
Personal Antivirus infection I think


This topic is locked
11 replies to this topic

#1 jmsntsa


Posted 26 October 2009 - 11:19 AM

A friend reported his computer was infected with "Personal Antivirus". I tried to use MAM, but it would not run. I then used Revo Uninstaller 1.83 to completely remove anything that showed up as "Personal Antivirus", which did seem to work, but his browser is still getting hi-jacked with the bogus security warnings and redirected to a web site.

Thanks for your help


DDS (Ver_09-09-29.01) - NTFSx86
Run by new owner at 10:36:55.00 on Mon 10/26/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.256 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\WINDOWS\system32\devldr32.exe
F:\PortableApps\PortableApps.com\PortableAppsPlatform.exe
F:\PortableApps\FirefoxPortable\FirefoxPortable.exe
F:\PortableApps\FirefoxPortable\App\firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
F:\PortableApps\Malwarebytes' Anti-Malware\mbam.exe
F:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com/
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSDRV] NetFilter.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111t\wlan111t.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1248718470402
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-10-9 28544]
R0 sonypvl3;sonypvl3;c:\windows\system32\drivers\sonypvl3.sys [2009-8-23 18110]
R1 sonypvf3;sonypvf3;c:\windows\system32\drivers\sonypvf3.sys [2009-8-23 619390]
R1 sonypvt3;sonypvt3;c:\windows\system32\drivers\sonypvt3.sys [2009-8-23 423454]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2009-10-9 17149]

=============== Created Last 30 ================

2009-10-09 10:49 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-10-09 10:48 <DIR> --d----- c:\program files\Panda Security
2009-10-09 10:36 17,801 a------- c:\windows\system32\drivers\AegisP.sys
2009-10-09 10:36 651,264 a------- c:\windows\system32\libeay32.dll
2009-10-09 10:36 147,456 a------- c:\windows\system32\ssleay32.dll
2009-10-09 10:36 94,208 a------- c:\windows\system32\DNIN50.dll
2009-10-09 10:36 17,149 a------- c:\windows\system32\DNINDIS5.sys
2009-10-09 10:36 362,944 a------- c:\windows\system32\drivers\WG11TND5.sys
2009-10-09 10:36 149,392 a------- c:\windows\system32\drivers\ar5523.bin
2009-10-09 10:36 <DIR> --d----- c:\program files\NETGEAR
2009-10-09 10:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2009-09-08 13:38 114,688 a------- c:\windows\system32\NetFilter.exe
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
1766-02-16 09:56 4,263 ---sh--- c:\windows\windllreg1c.sys

============= FINISH: 10:38:14.39 ===============


#2 Blade


Posted 01 November 2009 - 06:25 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 jmsntsa


Posted 04 November 2009 - 05:40 PM

Hi,
Thank you for any help you can provide.
A friend reported his computer was infected with "Personal Antivirus". I tried to use MAM, but it would not run. I then used Revo Uninstaller 1.83 to completely remove anything that showed up as "Personal Antivirus", which did seem to work, but his Internet Explorer is still getting the bogus security warnings. Also, after several minutes IE will open on its own if it hasn't been started, or redirect if it is already open to a page that says it's an auction site POPEO at this url "http://188.165.18.19/ads/?aff=6&subaff=333-v5". And I don't know if this is related or another issue, but every time it boots up a security dialog says that there was a problem and Windows Explorer must be shut down, send report to Microsoft? with two buttons "Send", "Don't Send". Nothing seems to be wrong with Explorer and the dialog can be ignored or "Don't Send" selected and everything seems to work fine.

Thanks again
James



DDS (Ver_09-09-29.01) - NTFSx86
Run by new owner at 16:41:49.12 on Wed 11/04/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.320 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\Iexplore.exe
svchost.exe
C:\WINDOWS\system32\NetFilter.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\new owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com/
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSDRV] NetFilter.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111t\wlan111t.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1248718470402
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-10-26 28552]
R0 sonypvl3;sonypvl3;c:\windows\system32\drivers\sonypvl3.sys [2009-8-23 18110]
R1 sonypvf3;sonypvf3;c:\windows\system32\drivers\sonypvf3.sys [2009-8-23 619390]
R1 sonypvt3;sonypvt3;c:\windows\system32\drivers\sonypvt3.sys [2009-8-23 423454]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2009-10-9 17149]

=============== Created Last 30 ================

2009-10-26 10:52 28,552 a------- c:\windows\system32\drivers\pavboot.sys
2009-10-09 09:48 <DIR> --d----- c:\program files\Panda Security
2009-10-09 09:36 17,801 a------- c:\windows\system32\drivers\AegisP.sys
2009-10-09 09:36 651,264 a------- c:\windows\system32\libeay32.dll
2009-10-09 09:36 147,456 a------- c:\windows\system32\ssleay32.dll
2009-10-09 09:36 94,208 a------- c:\windows\system32\DNIN50.dll
2009-10-09 09:36 17,149 a------- c:\windows\system32\DNINDIS5.sys
2009-10-09 09:36 362,944 a------- c:\windows\system32\drivers\WG11TND5.sys
2009-10-09 09:36 149,392 a------- c:\windows\system32\drivers\ar5523.bin
2009-10-09 09:36 <DIR> --d----- c:\program files\NETGEAR
2009-10-09 09:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2009-09-08 12:38 114,688 a------- c:\windows\system32\NetFilter.exe
1766-02-16 08:56 4,263 ---sh--- c:\windows\windllreg1c.sys

============= FINISH: 16:43:04.56 ===============


#4 Blade


Posted 05 November 2009 - 10:40 AM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.
  • As I am in the final stages of training an Expert Coach will also oversee your fix. Your benefit will be two people helping you instead of just one, but responses may be somewhat delayed so please be patient!!!!
Please give me a little time to go through your logs. My instructions will be forthcoming.

~Blade

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#5 Blade


Posted 07 November 2009 - 07:10 PM

Hello jmsntsa.

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.

Double click on renamed.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt in your next reply so we can continue cleaning the system.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


***************************************************

You are missing one critical kind of program on your computer: An antivirus.
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as possible and run a complete scan of the computer. Without an antivirus you will become infected on a regular basis.

Two good antivirus programs free for non-commercial home use are Avast! and Antivir
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

~Blade


In your next reply, please include the following:
Combofix Log



#6 jmsntsa


Posted 08 November 2009 - 12:19 PM

Hi Blade,

Combofix reported finding rootkits and needed to reboot the system - it said to write down the following files for future reference:

windows\system32\drivers\UACtigfpuobxt.sys
windows\system32\UACsvnfjoqeyq.dll
windows\system32\UACenpvfuhxoq.dll
windows\system32\UACmqpqrcfgqa.dat
windows\system32\UACwyriesdker.dll

Thanks for all your help
James


Here's the Combofix log:

ComboFix 09-11-07.02 - new owner 11/08/2009 11:41.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.377 [GMT -5:00]
Running from: c:\documents and settings\new owner\Desktop\Renamed.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ndisrd.sys
c:\windows\system32\drivers\UACtiqfpuobxt.sys
c:\windows\system32\ndisapi.dll
c:\windows\system32\NetFilter.exe
c:\windows\system32\UACenpvfuhxoq.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACmqpqrcfgqa.dat
c:\windows\system32\UACsvnfjoqeyq.dll
c:\windows\system32\UACwyriesdker.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_NDISRD
-------\Service_NDISRD


((((((((((((((((((((((((( Files Created from 2009-10-08 to 2009-11-08 )))))))))))))))))))))))))))))))
.

2009-11-08 16:26 . 2009-11-08 16:26 -------- d-----w- c:\windows\system32\LogFiles
2009-10-26 15:52 . 2009-06-30 14:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-09 14:48 . 2009-10-09 14:48 -------- d-----w- c:\program files\Panda Security
2009-10-09 14:36 . 2009-10-09 14:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-09 14:36 . 2009-10-09 14:36 17801 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-10-09 14:36 . 2009-10-09 14:36 -------- d-----w- c:\program files\NETGEAR
2009-10-09 14:36 . 2009-08-21 21:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-09 14:36 . 2009-10-09 14:36 -------- d-----w- c:\documents and settings\new owner\Application Data\InstallShield
2009-09-23 00:26 . 2009-09-21 00:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-18 22:35 . 2009-09-11 01:32 -------- d-----w- c:\documents and settings\new owner\Application Data\Antispyware
2009-09-18 22:21 . 2009-09-18 22:21 -------- d-----w- c:\program files\VS Revo Group
2009-09-18 21:14 . 2009-09-18 21:14 -------- d-----w- c:\program files\CCleaner
2009-09-11 01:55 . 2009-09-11 01:55 -------- d-----w- c:\program files\Enigma Software Group
2009-09-11 01:30 . 2009-09-11 01:30 -------- d-----w- c:\program files\Common Files\Uninstall
1766-02-16 13:56 . 1766-02-16 13:56 4263 --sh--w- c:\windows\windllreg1c.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-08-17 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2000-9-17 121856]
NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T\wlan111t.exe [2009-10-9 884840]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2009-8-23 151552]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [10/26/2009 10:52 AM 28552]
R0 sonypvl3;sonypvl3;c:\windows\system32\drivers\sonypvl3.sys [8/23/2009 7:05 AM 18110]
R1 sonypvf3;sonypvf3;c:\windows\system32\drivers\sonypvf3.sys [8/23/2009 7:05 AM 619390]
R1 sonypvt3;sonypvt3;c:\windows\system32\drivers\sonypvt3.sys [8/23/2009 7:05 AM 423454]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [10/9/2009 9:36 AM 17149]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-08 11:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1572)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
c:\windows\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2009-11-08 11:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-08 16:52

Pre-Run: 35,137,044,480 bytes free
Post-Run: 35,377,713,152 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 38FFCDBC219E9902ADA485F8B3A06638
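A defender-side triage helper, added here as an example and not part of this thread or of any BleepingComputer tool. It walks DDS/ComboFix-style lines like those posted above and flags the signs Blade acted on: an mRun entry that launches a bare file name, a file with an impossible 1766 timestamp and hidden+system attributes, and the random-lettered UAC* files ComboFix deleted. It generalizes slightly by also flagging timestamps later than the log itself. The sample lines are constructed from the logs above; the rule names and the 1995 cutoff are my own choices.

```python
import re
from datetime import date
from typing import Dict, List

# Constructed sample: lines copied from the DDS and ComboFix logs posted above
# (two mRun entries, three Find3M file lines and three ComboFix deletion paths).
SAMPLE_LOG = r"""
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSDRV] NetFilter.exe
2009-09-08 13:38 114,688 a------- c:\windows\system32\NetFilter.exe
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
1766-02-16 09:56 4,263 ---sh--- c:\windows\windllreg1c.sys
c:\windows\system32\drivers\UACtiqfpuobxt.sys
c:\windows\system32\UACsvnfjoqeyq.dll
c:\windows\system32\ndisapi.dll
"""

# DDS "uRun:"/"mRun:" autostart entries: [value name] command line
RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# DDS "Created Last 30"/"Find3M" file lines: date time size attributes path
FILE_RE = re.compile(
    r"^(?P<y>\d{4})-(?P<m>\d{2})-(?P<d>\d{2}) \d{2}:\d{2} (?:[\d,]+|<DIR>) "
    r"(?P<attr>[-a-z]{8}) (?P<path>.+)$"
)
# Random-lettered UAC*.sys/.dll/.dat names, as in the ComboFix deletions above
# (a naming scheme used by the TDSS rootkit family).
UAC_RE = re.compile(r"\\UAC[a-z]{8,12}\.(?:sys|dll|dat)$")

OLDEST_PLAUSIBLE_YEAR = 1995  # my own cutoff: nothing on an XP box predates this


def _has_full_path(cmd: str) -> bool:
    """True when the command starts with a drive, UNC or %ENV% path."""
    head = cmd.lstrip('"')
    return re.match(r"^(?:[A-Za-z]:\\|\\\\|%[^%]+%\\)", head) is not None


def triage(log_text: str, log_date: date = date(2009, 11, 8)) -> List[Dict[str, str]]:
    """Return one finding per suspicious line: rule name, offending value, raw line."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            # A bare file name is resolved through the search path at logon,
            # which is how NetFilter.exe in this thread was being launched.
            if not _has_full_path(m.group("cmd")):
                findings.append({"rule": "autorun-without-path",
                                 "value": m.group("cmd"), "line": line})
            continue
        m = FILE_RE.match(line)
        if m:
            year, attr, path = int(m.group("y")), m.group("attr"), m.group("path")
            stamp = "%s-%s-%s" % (m.group("y"), m.group("m"), m.group("d"))
            # Timestomped file: dated before the cutoff or after the log itself.
            if (year < OLDEST_PLAUSIBLE_YEAR
                    or date(year, int(m.group("m")), int(m.group("d"))) > log_date):
                findings.append({"rule": "implausible-timestamp",
                                 "value": stamp, "line": line})
            # DDS attribute string: 's' = system, 'h' = hidden; both set on a
            # loose .sys outside drivers\ is worth a look.
            if "s" in attr and "h" in attr:
                findings.append({"rule": "hidden-system-file",
                                 "value": path, "line": line})
            continue
        if UAC_RE.search(line):
            findings.append({"rule": "uac-random-name", "value": line, "line": line})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per rule, for a quick first-reply overview."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-22s %s" % (f["rule"], f["value"]))
    print(summarize(triage(SAMPLE_LOG)))
```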

#7 Blade


Posted 09 November 2009 - 09:30 AM

Hello jmsntsa.

1. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\windows\windllreg1c.sys

Folder::
c:\documents and settings\new owner\Application Data\Antispyware

Save this as CFScript.txt, in the same location as ComboFix.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

***************************************************

ESET Online Scan

Sometimes malware that is removed from your computer leaves other traces behind. These traces may not be active, but they are unwanted on your computer.
Therefore, by using ESET online scanner it is possible for us to find leftover or missed malware files on your computer and we can now further clean up your computer.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
~Blade


In your next reply, please include the following:
ComboFix Log
ESET Online Scan Results
How is your computer running now?



#8 jmsntsa


Posted 10 November 2009 - 01:36 PM

Thanks Blade,

here's the two logs you requested

James


#9 Blade


Posted 10 November 2009 - 03:16 PM

Hello jmsntsa

It appears that you are still missing one critical kind of program on your computer: An antivirus.
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as possible and run a complete scan of the computer. Without an antivirus you will become infected on a regular basis.

Two good antivirus programs free for non-commercial home use are Avast! and Antivir
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

***************************************************

We need to uninstall ComboFix
  • Click on Start>Run
  • Now type combofix /Uninstall in the runbox and click OK. Notice the space between the "x" and "/".
  • You will then receive a message letting you know that Combofix was uninstalled Successfully.
This will remove files/folders associated with combofix and uninstall it.

***************************************************

After you've done this, then...

Your machine appears to be clean!



I highly recommend that you read through the below set of very helpful suggestions and implement them; they will help protect you from reinfection.

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache!
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Another recommendation is to download HostsMan (http://www.softpedia.com/progDownload/HostsMan-Download-21113.html). It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select at least one of them (I have MVPS Host as my main one)
    • Click "Add Update." After that you will only need to click on the following button to retrieve updates:
      Posted Image
  • Click the X to exit the program.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!



#10 jmsntsa


Posted 10 November 2009 - 04:06 PM

Thank you very much Blade.
You have been very helpful and my experience with BC has been very positive.
I will definitely spread the word.
Thanks again
James

#11 Blade


Posted 10 November 2009 - 05:15 PM

I'm glad I could help.

~Blade



#12 Carolyn


Posted 11 November 2009 - 07:52 AM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Member of ASAP (Alliance of Security Analysis Professionals)