
Can't get rid of rogue XP security 2011! (combofix)



Please keep me from throwing my desktop out the window! I cannot remove a rogue XP Total Security 2011 infiltration. I have been unable to visit websites (it keeps redirecting or completely shutting down the connection; I am only able to communicate via laptop and my neighbor's wifi!).

I have done numerous scans in safe mode (both MBAM and Spyware Doctor), but Malwarebytes is only finding a single registry error (which, after being quarantined, does not eliminate the fake security pop-ups, etc.). In addition to the security pop-ups, I am also getting a lot of ohv.exe errors. I have tried deleting them in Task Manager, but they keep coming back. I am clearly out of my depth and hope you can help me get rid of this (and advise on avoiding future infection).

Thanks in advance for your time.

In a moment of extreme desperation I ran ComboFix and am including the log below; I do not want to proceed without expert eyes:

ComboFix 11-04-03.03 - Administrator 04/05/2011 12:42:20.1.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1770 [GMT -4:00]

Running from: I:\joint.exe

AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Patty\Local Settings\Application Data\{FA827B25-7D26-417B-922F-45D92BB07E18}

c:\documents and settings\Patty\Local Settings\Application Data\{FA827B25-7D26-417B-922F-45D92BB07E18}\chrome.manifest

c:\documents and settings\Patty\Local Settings\Application Data\{FA827B25-7D26-417B-922F-45D92BB07E18}\chrome\content\_cfg.js

c:\documents and settings\Patty\Local Settings\Application Data\{FA827B25-7D26-417B-922F-45D92BB07E18}\chrome\content\overlay.xul

c:\documents and settings\Patty\Local Settings\Application Data\{FA827B25-7D26-417B-922F-45D92BB07E18}\install.rdf

c:\documents and settings\Patty\Local Settings\Application Data\ohv.exe

c:\documents and settings\Paul\Local Settings\Application Data\{AC8E8D3E-E6BD-4CBD-B63B-30C5FAF27551}

c:\documents and settings\Paul\Local Settings\Application Data\{AC8E8D3E-E6BD-4CBD-B63B-30C5FAF27551}\chrome.manifest

c:\documents and settings\Paul\Local Settings\Application Data\{AC8E8D3E-E6BD-4CBD-B63B-30C5FAF27551}\chrome\content\_cfg.js

c:\documents and settings\Paul\Local Settings\Application Data\{AC8E8D3E-E6BD-4CBD-B63B-30C5FAF27551}\chrome\content\overlay.xul

c:\documents and settings\Paul\Local Settings\Application Data\{AC8E8D3E-E6BD-4CBD-B63B-30C5FAF27551}\install.rdf

c:\program files\Internet Explorer\SET8BA.tmp

c:\program files\Internet Explorer\SET8BB.tmp

c:\program files\Internet Explorer\SET8BD.tmp

C:\Thumbs.db

c:\windows\AutoRun.ini

c:\windows\ewacirisoh.dll

c:\windows\settings.reg

c:\windows\system32\Data

F:\autorun.inf

G:\autorun.inf

.

.

((((((((((((((((((((((((( Files Created from 2011-03-05 to 2011-04-05 )))))))))))))))))))))))))))))))

.

.

2011-04-05 16:25 . 2011-04-05 16:25 -------- d-----w- c:\windows\LastGood

2011-04-03 03:34 . 2011-04-03 03:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2011-04-03 02:58 . 2011-04-03 02:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\BVRP Software

2011-04-03 02:58 . 2011-04-03 02:58 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\BVRP Software

2011-04-03 02:37 . 2011-04-03 02:37 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2011-04-03 02:06 . 2011-04-03 02:06 -------- d-sh--w- c:\documents and settings\Paul\IECompatCache

2011-04-02 22:44 . 2011-04-02 22:44 -------- d-sh--w- c:\documents and settings\Paul\PrivacIE

2011-04-02 19:38 . 2011-04-02 19:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2011-03-22 01:33 . 2011-03-22 01:33 -------- d-----w- c:\documents and settings\Patty\Application Data\Malwarebytes

2011-03-21 17:47 . 2011-03-21 17:47 -------- d-----w- c:\documents and settings\Paul\Application Data\PCTools

2011-03-21 17:45 . 2011-03-21 17:45 -------- d-sh--w- c:\documents and settings\Paul\IETldCache

2011-03-21 16:15 . 2011-03-21 16:15 -------- d-----w- c:\documents and settings\Paul\Application Data\Malwarebytes

2011-03-21 16:15 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-21 16:15 . 2011-03-21 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-03-21 16:15 . 2011-03-21 18:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-03-21 16:15 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-21 04:25 . 2011-03-21 04:25 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2011-03-13 16:14 . 2011-03-13 16:14 2748 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2011-03-09 01:04 . 2011-03-09 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\fCnAiLh06300

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-22 01:27 . 2011-03-22 01:27 745 ----a-w- C:\xp_exe_fix.zip

2011-02-09 13:53 . 2004-08-11 22:00 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2004-08-11 22:00 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 07:58 . 2004-08-11 22:11 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2004-08-11 22:11 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44 . 2004-08-11 22:00 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09 . 2004-08-11 22:00 290048 ----a-w- c:\windows\system32\atmfd.dll

.

.

------- Sigcheck -------

.

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys

[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys

[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys

[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0010\DriverFiles\i386\atapi.sys

.

[-] 2004-09-15 17:27 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll

[-] 2004-09-15 17:27 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\system32\MsPMSNSv.dll

[-] 2004-09-15 17:27 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\system32\dllcache\MsPMSNSv.dll

[-] 2004-08-04 10:00 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]

"Spyware Doctor"="c:\documents and settings\Administrator\Desktop\sdsetup_aff.exe" [2011-04-03 512992]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-08 136600]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-15 344064]

"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-14 180269]

"MXOBG"="c:\windows\MXOALDR.EXE" [2006-08-13 94208]

"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 81920]

"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2005-11-09 634880]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-08-16 271672]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"PCTools FGuard"="c:\program files\PC Tools Security\BDT\FGuard.exe" [2010-12-03 108496]

"P17Helper"="P17.dll" [2005-05-04 64512]

"IPInSightMonitor 01"="c:\program files\EarthLink TotalAccess\FastLane2\IPMon32.exe" [2005-08-11 122880]

"IPInSightLAN 01"="c:\program files\EarthLink TotalAccess\FastLane2\IPClient.exe" [2005-08-11 380928]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2011-01-02 21:36 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ \0

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdAuxService]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdCoreService"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

.

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [12/9/2010 5:04 PM 239168]

R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [12/9/2010 5:05 PM 338880]

R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [12/9/2010 5:05 PM 656320]

S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [12/9/2010 5:05 PM 247760]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/30/2010 10:11 PM 135664]

S2 PC FineTune Task Manager;PC FineTune Task Manager;c:\progra~1\EARTHL~3\PCFINE~1\MXTask.exe -Service --> c:\progra~1\EARTHL~3\PCFINE~1\MXTask.exe -Service [?]

S2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [7/16/2004 7:12 PM 14416]

S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]

S3 eyeonedp;eye-one display;c:\windows\system32\drivers\EyeOneDp.sys [2/17/2003 5:24 PM 44344]

S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [9/24/2007 11:46 PM 10880]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [12/9/2010 5:04 PM 366840]

.

Contents of the 'Scheduled Tasks' folder

.

2011-03-29 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 16:34]

.

2011-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-31 02:11]

.

2011-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-31 02:11]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.earthlink.net

uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Refresh Pa&ge with Full Quality - c:\program files\EarthLink TotalAccess\Accelerator\\pac-page.html

IE: Refresh Pi&cture with Full Quality - c:\program files\EarthLink TotalAccess\Accelerator\\pac-image.html

TCP: {DE695698-F7EC-4DC9-BF9A-F8C61B27492D} = 207.69.188.186,207.69.188.187

DPF: {2EB0B740-B616-D8EB-515B-A9E063E32F70} - hxxp://performanceoptimizer.com/files/PerformanceOptimizerPre_Installer.cab

DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab

DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

Toolbar-Locked - (no file)

HKLM-Run-Okusufu - c:\windows\ewacirisoh.dll

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-05 12:48

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-2167187101-520617633-2230737895-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a6,a7,c1,a9,8a,4b,74,40,88,eb,65,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a6,a7,c1,a9,8a,4b,74,40,88,eb,65,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(704)

c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll

.

Completion time: 2011-04-05 12:50:11

ComboFix-quarantined-files.txt 2011-04-05 16:50

.

Pre-Run: 18,453,364,736 bytes free

Post-Run: 18,418,237,440 bytes free

.

- - End Of File - - 4453A2EDA8D9AEFC00ED7E87CABE5B54
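As an added example (not code from this thread, from ComboFix or from Malwarebytes): a small Python triage pass over the parts of a ComboFix log that matter most when reviewing a rogue-AV case like this one, namely the Run keys, the firewall policy block and the orphaned autoruns ComboFix removed. The excerpt it parses is constructed from lines in the log above; the "ohv" Run value is hypothetical and was added so the profile-folder heuristic has something to fire on.

```python
import re

# Constructed excerpt in ComboFix's log format: lines are copied from the log posted
# above except the "ohv" Run value, which is hypothetical (ComboFix deleted that file).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-08 136600]
"ohv"="c:\documents and settings\Patty\Local Settings\Application Data\ohv.exe" [2011-03-09 0]
"P17Helper"="P17.dll" [2005-05-04 64512]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Okusufu - c:\windows\ewacirisoh.dll
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                  # [HKEY_...] block header
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"')         # "Name"="image path" [date size]
FW_RE = re.compile(r'^"EnableFirewall"\s*=\s*(\d+)')
ORPHAN_RE = re.compile(r"^HKLM-Run-(\S+) - (.+)$")   # autorun ComboFix already removed

# Per-user data folders: installers rarely autostart binaries from here, rogue AVs do.
PROFILE_DIRS = (r"local settings\application data", r"local settings\temp")


def triage(log_text):
    """Return (severity, detail) findings from the autostart and firewall sections."""
    findings = []
    current_key = ""
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line == ".":              # "." ends a block in ComboFix output
            current_key = ""
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = ORPHAN_RE.match(line)
        if m:
            findings.append(("info", f"orphaned Run value '{m.group(1)}' pointed at {m.group(2)}"))
        elif "firewallpolicy" in current_key:
            m = FW_RE.match(line)
            if m and m.group(1) == "0":
                findings.append(("high", f"Windows Firewall disabled under {current_key}"))
        elif current_key.endswith(r"\currentversion\run"):
            m = RUN_RE.match(line)
            if m and any(d in m.group(2).lower() for d in PROFILE_DIRS):
                findings.append(("high", f"Run value '{m.group(1)}' launches {m.group(2)} from a user profile folder"))
            elif m and "\\" not in m.group(2):
                findings.append(("low", f"Run value '{m.group(1)}' is a bare filename ({m.group(2)}); verify which copy loads"))
    return findings
```

Running `triage(SAMPLE_LOG)` flags the profile-folder autorun and the disabled firewall as high, the bare-filename entry as low, and records the removed orphan for the reviewer's notes.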


  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post DDS.txt directly into your reply.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility writes its runtime log to the root of the system disk (the disk where the operating system is installed, C:\ as a rule).

The log name has the form UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.


  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
