HELP cant get into ANTI-VIRUS sites


This topic is locked
3 replies to this topic

#1 reinster

reinster

  • Members
  • 2 posts
  • OFFLINE
  • Local time:05:53 PM

Posted 22 March 2010 - 10:36 AM

Hello. I'm running Windows XP Pro. I can't update my antivirus and, worse, I can't visit any antivirus sites. I manually updated my antivirus and did a scan; I also did Malwarebytes, Uniblue and Spybot scans, but I still can't get to the sites. I bumped into ComboFix and here is my log. Please help me... thanks.



ComboFix 10-03-21.05 - Elijah 03/22/2010 23:19:27.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.550 [GMT 8:00]
Running from: c:\documents and settings\Elijah\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\dfinstall.log
c:\documents and settings\Elijah\Application Data\inst.exe
c:\windows\system32\msconfig.exe
c:\windows\system32\msvcsv60.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-22 to 2010-03-22 )))))))))))))))))))))))))))))))
.

2010-03-22 15:23 . 2010-03-22 15:23 -------- d-----w- c:\windows\system32\xircom
2010-03-22 15:23 . 2010-03-22 15:23 -------- d-----w- c:\windows\system32\wbem\snmp
2010-03-22 15:23 . 2010-03-22 15:23 -------- d-----w- c:\windows\srchasst
2010-03-22 13:08 . 2010-03-22 13:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-22 13:08 . 2010-03-22 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-22 07:44 . 2010-03-22 07:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Uniblue
2010-03-22 07:44 . 2010-01-10 19:41 20232 ----a-w- c:\windows\system32\AntiSpyNative64.exe
2010-03-22 07:44 . 2010-01-10 19:41 16648 ----a-w- c:\windows\system32\AntiSpyNative32.exe
2010-03-22 07:26 . 2010-03-22 07:43 25254808 ----a-w- c:\documents and settings\Elijah\Application Data\Uniblue\SpyEraser\SpyEraser_Setup_3_22_2010.exe
2010-03-21 15:18 . 2010-03-21 15:18 82258 ----a-w- c:\windows\system32\drivers\klin.dat
2010-03-21 15:18 . 2010-03-21 15:18 82258 ----a-w- c:\windows\system32\drivers\klick.dat
2010-03-21 15:17 . 2010-03-22 15:22 6123296 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-03-21 15:17 . 2010-03-22 15:22 15136 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-03-21 15:17 . 2010-03-22 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-22 15:23 . 2010-03-22 15:23 -------- d-----w- c:\program files\microsoft frontpage
2010-03-22 15:22 . 2010-03-21 15:17 39068 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-03-22 15:22 . 2010-03-21 15:17 2180 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-03-22 12:54 . 2009-09-26 06:01 -------- d-----w- c:\program files\Visual Thesaurus 3
2010-03-22 12:54 . 2009-09-26 03:53 -------- d-----w- c:\program files\Windows Media Connect 2
2010-03-22 12:54 . 2009-09-26 03:00 -------- d-----w- c:\program files\Codec Pack - All In 1
2010-03-22 12:54 . 2009-09-26 03:00 -------- d-----w- c:\program files\XviD
2010-03-22 12:54 . 2009-09-26 02:58 -------- d-----w- c:\program files\Your Uninstaller 2008
2010-03-21 23:49 . 2009-09-26 03:42 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-03-21 23:49 . 2009-09-26 03:42 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-03-21 15:21 . 2009-09-26 04:27 -------- d-----w- c:\program files\Kaspersky Lab
2010-03-21 15:12 . 2009-09-26 02:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-18 15:14 . 2010-02-02 15:30 -------- d-----w- c:\program files\GEORGE
2010-02-06 09:41 . 2009-10-09 01:40 16 ----a-w- c:\windows\msocreg32.dat
2010-02-06 09:26 . 2009-10-09 01:40 -------- d-----w- c:\documents and settings\Elijah\Application Data\Cakewalk
2008-04-14 03:41 . 2008-04-14 03:41 159894 --sha-r- c:\windows\system32\pocxg.dll
.

------- Sigcheck -------


[-] 2008-05-13 . 68F06FE0021B01E670AF37B8C5964FDF . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys



c:\windows\System32\drivers\beep.sys ... is missing !!
c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\regsvc.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2008-07-10 00:23 97064 ----a-w- c:\program files\Nero\Nero8\InCD\NBHShx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USB Safely Remove"="c:\program files\USB Safely Remove\USBSafelyRemove.exe" [2008-12-06 755200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USB Antivirus"="c:\program files\USB Disk Security\USBGuard.exe" [2008-09-23 798720]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-25 8491008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-04-14 99840]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\DiskTrix\\UltimateDefrag2008\\UDefrag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6732:TCP"= 6732:TCP:pnbrwu

R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [7/10/2008 8:23 AM 53032]
R2 USBSafelyRemoveService;USB Safely Remove Assistant;c:\program files\USB Safely Remove\USBSRService.exe [9/26/2009 12:09 PM 206608]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/4/2007 2:58 PM 24344]
S2 xseyq;Update Microsoft;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 11:42 AM 14336]
S3 DualCoreCenter;DualCoreCenter;c:\program files\MSI\DualCoreCenter\NTGLM7X.sys [9/26/2009 10:42 AM 28160]
S3 RushTopDevice2;RushTopDevice2;c:\program files\MSI\DualCoreCenter\RushTop.sys [9/26/2009 10:42 AM 56320]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HELPSVC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
xseyq

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-08-20 05:24 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-03-22 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 08:28]

2010-03-22 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2009-09-26 19:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.microsoft.com
mStart Page = hxxp://www.microsoft.com
mWindow Title = Microsoft Internet Explorer
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Elijah\Application Data\Mozilla\Firefox\Profiles\4i44uxm1.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://ph.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=966134&p=
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xseyq]
"ServiceDll"="c:\windows\system32\pocxg.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-436374069-484763869-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{34E773E6-C34A-03FE-63DF-ED80BF72F1A0}*]
"hagcpldladfblihk"=hex:6b,61,64,6f,6a,65,6e,6d,6e,61,66,68,61,61,6e,6c,67,6a,
64,69,69,65,00,00
"iaadekgpaahhhecfdp"=hex:6b,61,64,6f,6a,65,6e,6d,6e,61,63,68,68,70,62,68,6d,65,
67,6e,67,63,00,00
"haeejbkcclnbmhpb"=hex:65,61,65,63,68,65,68,69,6e,6f,00,00
"haeejbkcnkingfde"=hex:65,61,65,63,68,65,68,69,6e,6f,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1036)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(1092)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll

- - - - - - - > 'explorer.exe'(3532)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\program files\Nero\Nero8\InCD\NBHShx.dll
c:\program files\Nero\Nero8\InCD\NBHStr.dll
c:\program files\Common Files\Nero\Shared\NL3\AdvrCntr3.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\scrchpg.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Nero\Nero8\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\windows\System32\TUProgSt.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
.
**************************************************************************
.
Completion time: 2010-03-22 23:25:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-22 15:25

Pre-Run: 14,876,696,576 bytes free
Post-Run: 14,780,641,280 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer /TUTag=4ZE5DU /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (TuneUp Backup)" /noexecute=optin /fastdetect /usepmtimer /TUTag=4ZE5DU-BAK

- - End Of File - - 705954F7D9F819622B29885E839EE4C5
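One way a helper could triage a log like the one above mechanically, as an added example that is not part of this thread and not ComboFix's own code: a Python script that parses a few of the log's sections and flags the tampering indicators the posted log shows (Security Center monitoring disabled, Windows Firewall off, a globally opened port, and an svchost-hosted service whose ServiceDll is a hidden+system file). The sample lines are constructed from the posted log; the rules, and the reading of ComboFix's attribute column (d = directory, s = system, h = hidden), are assumptions.

```python
"""Triage a ComboFix log for security-tampering and persistence indicators.

Added example, not code from this thread or from ComboFix. The heuristics
below are assumptions about what a helper looks for in a log; the sample
input is constructed from lines in the posted log.
"""
import re

# Constructed sample in ComboFix's own layout (a subset of the posted log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6732:TCP"= 6732:TCP:pnbrwu

R2 USBSafelyRemoveService;USB Safely Remove Assistant;c:\program files\USB Safely Remove\USBSRService.exe [9/26/2009 12:09 PM 206608]
S2 xseyq;Update Microsoft;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 11:42 AM 14336]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xseyq]
"ServiceDll"="c:\windows\system32\pocxg.dll"

2008-04-14 03:41 . 2008-04-14 03:41 159894 --sha-r- c:\windows\system32\pocxg.dll
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")                       # [registry key]
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[[^\]]*\]$")  # R2 name;display;image [...]
SERVICEDLL_RE = re.compile(r'^"ServiceDll"="(.+)"$')
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=')
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.+?)$')
FILE_RE = re.compile(                                        # date . date size attrs path
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(\S+)\s+(\S+)\s+(.+)$"
)


def reg_int(value):
    """Parse the value renderings ComboFix uses: 'dword:00000001' or '1 (0x1)'."""
    token = value.split()[0].lower()
    if token.startswith("dword:"):
        return int(token[len("dword:"):], 16)
    try:
        return int(token, 0)
    except ValueError:
        return None


def triage(log_text):
    """Return a list of findings, each a dict with 'rule' and 'detail'."""
    findings = []
    section = ""
    svchost_services = {}  # service name -> display name, for 'svchost.exe -k' hosted services
    service_dlls = {}      # service name -> ServiceDll path from its registry key
    hidden_files = set()   # lowercase paths whose attribute column shows system + hidden

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = SERVICE_RE.match(line)
        if m:
            _state, name, display, image = m.groups()
            if "svchost.exe -k" in image.lower():
                svchost_services[name.lower()] = display
            continue
        m = SERVICEDLL_RE.match(line)
        if m and "\\services\\" in section:
            service_dlls[section.rsplit("\\", 1)[-1]] = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m:
            _size, attrs, path = m.groups()
            # Assumption: 'd' = directory, 's' = system, 'h' = hidden (e.g. '--sha-r-').
            if not attrs.startswith("d") and "s" in attrs and "h" in attrs:
                hidden_files.add(path.lower())
            continue
        m = PORT_RE.match(line)
        if m and section.endswith("globallyopenports\\list"):
            findings.append({"rule": "globally_open_port",
                             "detail": f"firewall exception opens {m.group(1)}/{m.group(2)} to all hosts"})
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        product = section.rsplit("\\", 1)[-1]
        if "security center\\monitoring" in section and key == "disablemonitoring" and reg_int(value) == 1:
            findings.append({"rule": "security_center_monitoring_disabled",
                             "detail": f"{product}: DisableMonitoring=1"})
        elif section.endswith("firewallpolicy\\standardprofile") and key == "enablefirewall" and reg_int(value) == 0:
            findings.append({"rule": "firewall_disabled",
                             "detail": "Windows Firewall standard profile: EnableFirewall=0"})

    # Cross-reference: an svchost-hosted service whose DLL is a hidden+system file.
    for name, display in svchost_services.items():
        dll = service_dlls.get(name)
        if dll is None:
            findings.append({"rule": "svchost_service_without_servicedll",
                             "detail": f"service {name} ({display!r}) is svchost-hosted but no ServiceDll was listed"})
        elif dll.lower() in hidden_files:
            findings.append({"rule": "svchost_service_hidden_dll",
                             "detail": f"service {name} ({display!r}) loads {dll}, a hidden+system file"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding['rule']}] {finding['detail']}")
```

The cross-reference step is the useful part: a service named like a Windows component ("Update Microsoft") that runs inside svchost and points at a hidden, system-attributed DLL is exactly the pattern a helper would ask the poster to quarantine, and the firewall and Security Center entries explain why the antivirus could no longer update.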


#2 reinster

reinster
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:05:53 PM

Posted 22 March 2010 - 10:53 AM

Anyone? Please help...


===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone who is not familiar with your issue to assist you and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the Malware Response Team. The reason we ask this, or do not respond to your requests, is that doing so would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work on may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, up to more than a week, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Elise - forum moderator

Edited by elise025, 23 March 2010 - 07:46 AM.


#3 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:12:53 PM

Posted 26 March 2010 - 04:05 AM

reinster,

First of all, ComboFix should be run under the supervision of a trained helper only, and secondly, you didn't post the logs that topic openers are requested to post.

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double-click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

  • Download GMER here by clicking the "download exe" button and then saving it to your desktop:
    • Double-click the .exe that you downloaded.
    • Click the Rootkit tab and then Scan.
    • Don't check the Show All box while scanning is in progress!
    • When scanning is ready, click Copy. This copies the log to the clipboard.
    • Post the log in your reply (if the log is long, archive it into a zip file and attach it instead of posting).

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:12:53 PM

Posted 31 March 2010 - 09:14 AM

Due to inactivity, this thread will now be closed. Should you have the same or a new issue, please start a New Topic.
