Sign in to follow this  
Followers 0
JaffaCat

Unable to run MBAM (Normal or Safe Mode)

29 posts in this topic

I've gone through the pre-check lists as in the Sticky.

I updated all of the applications (Avira AntiVir, MBAM, Ad-Aware and Windows XP) before this rogue Malware appeard (Antivirus XP).

I try running MBAM and I can't get it to run in Normal or Safe mode on the laptop.

I ran Avira Antivir in Safe and it removed intelppm.sys which was infected by 'TR/Patched.Gen' (trojan).

I have now been able to run it in Normal mode and it removed A0102382.sys which was infected by 'TR/Patched.Gen' (trojan).

I have now a Dos CMD prompt window - C:\Program Files\Apoint\Apntex.exe

I ran DeFogger which didn't ask me to re-boot, I did this manually.

Here is the Log -

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 14:56 on 08/04/2010 (AlwynHJ)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

Then as per the sticky, I downloaded DDS and GMER, here is the DDS Log -

DDS (Ver_10-03-17.01) - NTFSx86

Run by AlwynHJ at 15:06:23.96 on 08/04/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.88 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\system32\1XConfig.exe

svchost.exe

svchost

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\AlwynHJ\Local Settings\Application Data\ave.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe

C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Apoint\Apntex.exe

svchost

C:\WINDOWS\system32\RegSrvc.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil VoIP Plugin.exe

C:\Documents and Settings\AlwynHJ\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/

uDefault_Page_URL = hxxp://www.virginmedia.com

uWindow Title = Microsoft Internet Explorer provided by Virgin Media

uSearch Bar = hxxp://www.virginmedia.com/ie/search

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe"

mRun: [bCMSMMSG] BCMSMMSG.exe

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [storageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\FirstStart.exe" /OM

mRun: [sMSTray] c:\program files\samsung\samsung media studio 5\SMSTray.exe

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [ZCfgSvc.exe] c:\windows\system32\ZCfgSvc.exe

mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

uPolicies-system: EnableProfileQuota = 1 (0x1)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193384030236

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

Notify: igfxcui - igfxdev.dll

Notify: Sebring - c:\windows\system32\LgNotify.dll

AppInit_DLLs: c:\windows\system32\pisesiro.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: ShellHook Class: {88485281-8b4b-4f8d-9ede-82e29a064277} - c:\progra~1\markany\conten~1\MACSMA~1.DLL

LSA: Notification Packages = scecli c:\windows\system32\pisesiro.dll

Hosts: 10.36.110.52 xksds1

Hosts: 10.36.110.250 xks001

Hosts: 10.36.110.10 xks_server

Hosts: 10.36.110.52 xks002

Hosts: 10.36.110.53 xks004

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alwynhj\applic~1\mozilla\firefox\profiles\suf0kv29.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R? {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B

S? AntiVirSchedulerService;Avira AntiVir Scheduler

S? AntiVirService;Avira AntiVir Guard

S? avgio;avgio

S? avgntflt;avgntflt

S? kl1;kl1

S? Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service

S? Lbd;Lbd

S? Start BT in service;Start BT in service

S? vsdatant;vsdatant

S? vsmon;TrueVector Internet Monitor

============== File Associations ===============

.exe=secfile

=============== Created Last 30 ================

2010-04-08 13:56:12 0 ----a-w- c:\documents and settings\alwynhj\defogger_reenable

2010-04-07 20:48:04 1086856 ----a-w- C:\mbam.exe

2010-04-06 21:37:27 244 ---ha-w- C:\sqmnoopt10.sqm

2010-04-06 21:37:27 232 ---ha-w- C:\sqmdata10.sqm

2010-03-30 21:16:32 225672 ----a-w- C:\CrucialUKScan.exe

2010-03-11 03:04:58 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-03-29 23:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-29 23:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll

2010-01-20 00:18:08 40233352 ----a-w- C:\zaSetup_91_007_002_en.exe

2009-04-03 17:11:11 40581152 --sha-w- c:\windows\system32\drivers\fidbox.dat

============= FINISH: 15:10:31.08 ===============

I have attched the 2 zip files (Attach and Ark) as per the sticky.

