
severely infected


  • This topic is locked
40 replies to this topic

#1 D_N_M

  • Members
  • 200 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:00 AM

Posted 29 January 2009 - 09:58 AM

I am helping a friend with this computer and have gotten rid of many nasties. Here is my hjt log. Can someone please look it over and advise me what to do? Thank you in advance.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:55:03 AM, on 1/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comodo.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7070
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdagent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\smss\smss.exe (file missing)

--
End of file - 8638 bytes


#2 D_N_M
  • Topic Starter
  • Members
  • 200 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:00 AM

Posted 31 January 2009 - 07:05 PM

Can no one help me here? Please let me know.

#3 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:00 AM

Posted 07 February 2009 - 02:38 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable AVG:
  • Please navigate to the system tray on the bottom right hand corner and look for the AVG icon.
  • Right click it -> select Quit Control Center.
  • A warning will pop up; click Yes.
Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#4 D_N_M
  • Topic Starter
  • Members
  • 200 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:00 AM

Posted 07 February 2009 - 08:12 PM

Hi PP, and thank you for the help.

I could not get ComboFix to run; it said I have to have administrative rights to run it (but I am logged on as the admin).
Maybe run it in safe mode?

I did get GMER to run and here is that log.

As far as programs installed: they had no firewall, so I installed Comodo.
They had Norton for antivirus (which didn't work).
I installed SUPERAntiSpyware.
I installed Malwarebytes (which I finally got to update after several scans).
And Firefox for a browser (because IE was corrupt and I just plain don't like IE for a browser).

Anyway, here is the log.


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-07 17:02:11
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xF28F5906]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0xF28F4E66]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xF28F54C2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateKey [0xF28F60D0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreatePort [0xF28F4BC0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0xF28F6DC0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xF28F5AEC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateThread [0xF28F4796]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteKey [0xF28F5D3A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteValueKey [0xF28F5EEA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDuplicateObject [0xF28F44F8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0xF28F6A42]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0xF28F50AC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0xF28F56FA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenProcess [0xF28F4228]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0xF28F533C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenThread [0xF28F43A0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRenameKey [0xF28F6496]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xF28F4CDE]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSecureConnectPort [0xF28F67FA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0xF28F6BF0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetValueKey [0xF28F6296]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0xF28F5046]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0xF28F5230]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF27B6F20]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0xF28F4958]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F71DB710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F71DB770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F71DB990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F71DB950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F71DB950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F71DB770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F71DB710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F71DB990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F71DB990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F71DB950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F71DB770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F71DB710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F71DB950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F71DB990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F71DB710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F71DB770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F71DB710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F71DB770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F71DB950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F71DB990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F71DB950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F71DB770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F71DB710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F71DB950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F71DB990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F71DB710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F71DB770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1704] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1704] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1704] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1704] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1704] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1704] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1704] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1704] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1704] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1704] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1704] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1704] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1704] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1704] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1704] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1704] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1704] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1704] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1704] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1704] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1704] @ C:\WINDOWS\system32\psapi.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1704] @ C:\WINDOWS\system32\psapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1704] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1704] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1704] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1704] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\cmdhlp \Device\CFPTcpFlt avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)

Device \Driver\cmdhlp \Device\CFPUdpFlt avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\cmdhlp \Device\CFPRawFlt avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\cmdhlp \Device\cmdhlp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\cmdhlp \Device\CFPIpFlt avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2
Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 35
Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\Services\MRxDAV\EncryptedDirectories@
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\WINDOWS\system32\guard32.dll,C:\WINDOWS\system32\cssdll32.dll,avgrsstx.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x1749ddc1 size 0x1b5
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- Files - GMER 1.0.14 ----

File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\hidec.exe 1536 bytes executable
File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\hidec.exe.info 126 bytes

---- EOF - GMER 1.0.14 ----

I am able to get online now with this PC, but when they brought it to me I could not, and I was barely able to get ANY antimalware or antivirus to load, let alone run.


Thank you again for the help, PP.
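The HijackThis log in post #1 and the GMER log just above are what the rest of the thread's analysis rests on. The script below is an added example, not code from this thread, from HijackThis or from GMER: it runs a few triage heuristics over a handful of lines copied from those two logs (the loopback ProxyServer entry, the autorun registered in the SYSTEM hive, the "Machine Debug Manager" service that points at a missing smss.exe outside system32, the AppInit_DLLs list, and the GMER disk-sector line whose two hex values reappear in the mbr.exe command later in the thread). The heuristic names, the SYSTEM_BINARIES set and the sample subsets are my own choices; a flagged line is a lead for a person to check, not a verdict (a loopback proxy, for instance, can just as well be local filtering software).

```python
import re
from typing import Any, List, Tuple

# Sample lines copied from the HijackThis and GMER logs posted in this thread
# (a constructed subset for the example, not the full logs).
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7070
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\smss\smss.exe (file missing)
"""

GMER_SAMPLE = r"""
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\WINDOWS\system32\guard32.dll,C:\WINDOWS\system32\cssdll32.dll,avgrsstx.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x1749ddc1 size 0x1b5
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
"""

# Core Windows binaries that belong only in the system directory (my own list);
# a same-named file elsewhere, like C:\Program Files\smss\smss.exe, is a classic impersonation.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe"}


def triage_hjt(text: str) -> List[Tuple[str, str]]:
    """Flag HijackThis lines that deserve a closer look. Returns (kind, line) pairs."""
    findings: List[Tuple[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # R1: a proxy on loopback means some local process sits between the browser and the network.
        if line.startswith("R1") and "ProxyServer" in line and re.search(r"127\.0\.0\.1|localhost", line):
            findings.append(("loopback-proxy", line))
        # O4: autoruns in the SYSTEM / Default user hives run without any user logging in.
        elif line.startswith("O4") and re.search(r"\(User '(SYSTEM|Default user)'\)", line):
            findings.append(("system-hive-autorun", line))
        elif line.startswith("O23"):
            # Layout: O23 - Service: <name> - <owner> - <path> [(file missing)]
            path = line.split(" - ")[-1].replace("(file missing)", "").strip()
            name = path.rsplit("\\", 1)[-1].lower()
            if "(file missing)" in line:
                findings.append(("service-file-missing", line))
            if name in SYSTEM_BINARIES and "\\windows\\system32\\" not in path.lower():
                findings.append(("system-binary-outside-system32", line))
    return findings


DISK_RE = re.compile(
    r"^Disk (\S+) sector (\d+): malicious code @ sector (0x[0-9a-fA-F]+) size (0x[0-9a-fA-F]+)")


def triage_gmer(text: str) -> List[Tuple[str, Any]]:
    """Pull the disk-sector and AppInit_DLLs facts out of a GMER log."""
    findings: List[Tuple[str, Any]] = []
    appinit_dlls: List[str] = []
    load_appinit = False
    for line in text.splitlines():
        line = line.strip()
        m = DISK_RE.match(line)
        if m:
            device, sector, offset, size = m.groups()
            # The offset/size pair is exactly what a later "mbr.exe -b <offset> <size>" dump needs.
            findings.append(("disk-sector-code", {
                "device": device, "sector": int(sector),
                "offset": int(offset, 16), "size": int(size, 16)}))
        elif "@AppInit_DLLs " in line:
            appinit_dlls = [d.strip() for d in line.split("@AppInit_DLLs ", 1)[1].split(",") if d.strip()]
        elif line.endswith("@LoadAppInit_DLLs 1"):
            load_appinit = True
    # AppInit_DLLs are mapped into every process that loads user32.dll (on Vista and later only
    # when LoadAppInit_DLLs is 1), so every entry is worth identifying, legitimate or not.
    for dll in appinit_dlls:
        findings.append(("appinit-dll", dll))
    findings.append(("load-appinit-dlls", load_appinit))
    return findings


if __name__ == "__main__":
    for kind, detail in triage_hjt(HJT_SAMPLE) + triage_gmer(GMER_SAMPLE):
        print(f"[{kind}] {detail}")
```

Run as-is it prints one line per finding; point `triage_hjt` and `triage_gmer` at a full log file's contents to use the same checks on a real case. The O23 check deliberately keys on the file name rather than the display name, because the display name ("Machine Debug Manager") is chosen by whoever registered the service.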

#5 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:00 AM

Posted 07 February 2009 - 08:21 PM

Hello D_N_M.

There is something really nasty in that computer. Perhaps even an MBR rootkit.

Backdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise changing any passwords for any accounts that you have accessed with the infected computer, using a clean computer, ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding preventing of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.
----
Please rename ComboFix.exe to ComboFixabc.exe and try running it again.

Download and Run MBR
Please download MBR.exe to your desktop.
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".
    mbr.exe -b 0x1749ddc1 0x1b5 CopyOfMbr.txt
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input test.bat
  • Hit OK.
When done properly, the file should show a batch file icon.

Double click test.bat. A command prompt window will open and close. A file named CopyOfMbr.txt will be created on your desktop. Upload that file to me.
  • Open the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/t/198997/severely-infected/
  • Select the CopyOfMbr.txt on your desktop.
  • Under the comments section, say that Panda asked for the submission.


With Regards,
The Panda
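As an added example (not from this thread, and not GMER's or MBR.exe's code) of what the CopyOfMbr dump is for: parse a 512-byte MBR, compare the live sector 0 against the "copy of MBR" the detector reported in sector 62, and pull the sector and size numbers out of a detector line such as the one above. The sample sectors are constructed and hypothetical; a real check would read them with a raw disk reader.

```python
import re
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446     # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446    # four 16-byte partition entries follow
BOOT_SIG_OFF = 510      # trailing 0x55 0xAA boot signature


def has_boot_signature(sector: bytes) -> bool:
    """True if the sector is 512 bytes and ends in the 0x55AA MBR signature."""
    return len(sector) == SECTOR_SIZE and sector[BOOT_SIG_OFF:] == b"\x55\xaa"


def parse_partition_table(sector: bytes) -> list:
    """Decode the four partition entries (status, type, LBA start, sector count)."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def compare_mbr_with_backup(live: bytes, backup: bytes) -> dict:
    """Compare the live MBR (sector 0) with a suspected copy of the original.

    A bootkit usually overwrites the boot code but keeps the partition table so
    Windows still boots; an identical table plus different code is the tell-tale.
    """
    code_same = live[:BOOT_CODE_LEN] == backup[:BOOT_CODE_LEN]
    table_same = live[PART_TABLE_OFF:BOOT_SIG_OFF] == backup[PART_TABLE_OFF:BOOT_SIG_OFF]
    sigs_ok = has_boot_signature(live) and has_boot_signature(backup)
    return {
        "signatures_ok": sigs_ok,
        "boot_code_identical": code_same,
        "partition_table_identical": table_same,
        "looks_like_bootkit": sigs_ok and table_same and not code_same,
    }


def parse_detector_line(line: str):
    """Turn 'malicious code @ sector 0x1749ddc1 size 0x1b5 !' into numbers.

    Returns the sector, the size exactly as the detector reported it, and the
    byte offset of that sector on a 512-byte-sector disk; None if no match.
    """
    m = re.search(r"sector (0x[0-9a-fA-F]+) size (0x[0-9a-fA-F]+)", line)
    if not m:
        return None
    sector, size = int(m.group(1), 16), int(m.group(2), 16)
    return {"sector": sector, "size": size, "byte_offset": sector * SECTOR_SIZE}


def make_sector(boot_code: bytes, partitions: list) -> bytes:
    """Build a 512-byte MBR from boot code and (type, lba_start, count) tuples.

    Helper for the constructed samples below; real sectors come from disk.
    """
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b""
    for i in range(4):
        if i < len(partitions):
            ptype, lba, count = partitions[i]
            table += struct.pack("<B3xB3xII", 0x80 if i == 0 else 0x00, ptype, lba, count)
        else:
            table += b"\x00" * 16
    return code + table + b"\x55\xaa"


# Constructed samples (hypothetical values, not the infected PC's sectors):
# the same two-partition table, but the live sector's boot code was replaced.
SAMPLE_PARTITIONS = [(0x07, 63, 312576642), (0x0C, 312576705, 2000000)]
ORIGINAL_MBR = make_sector(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb", SAMPLE_PARTITIONS)
TAMPERED_MBR = make_sector(b"\xea\x00\x7c\x00\x00" + b"\x90" * 16, SAMPLE_PARTITIONS)

if __name__ == "__main__":
    print(compare_mbr_with_backup(TAMPERED_MBR, ORIGINAL_MBR))
    print(parse_partition_table(ORIGINAL_MBR)[0])
    print(parse_detector_line("malicious code @ sector 0x1749ddc1 size 0x1b5 !"))
```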

#6 D_N_M
  • Topic Starter
  • Members
  • 200 posts
  • Gender:Male

Posted 07 February 2009 - 09:04 PM

Hello PP

The error returned for the ComboFix was 32788R22FWJFW\hidec.exe
Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access them.

If that's any help to you.
As far as the banking, I'm not really concerned about that; it's a kids' computer, they don't do any online banking with this, and as far as the reformat, lol, they don't have a CD for it (bummer).
They do A LOT of downloading from Limewire, which is where I suspect most of this crap came from.
I have warned them before about P2P file sharing, but they're kids, they won't listen to me :thumbup2:

Thanks again

#7 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 08 February 2009 - 11:47 AM

Hello.

In that case, please go ahead with running MBR.exe and uploading the sample to me.

Instead of running ComboFix, run OTScanIt.

Download and Run OTScanIt
Download OTScanIt by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Change the Rootkit Scan option from "No" to Yes.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.

With Regards,
The Panda

#8 D_N_M
  • Topic Starter
  • Members
  • 200 posts
  • Gender:Male

Posted 08 February 2009 - 12:18 PM

OTScanIt.Txt (120.14k)

I hope I did this right with the attachment; if not, please advise.
And I did send you a sample, but I guess it didn't go through.
Here it is again:

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x1749ddc1 size 0x1b5 !
copy of MBR has been found in sector 62 !
Thanks again, PP


#9 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 08 February 2009 - 12:41 PM

Hello.

I was referring to the copy of the MBR that should have been produced. Create the .bat file per the directions in my previous post. Run it. Send the CopyOfMbr.txt, not the mbr.log.
--
Was ComboFix able to install the Recovery Console? Otherwise, do you have your Windows XP CD? We may need it to fix the MBR.

With Regards,
The Panda

#10 D_N_M
  • Topic Starter
  • Members
  • 200 posts
  • Gender:Male

Posted 08 February 2009 - 04:57 PM

Hello PP, I did make the bat file and I did run it, but there is no log on the desktop or anywhere else on my PC; I did a "search" and nothing was found. The command prompt opened and closed and then nothing. I have done this 2 X's now and no log? As far as ComboFix, I didn't get past the "bar" loading and got the error as previously mentioned, and they don't have a CD to recover from. Something is up with ComboFix, I don't understand it not installing. I will try to keep getting it to run until I hear back from you.

Did you get the OTScanIt log? I do have that log still in the folder and I tried to send it, but I'm not sure if you got it?

thanks again

#11 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 08 February 2009 - 05:04 PM

Hello.

That's no problem. I got the OTScanIt.

If you have a blank CD..

Create Recovery Console Disk
We will use the Windows Recovery Console to try to restore your machine.

Please download the RC.iso image file to your working computer's desktop.

Burn the image onto a CD. If you do not have CD burning software, you can use ImgBurn.
--
Place the recovery console CD into the drive of the infected machine. Reboot into the recovery console.
Type in the number of the Windows installation you want to repair (usually 1), then press Enter.
Type in the Administrator password (leave blank if you are unsure what it is or if you do not have one) and press Enter.
Type without quotes "fixmbr" followed by Enter.
Type without quotes "exit" followed by Enter.

Take the CD out of the drive. Reboot into normal mode. Run MBR.exe again and post back the log.

With Regards,
The Panda

#12 D_N_M
  • Topic Starter
  • Members
  • 200 posts
  • Gender:Male

Posted 08 February 2009 - 06:43 PM

Hello PP

OK, as strange as this may sound, I downloaded the rc.iso and transferred it to the infected PC, then rebooted into recovery; it was F10 on the Compaq that's infected. I clicked Next a few times and it went on its own, so there were no options after that and I had to set up Windows as if new again. I have a lot of things missing, but only some programs that I have downloaded from you. I still have the AVG antivirus, SASpyware and Malwarebytes, but no more Comodo, no more OTScanIt, no more fix mbr; all that is gone :thumbup2: So should I download the fix mbr again? And try to run ComboFix again? I'll wait and see what you say and we will go from there.

Thanks again PP

#13 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 08 February 2009 - 06:47 PM

Hello.

That is strange.

"it was F10 on the Compaq that's infected"

What do you mean by this?

Please try to run ComboFix again. If it doesn't run, take a new OTScanIt log.

In either case, run MBR.exe again.

With Regards,
The Panda

#14 D_N_M
  • Topic Starter
  • Members
  • 200 posts
  • Gender:Male

Posted 08 February 2009 - 07:33 PM

Hello PP

What I meant by F10 was that it was what I pressed to get into recovery.
I did get ComboFix to run this time, but I still cannot get a log from mbr. I don't know where it's going?

Here is the combo log.

Thanks again

ComboFix 09-02-08.01 - Compaq_Administrator 2009-02-08 19:21:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.584 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Administrator.YOUR-55E5F9E3D2\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Outdated)
FW: Norton Internet Security *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-09 to 2009-02-09 )))))))))))))))))))))))))))))))
.

2009-02-08 09:32 . 2009-02-08 09:32 1,857 -rahs---- c:\windows\system32\drivers\103C_HP_CPC_EL445AA-ABA SR1750NX NA650_YC_0Pres_QCNH548_E61NAemRED1_48_IAmberine M_SASUSTek Computer INC._V1.03_B3.13_T051115_WXP2_L409_M959_J200_7AMD_8Athlon 64_92.19_#060127_N10EC8139_Z11C10620_G10025954.MRK
2009-02-08 09:28 . 2005-11-11 16:27 <DIR> d-------- c:\documents and settings\Compaq_Administrator.YOUR-55E5F9E3D2\WINDOWS
2009-02-08 09:28 . 2005-11-11 16:45 <DIR> d-------- c:\documents and settings\Compaq_Administrator.YOUR-55E5F9E3D2\Application Data\Symantec
2009-02-08 09:28 . 2009-02-05 15:33 <DIR> d-------- c:\documents and settings\Compaq_Administrator.YOUR-55E5F9E3D2\Application Data\SUPERAntiSpyware.com
2009-02-08 09:28 . 2009-02-05 15:30 <DIR> d-------- c:\documents and settings\Compaq_Administrator.YOUR-55E5F9E3D2\Application Data\Malwarebytes
2009-02-08 09:28 . 2005-11-11 16:28 <DIR> d-------- c:\documents and settings\Compaq_Administrator.YOUR-55E5F9E3D2\Application Data\Intuit
2009-02-08 09:28 . 2005-11-11 16:15 <DIR> d-------- c:\documents and settings\Compaq_Administrator.YOUR-55E5F9E3D2\Application Data\Digital Interactive Systems Corporation
2009-02-08 09:28 . 2009-02-08 19:17 <DIR> d-------- c:\documents and settings\Compaq_Administrator.YOUR-55E5F9E3D2
2009-02-08 09:27 . 2005-11-11 16:27 <DIR> d-------- c:\windows\system32\config\systemprofile\WINDOWS
2009-02-08 09:18 . 2009-02-08 19:12 <DIR> d-------- c:\windows\LastGood
2009-02-08 07:53 . 2009-02-08 19:12 <DIR> dr-hs---- c:\windows\system32\dllcache
2009-02-07 20:59 . 2009-02-08 05:28 <DIR> d-------- C:\32788R22FWJFW.16.tmp
2009-02-07 20:19 . 2009-02-08 05:14 <DIR> d-------- C:\32788R22FWJFW.15.tmp
2009-02-07 20:19 . 2009-02-08 05:14 <DIR> d-------- C:\32788R22FWJFW.14.tmp
2009-02-07 20:15 . 2009-02-08 05:14 <DIR> d-------- C:\32788R22FWJFW.13.tmp
2009-02-07 20:03 . 2009-02-08 05:14 <DIR> d-------- C:\32788R22FWJFW.12.tmp
2009-02-07 20:03 . 2009-02-08 05:14 <DIR> d-------- C:\32788R22FWJFW.10.tmp
2009-02-07 19:21 . 2009-02-07 19:47 250 --a------ c:\windows\gmer.ini
2009-02-05 15:33 . 2009-02-05 15:33 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-02-05 15:30 . 2009-02-05 15:30 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-05 15:30 . 2009-02-05 15:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-04 19:18 . 2009-02-04 19:18 <DIR> d-------- c:\documents and settings\rebecca\Application Data\Malwarebytes
2009-02-04 19:17 . 2009-02-04 19:17 <DIR> d-------- c:\documents and settings\rebecca\Application Data\MySpace
2009-01-31 15:35 . 2009-02-07 19:26 <DIR> d-------- C:\32788R22FWJFW.11.tmp
2009-01-31 10:44 . 2009-02-07 19:26 <DIR> d-------- C:\32788R22FWJFW.9.tmp
2009-01-31 10:13 . 2009-02-07 19:26 <DIR> d-------- C:\32788R22FWJFW.8.tmp
2009-01-31 10:12 . 2009-01-31 15:28 <DIR> d-------- C:\32788R22FWJFW.7.tmp
2009-01-31 10:10 . 2009-02-07 19:26 <DIR> d-------- C:\32788R22FWJFW.6.tmp
2009-01-31 10:10 . 2009-02-07 19:26 <DIR> d-------- C:\32788R22FWJFW.5.tmp
2009-01-31 10:09 . 2009-02-07 19:26 <DIR> d-------- C:\32788R22FWJFW.4.tmp
2009-01-28 20:09 . 2009-02-07 19:26 <DIR> d-------- C:\32788R22FWJFW.3.tmp
2009-01-28 20:07 . 2009-02-07 19:26 <DIR> d-------- C:\32788R22FWJFW.2.tmp
2009-01-28 20:07 . 2009-02-07 19:26 <DIR> d-------- C:\32788R22FWJFW.1.tmp
2009-01-28 20:06 . 2009-02-07 19:26 <DIR> d-------- C:\32788R22FWJFW.0.tmp
2009-01-28 19:50 . 2009-01-28 19:50 <DIR> d-------- c:\program files\CCleaner
2009-01-28 08:36 . 2009-01-28 08:36 <DIR> d-------- C:\e139915c5b326e4ed2b1
2009-01-27 21:55 . 2009-01-27 21:55 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-27 21:55 . 2009-01-27 21:55 <DIR> d-------- c:\documents and settings\Compaq_Administrator\Application Data\SUPERAntiSpyware.com
2009-01-27 21:55 . 2009-01-27 21:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-27 21:54 . 2009-01-27 21:54 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-27 21:45 . 2009-01-27 21:48 <DIR> d-------- c:\documents and settings\Compaq_Administrator\.housecall6.6
2009-01-27 21:01 . 2009-01-27 21:01 <DIR> d-------- C:\VundoFix Backups
2009-01-27 20:44 . 2009-01-27 20:44 <DIR> d-------- c:\documents and settings\Compaq_Administrator\Application Data\Malwarebytes
2009-01-27 20:44 . 2009-01-27 20:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-27 20:20 . 2009-01-27 20:20 <DIR> d-------- c:\program files\Common Files\SupportSoft
2009-01-27 20:02 . 2009-01-27 20:02 <DIR> d-------- c:\windows\l2schemas
2009-01-27 20:01 . 2009-01-27 20:01 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-27 17:39 . 2009-01-31 21:52 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-27 17:34 . 2009-01-27 17:34 <DIR> d-------- c:\program files\AVG
2009-01-27 17:34 . 2009-02-08 05:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-27 17:31 . 2009-02-08 05:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\_comodo_
2009-01-27 17:26 . 2009-01-27 17:26 <DIR> d-------- c:\documents and settings\Compaq_Administrator\Application Data\AVGTOOLBAR
2009-01-27 17:03 . 2009-01-27 17:03 <DIR> d-------- c:\program files\COMODO
2009-01-27 17:03 . 2009-01-27 17:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\comodo
2009-01-25 17:34 . 2009-01-25 17:34 38,912 --a------ C:\cdxwyq.exe
2009-01-25 17:34 . 2009-01-26 00:56 2 --a------ C:\-402056744
2009-01-16 04:36 . 2009-01-28 08:37 <DIR> d-------- c:\program files\smss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 00:20 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-09 00:18 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-05 19:56 --------- d-----w c:\program files\ComcastToolbar
2009-01-29 03:45 --------- d-----w c:\program files\Viewpoint
2009-01-29 03:45 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-14 19:19 1,194 ----a-w c:\documents and settings\Compaq_Administrator\Application Data\wklnhst.dat
2008-12-17 21:59 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-17 21:59 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-17 21:59 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-17 21:59 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-17 21:59 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 50,736 2006-09-26 00:52:48 c:\program files\Common Files\AOL\1148927033\EE\bak\AOLSoftware.exe
----a-w 50,736 2006-09-26 00:52:48 c:\program files\Common Files\AOL\1148927033\EE\aolsoftware.exe

----a-r 71,216 2006-10-23 12:50:37 c:\program files\Common Files\AOL\ACS\bak\AOLDial.exe

----a-w 180,269 2005-11-11 21:16:00 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 180,269 2005-11-11 21:16:00 c:\program files\Common Files\Real\Update_OB\realsched.exe

----a-w 1,605,740 2005-09-21 17:41:10 c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe
----a-w 1,605,740 2005-09-21 17:41:10 c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

----a-w 49,152 2006-02-19 10:41:10 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
----a-w 49,152 2005-02-17 14:11:42 c:\program files\HP\HP Software Update\hpwuSchd2.exe

----a-w 4,898,816 2007-01-12 01:45:10 c:\program files\MySpace\IM\bak\MySpaceIM.exe
----a-w 8,720,384 2007-12-19 01:47:24 c:\program files\MySpace\IM\MySpaceIM.exe

----a-w 99,480 2004-04-05 21:33:54 c:\program files\Pure Networks\Port Magic\bak\PortAOL.exe

----a-w 98,304 2006-05-29 18:25:26 c:\program files\QuickTime\bak\qttask.exe
----a-w 282,624 2007-04-27 16:41:54 c:\program files\QuickTime\qttask.exe

----a-w 64,512 2005-08-06 04:56:34 c:\windows\ehome\bak\ehtray.exe
----a-w 64,512 2005-08-06 04:56:34 c:\windows\ehome\ehtray.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
"PCDrProfiler"="c:\program files\PC-Doctor 5 for Windows\RunProfiler.exe" [2005-08-09 53248]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 c:\windows\arpwrmsg.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"isDeleteMe"="c:\docume~1\COMPAQ~1.YOU\LOCALS~1\Temp\isDel.bat" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2005-11-11 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=


--- Other Services/Drivers In Memory ---

*NewlyCreated* - APPMGMT
*Deregistered* - NAVENG
*Deregistered* - NAVEX15
*Deregistered* - SAVRT
*Deregistered* - SAVRTPEL
.
Contents of the 'Scheduled Tasks' folder

2008-10-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 17:42]

2008-10-13 c:\windows\Tasks\At1.job
- c:\windows\system32\wE27XjXj.exe []

2008-10-13 c:\windows\Tasks\At10.job
- c:\windows\system32\wE27XjXj.exe []

2009-02-08 c:\windows\Tasks\At11.job
- c:\windows\system32\wE27XjXj.exe []

2008-10-12 c:\windows\Tasks\At12.job
- c:\windows\system32\wE27XjXj.exe []

2008-10-12 c:\windows\Tasks\At13.job
- c:\windows\system32\wE27XjXj.exe []

2008-10-12 c:\windows\Tasks\At14.job
- c:\windows\system32\wE27XjXj.exe []

2008-10-12 c:\windows\Tasks\At15.job
- c:\windows\system32\wE27XjXj.exe []

2008-10-12 c:\windows\Tasks\At16.job
- c:\windows\system32\wE27XjXj.exe []

2008-10-12 c:\windows\Tasks\At17.job
- c:\windows\system32\wE27XjXj.exe []

2008-10-13 c:\windows\Tasks\At18.job
- c:\windows\system32\wE27XjXj.exe []

2008-10-13 c:\windows\Tasks\At19.job
- c:\windows\system32\wE27XjXj.exe []

2008-10-13 c:\windows\Tasks\At2.job
- c:\windows\system32\wE27XjXj.exe []

2008-10-13 c:\windows\Tasks\At20.job
- c:\windows\system32\wE27XjXj.exe []

2008-10-13 c:\windows\Tasks\At21.job
- c:\windows\system32\wE27XjXj.exe []

2008-10-13 c:\windows\Tasks\At22.job
- c:\windows\system32\wE27XjXj.exe []

2008-10-13 c:\windows\Tasks\At23.job
- c:\windows\system32\wE27XjXj.exe []

2008-10-13 c:\windows\Tasks\At24.job
- c:\windows\system32\wE27XjXj.exe []

2008-10-13 c:\windows\Tasks\At25.job
- c:\windows\system32\wFhNLGgc.exe []

2008-10-13 c:\windows\Tasks\At26.job
- c:\windows\system32\wFhNLGgc.exe []

2008-10-13 c:\windows\Tasks\At27.job
- c:\windows\system32\wFhNLGgc.exe []

2008-10-13 c:\windows\Tasks\At28.job
- c:\windows\system32\wFhNLGgc.exe []

2008-10-13 c:\windows\Tasks\At29.job
- c:\windows\system32\wFhNLGgc.exe []

2008-10-13 c:\windows\Tasks\At3.job
- c:\windows\system32\wE27XjXj.exe []

2008-10-13 c:\windows\Tasks\At30.job
- c:\windows\system32\wFhNLGgc.exe []

2008-10-13 c:\windows\Tasks\At31.job
- c:\windows\system32\wFhNLGgc.exe []

2008-10-13 c:\windows\Tasks\At32.job
- c:\windows\system32\wFhNLGgc.exe []

2008-10-13 c:\windows\Tasks\At33.job
- c:\windows\system32\wFhNLGgc.exe []

2008-10-13 c:\windows\Tasks\At34.job
- c:\windows\system32\wFhNLGgc.exe []

2009-02-08 c:\windows\Tasks\At35.job
- c:\windows\system32\wFhNLGgc.exe []

2008-10-12 c:\windows\Tasks\At36.job
- c:\windows\system32\wFhNLGgc.exe []

2008-10-12 c:\windows\Tasks\At37.job
- c:\windows\system32\wFhNLGgc.exe []

2008-10-12 c:\windows\Tasks\At38.job
- c:\windows\system32\wFhNLGgc.exe []

2008-10-12 c:\windows\Tasks\At39.job
- c:\windows\system32\wFhNLGgc.exe []

2008-10-13 c:\windows\Tasks\At4.job
- c:\windows\system32\wE27XjXj.exe []

2008-10-12 c:\windows\Tasks\At40.job
- c:\windows\system32\wFhNLGgc.exe []

2008-10-12 c:\windows\Tasks\At41.job
- c:\windows\system32\wFhNLGgc.exe []

2008-10-13 c:\windows\Tasks\At42.job
- c:\windows\system32\wFhNLGgc.exe []

2008-10-13 c:\windows\Tasks\At43.job
- c:\windows\system32\wFhNLGgc.exe []

2008-10-13 c:\windows\Tasks\At44.job
- c:\windows\system32\wFhNLGgc.exe []

2008-10-13 c:\windows\Tasks\At45.job
- c:\windows\system32\wFhNLGgc.exe []

2008-10-13 c:\windows\Tasks\At46.job
- c:\windows\system32\wFhNLGgc.exe []

2008-10-13 c:\windows\Tasks\At47.job
- c:\windows\system32\wFhNLGgc.exe []

2008-10-13 c:\windows\Tasks\At48.job
- c:\windows\system32\wFhNLGgc.exe []

2008-10-13 c:\windows\Tasks\At5.job
- c:\windows\system32\wE27XjXj.exe []

2008-10-13 c:\windows\Tasks\At6.job
- c:\windows\system32\wE27XjXj.exe []

2008-10-13 c:\windows\Tasks\At7.job
- c:\windows\system32\wE27XjXj.exe []

2008-10-13 c:\windows\Tasks\At8.job
- c:\windows\system32\wE27XjXj.exe []

2008-10-13 c:\windows\Tasks\At9.job
- c:\windows\system32\wE27XjXj.exe []

2009-02-08 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Hewlett-Packard\SDP\HPSdpApp.exe [2005-09-08 22:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: trymedia.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-08 19:22:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(576)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-08 19:23:37
ComboFix-quarantined-files.txt 2009-02-09 00:23:35

Pre-Run: 164,348,878,848 bytes free
Post-Run: 164,346,740,736 bytes free

269
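The run of At*.job entries in this log is what the helper's AtJob:: directive in the next reply removes. As an added example (not from the thread and not ComboFix's own code), here is a small parser that triages that section of a ComboFix log: it pairs each .job line with its target line, groups tasks by target, and flags batches of At-style jobs whose target ComboFix could not find (the empty [] after the path). The sample lines are a constructed excerpt copied from the log above.

```python
import re
from collections import defaultdict

# One task = two lines: the .job file, then "- <target> [<date> <time>]".
# An empty "[]" means ComboFix found no file at that path.
JOB_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (c:\\windows\\tasks\\.+\.job)$", re.I)
TARGET_RE = re.compile(r"^- (.+?) \[(.*)\]$")
AT_JOB_RE = re.compile(r"\\At\d+\.job$", re.I)


def parse_tasks(log: str) -> list:
    """Pair each .job line with the target line that follows it."""
    tasks, pending = [], None
    for raw in log.splitlines():
        line = raw.strip()
        m = JOB_RE.match(line)
        if m:
            pending = {"date": m.group(1), "job": m.group(2)}
            continue
        m = TARGET_RE.match(line)
        if m and pending is not None:
            pending.update(target=m.group(1), target_info=m.group(2),
                           target_missing=m.group(2) == "")
            tasks.append(pending)
            pending = None
    return tasks


def triage(tasks: list) -> list:
    """Flag targets reached through At*.job entries whose file no longer exists.

    Dozens of numbered At jobs all pointing at one random-looking name under
    system32 is the pattern in the log above; a vendor updater with a real
    file date behind it is not reported.
    """
    by_target = defaultdict(list)
    for t in tasks:
        by_target[t["target"].lower()].append(t)
    findings = []
    for target, group in sorted(by_target.items()):
        at_jobs = [t for t in group if AT_JOB_RE.search(t["job"])]
        if at_jobs and all(t["target_missing"] for t in group):
            findings.append({"target": target, "at_jobs": len(at_jobs),
                             "jobs": sorted(t["job"] for t in at_jobs)})
    return findings


# Constructed sample: a handful of lines copied from the log above.
SAMPLE_LOG = r"""
2008-10-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 17:42]

2008-10-13 c:\windows\Tasks\At1.job
- c:\windows\system32\wE27XjXj.exe []

2008-10-13 c:\windows\Tasks\At2.job
- c:\windows\system32\wE27XjXj.exe []

2008-10-13 c:\windows\Tasks\At25.job
- c:\windows\system32\wFhNLGgc.exe []

2009-02-08 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Hewlett-Packard\SDP\HPSdpApp.exe [2005-09-08 22:23]
"""

if __name__ == "__main__":
    for f in triage(parse_tasks(SAMPLE_LOG)):
        print(f"{f['target']}: {f['at_jobs']} At*.job entries, file not found")
```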

#15 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 09 February 2009 - 08:19 AM

Hello.

Please just post the MBR report log taken now just by clicking it. (The mbr.log).

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    AtJob::
    File::
    C:\cdxwyq.exe
    C:\-402056744
    
    Folder::
    c:\program files\smss
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=-
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Drag CFScript.txt onto ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.



