
Malwarebytes Starts but closes immediately


2 replies to this topic

#1
Shutterbug851

    New Member

  • 3 posts
I came across an earlier post with the same problem I am experiencing now. I have malware that I can trick into letting me run Malwarebytes, but 2 seconds into a full scan the program is immediately shut down. Per the instructions in that post I downloaded ComboFix and ran it. Here is the log that it posted:

ComboFix 09-10-19.01 - owner 10/19/2009 21:44.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.494.230 [GMT -4:00]

Running from: F:\ComboFix.exe

AV: avast! antivirus 4.8.1351 [VPS 091018-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.



c:\documents and settings\owner\My Documents\ZbThumbnail.info

c:\windows\COUPON~1.OCX

c:\windows\CouponPrinter.ocx

c:\windows\ModemLog_PANTECH USB Modem .txt

D:\install.exe



Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll



.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.



-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}





((((((((((((((((((((((((( Files Created from 2009-09-20 to 2009-10-20 )))))))))))))))))))))))))))))))

.



2009-10-20 01:06 . 2009-10-20 01:06 -------- d-----w- c:\documents and settings\owner\Application Data\Malwarebytes

2009-10-19 23:59 . 2009-10-20 01:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-17 14:10 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-17 14:10 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy(2).sys

2009-10-17 14:10 . 2009-10-17 14:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-10-17 14:10 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-17 14:10 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam(2).sys

2009-10-17 13:52 . 2009-10-20 01:01 0 ----a-r- c:\windows\win32k.sys

2009-10-17 13:40 . 2009-10-20 00:05 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft

2009-10-17 13:40 . 2009-10-20 00:05 -------- d-s---w- c:\documents and settings\Administrator



.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-20 00:59 . 2009-03-16 16:06 -------- d-----w- c:\program files\Juno

2009-10-19 16:41 . 2009-03-16 16:53 -------- d-----w- c:\documents and settings\owner\Application Data\U3

2009-10-14 14:09 . 2009-03-18 15:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-10-13 14:26 . 2009-03-18 17:15 -------- d-----w- c:\documents and settings\owner\Application Data\HP

2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-10 13:58 . 2009-03-15 17:35 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-29 07:36 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2009-08-29 07:36 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-08-29 07:36 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll

2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL

2009-08-17 16:10 . 2009-03-14 14:33 1279456 ----a-w- c:\windows\system32\aswBoot.exe

2009-08-17 16:06 . 2009-03-14 14:33 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys

2009-08-17 16:06 . 2009-03-14 14:33 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2009-08-17 16:05 . 2009-03-14 14:33 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys

2009-08-17 16:05 . 2009-03-14 14:33 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2009-08-17 16:04 . 2009-03-14 14:33 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2009-08-17 16:04 . 2009-03-14 14:33 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2009-08-17 16:03 . 2009-03-14 14:33 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2009-08-17 16:02 . 2009-03-14 14:33 97480 ----a-w- c:\windows\system32\AvastSS.scr

2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-05 00:44 . 2004-08-04 12:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-08-04 14:20 . 2004-08-03 22:59 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe

.



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-11 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-11 118784]

"PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2004-02-05 86016]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-15 148888]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]

"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2009-03-15 684032]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]



c:\documents and settings\owner\Start Menu\Programs\Startup\

HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]

VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2009-8-15 1790056]



c:\documents and settings\All Users\Start Menu\Programs\Startup\

Event Reminder.lnk - d:\program files\PrintMaster Gold 17\Remind.exe [2006-2-22 344064]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-6-26 692224]



[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

2004-03-03 21:48 110592 ----a-w- c:\windows\system32\LgNotify.dll



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""



[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Juno\\bin\\juno.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=



R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [3/14/2009 10:33 AM 114768]

R1 SMBHC;Microsoft SM Bus Host Controller Driver;c:\windows\system32\drivers\smbhc.sys [3/13/2009 8:06 PM 6784]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/14/2009 10:33 AM 20560]

R3 SMBBATT;Microsoft Smart Battery Driver;c:\windows\system32\drivers\smbbatt.sys [3/13/2009 8:06 PM 16000]

S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\PTDMBus.sys [3/16/2009 9:56 AM 29952]

S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\PTDMMdm.sys [3/16/2009 9:56 AM 41856]

S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\PTDMVsp.sys [3/16/2009 9:56 AM 39936]

S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\PTDMWWAN.sys [3/16/2009 9:56 AM 59520]

S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [6/29/2009 2:00 PM 33024]

S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [6/29/2009 2:00 PM 41344]

S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [6/29/2009 2:00 PM 39936]

S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [6/29/2009 2:00 PM 59904]

.

Contents of the 'Scheduled Tasks' folder



2009-09-21 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]



2009-10-15 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-01 02:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.juno.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

.



**************************************************************************



catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-19 21:51

Windows 5.1.2600 Service Pack 3 NTFS



scanning hidden processes ...



scanning hidden autostart entries ...



scanning hidden files ...



scan completed successfully

hidden files: 0



**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------



- - - - - - - > 'winlogon.exe'(896)

c:\windows\system32\LgNotify.dll



- - - - - - - > 'explorer.exe'(2268)

c:\windows\system32\WININET.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\S24EvMon.exe

c:\windows\system32\ZCfgSvc.exe

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\RegSrvc.exe

c:\combofix\CF22168.exe

c:\windows\system32\searchindexer.exe

c:\windows\system32\1XConfig.exe

c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\HP\Digital Imaging\bin\hpqste08.exe

c:\windows\system32\searchprotocolhost.exe

c:\windows\system32\searchfilterhost.exe

.

**************************************************************************

.

Completion time: 2009-10-20 21:57 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-20 01:57



Pre-Run: 6,098,182,144 bytes free

Post-Run: 7,873,511,424 bytes free



WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect



- - End Of File - - 613C0B21C74A90B775457126C399635D


Any assistance you can give would be greatly appreciated.

#2
Shutterbug851

    New Member

  • 3 posts
Bump

#3
Shutterbug851

    New Member

  • 3 posts
Any ideas?