I have not rerun DeFogger until somebody asks me to.

My ZoneAlarm goes off intermittantly and ave.exe wants to be approved to run, I Deny it all the time.

I hope I have followed the Sticky and the posted information will assist in getting a resolution ?.

Attach.zip

ark.zip

Share this post


Link to post
Share on other sites
NOTE: Please DO NOT post back to your post within the first 48 hours. Replying to your own posts changes the post count and will often cause helpers to think that you're already being helped and thus they won't open and look at your post. If no one has replied within 48 hours then please go ahead and either reply to your post or send a private message to a Moderator and let them know that you're still needing assistance.

It's been longer than 48 hours, more like 96 hours +, and theres been no contact or reply to my post.

Since posting the problem I haven't used the laptop due to the issues posted.

I couldn't run my Anti-Vius (Avira) and Malwarebytes, I had to log the call via another PC.

Should I be posting any other logs or running any other applications to assist with diagnosing problem ?.

Share this post


Link to post
Share on other sites

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
    cfRC_screen_1.png
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    cfRC_screen_2.png
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

Share this post


Link to post
Share on other sites

Hi Thank you for replying.

I can't get the laptop on the internet, so I saved and copied the Combofix via USB drive.

I clicked the Icon on the Desktop and the .exe doesn't do anything and a New window opens to say 'Open With'.

Does this mean that the malware has disabled the running of any .exes ??

What would be the next procedure ??

Share this post


Link to post
Share on other sites

Try to start the laptop in Safe Mode and see if you can run Combofix. You can also try renaming it to combofix.com and try to run it.

Share this post


Link to post
Share on other sites

I started the laptop in Safe Mode and tried to run Combofix, same thing happened as before, a New window opens to say 'Open With'.

So I renamed it to combofix.com and ran it, it waited for a few seconds as if it was extracting, then the same New window opens to say 'Open With'.

Does this mean that the malware has disabled the running of any .exes even in Safe mode ??

Thanks for replying so quickly. :)

Share this post


Link to post
Share on other sites

An update to previous post, I clicked through the New window which said 'Open With' by choosing Cancel 3 times.

Combofix was unable to install Microsoft Windows Recovery Console, as I couldn't get a Network connection.

While in Safe mode I couldn't disable Anti-Vir and Lavasoft Ad-aware.

Combofix carried on and re-booted in Normal mode, it took a while to create a log.

Here it is :-

ComboFix 10-04-13.03 - AlwynHJ 14/04/2010 13:52:50.1.1 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.337 [GMT 1:00]

Running from: c:\documents and settings\AlwynHJ\Desktop\ComboFix.com

AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\AlwynHJ\Application Data\wiaservg.log

C:\Thumbs.db

c:\windows\system32\muzapp.exe

c:\windows\system32\wbem\grpconv.exe

c:\windows\system32\wbem\proquota.exe

c:\windows\system32\grpconv.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_npf

((((((((((((((((((((((((( Files Created from 2010-03-14 to 2010-04-14 )))))))))))))))))))))))))))))))

.

No new files created in this timespan

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-08 13:41 . 2010-04-07 23:15 197120 --sha-w- c:\documents and settings\AlwynHJ\Local Settings\Application Data\3743969374.dll

2010-03-30 21:16 . 2010-03-30 21:16 225672 ----a-w- C:\CrucialUKScan.exe

2010-03-30 19:35 . 2008-12-21 20:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-30 19:34 . 2009-03-26 16:41 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-03-30 14:17 . 2010-03-09 21:17 439816 ----a-w- c:\documents and settings\AlwynHJ\Application Data\Real\Update\setup3.10\setup.exe

