Application Data\{BA329704-D034-4EA0-8960-07CA256C9EA2}\chrome\content\_cfg.js
c:\documents and settings\Greg Rolls\Local Settings\Application Data\{BA329704-D034-4EA0-8960-07CA256C9EA2}\chrome\content\overlay.xul
c:\documents and settings\Greg Rolls\Local Settings\Application Data\{BA329704-D034-4EA0-8960-07CA256C9EA2}\install.rdf
Infected copy of c:\windows\system32\drivers\vaxscsi.sys was found and disinfected
Restored copy from - Kitty ate it :^)
.
((((((((((((((((((((((((( Files Created from 2009-09-22 to 2009-10-22 )))))))))))))))))))))))))))))))
.
2009-10-22 00:16 . 2009-10-22 00:16 -------- d-----w- c:\documents and settings\Greg Rolls\Application Data\Malwarebytes
2009-10-22 00:16 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-22 00:16 . 2009-10-22 00:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-22 00:16 . 2009-10-22 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-22 00:16 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-21 15:46 . 2009-10-21 15:46 -------- d-----w- c:\documents and settings\Greg Rolls\Local Settings\Application Data\Threat Expert
2009-10-21 02:31 . 2009-10-21 02:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Threat Expert
2009-10-15 06:29 . 2009-10-22 01:17 -------- d-----w- c:\program files\Spyware Doctor
2009-10-15 06:29 . 2009-10-21 15:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-15 06:09 . 2009-10-15 06:09 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-15 06:03 . 2009-10-20 23:34 0 ----a-w- c:\windows\Ohamozu.bin
2009-10-15 06:03 . 2009-10-15 06:03 120 ----a-w- c:\windows\Sboqomatumoye.dat
2009-10-15 06:01 . 2009-10-15 06:03 131731 ----a-w- c:\windows\system32\dbsinit.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-22 20:22 . 2005-01-13 15:40 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000000-00000000-00000006-00001102-00000004-20021102}.dat
2009-10-22 20:22 . 2005-01-13 15:40 384 ----a-w- c:\windows\system32\DVCState-{00000000-00000000-00000006-00001102-00000004-20021102}.dat
2009-10-22 20:22 . 2009-04-03 17:16 -------- d-----w- c:\documents and settings\Greg Rolls\Application Data\DNA
2009-10-22 20:16 . 2005-04-30 11:27 -------- d-----w- c:\program files\Microsoft AntiSpyware
2009-10-22 20:12 . 2005-05-15 13:16 -------- d-----w- c:\documents and settings\Greg Rolls\Application Data\Skype
2009-10-22 19:54 . 2009-04-03 17:16 -------- d-----w- c:\program files\DNA
2009-10-22 16:09 . 2005-01-13 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-22 16:09 . 2005-01-13 16:23 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-21 15:32 . 2005-01-13 15:29 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-21 15:26 . 2005-10-03 15:49 -------- d-----w- c:\program files\MAIET
2009-10-21 15:24 . 2005-04-01 19:44 -------- d-----w- c:\program files\Azureus
2009-10-21 15:24 . 2007-11-17 23:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-21 15:24 . 2005-06-16 19:49 -------- d-----w- c:\program files\Lavasoft
2009-10-13 20:00 . 2005-07-06 22:17 -------- d-----w- c:\program files\World of Warcraft
2009-10-12 18:33 . 2009-04-03 17:16 -------- d-----w- c:\documents and settings\Greg Rolls\Application Data\BitTorrent
2009-10-06 13:45 . 2005-01-27 22:34 -------- d-----w- c:\program files\mIRC
2009-09-15 22:05 . 2005-02-05 04:51 28160 ----a-w- c:\documents and settings\Greg Rolls\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-15 22:04 . 2009-09-15 22:04 -------- d-----w- c:\program files\Microsoft
2009-09-15 22:04 . 2009-09-15 22:03 -------- d-----w- c:\program files\Windows Live
2009-09-15 22:04 . 2009-09-15 22:04 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-09-15 22:02 . 2009-09-15 22:02 -------- d-----w- c:\program files\Common Files\Windows Live
2009-08-31 17:32 . 2009-08-31 17:29 -------- d-----w- c:\documents and settings\Greg Rolls\Application Data\Mra
2009-08-31 17:29 . 2009-08-31 17:29 -------- d-----w- c:\program files\Mail.Ru
2009-08-28 09:26 . 2009-08-28 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-07-26 15:44 . 2009-07-26 15:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2002-11-19 15:01 . 2005-03-02 02:29 28672 ----a-w- c:\program files\opera\program\plugins\PlugDef.dll
2004-08-04 12:00 . 2004-08-04 12:00 165988 --sha-r- c:\windows\system32\ptdtaqc.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-10-21_02.11.55 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 12:00 . 2009-05-30 00:58 52880 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-10-21 15:14 52880 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-10-21 15:14 380658 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-05-30 00:58 380658 c:\windows\system32\perfh009.dat
+ 2005-01-13 12:57 . 2009-10-22 01:17 130888 c:\windows\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-10-08 139264]
"AIM"="c:\program files\AIM\aim.exe" [2004-08-10 61440]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-08-25 23090984]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-04-03 321344]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2009-02-03 240544]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 339968]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-09-13 1450096]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2004-12-20 33792]
"DeadAIM"="c:\program files\AIM\\DeadAIM.ocm" [2004-02-23 144896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 36975]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-02-10 473920]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]
"Motive SmartBridge"="c:\progra~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe" [2003-12-30 380928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"wltray.exe"="c:\windows\system32\wltray.exe" [2005-01-29 696422]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-28 185896]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"MAgent"="c:\program files\Mail.Ru\Agent\MAgent.exe" [2009-08-31 7975608]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"PtiuPbmd"="ptipbm.dll" - c:\windows\system32\ptipbm.dll [2003-01-15 24576]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2003-10-06 24576]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2004-06-08 29696]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2005-1-13 581632]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-6-22 118784]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^broadband medic.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\broadband medic.lnk
backup=c:\windows\pss\broadband medic.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=c:\windows\pss\PalTalk.lnkCommon Startup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\KCeasy\\giFT\\giFTl.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1134:TCP"= 1134:TCP:fwoyzic
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [04/11/2008 21:33 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [04/11/2008 21:33 20560]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\PfModNT.sys [13/01/2005 16:33 15840]
S2 sekvhtb;Security System;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 13:00 14336]
S3 iMSPCLOj;iMSPCLOj;\??\c:\docume~1\GREGRO~1\LOCALS~1\Temp\iMSPCLOj.sys --> c:\docume~1\GREGRO~1\LOCALS~1\Temp\iMSPCLOj.sys [?]
S3 qqpcv;qqpcv;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 rzwrcfbg;rzwrcfbg;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
sekvhtb
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ntlworld.com/broadband
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} - c:\program files\Mail.Ru\Agent\magent.exe
FF - ProfilePath - c:\documents and settings\Greg Rolls\Application Data\Mozilla\Firefox\Profiles\gzs7vvqp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Opera\Program\Plugins\np32dsw.dll
FF - plugin: c:\program files\Opera\Program\Plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\Program\Plugins\nprjplug.dll
FF - plugin: c:\program files\Opera\Program\Plugins\nprpjplug.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{472734EA-242A-422B-ADF8-83D1E48CC825} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-22 21:34
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qqpcv]
"ImagePath"="\??\c:\windows\system32\01.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rzwrcfbg]
"ImagePath"="\??\c:\windows\system32\02.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sekvhtb]
"ServiceDll"="c:\windows\system32\ptdtaqc.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(592)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-10-22 21:37
ComboFix-quarantined-files.txt 2009-10-22 20:36
ComboFix2.txt 2009-10-21 02:26
Pre-Run: 10,868,801,536 bytes free
Post-Run: 10,846,228,480 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 67D5989C7922FB0E18F2DD2018539B52
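As a defender's worked example (added here; not a tool from the thread, ComboFix or Malwarebytes), the script below runs simple triage rules over lines of the shape seen in the MBAM log in #33 and the ComboFix log in #37: a non-default LSA Notification Package, services whose binary is a .tmp file, a svchost-hosted service with an unknown ServiceDll, a hidden/system DLL referenced as a ServiceDll, the firewall switched off, and a globally open port. The sample lines are constructed from the posted logs; the rule names and the scecli-only LSA default are assumptions.

```python
"""Triage heuristics for MBAM / ComboFix log lines like the ones posted above.

Added example, not the thread's own tool and not part of ComboFix or
Malwarebytes. Assumptions: line formats are those visible in the posted logs,
and scecli is the only LSA Notification Package present on a default XP box.
"""
import re
from dataclasses import dataclass

# Rule names (assumed labels, also used by the assertions).
LSA_PACKAGE = "non-default LSA notification package"
TMP_SERVICE = "service binary is a .tmp file"
SVCHOST_SERVICE = "svchost-hosted service; check its ServiceDll"
HIDDEN_SERVICE_DLL = "service DLL carries hidden/system attributes"
SERVICE_DLL_REVIEW = "service DLL not in the default set"
FIREWALL_OFF = "Windows Firewall disabled"
OPEN_PORT = "globally open firewall port"

# Constructed sample: lines lifted in shape from the logs above. The aswSP
# service, the sirenacm.dll entry and the avast! Run entry are negative controls.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: wiplrax.dll -> Delete on reboot.
2004-08-04 12:00 . 2004-08-04 12:00 165988 --sha-r- c:\windows\system32\ptdtaqc.dll
2009-07-26 15:44 . 2009-07-26 15:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
"EnableFirewall"= 0 (0x0)
"1134:TCP"= 1134:TCP:fwoyzic
S2 sekvhtb;Security System;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 13:00 14336]
S3 qqpcv;qqpcv;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 rzwrcfbg;rzwrcfbg;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [04/11/2008 21:33 78416]
"ImagePath"="\??\c:\windows\system32\01.tmp"
"ServiceDll"="c:\windows\system32\ptdtaqc.dll"
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"""


@dataclass
class Finding:
    severity: str  # "high" or "review"
    rule: str
    line: str


# ComboFix service line: R/S + start type, name;description;path [date size]
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)(?: \[.*\])?$")
# Find3M line: created . modified size attributes path
FIND3M_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d (?P<size>\S+) (?P<attr>\S{8}) (?P<path>.+)$"
)
KEY_RE = re.compile(r'^"(?P<key>ImagePath|ServiceDll)"="(?P<path>[^"]+)"', re.I)
LSA_RE = re.compile(r"\\LSA\\Notification Packages.*?Data: (?P<dll>\S+)", re.I)
LSA_DEFAULT = {"scecli"}


def hidden_files(log_text):
    """Paths from Find3M-style lines whose attribute field has the hidden flag.

    In the posted log ptdtaqc.dll is --sha-r- (system, hidden, read-only) and
    timestamped 2004-08-04 12:00, the same stamp as the XP SP2 system files
    (compare perfc009.dat in the SnapShot section), so its attributes rather
    than its date are what give it away.
    """
    out = set()
    for line in log_text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if m and "h" in m["attr"] and not m["attr"].startswith("d"):
            out.add(m["path"].lower())
    return out


def triage(log_text):
    """Return one Finding per suspicious line; lines matching no rule are skipped."""
    hidden = hidden_files(log_text)
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LSA_RE.search(line)
        if m:
            if re.sub(r"\.dll$", "", m["dll"].lower()) not in LSA_DEFAULT:
                findings.append(Finding("high", LSA_PACKAGE, line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            path = m["path"].lower()
            if ".tmp" in path:
                findings.append(Finding("high", TMP_SERVICE, line))
            elif "svchost.exe -k" in path:
                findings.append(Finding("review", SVCHOST_SERVICE, line))
            continue
        m = KEY_RE.match(line)
        if m:
            path = m["path"].lower().replace("\\??\\", "")
            if ".tmp" in path:
                findings.append(Finding("high", TMP_SERVICE, line))
            elif path in hidden:
                findings.append(Finding("high", HIDDEN_SERVICE_DLL, line))
            else:
                findings.append(Finding("review", SERVICE_DLL_REVIEW, line))
            continue
        if re.match(r'^"EnableFirewall"=\s*0\b', line, re.I):
            findings.append(Finding("high", FIREWALL_OFF, line))
        elif re.match(r'^"\d+:(?:TCP|UDP)"=', line, re.I):
            findings.append(Finding("review", OPEN_PORT, line))
    return findings


def counts(findings):
    """Number of findings per severity, for a quick summary."""
    out = {"high": 0, "review": 0}
    for f in findings:
        out[f.severity] += 1
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule}: {f.line}")
```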
#38 Oct 22nd, 2009
Ok, that worked! Posting from the ill machine now.
Here's my new combofix log:
There is still some malware showing that we need to address - I will post something for you as soon as I can - probably won't be for a few hours as I am tied up at the moment.
A few things while I work that up:
-- Keep the ill machine offline
-- Disable SpyBotSD Tea Timer
http://russelltexas.com/malware/teatimer.htm
-- Remove ALL P2P stuff, at least until we are finished. I generally don't lecture about this - If you want more info on the ever increasing danger of P2P, I'll be happy to provide it. I will say that 90% of the machines I see infected with WPP or a variant have multiple P2P apps.....
Uninstall or, at the very least, disable:
Program Files\LimeWire
Program Files\BitTorrent
Program Files\DNA
Program Files\KCeasy
I'll post the next fix as soon as I can.
PP
In some sort of crude sense, which no vulgarity, no humor, no overstatement can quite extinguish, the physicists have known sin; and this is a knowledge which they cannot lose.
~ J. Robert Oppenheimer
ASAP
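As an added defender-side example (not part of this thread, and not ComboFix's own code), here is a small Python triage pass over ComboFix-style service lines like the ones in the log above. It flags the three persistence patterns that log shows: a driver whose image is a .tmp file, a driver loaded from a user Temp directory, and a svchost "netsvcs" member that is not in a known baseline. The sample log lines are constructed from the thread's log, and the KNOWN_NETSVCS allow-list is a hypothetical, deliberately short baseline.

```python
"""Triage ComboFix-style service lines (R?/S? entries) for persistence red flags."""
import re

# Constructed sample, modelled on the service section of the ComboFix log in this thread.
SAMPLE_LOG = """\
R1 aswSP;avast! Self Protection;c:\\windows\\system32\\drivers\\aswSP.sys [04/11/2008 21:33 78416]
S2 sekvhtb;Security System;c:\\windows\\system32\\svchost.exe -k netsvcs [04/08/2004 13:00 14336]
S3 iMSPCLOj;iMSPCLOj;\\??\\c:\\docume~1\\GREGRO~1\\LOCALS~1\\Temp\\iMSPCLOj.sys --> c:\\docume~1\\GREGRO~1\\LOCALS~1\\Temp\\iMSPCLOj.sys [?]
S3 qqpcv;qqpcv;\\??\\c:\\windows\\system32\\01.tmp --> c:\\windows\\system32\\01.tmp [?]
"""

# Hypothetical, deliberately short allow-list of netsvcs group members; a real
# baseline would be taken from a known-clean machine of the same Windows build.
KNOWN_NETSVCS = {"browser", "dhcp", "lanmanserver", "lanmanworkstation", "schedule", "themes", "wuauserv"}

LINE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")


def parse_service_line(line):
    """Return (state, name, display, image_path) or None for a non-service line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, name, display, rest = m.groups()
    if " --> " in rest:                      # ComboFix shows "raw path --> resolved path"
        rest = rest.split(" --> ", 1)[1]
    image = re.sub(r"\s+\[[^\]]*\]$", "", rest)   # drop trailing "[date time size]" or "[?]"
    return state, name, display, image


def triage(log_text, known_netsvcs=KNOWN_NETSVCS):
    """Map service name -> list of reasons it deserves a closer look."""
    findings = {}
    for line in log_text.splitlines():
        parsed = parse_service_line(line)
        if not parsed:
            continue
        state, name, display, image = parsed
        low = image.lower()
        reasons = []
        if low.endswith(".tmp"):
            reasons.append("driver image is a .tmp file")
        if "\\temp\\" in low:
            reasons.append("driver image lives in a user Temp directory")
        if "svchost.exe -k netsvcs" in low and name.lower() not in known_netsvcs:
            reasons.append("unknown netsvcs member; inspect its ServiceDll value")
        if reasons:
            findings[name] = reasons
    return findings
```

Calling `triage(SAMPLE_LOG)` flags sekvhtb, iMSPCLOj and qqpcv and leaves the avast driver alone; the svchost finding is only a pointer, since the actual payload is named by the service's ServiceDll value (ptdtaqc.dll in the log above).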
0
#39 Oct 22nd, 2009
Ok, I'll clear all that stuff out. I never use any of those programs anymore, excepting BT on rare occasions as it is. I actually know where I got the infection from, and though it was down to my being stupid, in this case it wasn't from P2P.
I'm thinking I'll probably reformat once the computer is safe enough for me to lift my files off anyway. I've never done it before though, it should be interesting :-P.
0
#40 Oct 22nd, 2009
I'm thinking I'll probably reformat once the computer is safe enough for me to lift my files off anyway. I've never done it before though, it should be interesting :-P.
Otherwise there is a ton of other things we would need to do regarding your outdated Java and others, Security Programs, that error on boot (BIOS not found - probably your Promise hard drive controller) etc...
A reformat would render all that moot. Let me know & I can help you with that if you need it. Be sure you can find that Windows disk.
Also, you can use imgburn to burn an ISO of SP3 . . .. Guess you'll cross that bridge when you get to it.
OK - back to the problem at hand:
-- c:\program files\Mail.Ru -- You installed and use this? Just checking.
-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.
-- Let Combofix run as before and post me that log.
And . . . We'll go from there

PP
Last edited by PhilliePhan; 24 Days Ago at 8:11 pm.
In some sort of crude sense, which no vulgarity, no humor, no overstatement can quite extinguish, the physicists have known sin; and this is a knowledge which they cannot lose.
~ J. Robert Oppenheimer
ASAP