
vista 2012 security rogue


20 replies to this topic

#1 dman_starr


Posted 15 December 2011 - 01:40 AM

I've taken a number of steps and it's helped, but I had to remove Microsoft Security Essentials in the process; it reinstalled but is unable to update now (it was disabled altogether by the malware previously).

Attached Files




#2 HelpBot


Posted 21 December 2011 - 11:35 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/432534 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 dman_starr


Posted 21 December 2011 - 09:12 PM

I've run ComboFix and MWB, SUPERAntiSpyware and MSE full scans and they aren't finding anything else. DDS only gives a Notepad with gibberish; no DOS window will pop up even though I disabled CD emulation and disconnected from the internet. GMER crashed my computer. It's not currently running badly, but I don't feel confident everything has been removed and wonder why those programs won't run.

#4 dman_starr


Posted 22 December 2011 - 02:08 AM

I managed to run gmer. It showed no system modifications. DDS still does the same thing.

#5 dman_starr


Posted 22 December 2011 - 02:16 AM

Also, some MSE features are not working and windows firewall will not start from the security center.

#6 Gammo


Posted 22 December 2011 - 08:23 AM

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Files
    ipconfig /flushdns /c
    C:\Users\User\AppData\Local\swlmxj7k0twy4tie6ast2l701v1s
    C:\ProgramData\swlmxj7k0twy4tie6ast2l701v1s
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [emptyflash]
    [createrestorepoint]
    [reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done





Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now


Please post the final results, good or bad. We like to know!
My help is always free, but if I have helped you, please consider making a donation to help me continue the fight against malware! Posted Image


#7 dman_starr


Posted 22 December 2011 - 11:41 AM

ComboFix 11-12-22.02 - User 12/22/2011 10:28:31.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2549.1758 [GMT -6:00]
Running from: c:\users\User\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-11-22 to 2011-12-22 )))))))))))))))))))))))))))))))
.
.
2011-12-22 16:38 . 2011-12-22 16:38 -------- d-----w- c:\users\User\AppData\Local\temp
2011-12-22 16:38 . 2011-12-22 16:38 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-12-22 16:38 . 2011-12-22 16:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-22 16:17 . 2011-12-22 16:17 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{023F6395-AB7B-49CE-85DB-E44D984D0F71}\MpKsl4d7fd0f4.sys
2011-12-22 16:17 . 2011-12-22 16:17 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{023F6395-AB7B-49CE-85DB-E44D984D0F71}\offreg.dll
2011-12-22 16:16 . 2011-12-22 16:16 -------- d-----w- C:\_OTL
2011-12-22 07:15 . 2011-12-22 07:15 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{36BA7ABD-3C4C-4633-BD92-407B5DBC8B75}\gapaengine.dll
2011-12-22 07:15 . 2011-11-21 08:47 6823496 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{023F6395-AB7B-49CE-85DB-E44D984D0F71}\mpengine.dll
2011-12-22 07:10 . 2011-12-22 07:11 -------- d-----w- c:\program files\Microsoft Security Client
2011-12-22 00:16 . 2011-12-22 00:16 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
2011-12-22 00:15 . 2011-12-22 00:15 -------- d-----w- c:\programdata\Apple Computer
2011-12-21 23:28 . 2011-12-21 23:28 -------- d-----w- c:\users\User\AppData\Local\Secunia PSI
2011-12-21 23:28 . 2011-12-21 23:28 -------- d-----w- c:\program files\Secunia
2011-12-15 05:04 . 2011-12-15 05:04 -------- d-----w- c:\program files\Common Files\Java
2011-12-15 04:17 . 2008-01-19 05:49 83456 ----a-w- c:\windows\system32\drivers\serial.sys
2011-12-14 23:17 . 2011-10-27 08:01 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-14 23:17 . 2011-10-27 08:01 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-14 23:17 . 2011-10-14 16:02 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-12-14 23:17 . 2011-11-23 13:37 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-12-14 23:17 . 2011-11-08 12:10 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-12-14 23:17 . 2011-10-25 15:56 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-14 23:16 . 2011-11-08 14:42 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-05 20:26 . 2011-12-05 20:26 -------- d-----w- c:\users\User\AppData\Roaming\Blackberry Desktop
2011-12-04 05:28 . 2011-12-04 05:28 36734 ----a-w- c:\windows\system32\OggDSuninst.exe
2011-12-04 05:23 . 2007-06-07 19:11 380928 ----a-w- c:\windows\system32\ac3filter.acm
2011-12-04 05:23 . 2011-12-04 05:23 -------- d-----w- c:\program files\AC3Filter
2011-11-28 05:45 . 2011-11-28 05:45 -------- d-----w- c:\program files\Xvid
2011-11-26 05:02 . 2011-11-26 05:02 -------- d-----w- c:\programdata\FLEXnet
2011-11-26 04:16 . 2011-11-26 04:16 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2011-11-26 04:09 . 2009-03-09 21:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2011-11-26 04:09 . 2009-03-09 21:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2011-11-26 04:09 . 2009-03-09 21:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2011-11-26 03:39 . 2011-11-26 03:39 -------- d-----w- C:\Autodesk
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 05:21 . 2011-09-14 19:02 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-15 20:29 . 2010-11-02 06:46 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-10 11:54 . 2011-03-16 06:14 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-24 20:29 . 2011-10-24 20:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 20:29 . 2011-10-24 20:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-12-17 05:09 . 2011-12-22 00:22 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xvid"="c:\program files\Xvid\CheckUpdate.exe" [2011-01-17 8192]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-06-24 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"F.lux"="c:\users\User\Local Settings\Apps\F.lux\flux.exe" [2009-08-29 966656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0ssiefr.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
2006-11-07 22:08 547840 ----a-w- c:\windows\zHotkey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2006-12-12 18:03 106496 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2006-12-12 18:02 98304 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2011-08-31 22:00 1047208 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModPS2]
2006-11-07 22:34 53248 ----a-w- c:\windows\ModPS2Key.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2006-12-12 18:02 81920 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 20:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RIMBBLaunchAgent.exe]
2011-02-18 16:47 79192 ----a-w- c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
2005-01-27 17:13 36864 ----a-w- c:\windows\ShowWnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-10-13 15:27 17351304 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-06-24 23:07 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-623880965-176170381-1416448719-1000]
"EnableNotificationsRef"=dword:00000001
"EnableNotificationsCache"=dword:00000002
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-623880965-176170381-1416448719-500]
"EnableNotificationsRef"=dword:00000001
"EnableNotificationsCache"=dword:00000002
.
R1 MpKsl220fd496;MpKsl220fd496;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9C2A0397-8A5E-4D79-A1A6-3EF5F72D48CA}\MpKsl220fd496.sys [x]
R1 MpKsl9b81ecc6;MpKsl9b81ecc6;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3F7D85B6-365C-44E6-AE11-FAAB8293976E}\MpKsl9b81ecc6.sys [x]
R1 MpKslb01e421a;MpKslb01e421a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F8F790D2-9715-45BB-A06E-067AB1E8C8D1}\MpKslb01e421a.sys [x]
R1 MpKslb88a4a53;MpKslb88a4a53;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9C50B6D6-F95A-49D7-8F1A-FF5904F59BE9}\MpKslb88a4a53.sys [x]
R1 MpKslf82961d7;MpKslf82961d7;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B0DDB135-A7D0-4C40-A286-2C701F26CA6E}\MpKslf82961d7.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 135664]
R4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 135664]
S1 MpKsl4d7fd0f4;MpKsl4d7fd0f4;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{023F6395-AB7B-49CE-85DB-E44D984D0F71}\MpKsl4d7fd0f4.sys [2011-12-22 29904]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe [2011-10-14 994360]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [2011-10-14 399416]
S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-09-01 15544]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL4D7FD0F4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 08:41]
.
2011-12-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 08:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\ljqokdp7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-22 10:38
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-12-22 10:40:47
ComboFix-quarantined-files.txt 2011-12-22 16:40
ComboFix2.txt 2011-12-15 05:51
.
Pre-Run: 155,692,777,472 bytes free
Post-Run: 155,675,844,608 bytes free
.
- - End Of File - - ADF0A07A2F1A0BCE14477C0FB6299EA7

#8 Gammo


Posted 22 December 2011 - 12:49 PM

Hi,

Your ComboFix log appears to be clean. Please run the following two automatic scans. That should hopefully confirm that your computer is clean (don't be scared if they find something though, they're probably just remnants or already quarantined files). :thumbup2:

Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, click the "Update" tab and click the "Check For updates" button.
  • Once the updates were downloaded, click the "Scanner" tab, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here, then click on the button.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use, then click on the button.
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on the button.
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on the button.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!



#9 dman_starr


Posted 22 December 2011 - 01:03 PM

MWB found nothing. ESET will not run. I downloaded the thing and clicked on it, and when I hit Start, nothing happens. In IE, when I try it goes to a blank screen with a red X like a picture that won't show. Also, the DDS thing wouldn't ever do anything but print a Notepad of gibberish, and last I checked my firewall in Windows will not enable. Did I screw my computer up or something?

#10 Gammo


Posted 22 December 2011 - 01:44 PM

At least your PC is now malware free. :)

Regarding the Windows Firewall problem:

Press the Windows key + R.
In the little window that opens, please type: cmd
Click "OK".
In the black window that opens, please type: netsh advfirewall reset
Press Enter.
Your Windows Firewall settings will now be reset.
After "OK." appears in the black window, you can close it.
Restart your computer.

Is the Windows Firewall problem fixed now?



#11 dman_starr


Posted 22 December 2011 - 02:13 PM

No. It said "An error occurred contacting the firewall. Make sure the Windows Firewall service is running and try your request again."

#12 Gammo


Posted 22 December 2011 - 02:40 PM

I did some research and I can now confirm that the infection you had (Vista Security 2012) corrupted the firewall. The following instructions should fix it.



1. Download both registry files:
   http://www.mediafire.com/?317ea53a883288d
   http://www.mediafire.com/?z6aw8j7997qa7j9
2. Launch them and import them into the registry.
3. Restart your PC.
4. Open Run, type regedit and click OK.
5. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE
6. Right-click on it and choose Permissions.
7. Click Add, type Everyone and click OK.
8. Now click on Everyone. Below you have the permissions for users; select Full Control and click OK.
9. Open Run, type services.msc and click OK.
10. Start the Base Filtering Engine service and then the Windows Firewall service.

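As an added example, not from the thread or from Gammo, the checks a practitioner would run around the repair above: the service chain that the netsh reset in #10 depends on, and the BFE key and service-start steps in #12. It assumes Windows PowerShell on the affected machine, run as administrator; the service names BFE (Base Filtering Engine) and MpsSvc (Windows Firewall) are the standard Windows names, and the key path is the one given in the post. It reads the ACL on the BFE key rather than changing it, because Full Control for Everyone is broader than the service needs and is worth reviewing once the firewall runs again.

```powershell
# Added diagnostic example, not part of the thread: inspect and restart the
# Windows Firewall service chain on Vista/7. Run from an elevated PowerShell.
# Service names are the documented Windows ones; the key path is from the post.

$BfeKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\BFE'

function Show-FirewallServiceState {
    # Win32_Service exposes State and StartMode on every Windows version since XP.
    # A StartMode of "Disabled" or a missing service is what the "error occurred
    # contacting the firewall" dialog usually comes down to.
    foreach ($name in 'BFE', 'MpsSvc') {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($null -eq $svc) {
            "{0,-7} service not found" -f $name
        } else {
            "{0,-7} State={1,-8} StartMode={2}" -f $name, $svc.State, $svc.StartMode
        }
    }
}

function Show-BfeKeyAcl {
    # List who holds which rights on the BFE service key. Normally only SYSTEM,
    # Administrators and a few service SIDs have more than read access here, so
    # a Full Control grant to Everyone stands out and can be reviewed later.
    $acl = Get-Acl -Path $BfeKey
    foreach ($ace in $acl.Access) {
        "{0,-45} {1,-6} {2}" -f $ace.IdentityReference, $ace.AccessControlType, $ace.RegistryRights
    }
}

function Start-FirewallServices {
    # MpsSvc depends on BFE, so start them in that order and stop at the first failure.
    foreach ($name in 'BFE', 'MpsSvc') {
        try {
            Start-Service -Name $name -ErrorAction Stop
            "$name started"
        } catch {
            "$name failed to start: $($_.Exception.Message)"
            break
        }
    }
}

function Reset-FirewallPolicy {
    # The same command the thread gives for resetting the policy to defaults. It only
    # succeeds when MpsSvc is running, so call it after Start-FirewallServices.
    netsh advfirewall reset
    netsh advfirewall show allprofiles state
}

Show-FirewallServiceState
Show-BfeKeyAcl
Start-FirewallServices
```

Reset-FirewallPolicy is defined but not called at the end, so the script first reports state and attempts the start; run the reset separately once both services show as running.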


#13 dman_starr


Posted 22 December 2011 - 02:51 PM

How do I import them to the registry? They are just on notepad. I don't know how to do that.

#14 Gammo


Posted 22 December 2011 - 03:14 PM

The file names of the two files, e.g. bfe.reg.txt, need to be changed to bfe.reg.

So you have to remove the '.txt' part.

After doing that, just double-click the .reg files, click yes/OK, and they should be imported into the registry. :thumbup2:



#15 dman_starr


Posted 22 December 2011 - 05:22 PM

I've had this problem before on other Vista computers. You can't just rename a file to change the file extension type. I have no idea how to change it to make it a .reg file. :(
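The rename step from #14, done from PowerShell, as an added example that is not from the thread or from either participant. Explorer hides the extensions of known file types by default, so a file that displays as "bfe.reg" can still be "bfe.reg.txt" on disk; a shell always shows and renames the full name. The script also prints the registry keys each file touches before anything is imported, which is the check a practitioner would want before running a .reg file from a download site. The file name bfe.reg.txt comes from the thread; the Downloads folder is an assumption.

```powershell
# Added example, not part of the thread: rename downloaded "*.reg.txt" files to ".reg"
# from PowerShell and list the keys each file modifies before importing it.
# The Downloads folder is assumed; bfe.reg.txt is the name mentioned in the thread.

$Folder = Join-Path $env:USERPROFILE 'Downloads'   # assumed download location

function Rename-RegTextFile {
    param([string]$Path)
    # Strip only a trailing ".txt"; anything else is refused so a random text file
    # is never turned into a .reg file by accident.
    if ($Path -notlike '*.reg.txt') { throw "Expected a .reg.txt file, got: $Path" }
    $newName = (Split-Path -Leaf $Path) -replace '\.txt$', ''
    Rename-Item -LiteralPath $Path -NewName $newName
    return (Join-Path (Split-Path -Parent $Path) $newName)
}

function Get-RegFileKeys {
    param([string]$Path)
    # A valid .reg file begins with a known header line; the keys it modifies appear
    # in square brackets, and a leading "-" inside the brackets means "delete this key".
    $lines = @(Get-Content -LiteralPath $Path)
    if ($lines.Count -eq 0 -or
        $lines[0] -notmatch '^(Windows Registry Editor Version 5\.00|REGEDIT4)\s*$') {
        throw "Not a registry file (bad header): $Path"
    }
    $lines | Where-Object { $_ -match '^\[-?HKEY_' }
}

foreach ($file in Get-ChildItem -LiteralPath $Folder -Filter '*.reg.txt') {
    $reg = Rename-RegTextFile -Path $file.FullName
    "Keys in $($reg):"
    Get-RegFileKeys -Path $reg
    # Import only after reviewing the key list above (needs an elevated prompt):
    # reg.exe import "$reg"
}
```

The import line is left commented out on purpose: the script renames and shows what each file would change, and the import is run by hand once the listed keys match what the fix is supposed to touch (here, the BFE and Windows Firewall service keys).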



