help me out please


  • This topic is locked
2 replies to this topic

#1 eherr9633

  • Members
  • 3 posts

Posted 03 December 2009 - 03:20 PM

I don't have a HijackThis log because I am not there anymore, but I have a ComboFix log and I can't find the Malwarebytes log, but I need help. I think it's still hijacked.

Malwarebytes' Anti-Malware 1.41
Database version: 3285
Windows 5.1.2600 Service Pack 3

12/3/2009 11:15:02 AM
mbam-log-2009-12-03 (11-15-02).txt

Scan type: Quick Scan
Objects scanned: 159182
Time elapsed: 3 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 29
Registry Values Infected: 2
Registry Data Items Infected: 5
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{1b874b54-f4a0-43f1-a236-c2f4e29c910f} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{29dc453b-9430-450f-8943-8f8941d12862} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{478cfc09-02ce-4247-9433-7a5aeba58b9b} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5baba370-cfbc-4f21-91e4-027099fd1c14} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7f609153-8125-4880-90f5-6fe1288c8ffb} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{95b92d92-8b7d-4a19-a3f1-43113b4dbcaf} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c778505d-7760-4939-9d96-76d6fd974b94} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e0b59817-6be1-45de-bcb3-2b9f50105790} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f041045b-7370-4946-8a1a-3d5e4ae07f89} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f097479a-4c20-49f5-aa21-19b1e5015f36} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f610b9f1-1630-4aee-a439-ee2fc3256cb7} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{5297e905-1dfb-4a9c-9871-a4f95fd58945} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0e1230f8-ea50-42a9-983c-d22abc2eed4b} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0e1230f8-ea50-42a9-983c-d22abc2eed4b} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0e1230f8-ea50-42a9-983c-d22abc2eed4b} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0e1230f8-ea50-42a9-983c-d22abc2eed4b} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2741ca04-5b65-4b10-afc0-4e8387fe6bde} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3cea0210-36bf-4f90-9ecb-38fc5c29178b} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{459d5c88-d381-4886-a998-550a89a9dc5a} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5421d77f-8598-423a-a6a7-43febaac90fe} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{54c16a3c-e67c-40af-9ada-e82d536bfacd} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{836ece4e-a83a-404a-9433-6b15a66cb0fc} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9c47183b-6004-421c-b82f-5fdb2da0c320} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9e0b5480-4ff0-4fee-818b-d4db0f220d64} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9e0b5480-4ff0-4fee-818b-d4db0f220d64} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{9e0b5480-4ff0-4fee-818b-d4db0f220d64} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9e0b5480-4ff0-4fee-818b-d4db0f220d64} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c84be710-8d9a-45ae-9676-f319f2675432} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ceab86e6-996d-4eba-979b-4e13d620c11b} (Adware.DoubleD) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0e1230f8-ea50-42a9-983c-d22abc2eed4b} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_options (Backdoor.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.com/?&uid=249&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-19\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.com/?&uid=249&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.com/?&uid=249&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-20\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.com/?&uid=249&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.com/?&uid=249&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\cpant\Application Data\System Defender (Rogue.SystemDefender) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\LexisNexis\PCLAW32\PLIETool.dll (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\76.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\cpant\Application Data\System Defender\Instructions.ini (Rogue.SystemDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\cpant\Application Data\Microsoft\Internet Explorer\Quick Launch\System Defender.lnk (Rogue.SystemDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\cpant\xrt_jpuh.exe (Trojan.Agent) -> Quarantined and deleted successfully.


------------------
Then I ran it again a little later
------------------

ComboFix 09-12-02.08 - cpant 12/03/2009 14:20.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1672 [GMT -5:00]
Running from: e:\clean house utilities\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-11-03 to 2009-12-03 )))))))))))))))))))))))))))))))
.

2009-12-03 16:22 . 2009-12-03 16:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-03 16:09 . 2009-12-03 16:09 -------- d-----w- c:\documents and settings\cpant\Application Data\Malwarebytes
2009-12-03 16:08 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 16:08 . 2009-12-03 16:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-03 16:08 . 2009-12-03 16:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-03 16:08 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-01 19:10 . 2009-12-01 19:10 -------- d-sh--w- c:\documents and settings\All Users\Application Data\WSQXHD_APDM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-03 19:17 . 2009-08-18 19:37 -------- d-----w- c:\documents and settings\cpant\Application Data\Skype
2009-12-03 16:18 . 2009-08-18 19:38 -------- d-----w- c:\documents and settings\cpant\Application Data\skypePM
2009-12-01 18:51 . 2008-06-27 14:07 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-01 16:17 . 2009-01-29 18:38 43877 ----a-w- c:\documents and settings\cpant\xrt_log.dat
2009-10-16 15:10 . 2009-10-16 15:10 -------- d-----w- c:\documents and settings\jcard\Application Data\Yahoo!
2009-09-11 14:18 . 2004-08-11 21:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-11 21:00 58880 ----a-w- c:\windows\system32\msasn1.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-12-01_19.56.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 02:59 . 2008-04-13 18:40 96512 c:\windows\system32\dllcache\atapi.sys
+ 2008-06-27 14:02 . 2009-12-03 16:17 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-06-27 14:02 . 2008-06-27 14:44 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-12-03 16:22 . 2009-12-03 16:17 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-12-03 16:22 . 2009-12-03 16:17 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-06-27 14:02 . 2008-06-27 14:44 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-07-16 25604904]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-18 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-17 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-17 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 137752]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 1036288]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-26 17920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\administrator.CGMDOM\Start Menu\Programs\Startup\
Desktop Application Director 9.LNK - c:\program files\Corel\WordPerfect Office 2000\programs\dad9.exe [2008-6-27 225280]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 1:30 PM 79168]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 5:34 AM 115952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/21/2008 11:51 AM 109616]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {{91d9cee5-3906-40f7-b51a-9b013b59c826} - {836ece4e-a83a-404a-9433-6b15a66cb0fc} -
IE: {{9d2169e0-0775-4080-9b4e-90fce9945b4a} - {2741ca04-5b65-4b10-afc0-4e8387fe6bde} -
TCP: {3671017E-2F23-4ED7-9B3D-D48A68553B57} = 192.168.1.3,192.168.1.4
DPF: {3F777025-3835-4117-B9FA-5E5230669310} - hxxp://fyi1.superiorglacier.com/dataflight_fyi.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-03 14:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-12-03 14:24
ComboFix-quarantined-files.txt 2009-12-03 19:24
ComboFix2.txt 2009-12-01 20:00

Pre-Run: 65,018,867,712 bytes free
Post-Run: 65,018,060,800 bytes free

- - End Of File - - F126B9F40C9B6A242B2F5F933072B1CC
-----------------------------------------------------------------------------------------

I still think it's hijacked. Any help?

I think the xrt_log.dat could be a hijack issue. All Googles are coming back with Google hijack.

Edited by eherr9633, 03 December 2009 - 03:33 PM.



#2 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 17 December 2009 - 09:28 PM

Do you still desire help?
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 21 December 2009 - 04:16 PM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a new topic.