2010-03-29 23:46 . 2008-12-21 20:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-29 23:46 . 2010-04-07 20:48 1086856 ----a-w- C:\mbam.exe

2010-03-29 23:45 . 2008-12-21 20:34 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-25 06:24 . 2006-06-23 18:33 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-12 10:03 . 2010-04-08 12:13 293376 ------w- c:\windows\system32\browserchoice.exe

2010-01-20 00:18 . 2010-01-20 00:17 40233352 ----a-w- C:\zaSetup_91_007_002_en.exe

2009-04-03 17:11 . 2007-10-26 20:55 40581152 --sha-w- c:\windows\system32\drivers\fidbox.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-02-22 95536]

"Getdo"="c:\documents and settings\AlwynHJ\Application Data\Adobe\Update\flacor.dat" [2010-04-08 99840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-08-21 151552]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]

"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-22 919016]

"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2007-03-06 20531]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2008-02-22 54576]

"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 132624]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-13 185896]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"ZCfgSvc.exe"="c:\windows\system32\ZCfgSvc.exe" [2005-07-05 639040]

"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2005-06-27 135168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2007-4-21 693520]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-10-26 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

2005-07-05 01:33 188482 ----a-w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [17/08/2009 22:20 64160]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/11/2009 21:18 108289]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1029456]

R3 Start BT in service;Start BT in service;c:\program files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [21/04/2007 14:54 52080]

S3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;c:\windows\system32\drivers\wA301b.sys [26/10/2007 02:01 33847]

.

Contents of the 'Scheduled Tasks' folder

2010-03-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 22:21]

2010-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uInternet Settings,ProxyOverride = *.local

FF - ProfilePath - c:\documents and settings\AlwynHJ\Application Data\Mozilla\Firefox\Profiles\suf0kv29.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-14 14:07

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-796845957-842925246-854245398-1004\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1108)

c:\windows\system32\LgNotify.dll

- - - - - - - > 'explorer.exe'(1424)

c:\windows\system32\WININET.dll

c:\docume~1\AlwynHJ\LOCALS~1\Temp\23631764.nls

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\program files\Avira\AntiVir Desktop\shlext.dll

c:\program files\Malwarebytes' Anti-Malware\mbamext.dll

c:\program files\Lavasoft\Ad-Aware\ShellExt.dll

c:\progra~1\WINZIP\WZSHLSTB.DLL

c:\program files\WinRAR\rarext.dll

c:\progra~1\MarkAny\CONTEN~1\MACSMA~1.DLL

c:\windows\system32\browselc.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\shdoclc.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\S24EvMon.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\windows\system32\1XConfig.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\RegSrvc.exe

c:\program files\RealVNC\VNC4\WinVNC4.exe

c:\windows\System32\wbem\unsecapp.exe

c:\windows\BCMSMMSG.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Apoint\Apntex.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\IVT Corporation\BlueSoleil\BlueSoleil VoIP Plugin.exe

.

**************************************************************************

.

Completion time: 2010-04-14 14:27:21 - machine was rebooted

ComboFix-quarantined-files.txt 2010-04-14 13:27

Pre-Run: 12,376,195,072 bytes free

Post-Run: 13,001,560,064 bytes free

- - End Of File - - 16A1D387C0492EFD23696C44F0C58BB0

I have also now been successful in installing 'Microsoft Windows Recovery Console' from the Windows XP CD.

Share this post


Link to post
Share on other sites

Please run GMER again and make sure to include SECTIONS as part of the scan this time and post back new log.

Share this post


Link to post
Share on other sites

I started running GMER in Normal mode and after about 20 minutes I had the Blue screen of death with the following message :-

PFN_LIST_CORRUPT

****STOP 0x0000004E (0x00000007, 0x0001D34A, 0x00000001, 0x00000000)

So I decided to run it in Safe mode, it ran OK but I couldn't get to the box to save the scan details.

