
Troj/Mbroot-H


  • This topic is locked
17 replies to this topic

#1 ChillerKyle

  • Members

Posted 05 April 2010 - 07:32 AM

I was told to post these results here by posting a new topic.
The link to my previous topic - http://www.bleepingcomputer.com/forums/ind...p;#entry1686146
I ran a DDS and here are the results.

DDS (Ver_10-03-17.01) - NTFSx86
Run by New at 8:06:44.93 on Fri 03/26/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3316.2744 [GMT -4:00]

AV: Webroot AntiVirus with Spy Sweeper *On-access scanning enabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panasonic\PHOTOfunSTUDIO\PhAutoRun.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Defogger.exe
C:\Documents and Settings\New\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.8.0.41\IPSBHO.DLL
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
mRun: [RTHDCPL] "RTHDCPL.EXE"
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [UserFaultCheck] "%systemroot%\system32\dumprep" 0 -u
mRun: [KernelFaultCheck] "%systemroot%\system32\dumprep" 0 -k
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [ArcSoft Connection Service] "c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe"
mRun: [Alcmtr] "ALCMTR.EXE"
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photof~1.lnk - c:\program files\panasonic\photofunstudio\PhAutoRun.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1241453776656
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241453830468
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\new\applic~1\mozilla\firefox\profiles\cxb77nce.default\
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-4-21 29808]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1008000.029\SymEFA.sys [2010-1-28 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1008000.029\BHDrvx86.sys [2010-1-28 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1008000.029\cchpx86.sys [2010-1-28 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100210.001\IDSXpx86.sys [2010-2-15 329592]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.8.0.41\ccSvcHst.exe [2010-1-28 117640]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-11-6 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-6-11 1201640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-26 102448]
R3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [2008-12-24 80256]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100217.005\NAVENG.SYS [2010-2-17 84912]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100217.005\NAVEX15.SYS [2010-2-17 1324720]

=============== Created Last 30 ================

2010-03-26 11:43:45 0 ----a-w- c:\documents and settings\new\defogger_reenable
2010-03-26 11:43:33 50477 ----a-w- C:\Defogger.exe
2010-03-24 17:38:20 472064 ----a-w- C:\RootRepeal.exe
2010-03-24 12:15:07 77312 ----a-w- C:\mbr.exe
2010-03-19 12:09:33 0 d-----w- c:\docume~1\new\applic~1\Malwarebytes
2010-03-19 12:09:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-19 12:09:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-19 12:09:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-19 12:09:25 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-09 17:59:06 0 d-----w- c:\windows\pss
2010-03-08 15:14:42 0 d-----w- c:\docume~1\alluse~1\applic~1\ArcSoft
2010-03-05 13:00:48 26 ----a-w- C:\UpdaterforApp.ini
2010-03-05 12:46:18 245408 ----a-w- c:\windows\system32\unicows.dll
2010-03-05 12:46:18 11776 ----a-w- c:\windows\system32\drivers\afc.sys
2010-03-05 12:46:11 126976 ----a-w- c:\windows\system32\MediaImpression Slideshow.scr
2010-03-05 12:45:44 0 d-----w- c:\windows\system32\MediaImpression Slideshow
2010-03-05 12:41:33 33408 ----a-w- c:\windows\system32\drivers\cdrbsdrv.sys
2010-03-05 12:41:30 59488 ----a-w- c:\windows\system32\GenSvcInst.exe
2010-03-05 12:41:30 145504 ----a-w- c:\windows\system32\bgsvcgen.exe
2010-03-05 12:40:53 45056 ----a-w- c:\windows\system32\PhDi2.sys
2010-03-05 12:07:49 4653 ----a-w- c:\windows\system32\EPPICPattern4.jor
2010-02-24 15:01:27 0 d-----w- c:\program files\Entropia Universe

==================== Find3M ====================

2010-01-14 18:26:13 83160 ----a-w- c:\windows\fonts\DAYROM__.ttf
2010-01-14 18:26:13 30088 ----a-w- c:\windows\fonts\DAYROM_X.ttf
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll

============= FINISH: 8:07:03.62 ===============


Mal/Behav-164 has also just shown up on my Virus Scan!



#2 syler

  • Malware Response Team
  • Location:Warrington, UK

Posted 05 April 2010 - 07:49 AM

Hello ChillerKyle,


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#3 ChillerKyle

  • Topic Starter
  • Members

Posted 05 April 2010 - 08:04 AM

ComboFix 10-04-04.01 - New 04/05/2010 8:58.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3316.2658 [GMT -4:00]
Running from: c:\documents and settings\New\Desktop\ComboFix.exe
AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\progra~1\Webroot\WEBROO~1\Backup\ntSVc.ocx
c:\windows\system32\SHELLLNK.TLB

.
((((((((((((((((((((((((( Files Created from 2010-03-05 to 2010-04-05 )))))))))))))))))))))))))))))))
.

2010-04-05 11:10 . 2010-04-05 11:10 2485883 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\Global Deploy\CheckUpdate\ArcConnect.exe
2010-04-05 11:09 . 2010-02-02 00:20 165240 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2010-04-01 20:11 . 2010-04-01 20:11 -------- d-----w- c:\windows\WinRAR
2010-04-01 20:06 . 2010-04-01 20:06 -------- d-----w- c:\program files\uTorrent
2010-04-01 20:05 . 2010-04-05 13:00 -------- d-----w- c:\documents and settings\New\Application Data\uTorrent
2010-04-01 20:04 . 2010-04-01 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2010-04-01 20:04 . 2010-04-01 20:04 -------- d-----w- c:\program files\Autodesk
2010-04-01 20:04 . 2010-04-01 20:04 12464 ----a-w- c:\windows\system32\drivers\CDAC15BA.SYS
2010-04-01 20:04 . 2010-04-01 20:04 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-04-01 20:04 . 2010-04-01 20:04 54784 ----a-w- c:\windows\system32\drivers\CDAC11BA.EXE
2010-04-01 20:04 . 2010-04-01 20:04 -------- d-----w- c:\documents and settings\New\Local Settings\Application Data\Autodesk
2010-04-01 20:04 . 2010-04-01 20:04 -------- d-----w- c:\program files\AnswerWorks 4.0
2010-04-01 20:04 . 2010-04-01 20:04 -------- d-----w- c:\windows\system32\3082
2010-04-01 20:04 . 2010-04-01 20:04 -------- d-----w- c:\windows\system32\Common Files
2010-04-01 20:03 . 2010-04-01 20:04 -------- d-----w- c:\program files\AutoCAD 2004
2010-04-01 20:03 . 2010-04-01 20:04 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-04-01 20:03 . 2010-04-01 20:03 -------- d-----w- c:\documents and settings\New\Application Data\Autodesk
2010-04-01 20:03 . 2010-04-01 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2010-04-01 18:56 . 2010-04-01 18:56 -------- d-----w- c:\program files\PowerISO
2010-04-01 12:15 . 2010-04-01 15:23 -------- d-----w- c:\documents and settings\New\Local Settings\Application Data\Roblox
2010-04-01 12:11 . 2010-04-01 12:15 -------- d-----w- c:\documents and settings\New\Local Settings\Application Data\RobloxDownloads
2010-04-01 12:11 . 2010-04-01 12:11 -------- d-----w- c:\documents and settings\New\Local Settings\Application Data\RobloxVersions
2010-03-29 14:16 . 2010-03-29 14:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-03-29 14:12 . 2010-03-29 14:12 -------- d-----w- c:\documents and settings\New\Local Settings\Application Data\Temp
2010-03-29 14:12 . 2010-03-29 14:12 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-03-29 14:11 . 2010-03-29 14:13 -------- d-----w- c:\documents and settings\New\Local Settings\Application Data\Google
2010-03-29 14:11 . 2010-03-29 14:12 -------- d-----w- c:\program files\Google
2010-03-26 11:43 . 2010-03-26 11:43 50477 ----a-w- C:\Defogger.exe
2010-03-24 17:38 . 2010-03-24 17:40 472064 ----a-w- C:\RootRepeal.exe
2010-03-24 12:15 . 2010-03-24 12:12 77312 ----a-w- C:\mbr.exe
2010-03-23 14:31 . 2010-03-23 14:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Webroot
2010-03-19 12:10 . 2010-03-19 12:10 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-19 12:09 . 2010-03-19 12:09 -------- d-----w- c:\documents and settings\New\Application Data\Malwarebytes
2010-03-19 12:09 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-19 12:09 . 2010-03-19 12:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-19 12:09 . 2010-03-19 12:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-19 12:09 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-08 17:54 . 2010-03-08 17:54 -------- d-----w- c:\documents and settings\New\Application Data\ArcSoft
2010-03-08 15:14 . 2010-03-11 12:11 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-05 11:10 . 2009-05-04 15:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-23 19:27 . 2009-05-04 21:33 102392 ----a-w- c:\documents and settings\New\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-11 12:38 . 2008-04-14 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-08 15:14 . 2009-05-04 15:59 -------- d-----w- c:\program files\Common Files\InstallShield
2010-03-05 12:49 . 2010-03-05 12:46 -------- d-----w- c:\program files\Common Files\ArcSoft
2010-03-05 12:45 . 2010-03-05 12:45 -------- d-----w- c:\program files\ArcSoft
2010-03-05 12:43 . 2010-03-05 12:43 -------- d-----w- c:\documents and settings\New\Application Data\Panasonic
2010-03-05 12:40 . 2010-03-05 12:40 -------- d-----w- c:\program files\Panasonic
2010-03-05 12:39 . 2010-03-05 12:39 -------- d-----w- c:\documents and settings\New\Application Data\InstallShield
2010-03-04 16:45 . 2010-03-19 18:24 171234 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-02-25 20:11 . 2009-06-11 18:56 164 ----a-w- c:\windows\install.dat
2010-02-24 15:01 . 2010-02-24 15:01 -------- d-----w- c:\program files\Entropia Universe
2010-02-03 09:00 . 2010-02-17 18:00 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100217.005\NAVENG.SYS
2010-02-03 09:00 . 2010-02-17 18:00 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100217.005\NAVEX15.SYS
2010-01-14 18:24 . 2009-12-10 00:43 1 ----a-w- c:\documents and settings\New\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-05-13 19:34 238968 ----a-w- c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-04-01 319792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-16 16384512]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-04-09 200704]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-11-06 6515784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
PHOTOfunSTUDIO HD Edition.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO\PhAutoRun.exe [2010-3-5 44176]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"4466:TCP"= 4466:TCP:Services
"7432:TCP"= 7432:TCP:Services

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/21/2009 6:27 PM 29808]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1008000.029\SymEFA.sys [1/28/2010 8:27 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1008000.029\BHDrvx86.sys [1/28/2010 8:27 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1008000.029\cchpx86.sys [1/28/2010 8:27 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100210.001\IDSXpx86.sys [2/15/2010 8:23 AM 329592]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe [1/28/2010 8:27 AM 117640]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [6/11/2009 2:57 PM 1201640]
R3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [12/24/2008 5:40 AM 80256]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/29/2010 10:11 AM 136176]
.
Contents of the 'Scheduled Tasks' folder

2010-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-29 14:11]

2010-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-29 14:11]

2010-04-05 c:\windows\Tasks\wrSpySweeper_LDE109FAE8ABF4947B929B921F9534160.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-06-11 20:19]

2010-04-05 c:\windows\Tasks\wrSpySweeper_LDE109FAE8ABF4947B929B921F9534160.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-06-11 20:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\New\Application Data\Mozilla\Firefox\Profiles\cxb77nce.default\
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
Completion time: 2010-04-05 09:03:18
ComboFix-quarantined-files.txt 2010-04-05 13:03

Pre-Run: 66,650,968,064 bytes free
Post-Run: 67,156,545,536 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 75E899FE244B43D69A655678FA6687EF


#4 syler

  • Malware Response Team
  • Location:Warrington, UK

Posted 05 April 2010 - 08:26 AM

I don't see much wrong there. Mebroot appears to be inactive now. Can you tell me how the computer is running and if you are having any issues?


You still have some leftovers from an incomplete uninstallation of Norton security products on your computer.
To remove the leftovers please download and run the Norton Removal Tool.

Note: The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer.
If you use ACT! or WinFAX, back up those databases before you proceed.




1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=-
"52344:TCP"=-
"3246:TCP"=-
"2479:TCP"=-
"3389:TCP"=-
"4466:TCP"=-
"7432:TCP"=-


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Please do a scan with ESET OnlineScan

Note: If you run this in a browser other than IE you will be asked to download and install esetsmartinstaller_enu.exe
  • Click the button.
  • Check
  • Click the button.
  • Accept any security warnings from your browser and allow it to install the ActiveX control.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push


Then please post back here with the following logs:
  • Combofix.txt
  • ESET report

Thanks

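As an added example (not code from this thread and not part of ComboFix), the following Python helper reads the GloballyOpenPorts section of a ComboFix log laid out like the one posted above, flags firewall exceptions that carry only the generic label "Services", and emits the same kind of CFScript Registry:: block the helper posted. The sample log text is constructed from the entries in the thread; the KNOWN_NAMES allow-list is an assumption (the helper here chose to remove the Remote Desktop entry as well, so trim the list to match the case at hand).

```python
"""Parse the GloballyOpenPorts block of a ComboFix log, flag unexplained
firewall exceptions, and render a CFScript that deletes them.

Added example; not from the thread and not part of ComboFix."""
import re

# Constructed sample shaped like the firewall section of the ComboFix log
# above: the bracketed key line, then one "port:proto"= port:proto:Name
# value per line, terminated by a blank line before the next section.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"7432:TCP"= 7432:TCP:Services

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/21/2009 6:27 PM 29808]
"""

PORTS_KEY = (r"HKLM\~\services\sharedaccess\parameters\firewallpolicy"
             r"\standardprofile\GloballyOpenPorts\List")

# Assumed allow-list of exception names an administrator can account for.
# Anything else, in particular the bare label "Services", gets flagged.
KNOWN_NAMES = {"remote desktop", "file and printer sharing", "upnp framework"}

ENTRY_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*'
                      r'(?P=port):(?P=proto):(?P<name>.*)$')


def parse_open_ports(log_text):
    """Return [(port, proto, name)] for every value in the GloballyOpenPorts
    block. The block runs from the bracketed key line to the first blank
    line, which is how ComboFix separates registry sections."""
    entries = []
    in_block = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_block = line[1:-1].lower() == PORTS_KEY.lower()
            continue
        if not in_block:
            continue
        if not line:
            in_block = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m["port"]), m["proto"], m["name"].strip()))
    return entries


def suspicious_ports(entries):
    """Keep only exceptions whose name is not on the allow-list, e.g. the
    high TCP ports labelled just "Services" in the log above."""
    return [(p, proto, name) for p, proto, name in entries
            if name.lower() not in KNOWN_NAMES]


def build_cfscript(flagged):
    """Render the CFScript Registry:: block. A value set to "-" is deleted,
    which is the syntax the helper used in the thread."""
    lines = ["Registry::", f"[{PORTS_KEY}]"]
    lines += [f'"{port}:{proto}"=-' for port, proto, _ in flagged]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_LOG)
    bad = suspicious_ports(found)
    for port, proto, name in bad:
        print(f"unexplained firewall exception: {port}/{proto} ({name!r})")
    print(build_cfscript(bad))
```

Run it against a saved C:\ComboFix.txt instead of SAMPLE_LOG to review the exceptions before deciding what the CFScript should delete.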


#5 ChillerKyle

  • Topic Starter
  • Members

Posted 05 April 2010 - 12:19 PM

I have tried the ESET OnlineScan several times but it refuses to load; I will continue to try it. The computer seems to be running at half speed, and the internet freezes every once in a while. Firefox indefinitely freezes the computer as if it were on a time limit.

Here are the new results:

ComboFix 10-04-04.01 - New 04/05/2010 11:06:15.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3316.2634 [GMT -4:00]
Running from: c:\documents and settings\New\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\New\Desktop\CFScript.txt
AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.

((((((((((((((((((((((((( Files Created from 2010-03-05 to 2010-04-05 )))))))))))))))))))))))))))))))
.

2010-04-05 11:10 . 2010-04-05 11:10 2485883 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\Global Deploy\CheckUpdate\ArcConnect.exe
2010-04-05 11:09 . 2010-02-02 00:20 165240 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2010-04-01 20:11 . 2010-04-01 20:11 -------- d-----w- c:\windows\WinRAR
2010-04-01 20:06 . 2010-04-01 20:06 -------- d-----w- c:\program files\uTorrent
2010-04-01 20:05 . 2010-04-05 15:00 -------- d-----w- c:\documents and settings\New\Application Data\uTorrent
2010-04-01 20:04 . 2010-04-01 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2010-04-01 20:04 . 2010-04-01 20:04 -------- d-----w- c:\program files\Autodesk
2010-04-01 20:04 . 2010-04-01 20:04 12464 ----a-w- c:\windows\system32\drivers\CDAC15BA.SYS
2010-04-01 20:04 . 2010-04-01 20:04 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-04-01 20:04 . 2010-04-01 20:04 54784 ----a-w- c:\windows\system32\drivers\CDAC11BA.EXE
2010-04-01 20:04 . 2010-04-01 20:04 -------- d-----w- c:\documents and settings\New\Local Settings\Application Data\Autodesk
2010-04-01 20:04 . 2010-04-01 20:04 -------- d-----w- c:\program files\AnswerWorks 4.0
2010-04-01 20:04 . 2010-04-01 20:04 -------- d-----w- c:\windows\system32\3082
2010-04-01 20:04 . 2010-04-01 20:04 -------- d-----w- c:\windows\system32\Common Files
2010-04-01 20:03 . 2010-04-01 20:04 -------- d-----w- c:\program files\AutoCAD 2004
2010-04-01 20:03 . 2010-04-01 20:04 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-04-01 20:03 . 2010-04-01 20:03 -------- d-----w- c:\documents and settings\New\Application Data\Autodesk
2010-04-01 20:03 . 2010-04-01 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2010-04-01 18:56 . 2010-04-01 18:56 -------- d-----w- c:\program files\PowerISO
2010-04-01 12:15 . 2010-04-01 15:23 -------- d-----w- c:\documents and settings\New\Local Settings\Application Data\Roblox
2010-04-01 12:11 . 2010-04-01 12:15 -------- d-----w- c:\documents and settings\New\Local Settings\Application Data\RobloxDownloads
2010-04-01 12:11 . 2010-04-01 12:11 -------- d-----w- c:\documents and settings\New\Local Settings\Application Data\RobloxVersions
2010-03-29 14:16 . 2010-03-29 14:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-03-29 14:12 . 2010-03-29 14:12 -------- d-----w- c:\documents and settings\New\Local Settings\Application Data\Temp
2010-03-29 14:12 . 2010-03-29 14:12 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-03-29 14:11 . 2010-03-29 14:13 -------- d-----w- c:\documents and settings\New\Local Settings\Application Data\Google
2010-03-29 14:11 . 2010-03-29 14:12 -------- d-----w- c:\program files\Google
2010-03-26 11:43 . 2010-03-26 11:43 50477 ----a-w- C:\Defogger.exe
2010-03-24 17:38 . 2010-03-24 17:40 472064 ----a-w- C:\RootRepeal.exe
2010-03-24 12:15 . 2010-03-24 12:12 77312 ----a-w- C:\mbr.exe
2010-03-23 14:31 . 2010-03-23 14:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Webroot
2010-03-19 12:10 . 2010-03-19 12:10 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-19 12:09 . 2010-03-19 12:09 -------- d-----w- c:\documents and settings\New\Application Data\Malwarebytes
2010-03-19 12:09 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-19 12:09 . 2010-03-19 12:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-19 12:09 . 2010-03-19 12:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-19 12:09 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-08 17:54 . 2010-03-08 17:54 -------- d-----w- c:\documents and settings\New\Application Data\ArcSoft
2010-03-08 15:14 . 2010-03-11 12:11 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-05 11:10 . 2009-05-04 15:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-23 19:27 . 2009-05-04 21:33 102392 ----a-w- c:\documents and settings\New\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-11 12:38 . 2008-04-14 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-08 15:14 . 2009-05-04 15:59 -------- d-----w- c:\program files\Common Files\InstallShield
2010-03-05 12:49 . 2010-03-05 12:46 -------- d-----w- c:\program files\Common Files\ArcSoft
2010-03-05 12:45 . 2010-03-05 12:45 -------- d-----w- c:\program files\ArcSoft
2010-03-05 12:43 . 2010-03-05 12:43 -------- d-----w- c:\documents and settings\New\Application Data\Panasonic
2010-03-05 12:40 . 2010-03-05 12:40 -------- d-----w- c:\program files\Panasonic
2010-03-05 12:39 . 2010-03-05 12:39 -------- d-----w- c:\documents and settings\New\Application Data\InstallShield
2010-03-04 16:45 . 2010-03-19 18:24 171234 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-02-25 20:11 . 2009-06-11 18:56 164 ----a-w- c:\windows\install.dat
2010-02-24 15:01 . 2010-02-24 15:01 -------- d-----w- c:\program files\Entropia Universe
2010-02-03 09:00 . 2010-02-17 18:00 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100217.005\NAVENG.SYS
2010-02-03 09:00 . 2010-02-17 18:00 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100217.005\NAVEX15.SYS
2010-01-14 18:24 . 2009-12-10 00:43 1 ----a-w- c:\documents and settings\New\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-05-13 19:34 238968 ----a-w- c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-04-01 319792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-16 16384512]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-04-09 200704]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-11-06 6515784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
PHOTOfunSTUDIO HD Edition.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO\PhAutoRun.exe [2010-3-5 44176]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/21/2009 6:27 PM 29808]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1008000.029\SymEFA.sys [1/28/2010 8:27 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1008000.029\BHDrvx86.sys [1/28/2010 8:27 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1008000.029\cchpx86.sys [1/28/2010 8:27 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100210.001\IDSXpx86.sys [2/15/2010 8:23 AM 329592]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe [1/28/2010 8:27 AM 117640]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [6/11/2009 2:57 PM 1201640]
R3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [12/24/2008 5:40 AM 80256]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/29/2010 10:11 AM 136176]
.
Contents of the 'Scheduled Tasks' folder

2010-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-29 14:11]

2010-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-29 14:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\New\Application Data\Mozilla\Firefox\Profiles\cxb77nce.default\
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-05 11:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5396)
c:\windows\system32\WININET.dll
c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-04-05 11:08:46
ComboFix-quarantined-files.txt 2010-04-05 15:08
ComboFix2.txt 2010-04-05 13:03

Pre-Run: 67,091,554,304 bytes free
Post-Run: 67,140,816,896 bytes free

- - End Of File - - F1D40C1D7DCFA45B443DA889BD00A351


#6 ChillerKyle

ChillerKyle
  • Topic Starter

  • Members
  • 16 posts

Posted 05 April 2010 - 01:34 PM

Now the computer is not letting me open programs; the Windows XP Security Center you told me to install is showing hundreds of viruses that DO NOT EXIST, and the computer is starting to die. I really need some help here before I say F*** it and reinstall Windows.

#7 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 05 April 2010 - 02:42 PM

QUOTE
the Windows XP Security Center you told me to install


I didn't tell you to install anything like that.


Update Malwarebytes and run a quick scan then post the log.


#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 07 April 2010 - 01:15 PM

Are you still with me? Please let me know if you still need my help; if you have solved your issues, I would also appreciate you letting me know.


#9 ChillerKyle

ChillerKyle
  • Topic Starter

  • Members
  • 16 posts

Posted 08 April 2010 - 07:16 AM

I apologize for my rudeness; however, I have reviewed the file that gave me issues and looked on this page. If you would so kindly check your post - allow ComboFix to download and install the Microsoft Windows Recovery Console - that is the program that disabled my computer by telling me hundreds of viruses had infected my computer. The computer is still having issues, moving extremely slowly, and Firefox still freezes. I ran Malwarebytes and here are the unfortunate results.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3959

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

4/8/2010 8:11:25 AM
mbam-log-2010-04-08 (08-11-25).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|)
Objects scanned: 240650
Time elapsed: 36 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 08 April 2010 - 07:52 AM

QUOTE
Microsoft Windows Recovery Console - and that is the program that disabled my computer by telling me hundreds of viruses had infected my computer


Let me get this correct then: are you telling me that Microsoft Windows Recovery Console keeps popping up and telling you there are hundreds of infections? Because this would not be possible, as it doesn't do anything like that, so I don't think I'm getting what you're saying correctly?


  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.
cmd /c mbr -t& start mbr.log
  • A file called mbr.log will pop up; please post the contents in your reply.


#11 ChillerKyle

ChillerKyle
  • Topic Starter

  • Members
  • 16 posts

Posted 08 April 2010 - 08:10 AM

Perhaps I have a virus disguising itself as the program. I did as you asked and received this message: Windows cannot find 'mbr.log'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and than click Search.

#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 08 April 2010 - 08:20 AM

Perhaps, but I haven't heard of that before. Anyway, let's try and get an mbr log.

  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.
cmd /c c:\mbr.exe -t& start mbr.log
  • A file called mbr.log will pop up; please post the contents in your reply.


#13 ChillerKyle

ChillerKyle
  • Topic Starter

  • Members
  • 16 posts

Posted 08 April 2010 - 09:15 AM

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
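
The mbr.log above has two separate parts worth reading on their own: the MBR check itself (the user-mode and kernel reads of sector 0 agreeing, "user & kernel MBR OK") and the sectors the tool flagged elsewhere on the disk (a saved copy of the MBR, "malicious code", a PE file). As an added example, not code from Gmer or from anyone in this thread, here is a small Python parser that reads this tool's output and keeps those two parts apart so a log can be triaged consistently. The sample text is the log from this post; the line patterns are assumed from that output format and the verdict labels are this example's own.

```python
"""Parse output of Gmer's Stealth MBR rootkit detector (mbr.exe) for triage.
Added example; line formats are assumed from the log posted in the thread."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the mbr.log text exactly as posted in this thread.
SAMPLE_MBR_LOG = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
"""

# Line patterns (assumed from the output format shown above).
_VERSION = re.compile(r"detector (\S+) by Gmer")
_MODULES = re.compile(r"^called modules:\s*(.*)$")
_COPY = re.compile(r"copy of MBR has been found in sector (0x[0-9A-Fa-f]+)")
_CODE = re.compile(r"malicious code @ sector (0x[0-9A-Fa-f]+)")
_PE = re.compile(r"PE file found in sector at (0x[0-9A-Fa-f]+)")


@dataclass
class MbrReport:
    tool_version: Optional[str] = None
    device_opened: bool = False
    user_mbr_read: bool = False    # sector 0 read through the normal user-mode path
    kernel_mbr_read: bool = False  # sector 0 read by the tool's own kernel driver
    mbr_consistent: bool = False   # "user & kernel MBR OK": the two reads agree
    called_modules: List[str] = field(default_factory=list)
    mbr_copy_sector: Optional[int] = None
    malicious_code_sectors: List[int] = field(default_factory=list)
    pe_file_sectors: List[int] = field(default_factory=list)

    def residue_sectors(self) -> List[int]:
        """Every sector the tool flagged outside the MBR itself, sorted."""
        sectors = list(self.malicious_code_sectors) + list(self.pe_file_sectors)
        if self.mbr_copy_sector is not None:
            sectors.append(self.mbr_copy_sector)
        return sorted(set(sectors))


def parse_mbr_log(text: str) -> MbrReport:
    """Turn mbr.exe output into an MbrReport; lines it does not know are ignored."""
    r = MbrReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := _VERSION.search(line):
            r.tool_version = m.group(1)
        elif line == "device: opened successfully":
            r.device_opened = True
        elif line == "user: MBR read successfully":
            r.user_mbr_read = True
        elif line == "kernel: MBR read successfully":
            r.kernel_mbr_read = True
        elif line == "user & kernel MBR OK":
            r.mbr_consistent = True
        elif m := _MODULES.match(line):
            r.called_modules = m.group(1).split()
        elif m := _COPY.search(line):
            r.mbr_copy_sector = int(m.group(1), 16)
        elif m := _CODE.search(line):
            r.malicious_code_sectors.append(int(m.group(1), 16))
        elif m := _PE.search(line):
            r.pe_file_sectors.append(int(m.group(1), 16))
    return r


def assess(r: MbrReport) -> str:
    """Coarse verdict: the MBR check comes first, flagged sectors second."""
    if not (r.user_mbr_read and r.kernel_mbr_read and r.mbr_consistent):
        # Sector 0 could not be read both ways, or the two views differ:
        # the MBR itself needs attention before anything else.
        return "mbr_unreadable_or_mismatch"
    if r.residue_sectors():
        # Both reads of the MBR agree, but the tool found a saved MBR copy
        # and/or code elsewhere on the disk: remnants to examine, not a clean run.
        return "mbr_ok_residue_found"
    return "clean"


if __name__ == "__main__":
    report = parse_mbr_log(SAMPLE_MBR_LOG)
    print(f"mbr.exe {report.tool_version}: verdict={assess(report)}")
    for s in report.residue_sectors():
        print(f"  flagged sector 0x{s:08X}")
```

Run as a script it prints the verdict and the three flagged sectors for the log above; pasting a different mbr.log into SAMPLE_MBR_LOG (or reading it from a file) gives the same structured summary, which is easier to compare across several runs than the raw text.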


#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 08 April 2010 - 09:41 AM

I don't see anything wrong there; can you post a new DDS log, please?


#15 ChillerKyle

ChillerKyle
  • Topic Starter

  • Members
  • 16 posts

Posted 08 April 2010 - 10:38 AM

It will no longer allow me to run DDS. It opens Notepad and it begins with - MZ   @  !L!This program cannot be run in DOS mode.

$ PE L +I  2 n Z   @     0  f         
