personal security virus


This topic is locked
2 replies to this topic

#1 ghost tx

  • Members
  • 2 posts
  • Gender:Male
  • Location:texas

Posted 20 April 2010 - 08:04 PM

can someone help






ComboFix 10-04-19.08 - Mayra 03/25/2010 19:40:09.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.239.74 [GMT -5:00]
Running from: c:\documents and settings\Mayra\My Documents\Downloads\ComboFix.exe
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1409082233-1580436667-1957994488-1003
c:\windows\system32\download
c:\windows\system32\Download\ispinfo.csv
c:\windows\system32\win32extension.dll
c:\windows\system32\winsrc.dll.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RPCPATCH


((((((((((((((((((((((((( Files Created from 2010-02-26 to 2010-03-26 )))))))))))))))))))))))))))))))
.

2010-03-05 05:58 . 2010-03-05 05:58 -------- d-----w- c:\documents and settings\Mayra\Application Data\Malwarebytes
2010-03-05 05:57 . 2010-03-30 06:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-05 05:57 . 2010-03-05 05:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-05 05:57 . 2010-03-30 06:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-05 05:57 . 2010-03-05 05:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-05 05:03 . 2006-07-10 23:38 30592 ----a-w- c:\windows\system32\drivers\ikhfile.sys
2010-03-05 05:03 . 2006-08-24 18:40 51072 ----a-w- c:\windows\system32\drivers\ikhlayer.sys
2010-03-05 05:03 . 2010-03-05 05:51 -------- d-----w- c:\program files\Spyware Doctor
2010-03-05 05:03 . 2010-03-05 05:03 -------- d-----w- c:\documents and settings\Mayra\Application Data\PC Tools
2010-03-05 01:52 . 2010-03-05 01:52 -------- d-----w- c:\program files\Common Files\PersonSecurityUninstall
2010-03-05 01:50 . 2010-03-05 01:52 -------- d-----w- c:\program files\PersonSecurity
2010-03-05 01:49 . 2010-03-05 01:49 38912 ----a-w- c:\windows\system32\winxkk32.dll
2010-03-04 00:53 . 2010-03-04 00:53 -------- d-----w- c:\documents and settings\Mayra\Application Data\AnvSoft
2010-03-04 00:52 . 2010-03-04 00:52 -------- d-----w- c:\program files\AnvSoft
2010-03-03 22:01 . 2010-03-03 22:01 -------- d-----w- c:\program files\Windows Media Connect 2
2010-03-03 21:52 . 2010-03-03 21:56 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-03-03 21:52 . 2010-03-03 21:52 -------- d-----w- c:\windows\system32\LogFiles
2010-03-03 20:42 . 2006-10-27 01:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2010-03-03 20:42 . 2008-11-10 17:41 32656 ----a-w- c:\windows\system32\msonpmon.dll
2010-03-03 20:13 . 2010-03-04 05:43 -------- d-----w- c:\program files\Microsoft Works
2010-03-03 20:12 . 2010-03-03 20:12 -------- d-----w- c:\program files\MSBuild
2010-03-03 18:59 . 2010-03-03 18:59 -------- d-----w- c:\documents and settings\Mayra\Local Settings\Application Data\Microsoft Help
2010-03-03 18:58 . 2010-03-05 00:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-03 18:51 . 2010-03-03 18:51 -------- d-----r- C:\MSOCache
2010-03-03 09:10 . 2010-03-11 12:38 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-03-03 09:10 . 2010-03-11 12:38 459264 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-03-03 09:10 . 2010-03-11 12:38 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-03-03 09:10 . 2010-03-10 13:18 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-03 09:10 . 2010-03-11 12:38 6067200 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-03-03 09:10 . 2010-03-11 12:38 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2010-03-03 09:10 . 2009-06-29 08:33 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2010-03-03 09:10 . 2010-03-11 12:38 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2010-03-03 08:44 . 2007-08-14 00:54 33792 -c--a-w- c:\windows\system32\dllcache\custsat.dll
2010-03-03 06:24 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-03-03 06:23 . 2009-12-31 16:14 352640 -c----w- c:\windows\system32\dllcache\srv.sys
2010-03-03 06:17 . 2008-05-08 12:28 202752 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-03-03 06:17 . 2008-04-11 18:50 683520 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2010-03-03 06:12 . 2009-10-15 17:21 82432 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-03-03 06:11 . 2009-03-06 14:44 283648 -c----w- c:\windows\system32\dllcache\pdh.dll
2010-03-03 06:11 . 2005-07-26 04:39 60416 -c----w- c:\windows\system32\dllcache\colbact.dll
2010-03-03 06:11 . 2009-02-06 16:54 35328 -c----w- c:\windows\system32\dllcache\sc.exe
2010-03-03 06:11 . 2009-02-09 10:20 399360 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-03-03 06:10 . 2009-02-06 17:14 110592 -c----w- c:\windows\system32\dllcache\services.exe
2010-03-03 06:10 . 2009-02-09 10:20 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-03-03 06:10 . 2009-02-06 16:39 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2010-03-03 06:10 . 2009-02-09 10:20 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-03-03 06:10 . 2009-02-09 10:20 616960 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-03-03 06:10 . 2009-02-09 10:20 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-03-03 06:10 . 2009-12-08 18:53 2136064 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-03-03 06:10 . 2009-12-08 18:55 2180352 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-03-03 06:10 . 2009-12-08 18:19 2015744 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-03-03 06:10 . 2009-12-08 18:19 2057728 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-03-03 06:08 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-03-03 05:59 . 2010-03-03 05:59 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-03 05:59 . 2010-03-03 05:59 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-03-03 05:59 . 2010-03-03 05:59 -------- d-----w- c:\program files\McAfee Security Scan
2010-03-03 05:58 . 2009-10-23 14:27 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-03 05:50 . 2009-07-10 13:42 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-03-03 05:48 . 2010-03-03 05:48 0 ----a-w- c:\windows\nsreg.dat
2010-03-03 05:47 . 2010-03-03 05:47 -------- d-----w- c:\documents and settings\Mayra\Local Settings\Application Data\Mozilla
2010-03-03 04:43 . 2008-05-01 14:30 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-03-03 04:43 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2010-03-03 04:37 . 2009-08-13 15:16 512000 -c--a-w- c:\windows\system32\dllcache\jscript.dll
2010-03-03 04:36 . 2006-08-21 09:14 23040 -c----w- c:\windows\system32\dllcache\fltmc.exe
2010-03-03 04:36 . 2006-08-21 12:21 16896 -c----w- c:\windows\system32\dllcache\fltlib.dll
2010-03-03 04:36 . 2006-08-21 09:14 128896 -c----w- c:\windows\system32\dllcache\fltmgr.sys
2010-03-03 04:22 . 2009-11-21 16:36 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-03-03 04:01 . 2009-07-31 04:57 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2010-03-03 03:53 . 2008-10-15 16:57 332800 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-03-03 03:44 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-03-03 03:21 . 2010-03-25 21:56 -------- d--h--w- c:\windows\$hf_mig$
2010-03-03 02:04 . 2010-03-03 06:20 -------- d-----w- c:\windows\ServicePackFiles
2010-03-03 01:30 . 2004-08-04 05:56 11776 ------w- c:\windows\system32\spnpinst.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-26 01:08 . 2010-03-05 05:51 282 ----a-w- c:\windows\system.tmp
2010-03-26 00:36 . 2001-09-21 06:47 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-25 23:51 . 2001-09-21 06:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-03-11 12:38 . 2008-06-28 03:06 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2008-06-28 03:07 17408 ------w- c:\windows\system32\corpol.dll
2010-03-04 05:32 . 2010-03-05 05:51 743 ----a-w- c:\windows\win.tmp
2010-03-04 00:56 . 2008-06-28 03:40 78856 ----a-w- c:\documents and settings\Mayra\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-03 02:46 . 2008-07-18 05:25 -------- d-----w- c:\program files\Google
2010-03-03 02:32 . 2001-09-17 18:05 77607 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-12-31 16:14 . 2008-06-28 00:32 352640 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-03 39408]
"PersonSecurity"="c:\program files\PersonSecurity\psecurity.exe" [2010-03-05 1442304]
"Spyware Doctor"="c:\program files\Spyware Doctor\swdoctor.exe" [2007-04-16 2119176]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2001-08-10 118784]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2001-09-07 98304]
"TFncKy"="TFncKy.exe" [BU]
"Pinger"="c:\toshiba\ivp\ISM\pinger.exe" [2001-04-02 143360]
"Tpwrtray"="TPWRTRAY.EXE" [2001-09-07 200704]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2001-07-26 45056]
"WildTangent CDA"="c:\program files\WildTangent\Apps\CDA\GameDrvr.exe" [2005-03-29 28616]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="c:\program files\Spyware Doctor\swdoctor.exe" [2007-04-16 2119176]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winxkk32]
2010-03-05 01:49 38912 ----a-w- c:\windows\system32\winxkk32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2001-09-18 21:52 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\Drivers\ousbehci.sys [2003-12-01 42752]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-03-30 38224]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\DRIVERS\ousb2hub.sys [2003-12-01 55552]
S2 PackethSvc;Virtual NIC Service;c:\windows\System32\PackethSvc.exe [2001-08-10 64512]
S3 tridxp;tridxp;c:\windows\system32\DRIVERS\tridxpm.sys [2001-08-22 219520]


--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Mayra\Application Data\Mozilla\Firefox\Profiles\hk6m6jj2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AdaptecDirectCD - c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
MSConfigStartUp-CTSyncU - c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe
MSConfigStartUp-NAV Agent - c:\progra~1\NORTON~1\navapw32.exe
MSConfigStartUp-NetZero_uoltray - c:\program files\NetZero\exec.exe
AddRemove-LiveUpdate1.6 - c:\program files\Symantec\LiveUpdate\LSETUP.EXE
AddRemove-Quicken 2001 New User Edition - c:\quickenw\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-25 20:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x81A58AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf9898fc3
\Driver\ACPI -> ACPI.sys @ 0xf980bcb8
\Driver\atapi -> atapi.sys @ 0xf97a57b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
NDIS: Intel 8255x-based PCI Ethernet Adapter (10/100) -> SendCompleteHandler -> NDIS.sys @ 0xf96b1ba0
PacketIndicateHandler -> NDIS.sys @ 0xf96beb21
SendHandler -> NDIS.sys @ 0xf969c87b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc23.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-971929597-2942328611-1021817841-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:00000013

[HKEY_USERS\S-1-5-21-971929597-2942328611-1021817841-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:00000003

[HKEY_USERS\S-1-5-21-971929597-2942328611-1021817841-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:00000003

[HKEY_USERS\S-1-5-21-971929597-2942328611-1021817841-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:00000003

[HKEY_USERS\S-1-5-21-971929597-2942328611-1021817841-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:00000020
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\WININET.dll
c:\windows\system32\winxkk32.dll
c:\program files\Spyware Doctor\Tools\klg.dat

- - - - - - - > 'lsass.exe'(808)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\Tools\klg.dat

- - - - - - - > 'explorer.exe'(4508)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\Tools\klg.dat
c:\program files\Microsoft Office\Office12\GrooveShellExtensions.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

- - - - - - - > 'csrss.exe'(700)
c:\program files\Spyware Doctor\Tools\klg.dat
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Spyware Doctor\sdhelp.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
c:\windows\system32\TPWRTRAY.EXE
c:\program files\Apoint2K\Apntex.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2010-03-25 20:29:17 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-26 01:28

Pre-Run: 5,726,793,728 bytes free
Post-Run: 6,232,391,680 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 4E793CA1CA68E4661D170187B5AD8241

Edited by Budapest, 20 April 2010 - 08:07 PM.
Moved from XP ~BP


#2 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,692 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 20 April 2010 - 08:27 PM

You should never run Combofix on your own.
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
QUOTE
Folder::
c:\program files\Common Files\PersonSecurityUninstall
c:\program files\PersonSecurity

File::
c:\windows\system32\winxkk32.dll

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PersonSecurity"=-

Driver::
mchInjDrv




Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!

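As an added example (it is not part of the original thread, nor ComboFix's own code), the following Python script reads the REGEDIT4-style sections of a ComboFix log and flags the kinds of entries the CFScript above removes: a non-standard Winlogon Notify package (winxkk32, which loads a DLL into winlogon.exe), an autorun whose program was created shortly before the scan (PersonSecurity), and a driver service whose ImagePath sits under TEMP (mchInjDrv). It also reports the Security Center DisableMonitoring values the posted log shows, which the script does not touch. The allowlist of stock XP Notify packages and the 30-day recency window are assumptions of the example; the sample log is a constructed excerpt in the format of the posted one.

```python
"""Triage helper for ComboFix-style logs (added example; not ComboFix's own code)."""
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed excerpt in the format of the posted log: a few REGEDIT4-style
# sections from "Reg Loading Points" plus the mchInjDrv service key.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-03 39408]
"PersonSecurity"="c:\program files\PersonSecurity\psecurity.exe" [2010-03-05 1442304]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winxkk32]
2010-03-05 01:49 38912 ----a-w- c:\windows\system32\winxkk32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc23.tmp"
"""

# Winlogon Notify packages that ship with Windows XP (allowlist assumed for
# this example). Any other package loads a DLL into winlogon.exe at logon
# and deserves a close look.
KNOWN_NOTIFY_PACKAGES = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

KEY_RE = re.compile(r"^\[(.+)\]$")                        # [HKEY_...\Some\Key]
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')                 # "Name"=value
DATED_RE = re.compile(r"\[(\d{4}-\d{2}-\d{2}) \d+\]\s*$")  # trailing [date size]
FILE_LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \d+ \S+ (.+)$")


@dataclass(frozen=True)
class Finding:
    category: str
    key: str
    detail: str


def _sections(text):
    """Yield (key, non-empty body lines) for every [key] block in the log."""
    key, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            if key is not None:
                yield key, body
            key, body = m.group(1), []
        elif key is not None and line:
            body.append(line)
    if key is not None:
        yield key, body


def triage(log_text, scan_date_iso, recent_days=30):
    """Return Findings for the registry loading points worth a helper's attention.

    scan_date_iso: the scan date from the log header, e.g. "2010-03-25".
    recent_days:   autoruns whose program was created within this many days
                   before the scan are reported for review (a signal, not a verdict).
    """
    cutoff = date.fromisoformat(scan_date_iso) - timedelta(days=recent_days)
    findings = []
    for key, body in _sections(log_text):
        lkey = key.lower()
        values = [m for m in (VALUE_RE.match(line) for line in body) if m]
        if "\\winlogon\\notify\\" in lkey:
            package = lkey.rsplit("\\", 1)[1]
            if package not in KNOWN_NOTIFY_PACKAGES:
                dll = next((FILE_LINE_RE.match(line).group(2)
                            for line in body if FILE_LINE_RE.match(line)), "?")
                findings.append(Finding("winlogon-notify", key,
                                        f"non-standard Notify package '{package}' -> {dll}"))
        elif "\\security center\\monitoring" in lkey:
            for m in values:
                if m.group(1).lower() == "disablemonitoring" and m.group(2).lower().endswith(":00000001"):
                    findings.append(Finding("security-center", key,
                                            "DisableMonitoring=1: Security Center will not warn about this product"))
        elif "\\services\\" in lkey:
            for m in values:
                if m.group(1).lower() == "imagepath" and "\\temp\\" in m.group(2).lower():
                    findings.append(Finding("temp-driver", key, f"service image under TEMP: {m.group(2)}"))
        elif lkey.endswith("\\currentversion\\run"):
            for m in values:
                d = DATED_RE.search(m.group(2))
                if d and date.fromisoformat(d.group(1)) >= cutoff:
                    findings.append(Finding("recent-autorun", key,
                                            f'"{m.group(1)}" created {d.group(1)}: {m.group(2)}'))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, "2010-03-25"):
        print(f"[{f.category}] {f.key}\n    {f.detail}")
```

The recency rule is deliberately loose: on the sample it lists the Google Toolbar Notifier next to PersonSecurity, because both programs appeared in the same week. That is the point of a triage list; it narrows what a trained helper reads, as the reply's warning against running ComboFix unassisted implies, and the decision of what goes into a CFScript stays with the person reading the log.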

#3 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,692 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 27 April 2010 - 01:06 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.


No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