I rebooted into Normal mode and ran GMER again, after about 25 minutes another Blue screen of death with the following message :-

PFN_LIST_CORRUPT

****STOP 0x0000004E (0x00000007, 0x00008680, 0x00000001, 0x00000000)

Can you give assitance If I'm doing anything incorrectly ?.

Share this post


Link to post
Share on other sites

No that is a memory management page file number corruption typically caused by a hardware issue. It could be bad memory on your system or it could be this infection affecting how we're trying to access it.

Download this file and extract TDSSKiller.exe to your Desktop.

------------------------------------------------------

Execute TDSSKiller.exe by doubleclicking on it. You may be prompted to restart your machine. Type Y at the prompt

Once complete, a log will be produced at root. It will be named

UtilityName.Version_Date_Time_log.txt.

for example, C:\TDSSKiller.2.2.0_27.1.2010_15.31.43_log.txt.

Attach that log on your next reply please.

------------------------------------------------------

Share this post


Link to post
Share on other sites

Please download a new version of Combofix and overwrite the current one on your desktop and temporarily disable your Anti-Virus and run Combofix and post back the new log.

Share this post


Link to post
Share on other sites

Combofix ran OK in Normal mode.

Here it is :-

ComboFix 10-04-17.07 - AlwynHJ 19/04/2010 10:19:57.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.252 [GMT 1:00]

Running from: c:\documents and settings\AlwynHJ\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2010-03-19 to 2010-04-19 )))))))))))))))))))))))))))))))

.

2010-04-14 13:00 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe

2010-04-14 13:00 . 2004-08-04 07:56 39424 ----a-w- c:\windows\system32\grpconv.exe

2010-04-08 12:13 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

2010-04-07 23:15 . 2010-04-08 13:41 197120 --sha-w- c:\documents and settings\AlwynHJ\Local Settings\Application Data\3743969374.dll

2010-04-07 20:48 . 2010-03-29 23:46 1086856 ----a-w- C:\mbam.exe

2010-03-30 21:16 . 2010-03-30 21:16 225672 ----a-w- C:\CrucialUKScan.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-08 13:44 . 2010-04-08 13:46 95232 ----a-w- c:\windows\Internet Logs\xDB13.tmp

2010-04-08 13:44 . 2010-04-08 13:46 2363392 ----a-w- c:\windows\Internet Logs\xDB14.tmp

2010-04-07 20:27 . 2010-04-07 20:30 47104 ----a-w- c:\windows\Internet Logs\xDB12.tmp

2010-04-05 21:04 . 2010-04-06 17:45 812544 ----a-w- c:\windows\Internet Logs\xDB11.tmp

2010-04-05 10:17 . 2008-05-11 08:56 13567409 ----a-w- c:\windows\Internet Logs\tvDebug.zip

2010-03-30 19:35 . 2008-12-21 20:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-30 19:34 . 2009-03-26 16:41 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-03-30 14:17 . 2010-03-09 21:17 439816 ----a-w- c:\documents and settings\AlwynHJ\Application Data\Real\Update\setup3.10\setup.exe

2010-03-29 23:46 . 2008-12-21 20:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-29 23:45 . 2008-12-21 20:34 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-25 06:24 . 2006-06-23 18:33 916480 ------w- c:\windows\system32\wininet.dll

2010-02-13 21:49 . 2010-02-13 21:50 509440 ----a-w- c:\windows\Internet Logs\xDBF.tmp

2010-02-13 21:46 . 2010-02-13 21:50 2321408 ----a-w- c:\windows\Internet Logs\xDB10.tmp

2010-01-20 00:18 . 2010-01-20 00:17 40233352 ----a-w- C:\zaSetup_91_007_002_en.exe

2009-04-03 17:11 . 2007-10-26 20:55 40581152 --sha-w- c:\windows\system32\drivers\fidbox.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-02-22 95536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-08-21 151552]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]

"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-22 919016]

"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2007-03-06 20531]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2008-02-22 54576]

