
Can't get rid of rogue XP security 2011! (combofix)


  • This topic is locked
2 replies to this topic

#1 takomagirl

    New Member

  • Members
  • 1 posts

Posted 05 April 2011 - 12:55 PM

Please keep me from throwing my desktop out the window! I cannot remove a rogue XP Total Security 2011 infiltration. I have been unable to visit websites (it keeps redirecting or completely shutting down the connection; I am only able to communicate via my laptop and a neighbor's wifi!).

I have done numerous scans in safe mode (both mbam and Spyware Doctor), but Malwarebytes is only finding a single registry error (which, after being quarantined, does not eliminate the fake security pop-ups, etc.). In addition to the security pop-ups, I am also getting a lot of ohv.exe errors. I have tried deleting them in Task Manager, but they keep coming back. I am clearly out of my depth and hope you can help me get rid of this (and advise on avoiding future infection).

Thanks in advance for your time.

In a moment of extreme desperation I ran ComboFix and am including the log below; I do not want to proceed without expert eyes:


ComboFix 11-04-03.03 - Administrator 04/05/2011 12:42:20.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1770 [GMT -4:00]
Running from: I:\joint.exe
AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Patty\Local Settings\Application Data\{FA827B25-7D26-417B-922F-45D92BB07E18}
c:\documents and settings\Patty\Local Settings\Application Data\{FA827B25-7D26-417B-922F-45D92BB07E18}\chrome.manifest
c:\documents and settings\Patty\Local Settings\Application Data\{FA827B25-7D26-417B-922F-45D92BB07E18}\chrome\content\_cfg.js
c:\documents and settings\Patty\Local Settings\Application Data\{FA827B25-7D26-417B-922F-45D92BB07E18}\chrome\content\overlay.xul
c:\documents and settings\Patty\Local Settings\Application Data\{FA827B25-7D26-417B-922F-45D92BB07E18}\install.rdf
c:\documents and settings\Patty\Local Settings\Application Data\ohv.exe
c:\documents and settings\Paul\Local Settings\Application Data\{AC8E8D3E-E6BD-4CBD-B63B-30C5FAF27551}
c:\documents and settings\Paul\Local Settings\Application Data\{AC8E8D3E-E6BD-4CBD-B63B-30C5FAF27551}\chrome.manifest
c:\documents and settings\Paul\Local Settings\Application Data\{AC8E8D3E-E6BD-4CBD-B63B-30C5FAF27551}\chrome\content\_cfg.js
c:\documents and settings\Paul\Local Settings\Application Data\{AC8E8D3E-E6BD-4CBD-B63B-30C5FAF27551}\chrome\content\overlay.xul
c:\documents and settings\Paul\Local Settings\Application Data\{AC8E8D3E-E6BD-4CBD-B63B-30C5FAF27551}\install.rdf
c:\program files\Internet Explorer\SET8BA.tmp
c:\program files\Internet Explorer\SET8BB.tmp
c:\program files\Internet Explorer\SET8BD.tmp
C:\Thumbs.db
c:\windows\AutoRun.ini
c:\windows\ewacirisoh.dll
c:\windows\settings.reg
c:\windows\system32\Data
F:\autorun.inf
G:\autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-03-05 to 2011-04-05 )))))))))))))))))))))))))))))))
.
.
2011-04-05 16:25 . 2011-04-05 16:25 -------- d-----w- c:\windows\LastGood
2011-04-03 03:34 . 2011-04-03 03:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2011-04-03 02:58 . 2011-04-03 02:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\BVRP Software
2011-04-03 02:58 . 2011-04-03 02:58 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\BVRP Software
2011-04-03 02:37 . 2011-04-03 02:37 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-04-03 02:06 . 2011-04-03 02:06 -------- d-sh--w- c:\documents and settings\Paul\IECompatCache
2011-04-02 22:44 . 2011-04-02 22:44 -------- d-sh--w- c:\documents and settings\Paul\PrivacIE
2011-04-02 19:38 . 2011-04-02 19:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-03-22 01:33 . 2011-03-22 01:33 -------- d-----w- c:\documents and settings\Patty\Application Data\Malwarebytes
2011-03-21 17:47 . 2011-03-21 17:47 -------- d-----w- c:\documents and settings\Paul\Application Data\PCTools
2011-03-21 17:45 . 2011-03-21 17:45 -------- d-sh--w- c:\documents and settings\Paul\IETldCache
2011-03-21 16:15 . 2011-03-21 16:15 -------- d-----w- c:\documents and settings\Paul\Application Data\Malwarebytes
2011-03-21 16:15 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-21 16:15 . 2011-03-21 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-21 16:15 . 2011-03-21 18:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-21 16:15 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-21 04:25 . 2011-03-21 04:25 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-03-13 16:14 . 2011-03-13 16:14 2748 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-03-09 01:04 . 2011-03-09 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\fCnAiLh06300
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-22 01:27 . 2011-03-22 01:27 745 ----a-w- C:\xp_exe_fix.zip
2011-02-09 13:53 . 2004-08-11 22:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-11 22:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2004-08-11 22:11 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-11 22:11 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-11 22:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-11 22:00 290048 ----a-w- c:\windows\system32\atmfd.dll
.
.
------- Sigcheck -------
.
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0010\DriverFiles\i386\atapi.sys
.
[-] 2004-09-15 17:27 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2004-09-15 17:27 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\system32\MsPMSNSv.dll
[-] 2004-09-15 17:27 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\system32\dllcache\MsPMSNSv.dll
[-] 2004-08-04 10:00 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"Spyware Doctor"="c:\documents and settings\Administrator\Desktop\sdsetup_aff.exe" [2011-04-03 512992]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-08 136600]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-15 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-14 180269]
"MXOBG"="c:\windows\MXOALDR.EXE" [2006-08-13 94208]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 81920]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2005-11-09 634880]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-08-16 271672]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"PCTools FGuard"="c:\program files\PC Tools Security\BDT\FGuard.exe" [2010-12-03 108496]
"P17Helper"="P17.dll" [2005-05-04 64512]
"IPInSightMonitor 01"="c:\program files\EarthLink TotalAccess\FastLane2\IPMon32.exe" [2005-08-11 122880]
"IPInSightLAN 01"="c:\program files\EarthLink TotalAccess\FastLane2\IPClient.exe" [2005-08-11 380928]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-01-02 21:36 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdAuxService]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdCoreService"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [12/9/2010 5:04 PM 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [12/9/2010 5:05 PM 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [12/9/2010 5:05 PM 656320]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [12/9/2010 5:05 PM 247760]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/30/2010 10:11 PM 135664]
S2 PC FineTune Task Manager;PC FineTune Task Manager;c:\progra~1\EARTHL~3\PCFINE~1\MXTask.exe -Service --> c:\progra~1\EARTHL~3\PCFINE~1\MXTask.exe -Service [?]
S2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [7/16/2004 7:12 PM 14416]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 eyeonedp;eye-one display;c:\windows\system32\drivers\EyeOneDp.sys [2/17/2003 5:24 PM 44344]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [9/24/2007 11:46 PM 10880]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [12/9/2010 5:04 PM 366840]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 16:34]
.
2011-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-31 02:11]
.
2011-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-31 02:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.earthlink.net
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Refresh Pa&ge with Full Quality - c:\program files\EarthLink TotalAccess\Accelerator\\pac-page.html
IE: Refresh Pi&cture with Full Quality - c:\program files\EarthLink TotalAccess\Accelerator\\pac-image.html
TCP: {DE695698-F7EC-4DC9-BF9A-F8C61B27492D} = 207.69.188.186,207.69.188.187
DPF: {2EB0B740-B616-D8EB-515B-A9E063E32F70} - hxxp://performanceoptimizer.com/files/PerformanceOptimizerPre_Installer.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
Toolbar-Locked - (no file)
HKLM-Run-Okusufu - c:\windows\ewacirisoh.dll
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-05 12:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2167187101-520617633-2230737895-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a6,a7,c1,a9,8a,4b,74,40,88,eb,65,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a6,a7,c1,a9,8a,4b,74,40,88,eb,65,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(704)
c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll
.
Completion time: 2011-04-05 12:50:11
ComboFix-quarantined-files.txt 2011-04-05 16:50
.
Pre-Run: 18,453,364,736 bytes free
Post-Run: 18,418,237,440 bytes free
.
- - End Of File - - 4453A2EDA8D9AEFC00ED7E87CABE5B54
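As an added triage aid (not ComboFix's own code and not from this thread), the Python below reads a ComboFix log in the layout posted above and pulls out the lines a responder would look at first: Run entries that launch from a user-writable profile path, the Windows Firewall policy being switched off, autorun.inf deletions on non-system drives, and orphaned HKLM-Run entries. The embedded sample is a constructed excerpt modelled on the log above; the output is a list of leads for a human to review, not a verdict.

```python
"""Triage helper for ComboFix logs: added example, not ComboFix's or the forum's code."""
import re

# Constructed excerpt in the ComboFix layout; values modelled on the thread's log.
SAMPLE_LOG = r"""
((((( Other Deletions )))))
F:\autorun.inf
G:\autorun.inf
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"Spyware Doctor"="c:\documents and settings\Administrator\Desktop\sdsetup_aff.exe" [2011-04-03 512992]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Okusufu - c:\windows\ewacirisoh.dll
"""

# Per-user locations any unprivileged process can write to; an autostart entry launching from one deserves a second look.
USER_WRITABLE = ("\\documents and settings\\", "\\local settings\\", "\\application data\\")
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
AUTORUN = re.compile(r'^(?P<drive>[A-Z]):\\autorun\.inf$', re.IGNORECASE)
ORPHAN_RUN = re.compile(r'^HKLM-Run-(?P<name>\S+) - (?P<target>.+)$')


def triage(log_text):
    """Return (category, detail) leads for a human to review, in log order."""
    findings = []
    section = ""  # most recent [registry key] header seen
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()
            continue
        m = RUN_VALUE.match(line)
        if m and section.endswith("\\run]"):
            if any(p in m.group("path").lower() for p in USER_WRITABLE):
                findings.append(("run-from-user-profile", f'{m.group("name")}: {m.group("path")}'))
            continue
        if "firewallpolicy" in section and FIREWALL_OFF.match(line):
            findings.append(("firewall-disabled", section))
            continue
        m = AUTORUN.match(line)
        if m and m.group("drive").upper() != "C":
            findings.append(("removable-autorun", line))
            continue
        m = ORPHAN_RUN.match(line)
        if m:
            findings.append(("orphan-hklm-run", f'{m.group("name")} -> {m.group("target")}'))
    return findings
```

Run it on the full log (e.g. `triage(open("ComboFix.txt").read())`) and review each lead against the rest of the log; the Spyware Doctor installer on the Desktop is a benign hit here, while the orphaned Run entry pointing at a DLL in c:\windows matches the ewacirisoh.dll deletion listed earlier in the log.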

#2 screen317

    MBAM Sentinel

  • Moderators
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 07 April 2011 - 08:22 PM

Hi and welcome to Malwarebytes.


Please update MBAM, run a Quick Scan, and post its log.


Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post DDS.txt directly into your reply.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs a runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).
The log is named like UtilityName.Version_Date_Time_log.txt,
for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.
Chris Fistonich
Research Team


#3 screen317

    MBAM Sentinel

  • Moderators
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 28 April 2011 - 04:35 PM

Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance, please start your own topic in a new thread. Thanks!
Chris Fistonich
Research Team
