
PLEASE move this, I can't access the HJT/Malware forum! HELP!


  • This topic is locked
24 replies to this topic

#1 KarenRose


  • Members
  • 24 posts
  • Gender:Female
  • Location:Babylon, NY

Posted 06 January 2009 - 05:14 PM

I've used SpyBot S&D to remove "Antivirus 360" and "Security Center", but I still have my browsers hijacked, and MBAM and HJT are shut down immediately every time I attempt to open or install a new copy. If I try to access almost any web page containing HJT or Malware, IE7 automatically shuts down (including a lot of the instruction pages @ BC, and the programs' websites).

Likewise, every time I try to open the HijackThis Logs and Malware Removal forum, IE (Safari, too) shuts down. GRRRRR

So, I'm posting my DDS log here, hopefully someone can move it to the proper forum, with a note saying to PM me the info since I cannot access the forum at all!!


DDS HJT log:

DDS (Version 1.1.0) - NTFSx86
Run by thomas c at 15:05:45.60 on Tue 01/06/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.471 [GMT -5:00]

AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\DELLSU~1\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\SlimServer\SlimTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\SLIMSE~1\server\Bin\MSWIN3~1\mysqld.exe
C:\Program Files\SlimServer\server\slim.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\thomas canale\Local Settings\Temporary Internet Files\Content.IE5\X6QE8KYD\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com
BHO: AutorunsDisabled - No File
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
TB: ShopAtHome Toolbar: {98279c38-de4b-4bcf-93c9-8ec26069d6f4} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [DellSupport] "c:\progra~1\dellsu~1\DSAgnt.exe" /startup
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 12\pccguide.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Dell AIO Printer A940] "c:\program files\dell aio printer a940\dlbabmgr.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [359F5809-00B8-4455-A73A-9EA62A51101B] "c:\documents and settings\all users\application data\58DF9FC1.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\documents and settings\thomas canale\start menu\programs\accessories\startup\.security
StartupFolder: c:\docume~1\thomas~1\startm~1\programs\access~1\startup\adobem~1.lnk - c:\program files\adobe media player\Adobe Media Player.exe
StartupFolder: c:\docume~1\thomas~1\startm~1\programs\access~1\startup\autoru~1\openof~1.lnk - c:\program files\openoffice.org 2.3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\slimse~1.lnk - c:\program files\slimserver\SlimTray.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: musicmatch.com\online
Notify: bbfbafdbccebded - c:\windows\system32\bbfbafdbccebded.dll
SSODL: shellservice - {8FB2D6CA-E258-48CF-9DAB-EEFB735E225C} - c:\windows\system32\config\atww\ShellService.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\thomas~1\applic~1\mozilla\firefox\profiles\3e122yvw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - component: c:\program files\mozilla firefox\components\acabfedadcbb.dll
FF - component: c:\program files\mozilla firefox\components\ffe.dll

============= SERVICES / DRIVERS ===============

R4 filesvc;filesvc;c:\windows\system32\config\atww\filesvc.sys [2007-1-23 9216]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 procdrv;procdrv;c:\windows\system32\config\atww\procdrv.sys [2007-1-23 6144]
R4 regfil;regfil;c:\windows\system32\config\atww\regfil.sys [2007-1-23 7552]
R4 SlimServerMySQL;SlimServerMySQL;c:\progra~1\slimse~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\progra~1\slimse~1\server\cache\my.cnf slimservermysql --> c:\progra~1\slimse~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\progra~1\slimse~1\server\cache\my.cnf SlimServerMySQL [?]
R4 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-2-18 205328]
R4 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2005-8-22 290889]
R4 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-2-18 36368]
R4 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2005-4-25 262215]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-10-9 38496]
S4 lgatbus;LG USB Composite Device driver (WDM);c:\windows\system32\drivers\lgatbus.sys [2007-4-23 43024]
S4 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\system32\drivers\lgatmdm.sys [2007-4-23 77104]
S4 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);c:\windows\system32\drivers\lgatserd.sys [2007-4-23 60816]
S4 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\opencase\opencase media agent\MediaAgent.exe [2008-8-5 835208]

=============== Created Last 30 ================

2008-12-29 23:25 <DIR> --d----- C:\GTL
2008-12-29 21:50 <DIR> --d----- C:\GTR2
2008-12-13 21:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

==================== Find3M ====================

2008-12-27 23:27 5,018 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-03 19:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-17 15:04 2,306,113 a------- c:\windows\system32\GPhotos.scr
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 08:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 08:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 11:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 02:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 02:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-10-09 09:53 77,824 a------- c:\windows\zipexe_r.exe
2008-10-09 09:07 65,428 a------- c:\windows\system32\aaaakjluwini104552502.jpg33.exe
2007-08-19 19:06 774,144 a------- c:\program files\RngInterstitial.dll
2006-12-09 17:57 32 a----r-- c:\documents and settings\all users\hash.dat
2006-09-29 05:56 18,221 a------- c:\docume~1\thomas~1\applic~1\FNTCACHE.BIN
2006-09-29 05:49 3,514 a------- c:\docume~1\thomas~1\applic~1\perfc012.dat
2008-03-25 12:44 88 ---shr-- c:\windows\system32\890CC586E0.sys
2008-10-01 06:03 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100120081002\index.dat

============= FINISH: 15:06:38.79 ===============



THANK YOU!!!

Edited by KarenRose, 06 January 2009 - 05:14 PM.

:::::::::I LOVE MY MAC!::::::::::
Now if only all my friends had macs...... GRRRRR!!!



#2 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 13 January 2009 - 05:48 PM

Hello.

Seems you have a badly infected machine. Since you probably can't access the net using your infected machine, please use your clean machine to download Combofix and Microsoft's package to install the Recovery Console if you haven't already and run Combofix. Instructions can be found below.

Download and Run ComboFix

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


Refer to the page below for further instructions on running ComboFix. This includes installing the Recovery Console. Note that you do not need your Windows XP disk to install it.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Double click on Combo-Fix.exe & follow the prompts.

When finished, it will produce a report for you. Post back with it. It is at C:\ComboFix.txt.

Do not mouseclick the ComboFix window while it's running. That may cause it to stall.

Post back with:
-Combofix log
-DDS/hijackthis log


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 KarenRose

  • Topic Starter

  • Members
  • 24 posts
  • Gender:Female
  • Location:Babylon, NY

Posted 14 January 2009 - 12:15 PM

OK, so today web pages were being redirected, so I tried to run Spybot S&D to see if there was a new problem, and it wouldn't start. So I rebooted, but only got the desktop photo. So I rebooted in safe mode, but I just get the black screen that says "Safe Mode" in the corners and "Microsoft ® Windows XP..." on top. I have a cursor and am running CF now.

(Sorry for rambling, but at this point I'm not sure what's important and what's not!)

Edited by KarenRose, 14 January 2009 - 01:03 PM.


#4 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 14 January 2009 - 01:07 PM

Hello.

I just saw you edit your post. Also, why are you running Combofix in Safe Mode? Anyway, since you are already running Combofix, just let it run. Once it's finished, post back with the logs I requested.

I need to leave now; I'll get back to you once I come back.

With Regards,
Extremeboy

#5 KarenRose

  • Topic Starter

  • Members
  • 24 posts
  • Gender:Female
  • Location:Babylon, NY

Posted 14 January 2009 - 02:58 PM

Safe mode was only to try and get the start menu to show up! ... The icons & start menu came back spontaneously after running CF.
Also, CF told me to copy the following & then rebooted itself; don't know if you need it:

c:\windows\system32\drivers\TDSSmhlt.sys
c:\windows\system32\TDSSoiqt.dll
c:\windows\system32\TDSSlrvd.dat
c:\windows\system32\TDSShrsr.dll
c:\windows\system32\TDSSrtqp.dll
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\TDSSkkbi.log
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSSrhyp.log



CF LOG:

ComboFix 09-01-13.04 - thomas cana 2009-01-14 14:18:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.617 [GMT -5:00]
Running from: F:\Combo-Fix.exe
AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
.

2009-01-14 13:10 . 2009-01-14 13:10 <DIR> d-------- C:\New Folder
2009-01-12 16:22 . 2009-01-14 13:28 <DIR> d--hs---- c:\windows\system32\twain32
2009-01-09 15:19 . 2009-01-13 23:43 869 --a------ c:\windows\CoDUO.INI
2009-01-07 19:59 . 2009-01-14 00:21 <DIR> d-------- c:\program files\Call of Duty Game of the Year Edition
2009-01-07 19:57 . 2009-01-11 00:29 766 --a------ c:\windows\CoD.INI
2009-01-05 16:40 . 2009-01-05 16:40 4,096 --ahs---- c:\documents and settings\Thumbs.db
2009-01-05 16:34 . 2009-01-05 16:34 <DIR> d----c--- c:\documents and settings\Administrator\Application Data\Lavasoft
2008-12-29 23:25 . 2008-12-29 23:31 <DIR> d-------- C:\GTL
2008-12-29 21:50 . 2008-12-29 21:57 <DIR> d-------- C:\GTR2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 17:05 --------- d-----w c:\program files\Ma
2009-01-06 15:11 --------- d-----w c:\program files\Google
2009-01-06 04:20 --------- d--h--w c:\documents and settings\thomas canale\Application Data\Move Networks
2009-01-05 21:00 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-28 04:27 5,018 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-12-15 22:05 --------- d-----w c:\documents and settings\thomas canale\Application Data\U3
2008-12-14 02:42 --------- d-----w c:\program files\iTunes
2008-12-14 02:42 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-14 02:41 --------- d-----w c:\program files\iPod
2008-12-14 02:38 --------- d-----w c:\program files\QuickTime
2008-12-14 02:37 --------- d-----w c:\program files\Common Files\Apple
2008-12-14 02:29 --------- d-----w c:\program files\Safari
2008-12-11 20:34 --------- d-----w c:\program files\Dell AIO Printer A940
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-06 02:44 --------- d-----w c:\documents and settings\thomas canale\Application Data\Apple Computer
2008-12-04 00:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 00:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-11-26 22:42 36,368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2008-11-26 22:42 205,328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2008-11-26 22:39 1,195,384 ----a-w c:\windows\system32\drivers\VsapiNT.sys
2008-11-22 20:00 --------- d-----w c:\program files\Netflix
2008-11-18 05:21 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-11-17 20:04 2,306,113 ----a-w c:\windows\system32\GPhotos.scr
2008-11-16 17:37 --------- d-----w c:\documents and settings\thomas canale\Application Data\OpenOffice.org2
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2007-08-20 00:06 774,144 ----a-w c:\program files\RngInterstitial.dll
2006-12-09 22:57 32 ----a-r c:\documents and settings\All Users\hash.dat
2006-09-29 10:56 18,221 ----a-w c:\documents and settings\thomas canale\Application Data\FNTCACHE.BIN
2006-09-29 10:49 3,514 ----a-w c:\documents and settings\thomas canale\Application Data\perfc012.dat
2009-01-05 16:22 66,576 ----a-w c:\program files\mozilla firefox\components\acabfedadcbb.dll
2006-12-28 21:17 270,455 ----a-w c:\program files\mozilla firefox\components\ffe.dll
2008-03-25 17:44 88 --sh--r c:\windows\system32\890CC586E0.sys
2008-10-01 11:03 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100120081002\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-22 823362]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 86102]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-28 185896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"359F5809-00B8-4455-A73A-9EA62A51101B"="c:\documents and settings\All Users\Application Data\58DF9FC1.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

c:\documents and settings\thomas canale\Start Menu\Programs\Accessories\Startup\
.security [2008-10-08 0]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-08-13 24576]
SlimServer Tray Tool.lnk - c:\program files\SlimServer\SlimTray.exe [2007-05-28 3387461]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\EA Games\\Need For Speed Hot Pursuit 2\\NFSHP2.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Best Buy Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\OpenCase\\OpenCASE Media Agent\\PandoBinaries\\NBCPandoREST.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"47611:TCP"= 47611:TCP:*:Disabled:null
"9000:TCP"= 9000:TCP:SlimServer 9000 tcp
"3483:UDP"= 3483:UDP:SlimServer 3483 udp
"3483:TCP"= 3483:TCP:SlimServer 3483 tcp
"56974:TCP"= 56974:TCP:PandoRest Listening Port

R4 filesvc;filesvc;c:\windows\system32\config\atww\filesvc.sys [2007-01-23 9216]
R4 procdrv;procdrv;c:\windows\system32\config\atww\procdrv.sys [2007-01-23 6144]
R4 regfil;regfil;c:\windows\system32\config\atww\regfil.sys [2007-01-23 7552]
R4 SlimServerMySQL;SlimServerMySQL;c:\progra~1\SLIMSE~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\progra~1\SLIMSE~1\server\Cache\my.cnf SlimServerMySQL --> c:\progra~1\SLIMSE~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\progra~1\SLIMSE~1\server\Cache\my.cnf SlimServerMySQL [?]
R4 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-02-18 205328]
R4 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2005-08-22 290889]
R4 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-02-18 36368]
R4 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2005-04-25 262215]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-10-09 38496]
S4 lgatbus;LG USB Composite Device driver (WDM);c:\windows\system32\drivers\lgatbus.sys [2007-04-23 43024]
S4 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\system32\drivers\lgatmdm.sys [2007-04-23 77104]
S4 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);c:\windows\system32\drivers\lgatserd.sys [2007-04-23 60816]
S4 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCase\OpenCASE Media Agent\MediaAgent.exe [2008-08-05 835208]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

Notify-bbfbafdbccebded - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
Trusted Zone: online.musicmatch.com
FF - ProfilePath - c:\documents and settings\thomas canale\Application Data\Mozilla\Firefox\Profiles\3e122yvw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - component: c:\program files\Mozilla Firefox\components\acabfedadcbb.dll
FF - component: c:\program files\Mozilla Firefox\components\ffe.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 14:28:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\102df52fcdb0a6efabecc028095662a1.sys 39936 bytes executable
c:\windows\system32\_102df52fcdb0a6efabecc028095662a1.sys_.vir 39936 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\102df52fcdb0a6efabecc028095662a1]
"ImagePath"="system32\102df52fcdb0a6efabecc028095662a1.sys"
.
Completion time: 2009-01-14 14:32:06
ComboFix-quarantined-files.txt 2009-01-14 19:31:09
ComboFix2.txt 2009-01-14 18:43:54

Pre-Run: 189,443,772,416 bytes free
Post-Run: 189,426,552,832 bytes free

180 --- E O F --- 2009-01-14 16:27:48





DDS LOG

DDS (Ver_09-01-07.01) - NTFSx86
Run by thomas cana at 14:42:19.34 on Wed 01/14/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.427 [GMT -5:00]

AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SlimServer\SlimTray.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\SLIMSE~1\server\Bin\MSWIN3~1\mysqld.exe
C:\Program Files\SlimServer\server\slim.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
F:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
BHO: AutorunsDisabled - No File
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 12\pccguide.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Dell AIO Printer A940] "c:\program files\dell aio printer a940\dlbabmgr.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [359F5809-00B8-4455-A73A-9EA62A51101B] "c:\documents and settings\all users\application data\58DF9FC1.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\documents and settings\thomas canale\start menu\programs\accessories\startup\.security
StartupFolder: c:\docume~1\thomas~1\startm~1\programs\access~1\startup\adobem~1.lnk - c:\program files\adobe media player\Adobe Media Player.exe
StartupFolder: c:\docume~1\thomas~1\startm~1\programs\access~1\startup\autoru~1\openof~1.lnk - c:\program files\openoffice.org 2.3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\slimse~1.lnk - c:\program files\slimserver\SlimTray.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: musicmatch.com\online
SSODL: shellservice - {8FB2D6CA-E258-48CF-9DAB-EEFB735E225C} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\thomas~1\applic~1\mozilla\firefox\profiles\3e122yvw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - component: c:\program files\mozilla firefox\components\acabfedadcbb.dll
FF - component: c:\program files\mozilla firefox\components\ffe.dll

============= SERVICES / DRIVERS ===============

R4 filesvc;filesvc;c:\windows\system32\config\atww\filesvc.sys [2007-1-23 9216]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 procdrv;procdrv;c:\windows\system32\config\atww\procdrv.sys [2007-1-23 6144]
R4 regfil;regfil;c:\windows\system32\config\atww\regfil.sys [2007-1-23 7552]
R4 SlimServerMySQL;SlimServerMySQL;c:\progra~1\slimse~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\progra~1\slimse~1\server\cache\my.cnf slimservermysql --> c:\progra~1\slimse~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\progra~1\slimse~1\server\cache\my.cnf SlimServerMySQL [?]
R4 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-2-18 205328]
R4 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2005-8-22 290889]
R4 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-2-18 36368]
R4 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2005-4-25 262215]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-10-9 38496]
S4 lgatbus;LG USB Composite Device driver (WDM);c:\windows\system32\drivers\lgatbus.sys [2007-4-23 43024]
S4 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\system32\drivers\lgatmdm.sys [2007-4-23 77104]
S4 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);c:\windows\system32\drivers\lgatserd.sys [2007-4-23 60816]
S4 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\opencase\opencase media agent\MediaAgent.exe [2008-8-5 835208]

=============== Created Last 30 ================

2009-01-14 13:10 <DIR> --d----- C:\New Folder
2009-01-14 13:05 <DIR> --d----- C:\cmdcons
2009-01-14 12:56 161,792 a------- c:\windows\SWREG.exe
2009-01-14 12:56 98,816 a------- c:\windows\sed.exe
2009-01-12 16:22 <DIR> --dsh--- c:\windows\system32\twain32
2009-01-09 15:19 869 a------- c:\windows\CoDUO.INI
2009-01-07 19:59 <DIR> --d----- c:\program files\Call of Duty Game of the Year Edition
2009-01-07 19:57 766 a------- c:\windows\CoD.INI
2008-12-29 23:25 <DIR> --d----- C:\GTL
2008-12-29 21:50 <DIR> --d----- C:\GTR2

==================== Find3M ====================

2008-12-27 23:27 5,018 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-03 19:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-26 17:42 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys
2008-11-26 17:42 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2008-11-26 17:39 1,195,384 a------- c:\windows\system32\drivers\VsapiNT.sys
2008-11-17 15:04 2,306,113 a------- c:\windows\system32\GPhotos.scr
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2007-08-19 19:06 774,144 a------- c:\program files\RngInterstitial.dll
2006-12-09 17:57 32 a----r-- c:\documents and settings\all users\hash.dat
2006-09-29 05:56 18,221 a------- c:\docume~1\thomas~1\applic~1\FNTCACHE.BIN
2006-09-29 05:49 3,514 a------- c:\docume~1\thomas~1\applic~1\perfc012.dat
2008-03-25 12:44 88 ---shr-- c:\windows\system32\890CC586E0.sys
2008-10-01 06:03 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100120081002\index.dat

============= FINISH: 14:42:40.68 ===============





THANK YOU SO MUCH FOR YOUR HELP & EXPERTISE!!

:::::::::I LOVE MY MAC!::::::::::
Now if only all my friends had macs...... GRRRRR!!!

#6 extremeboy

extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 14 January 2009 - 03:30 PM

Hello.

Rootkit Threat

Unfortunately, one or more of the identified infections is a rootkit/backdoor trojan.

IMPORTANT NOTE: TDSS[random characters.***] is related to a nasty variant of the TDSSSERV rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system, bypassing security mechanisms and stealing sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy anymore. If you wish to proceed, please follow my instructions below.

Safe-mode was only to try and get the start menu to show up!

Next time if things like this happen, you could tell me and there will be alternatives for running Combofix even if your start menu doesn't appear :thumbsup:

Also, CF told me to copy the following & then rebooted itself, dunno if you need it:

Thanks. Good job on listening to the instructions. :)

One question for you: did you run Combofix twice? It seems you did. Please navigate to the folder C:\Qoobox.
In that folder there should be a text file called "ComboFix2.txt". I would like to see that. In addition to everything else, I would also like to see a GMER scan to check for rootkits.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important! Please do not select the Show all checkbox during the scan.

Post back with:
-Combofix2.txt
-GMER log


With Regards,
Extremeboy

Edited by extremeboy, 14 January 2009 - 03:31 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 KarenRose

KarenRose
  • Topic Starter
  • Members
  • 24 posts
  • Gender:Female
  • Location:Babylon, NY

Posted 14 January 2009 - 04:43 PM

Yeah, the 1st time I ran CF, someone didn't listen & used the comp. while I stepped out. I'll ask, and I didn't see they saved the log it created, so I did it again ;)
I'll look for installation disks to see if I can re-install, but I don't think it came with any (it's my best friend's computer)

ComboFix2.txt

ComboFix 09-01-13.04 - thomas cana 2009-01-14 13:18:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.480 [GMT -5:00]
Running from: F:\Combo-Fix.exe
AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\thomas canale\Start Menu\Programs\System Security
c:\documents and settings\thomas canale\Start Menu\Programs\System Security\System Security.lnk
c:\program files\SelectRebates
c:\program files\SelectRebates\FFToolbar\chrome.manifest
c:\program files\SelectRebates\FFToolbar\chrome\content\options.js
c:\program files\SelectRebates\FFToolbar\chrome\content\options.xul
c:\program files\SelectRebates\FFToolbar\chrome\content\sahtoolbar.js
c:\program files\SelectRebates\FFToolbar\chrome\content\sahtoolbar.xul
c:\program files\SelectRebates\FFToolbar\chrome\locale\en-US\contents.rdf
c:\program files\SelectRebates\FFToolbar\chrome\locale\en-US\sahtoolbar.dtd
c:\program files\SelectRebates\FFToolbar\chrome\locale\en-US\sahtoolbar.dtd.skin
c:\program files\SelectRebates\FFToolbar\chrome\locale\en-US\sahtoolbar.properties
c:\program files\SelectRebates\FFToolbar\chrome\skin\3rdParty.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\add-folderplus.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\add-plussign.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\alert-blue.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\alert-red.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\bluebar.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\dollarsign.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\FindWords.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\gripper.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\icon-magnifying.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\invite.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\invite2.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\my-blue.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\my-gray.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\my-green.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\my-red.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\Options.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\S.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\SAH-LogoHotSpots.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\SAH-logotext.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\SAH-mainlogo-v1.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\SAH-mainlogo-v2.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\sahtoolbar.css
c:\program files\SelectRebates\FFToolbar\chrome\skin\Scissors.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\Search.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\shoppingcart.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\singleperson.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\star.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\thumb2.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\Thumbs.db
c:\program files\SelectRebates\FFToolbar\chrome\skin\toolbar-images-ALL.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\Toolbar_HelpAndFeedback.png
c:\program files\SelectRebates\FFToolbar\chrome\skin\Wrench.png
c:\program files\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js
c:\program files\SelectRebates\FFToolbar\install.rdf
c:\program files\SelectRebates\SahImages\bg-gradient.gif
c:\program files\SelectRebates\SahImages\button-close.gif
c:\program files\SelectRebates\SahImages\button-finish.gif
c:\program files\SelectRebates\SahImages\icon-desktop.gif
c:\program files\SelectRebates\SahImages\sah-logopop.gif
c:\program files\SelectRebates\SahImages\sah-logopoplg.gif
c:\program files\SelectRebates\SelectAlerts.dat
c:\program files\SelectRebates\SelectRebates.dll
c:\program files\SelectRebates\SelectRebates.exe
c:\program files\SelectRebates\SelectRebates.ini
c:\program files\SelectRebates\SelectRebatesA.dat
c:\program files\SelectRebates\SelectRebatesApi.exe
c:\program files\SelectRebates\SelectRebatesB.dat
c:\program files\SelectRebates\SelectRebatesBT.dat
c:\program files\SelectRebates\SelectRebatesDownload.exe
c:\program files\SelectRebates\SelectRebatesUninstall.exe
c:\program files\SelectRebates\Toolbar\Add.bmp
c:\program files\SelectRebates\Toolbar\AdvancedOptions.html
c:\program files\SelectRebates\Toolbar\basis.xml
c:\program files\SelectRebates\Toolbar\Basis.xml.dym
c:\program files\SelectRebates\Toolbar\Blank.bmp
c:\program files\SelectRebates\Toolbar\button-CloseWindow.gif
c:\program files\SelectRebates\Toolbar\i_clipboard.bmp
c:\program files\SelectRebates\Toolbar\i_help.bmp
c:\program files\SelectRebates\Toolbar\i_magnifying.bmp
c:\program files\SelectRebates\Toolbar\icons.bmp
c:\program files\SelectRebates\Toolbar\ImageCache\alert-red.bmp
c:\program files\SelectRebates\Toolbar\Invite.bmp
c:\program files\SelectRebates\Toolbar\logo.bmp
c:\program files\SelectRebates\Toolbar\logo_24.bmp
c:\program files\SelectRebates\Toolbar\logo_HotSpots.bmp
c:\program files\SelectRebates\Toolbar\MyNew.bmp
c:\program files\SelectRebates\Toolbar\MyNone.bmp
c:\program files\SelectRebates\Toolbar\MyPage.bmp
c:\program files\SelectRebates\Toolbar\Rate.bmp
c:\program files\SelectRebates\Toolbar\RightControls.dym
c:\program files\SelectRebates\Toolbar\sah_logo_bars.gif
c:\program files\SelectRebates\Toolbar\Scissors.bmp
c:\program files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
c:\program files\SelectRebates\Toolbar\Tools.bmp
c:\program files\SelectRebates\Toolbar\Tools2.bmp
c:\windows\IE4 Error Log.txt
c:\windows\system32\bbfbafdbccebded.dll
c:\windows\system32\drivers\TDSSmhlt.sys
c:\windows\system32\TDSShrsr.dll
c:\windows\system32\TDSSkkbi.log
c:\windows\system32\TDSSlrvd.dat
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqt.dll
c:\windows\system32\TDSSrhyp.log
c:\windows\system32\TDSSrtqp.dll
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\twex.exe
F:\autorun.inf
G:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
.

2009-01-14 13:10 . 2009-01-14 13:10 <DIR> d-------- C:\New Folder
2009-01-12 16:22 . 2009-01-14 13:28 <DIR> d--hs---- c:\windows\system32\twain32
2009-01-09 15:19 . 2009-01-13 23:43 869 --a------ c:\windows\CoDUO.INI
2009-01-07 19:59 . 2009-01-14 00:21 <DIR> d-------- c:\program files\Call of Duty Game of the Year Edition
2009-01-07 19:57 . 2009-01-11 00:29 766 --a------ c:\windows\CoD.INI
2009-01-05 16:40 . 2009-01-05 16:40 4,096 --ahs---- c:\documents and settings\Thumbs.db
2009-01-05 16:34 . 2009-01-05 16:34 <DIR> d----c--- c:\documents and settings\Administrator\Application Data\Lavasoft
2008-12-29 23:25 . 2008-12-29 23:31 <DIR> d-------- C:\GTL
2008-12-29 21:50 . 2008-12-29 21:57 <DIR> d-------- C:\GTR2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 17:05 --------- d-----w c:\program files\Ma
2009-01-06 15:11 --------- d-----w c:\program files\Google
2009-01-06 04:20 --------- d--h--w c:\documents and settings\thomas canale\Application Data\Move Networks
2009-01-05 21:00 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-15 22:05 --------- d-----w c:\documents and settings\thomas canale\Application Data\U3
2008-12-14 02:42 --------- d-----w c:\program files\iTunes
2008-12-14 02:42 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-14 02:41 --------- d-----w c:\program files\iPod
2008-12-14 02:38 --------- d-----w c:\program files\QuickTime
2008-12-14 02:37 --------- d-----w c:\program files\Common Files\Apple
2008-12-14 02:29 --------- d-----w c:\program files\Safari
2008-12-11 20:34 --------- d-----w c:\program files\Dell AIO Printer A940
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-06 02:44 --------- d-----w c:\documents and settings\thomas canale\Application Data\Apple Computer
2008-12-04 00:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 00:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-11-22 20:00 --------- d-----w c:\program files\Netflix
2008-11-18 05:21 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-11-16 17:37 --------- d-----w c:\documents and settings\thomas canale\Application Data\OpenOffice.org2
2007-08-20 00:06 774,144 ----a-w c:\program files\RngInterstitial.dll
2006-12-09 22:57 32 ----a-r c:\documents and settings\All Users\hash.dat
2006-09-29 10:56 18,221 ----a-w c:\documents and settings\thomas canale\Application Data\FNTCACHE.BIN
2006-09-29 10:49 3,514 ----a-w c:\documents and settings\thomas canale\Application Data\perfc012.dat
2009-01-05 16:22 66,576 ----a-w c:\program files\mozilla firefox\components\acabfedadcbb.dll
2006-12-28 21:17 270,455 ----a-w c:\program files\mozilla firefox\components\ffe.dll
2008-03-25 17:44 88 --sh--r c:\windows\system32\890CC586E0.sys
2008-10-01 11:03 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100120081002\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-22 823362]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 86102]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-28 185896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

c:\documents and settings\thomas canale\Start Menu\Programs\Accessories\Startup\
.security [2008-10-08 0]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-08-13 24576]
SlimServer Tray Tool.lnk - c:\program files\SlimServer\SlimTray.exe [2007-05-28 3387461]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\EA Games\\Need For Speed Hot Pursuit 2\\NFSHP2.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Best Buy Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\OpenCase\\OpenCASE Media Agent\\PandoBinaries\\NBCPandoREST.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"47611:TCP"= 47611:TCP:*:Disabled:null
"9000:TCP"= 9000:TCP:SlimServer 9000 tcp
"3483:UDP"= 3483:UDP:SlimServer 3483 udp
"3483:TCP"= 3483:TCP:SlimServer 3483 tcp
"56974:TCP"= 56974:TCP:PandoRest Listening Port

R4 filesvc;filesvc;c:\windows\system32\config\atww\filesvc.sys [2007-01-23 9216]
R4 procdrv;procdrv;c:\windows\system32\config\atww\procdrv.sys [2007-01-23 6144]
R4 regfil;regfil;c:\windows\system32\config\atww\regfil.sys [2007-01-23 7552]
R4 SlimServerMySQL;SlimServerMySQL;c:\progra~1\SLIMSE~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\progra~1\SLIMSE~1\server\Cache\my.cnf SlimServerMySQL --> c:\progra~1\SLIMSE~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\progra~1\SLIMSE~1\server\Cache\my.cnf SlimServerMySQL [?]
R4 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-02-18 205328]
R4 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2005-08-22 290889]
R4 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-02-18 36368]
R4 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2005-04-25 262215]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-10-09 38496]
S4 lgatbus;LG USB Composite Device driver (WDM);c:\windows\system32\drivers\lgatbus.sys [2007-04-23 43024]
S4 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\system32\drivers\lgatmdm.sys [2007-04-23 77104]
S4 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);c:\windows\system32\drivers\lgatserd.sys [2007-04-23 60816]
S4 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCase\OpenCASE Media Agent\MediaAgent.exe [2008-08-05 835208]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-359F5809-00B8-4455-A73A-9EA62A51101B - c:\documents and settings\All Users\Application Data\58DF9FC1.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
Trusted Zone: online.musicmatch.com
FF - ProfilePath - c:\documents and settings\thomas canale\Application Data\Mozilla\Firefox\Profiles\3e122yvw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - component: c:\program files\Mozilla Firefox\components\acabfedadcbb.dll
FF - component: c:\program files\Mozilla Firefox\components\ffe.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 13:30:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\102df52fcdb0a6efabecc028095662a1.sys 39936 bytes executable
c:\windows\system32\_102df52fcdb0a6efabecc028095662a1.sys_.vir 39936 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\102df52fcdb0a6efabecc028095662a1]
"ImagePath"="system32\102df52fcdb0a6efabecc028095662a1.sys"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\progra~1\SLIMSE~1\server\Bin\MSWIN3~1\mysqld.exe
c:\program files\SlimServer\server\slim.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Dell AIO Printer A940\dlbabmon.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dwwin.exe
c:\progra~1\TRENDM~1\INTERN~1\pcclient.exe
c:\progra~1\TRENDM~1\INTERN~1\Temp\aubin\patch.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
.
**************************************************************************
.
Completion time: 2009-01-14 13:43:52 - machine was rebooted [thomas canale]
ComboFix-quarantined-files.txt 2009-01-14 18:43:49

Pre-Run: 189,029,105,664 bytes free
Post-Run: 189,398,835,200 bytes free

295 --- E O F --- 2009-01-14 16:27:48




GMER

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-14 16:30:16
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \??\C:\WINDOWS\system32\config\atww\regfil.sys ZwEnumerateKey [0xB2C02EFE]
SSDT \??\C:\WINDOWS\system32\config\atww\regfil.sys ZwEnumerateValueKey [0xB2C030CC]
SSDT \??\C:\WINDOWS\system32\config\atww\regfil.sys ZwQueryKey [0xB2C02E92]
SSDT \??\C:\WINDOWS\system32\config\atww\regfil.sys ZwQueryValueKey [0xB2C031FC]

Code 102df52fcdb0a6efabecc028095662a1.sys (ckmd/Noves Inc) ZwCreateKey [0xF7565C8E]
Code 102df52fcdb0a6efabecc028095662a1.sys (ckmd/Noves Inc) ZwEnumerateKey [0xF7565D13]
Code 102df52fcdb0a6efabecc028095662a1.sys (ckmd/Noves Inc) ZwOpenKey [0xF7565C10]
Code 102df52fcdb0a6efabecc028095662a1.sys (ckmd/Noves Inc) ZwQueryDirectoryFile [0xF7565999]
Code 102df52fcdb0a6efabecc028095662a1.sys (ckmd/Noves Inc) IoCreateFile
Code 102df52fcdb0a6efabecc028095662a1.sys (ckmd/Noves Inc) NtQueryDirectoryFile

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntkrnlpa.exe!NtCreateSection + 3 805AB3B1 4 Bytes [ 6A, 70, CC, CC ]

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs Tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)

Device \Driver\iastor \Device\Ide\iaStor0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\iastor \Device\Ide\IAAStorageDevice-0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\USBSTOR \Device\00000073 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\USBSTOR \Device\00000078 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)

Device \Driver\USBSTOR \Device\0000007d sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\USBSTOR \Device\0000007e sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \FileSystem\Fastfat \Fat Tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\102df52fcdb0a6efabecc028095662a1.sys (*** hidden *** ) [BOOT] 102df52fcdb0a6efabecc028095662a1 <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Services\102df52fcdb0a6efabecc028095662a1
Reg HKLM\SYSTEM\ControlSet001\Services\102df52fcdb0a6efabecc028095662a1@c &registry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\102df52fcdb0a6efabecc028095662a1&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=102df52fcdb0a6efabecc028095662a1&path=system32\102df52fcdb0a6efabecc028095662a1.sys&wmid=Dkx002&idate=2009-01-05 11:21:29:671&last_download_time=2009-1-5 11:24:29.890&first_skip=1
Reg HKLM\SYSTEM\ControlSet001\Services\102df52fcdb0a6efabecc028095662a1@Type 1
Reg HKLM\SYSTEM\ControlSet001\Services\102df52fcdb0a6efabecc028095662a1@Start 0
Reg HKLM\SYSTEM\ControlSet001\Services\102df52fcdb0a6efabecc028095662a1@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet001\Services\102df52fcdb0a6efabecc028095662a1@Tag 6
Reg HKLM\SYSTEM\ControlSet001\Services\102df52fcdb0a6efabecc028095662a1@ImagePath system32\102df52fcdb0a6efabecc028095662a1.sys
Reg HKLM\SYSTEM\ControlSet001\Services\102df52fcdb0a6efabecc028095662a1@DisplayName 102df52fcdb0a6efabecc028095662a1
Reg HKLM\SYSTEM\ControlSet001\Services\102df52fcdb0a6efabecc028095662a1@Group System Bus Extender
Reg HKLM\SYSTEM\ControlSet001\Services\102df52fcdb0a6efabecc028095662a1\Security
Reg HKLM\SYSTEM\ControlSet001\Services\102df52fcdb0a6efabecc028095662a1\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmhlt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmhlt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoiqt.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSlrvd.dat
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSShrsr.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSrtqp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSxfum.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSlxwp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsihc.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSrhyp.log
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSkkbi.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\102df52fcdb0a6efabecc028095662a1
Reg HKLM\SYSTEM\CurrentControlSet\Services\102df52fcdb0a6efabecc028095662a1@c &registry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\102df52fcdb0a6efabecc028095662a1&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=102df52fcdb0a6efabecc028095662a1&path=system32\102df52fcdb0a6efabecc028095662a1.sys&wmid=Dkx002&idate=2009-01-05 11:21:29:671&last_download_time=2009-1-5 11:24:29.890&first_skip=1
Reg HKLM\SYSTEM\CurrentControlSet\Services\102df52fcdb0a6efabecc028095662a1@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\102df52fcdb0a6efabecc028095662a1@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\102df52fcdb0a6efabecc028095662a1@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\102df52fcdb0a6efabecc028095662a1@Tag 6
Reg HKLM\SYSTEM\CurrentControlSet\Services\102df52fcdb0a6efabecc028095662a1@ImagePath system32\102df52fcdb0a6efabecc028095662a1.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\102df52fcdb0a6efabecc028095662a1@DisplayName 102df52fcdb0a6efabecc028095662a1
Reg HKLM\SYSTEM\CurrentControlSet\Services\102df52fcdb0a6efabecc028095662a1@Group System Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\102df52fcdb0a6efabecc028095662a1\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\102df52fcdb0a6efabecc028095662a1\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet003\Services\102df52fcdb0a6efabecc028095662a1
Reg HKLM\SYSTEM\ControlSet003\Services\102df52fcdb0a6efabecc028095662a1@c &registry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\102df52fcdb0a6efabecc028095662a1&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=102df52fcdb0a6efabecc028095662a1&path=system32\102df52fcdb0a6efabecc028095662a1.sys&wmid=Dkx002&idate=2009-01-05 11:21:29:671&last_download_time=2009-1-5 11:24:29.890&first_skip=1
Reg HKLM\SYSTEM\ControlSet003\Services\102df52fcdb0a6efabecc028095662a1@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\102df52fcdb0a6efabecc028095662a1@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\102df52fcdb0a6efabecc028095662a1@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\102df52fcdb0a6efabecc028095662a1@Tag 6
Reg HKLM\SYSTEM\ControlSet003\Services\102df52fcdb0a6efabecc028095662a1@ImagePath system32\102df52fcdb0a6efabecc028095662a1.sys
Reg HKLM\SYSTEM\ControlSet003\Services\102df52fcdb0a6efabecc028095662a1@DisplayName 102df52fcdb0a6efabecc028095662a1
Reg HKLM\SYSTEM\ControlSet003\Services\102df52fcdb0a6efabecc028095662a1@Group System Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\102df52fcdb0a6efabecc028095662a1\Security
Reg HKLM\SYSTEM\ControlSet003\Services\102df52fcdb0a6efabecc028095662a1\Security@Security 0x01 0x00 0x14 0x80 ...

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\system32\102df52fcdb0a6efabecc028095662a1.sys 39936 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\_102df52fcdb0a6efabecc028095662a1.sys_.vir 39936 bytes executable

---- EOF - GMER 1.0.14 ----
:::::::::I LOVE MY MAC!::::::::::
Now if only all my friends had macs...... GRRRRR!!!
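The GMER log above shows the pattern a responder triages by hand: kernel hooks on registry and directory lookup functions from a hash-named driver and from a driver sitting under system32\config, a hidden boot-start service, and a configuration string stored as a value of that service key. As an added example (not code from this thread, from GMER or from ComboFix), the Python below parses lines in GMER's output format and flags those indicators; the sample lines are constructed from the log above, and the heuristics (hash-like name, driver under the hive directory) are this example's own assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample in GMER's output format, modelled on the scan quoted above.
SAMPLE_LOG = r"""
SSDT \??\C:\WINDOWS\system32\config\atww\regfil.sys ZwEnumerateKey [0xB2C02EFE]
SSDT \??\C:\WINDOWS\system32\config\atww\regfil.sys ZwQueryValueKey [0xB2C031FC]
Code 102df52fcdb0a6efabecc028095662a1.sys (ckmd/Noves Inc) ZwCreateKey [0xF7565C8E]
Code 102df52fcdb0a6efabecc028095662a1.sys (ckmd/Noves Inc) NtQueryDirectoryFile
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)
Service C:\WINDOWS\system32\102df52fcdb0a6efabecc028095662a1.sys (*** hidden *** ) [BOOT] 102df52fcdb0a6efabecc028095662a1 <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\102df52fcdb0a6efabecc028095662a1@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\102df52fcdb0a6efabecc028095662a1@c &download_period=846000&ips_count=4&port_0=7000&port_1=8300&name=102df52fcdb0a6efabecc028095662a1
""".strip("\n")

HOOK_RE = re.compile(r"^(SSDT|Code)\s+(\S+)\s+(?:\([^)]*\)\s+)?(\w+)")
HIDDEN_RE = re.compile(r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[(\w+)\]\s+(\S+)")
REG_RE = re.compile(r"^Reg\s+HKLM\\SYSTEM\\[^\\]+\\Services\\([^\\@]+)@(\w+)\s*(.*)$")
HASH_NAME_RE = re.compile(r"^[0-9a-f]{32}(\.sys)?$", re.I)   # random 32-hex-char names
# Kernel entry points whose hooking lets a driver hide registry keys or files.
REG_HIDE = {"ZwEnumerateKey", "ZwEnumerateValueKey", "ZwQueryKey", "ZwQueryValueKey",
            "ZwOpenKey", "ZwCreateKey"}
FILE_HIDE = {"ZwQueryDirectoryFile", "NtQueryDirectoryFile", "IoCreateFile"}

def classify_driver(path, funcs):
    """Heuristic reasons (this example's assumptions) why a hooking driver looks hostile."""
    reasons = []
    if HASH_NAME_RE.match(path.rsplit("\\", 1)[-1]):
        reasons.append("hash-like driver name")
    if "\\config\\" in path.lower():                 # no legitimate driver lives in the hive dir
        reasons.append("driver stored under the registry hive directory")
    if REG_HIDE & set(funcs):
        reasons.append("hooks registry key access (can hide its service key)")
    if FILE_HIDE & set(funcs):
        reasons.append("hooks directory/file lookup (can hide its file)")
    return reasons

def parse_config(raw):
    """Split the '&key=value&...' string kept in the service key into a dict."""
    return {k: v[0] for k, v in parse_qs(raw.lstrip("&"), keep_blank_values=True).items()}

def triage(log_text):
    """Collect hooking drivers, hidden services and embedded config from GMER text."""
    hooks, hidden, reg = {}, [], {}
    for line in log_text.splitlines():
        if m := HOOK_RE.match(line):
            hooks.setdefault(m.group(2), []).append(m.group(3))
        elif m := HIDDEN_RE.match(line):
            hidden.append({"name": m.group(3), "group": m.group(2), "image": m.group(1)})
        elif m := REG_RE.match(line):
            reg.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3).strip()
    report = {"hooks": {}, "hidden_services": [], "config": {}}
    for path, funcs in hooks.items():
        report["hooks"][path.rsplit("\\", 1)[-1]] = {
            "functions": funcs, "reasons": classify_driver(path, funcs)}
    for svc in hidden:
        values = reg.get(svc["name"], {})
        svc["start"] = values.get("start")          # "0" means boot start
        report["hidden_services"].append(svc)
        if "c" in values:                           # the rootkit's own config string
            report["config"][svc["name"]] = parse_config(values["c"])
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Lines GMER prints for legitimate filter drivers (the Trend Micro AttachedDevice entry) are ignored; only SSDT/Code hooks, hidden services and their registry values are reported.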

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:43 AM

Posted 14 January 2009 - 04:48 PM

Hello.

I am reviewing your logs right now, give me a while before posting the instructions for the next step. One note: next time when you run Combofix, please make sure it's on your desktop. I see you ran Combofix from F:\Combo-Fix.exe

I believe F:\ is your flash-drive or something? Please copy and paste Combo-fix to your Desktop and when I tell you to run Combofix please run it from your desktop.

Right now, please be patient while I go through your logs and refrain from changing anything including running any scanners etc..

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 extremeboy


Posted 14 January 2009 - 05:16 PM

Hello.

Lots of stuff to get rid of in this post..

Before you edited your last post, you said you had some difficulties disabling Trend Micro, as even if you disabled it, it was still active, I believe? We will just use Combofix to stop those processes.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    KillAll::
    
    Extra::
    
    Dirlook::
    c:\windows\system32\twain32
    Driver::
    102df52fcdb0a6efabecc028095662a1 
    File::
    c:\windows\system32\890CC586E0.sys
    c:\program files\Mozilla Firefox\components\acabfedadcbb.dll
    c:\program files\Mozilla Firefox\components\ffe.dll
    Rootkit::
    c:\windows\system32\102df52fcdb0a6efabecc028095662a1.sys 
    c:\windows\system32\_102df52fcdb0a6efabecc028095662a1.sys_.vir
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000000
    "UpdatesDisableNotify"=dword:00000000
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\102df52fcdb0a6efabecc028095662a1]
    [-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\102df52fcdb0a6efabecc028095662a1]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\102df52fcdb0a6efabecc028095662a1]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys] 
    Firefox::
    FF - ProfilePath - c:\documents and settings\thomas canale\Application Data\Mozilla\Firefox\Profiles\3e122yvw.default\
    FF - component: c:\program files\Mozilla Firefox\components\acabfedadcbb.dll
    FF - component: c:\program files\Mozilla Firefox\components\ffe.dll
    DDS::
    BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - 
    TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} -
    SSODL: shellservice - {8FB2D6CA-E258-48CF-9DAB-EEFB735E225C} -
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
Make sure this time that Combofix.exe is on your desktop before dragging CFScript.txt onto Combo-fix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with:
-Combofix log
-MBAM log
-New GMER log
-New DDS/hijackthis log


With Regards,
Extremeboy

#10 KarenRose


Posted 15 January 2009 - 12:35 PM

OK, first of all, I couldn't open Malwarebytes or Spybot S&D to disable them, so I uninstalled them, then realized that might screw you up, I hope not! (Sorry, I'm just used to figuring these things out on my own, so sometimes I do stuff first, then think about it :thumbsup: Sorry!!!)


I'm proceeding with the rest now....

#11 extremeboy


Posted 15 January 2009 - 03:41 PM

Hello again.

From your PM you said you have a problem now..: "Now I get the black "We apologize for the inconvenience..." safe-mode/normal/last known good configuration choice page. When I start with Normal start-up, I get the Windows XP screen for a few seconds, then NOTHING. Just black-hole emptiness."

Next time, please do not uninstall or remove things. If you do have any problems please ASK before continuing. Thanks.

I would try to Boot into the Last Known Good Configuration method. I believe you know how to do this? If not please refer to the Microsoft Article below:
http://support.microsoft.com/kb/307852

Also, you said you didn't want to format/reinstall because it didn't come with an XP CD, as it is your friend's computer. See if your friend or someone has one; we may need it later if your computer still doesn't boot up. If you don't, then just tell me, we will still have alternative methods to get it working if it still doesn't work.

If the Last Known Good Configuration doesn't work see if you can boot into Safe Mode

Tell me how it goes. If successful, please post back with the logs.

With Regards,
Extremeboy

#12 KarenRose


Posted 15 January 2009 - 04:05 PM

Yeah, like I said, I did it without thinking :thumbsup: OK, now it's not booting up at all, not even in safe mode! Anything else to do?

Edited by KarenRose, 15 January 2009 - 04:05 PM.


#13 extremeboy


Posted 15 January 2009 - 04:11 PM

Yeah, like I said, I did it without thinking :thumbsup: OK, now it's not booting up at all, not even in safe mode! Anything else to do?

Not booting up at all!? Does this mean you can't even turn on your machine and get past the BIOS anymore? I hope that's not what you meant.

EDIT: One question, were you able to run Combofix fine though? If so, we may be able to do an ERUNT restore and see if that works. Also, when you said it's not booting anymore, what happens? Do you get any errors or messages?

With Regards,
Extremeboy

Edited by extremeboy, 15 January 2009 - 04:18 PM.


#14 KarenRose


Posted 15 January 2009 - 04:17 PM

Sorry... just so frustrated I can't even think straight! I still get up to the screen where you can pick "normal/safe/last known...."

#15 extremeboy


Posted 15 January 2009 - 04:25 PM

Hello.

Okay, I edited my post could you answer this question:

EDIT: One question, were you able to run Combofix fine though? If so, we may be able to do a ERUNT restore and see if that works. Also when you said not booting anymore what happens? Do you get any error or messages?


With Regards,
Extremeboy