"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 132624]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-13 185896]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"ZCfgSvc.exe"="c:\windows\system32\ZCfgSvc.exe" [2005-07-05 639040]

"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2005-06-27 135168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2007-4-21 693520]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-10-26 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

2005-07-05 01:33 188482 ----a-w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [17/08/2009 22:20 64160]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/11/2009 21:18 108289]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1029456]

R3 Start BT in service;Start BT in service;c:\program files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [21/04/2007 14:54 52080]

S3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;c:\windows\system32\drivers\wA301b.sys [26/10/2007 02:01 33847]

.

Contents of the 'Scheduled Tasks' folder

2010-03-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 22:21]

2010-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uInternet Settings,ProxyOverride = *.local

FF - ProfilePath - c:\documents and settings\AlwynHJ\Application Data\Mozilla\Firefox\Profiles\suf0kv29.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-19 10:28

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-796845957-842925246-854245398-1004\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1108)

c:\windows\system32\LgNotify.dll

- - - - - - - > 'explorer.exe'(3404)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\program files\Avira\AntiVir Desktop\shlext.dll

c:\program files\Malwarebytes' Anti-Malware\mbamext.dll

c:\program files\Lavasoft\Ad-Aware\ShellExt.dll

c:\progra~1\WINZIP\WZSHLSTB.DLL

c:\program files\WinRAR\rarext.dll

c:\progra~1\MarkAny\CONTEN~1\MACSMA~1.DLL

c:\windows\system32\browselc.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\shdoclc.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

.

Completion time: 2010-04-19 10:36:17

ComboFix-quarantined-files.txt 2010-04-19 09:35

ComboFix2.txt 2010-04-14 13:27

Pre-Run: 12,887,429,120 bytes free

Post-Run: 12,867,383,296 bytes free

- - End Of File - - 66EE42EE266E192A1FB116CF91AE826C

Share this post


Link to post
Share on other sites

STEP 01

These files should not be in the root of the C: drive. You should remove them to a folder or delete them.

C:\mbam.exe

C:\CrucialUKScan.exe

C:\zaSetup_91_007_002_en.exe

STEP 02

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

File::
c:\documents and settings\AlwynHJ\Local Settings\Application Data\3743969374.dll
DDS::
uInternet Settings,ProxyOverride = *.local

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
    When the scan completes Notepad will open with with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 03

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 20 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 20 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u20 with JavaFX 1 License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files

      [*]Click OK on Delete Temporary Files Window

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

      [*]Click OK to leave the Temporary Files Window

      [*]Click OK to leave the Java Control Panel.

STEP 04

Disable ZoneAlarm if needed for this.

What we need to do now is run this online scan to search for any remnants. It can take several hours, so please be patient and allow it to run it's full course.

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Share this post


Link to post
Share on other sites

STEP 01

I have deleted the 3 exe's from the C drive.

STEP 02

Created the "CFsript.txt" as mentioned above and dropped it into Combofix which ran OK in Normal mode.

Here is the log :-

ComboFix 10-04-17.07 - AlwynHJ 20/04/2010 8:50.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.310 [GMT 1:00]

Running from: c:\documents and settings\AlwynHJ\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\AlwynHJ\Desktop\CFscript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::

"c:\documents and settings\AlwynHJ\Local Settings\Application Data\3743969374.dll"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\AlwynHJ\Local Settings\Application Data\3743969374.dll

.

((((((((((((((((((((((((( Files Created from 2010-03-20 to 2010-04-20 )))))))))))))))))))))))))))))))

.

