
MSE/Antivirus won't load


  • This topic is locked
2 replies to this topic

#1 mrskitch

  • Members
  • 1 posts

Posted 04 March 2011 - 11:33 AM

Hey all, new member here! Just want to say thanks for the help and the great tool ComboFix is. Anyways, my first run through with this virus I had originally booted into safe mode and ran Malwarebytes, and it found a handful of things that got deleted. Went back into the regular admin account and was able to get Microsoft Security Essentials up and going just fine; scans found nothing. Fast forward a couple of days and now MSE won't load and gives me an "Access Denied" pop-up. So, I decided to run Safe Mode again and run ComboFix plus anything else I could to make sure it's wiped out. It's a friend of mine's computer, otherwise I would have just backed up documents and re-installed XP. It's at SP2, but I'm planning on upgrading that as well. Anyways, here is the log (ran in safe mode):

ComboFix 11-03-03.02 - Administrator 03/03/2011 21:53:39.1.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.313 [GMT -8:00]
Running from: c:\combofix\ComboFix.exe
Command switches used :: ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Russ\My Documents\DPE.DUS
c:\program files\INSTALL.LOG
C:\setup.exe
C:\VDMA7.tmp
c:\windows\system32\setup.ini

.
((((((((((((((((((((((((( Files Created from 2011-02-04 to 2011-03-04 )))))))))))))))))))))))))))))))
.

2011-03-04 05:45 . 2008-04-14 01:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-03-04 05:43 . 2008-04-13 19:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-03-04 00:22 . 2011-02-11 06:54 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A36F8359-FD19-4457-9007-8D8CDEDCD3DD}\mpengine.dll
2011-02-12 11:05 . 2007-04-09 21:23 28552 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2011-02-12 11:05 . 2007-04-09 21:23 28040 ----a-w- c:\windows\system32\mdimon.dll
2011-02-11 07:04 . 2009-08-07 03:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-02-11 07:04 . 2009-08-07 03:23 215920 ----a-w- c:\windows\system32\muweb.dll
2011-02-10 22:39 . 2011-02-11 06:54 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-02-10 22:32 . 2011-02-03 01:11 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-10 22:27 . 2011-02-10 22:28 -------- d-----w- c:\program files\Microsoft Security Client
2011-02-10 21:16 . 2011-02-10 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-02-10 20:55 . 2010-12-21 02:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-10 20:55 . 2010-12-21 02:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-10 20:55 . 2011-02-10 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-10 20:08 . 2011-02-25 01:26 -------- d-----w- c:\documents and settings\Administrator.BIG_GUN

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2002-08-29 11:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2002-08-29 11:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2002-08-29 11:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2002-08-29 11:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-08-24 03:32 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2002-08-29 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2002-08-29 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2002-08-29 11:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2002-08-29 11:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2002-08-29 11:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38 . 1980-01-01 06:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 1980-01-01 06:00 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-10-02 684032]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"DVDTray"="c:\program files\HP DVD\Umbrella\DVDTray.exe" [2003-07-23 69632]
"DVDBitSet"="c:\program files\HP DVD\Umbrella\DVDBitSet.exe" [2003-07-18 204800]
"nwiz"="nwiz.exe" [2003-10-06 741376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2003-10-06 49152]
"WildTangent CDA"="c:\program files\WildTangent\Apps\CDA\GameDrvr.exe" [2005-03-29 28616]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-11-13 1122304]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-08-12 114688]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Address Book.lnk - c:\program files\Kyocera Mita\Address Book\AddrBook.exe [2007-6-21 73728]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-1-23 113664]
DB Assistant.lnk - c:\program files\Kyocera Mita\DB Assistant\NsParCom.exe [2007-6-21 196608]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-1-8 45056]
Event Reminder.lnk - c:\program files\Broderbund\PrintMaster\PMREMIND.EXE [2003-12-12 327680]
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-4-9 323646]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Scanner File Utility.lnk - c:\program files\Kyocera Mita\FileUtility\NsCatCom.exe [2007-6-21 315392]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 06:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-22 05:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-10-18 19:58 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 08:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"Alerter"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Diablo II\\Game.exe"=
"c:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kyocera Mita\\Address Book\\AddrBook.exe"=
"c:\\Program Files\\Kyocera Mita\\DB Assistant\\NsParCom.exe"=
"c:\\Program Files\\moveminute\\05091201\\MoveMedia.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S1 MpKsl74e06b9b;MpKsl74e06b9b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E671CB5F-B001-4D6A-B7CD-D0AD58EC501B}\MpKsl74e06b9b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E671CB5F-B001-4D6A-B7CD-D0AD58EC501B}\MpKsl74e06b9b.sys [?]
S1 MpKsl8a091a5d;MpKsl8a091a5d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AD1C2943-60D1-447C-9509-FD33BE871EB9}\MpKsl8a091a5d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AD1C2943-60D1-447C-9509-FD33BE871EB9}\MpKsl8a091a5d.sys [?]
S1 MpKsla5c56737;MpKsla5c56737;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{38DAD8A8-B0C6-49B1-B74A-08B2388FA552}\MpKsla5c56737.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{38DAD8A8-B0C6-49B1-B74A-08B2388FA552}\MpKsla5c56737.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\ADMINI~1.BIG\LOCALS~1\Temp\HBCD\SuperAntiSpyware\SASDIFSV.SYS --> c:\docume~1\ADMINI~1.BIG\LOCALS~1\Temp\HBCD\SuperAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\ADMINI~1.BIG\LOCALS~1\Temp\HBCD\SuperAntiSpyware\SASKUTIL.SYS --> c:\docume~1\ADMINI~1.BIG\LOCALS~1\Temp\HBCD\SuperAntiSpyware\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/6/2010 9:03 AM 135664]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 5:18 PM 24652]
S3 ICDUSB3;ICDUSB3;c:\windows\SYSTEM32\DRIVERS\ICDUSB3.sys [9/4/2009 1:13 PM 11264]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HIDSERV
.
Contents of the 'Scheduled Tasks' folder

2011-02-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2005-10-29 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 2200 series272A572217594EBCF1CEE215E352B92AD073FDE4121532377.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-10 00:56]

2011-03-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-25 11:56]

2011-03-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 17:03]

2011-03-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 17:03]

2011-03-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 20:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dellnet.com/
uInternet Settings,ProxyOverride = hxxp://localhost;
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {9294206B-A9B2-4F73-938E-89F694F48101} - hxxp://xlonhcld.xlontech.net/100348/moveminute4/ldsdlprod.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
FF - ProfilePath - c:\documents and settings\Administrator.BIG_GUN\Application Data\Mozilla\Firefox\Profiles\x8y4yyxf.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
AddRemove-RiseofNationsExpansion 1.0 - c:\program files\Microsoft Games\Rise of Nations\UNINSTLX.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-03 22:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1893759534-1637339533-2259455979-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,48,30,8b,51,e4,a0,0e,4d,b5,b1,f7,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,48,30,8b,51,e4,a0,0e,4d,b5,b1,f7,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-03-03 22:09:23
ComboFix-quarantined-files.txt 2011-03-04 06:09

Pre-Run: 23,967,830,016 bytes free
Post-Run: 26,267,836,416 bytes free

- - End Of File - - BC301FB1B7D86523207CFB719140E66A


Thanks again for all the help!

Edited by Orange Blossom, 04 March 2011 - 12:55 PM.
Moved to log forum. ~ OB



#2 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 11 March 2011 - 07:43 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

Posted 17 March 2011 - 05:43 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.
m0le is a proud member of UNITE