2010-04-14 13:00 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe

2010-04-14 13:00 . 2004-08-04 07:56 39424 ----a-w- c:\windows\system32\grpconv.exe

2010-04-08 12:13 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-08 13:44 . 2010-04-08 13:46 95232 ----a-w- c:\windows\Internet Logs\xDB13.tmp

2010-04-08 13:44 . 2010-04-08 13:46 2363392 ----a-w- c:\windows\Internet Logs\xDB14.tmp

2010-04-07 20:27 . 2010-04-07 20:30 47104 ----a-w- c:\windows\Internet Logs\xDB12.tmp

2010-04-05 21:04 . 2010-04-06 17:45 812544 ----a-w- c:\windows\Internet Logs\xDB11.tmp

2010-04-05 10:17 . 2008-05-11 08:56 13567409 ----a-w- c:\windows\Internet Logs\tvDebug.zip

2010-03-30 19:35 . 2008-12-21 20:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-30 19:34 . 2009-03-26 16:41 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-03-30 14:17 . 2010-03-09 21:17 439816 ----a-w- c:\documents and settings\AlwynHJ\Application Data\Real\Update\setup3.10\setup.exe

2010-03-29 23:46 . 2008-12-21 20:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-29 23:45 . 2008-12-21 20:34 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-25 06:24 . 2006-06-23 18:33 916480 ------w- c:\windows\system32\wininet.dll

2010-02-13 21:49 . 2010-02-13 21:50 509440 ----a-w- c:\windows\Internet Logs\xDBF.tmp

2010-02-13 21:46 . 2010-02-13 21:50 2321408 ----a-w- c:\windows\Internet Logs\xDB10.tmp

2009-04-03 17:11 . 2007-10-26 20:55 40581152 --sha-w- c:\windows\system32\drivers\fidbox.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-02-22 95536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-08-21 151552]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]

"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-22 919016]

"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2007-03-06 20531]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2008-02-22 54576]

"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 132624]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-13 185896]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"ZCfgSvc.exe"="c:\windows\system32\ZCfgSvc.exe" [2005-07-05 639040]

"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2005-06-27 135168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2007-4-21 693520]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-10-26 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

2005-07-05 01:33 188482 ----a-w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [17/08/2009 22:20 64160]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/11/2009 21:18 108289]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1029456]

R3 Start BT in service;Start BT in service;c:\program files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [21/04/2007 14:54 52080]

S3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;c:\windows\system32\drivers\wA301b.sys [26/10/2007 02:01 33847]

.

Contents of the 'Scheduled Tasks' folder

2010-03-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 22:21]

2010-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

FF - ProfilePath - c:\documents and settings\AlwynHJ\Application Data\Mozilla\Firefox\Profiles\suf0kv29.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-20 08:58

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-796845957-842925246-854245398-1004\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1104)

c:\windows\system32\LgNotify.dll

.

Completion time: 2010-04-20 09:03:01

ComboFix-quarantined-files.txt 2010-04-20 08:02

ComboFix2.txt 2010-04-19 09:36

ComboFix3.txt 2010-04-14 13:27

Pre-Run: 12,867,764,224 bytes free

Post-Run: 12,829,048,832 bytes free

- - End Of File - - D237317C0F2CDEB7EC876007D35DB182

STEP 03

There were no Java entries in Control Panel option for Add or Remove Programs.

I downloaded the latest as indicated and checked out that Temporary Internet Files was checked as requested.

STEP 04

I can't get to an Internet connection at the moment, I will probably be able to do it in the next couple of hours time.

Will post the required log when complete.

Share this post


Link to post
Share on other sites

Okay that actually looks pretty good now.

Please run the following and let me know if you have any issues.

Windows XP:

  • Click on Start and select Control Panel
  • Open Add/Remove Programs
  • Uninstall Malwarebytes' Anti-Malware
  • Restart your computer very important
  • Download and run mbam-clean.exe from here
  • It will ask to restart your computer, please allow it to do so very important
  • After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here
    • Note: You will need to reactivate the program using the license you were sent via email if using the Pro version
    • Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.
      Restart the computer again and verify that MBAM is in the task tray if using the Pro version. Now setup any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications and restart your Anti-Virus/Internet-Security applications. You may use the guides posted in the FAQ's here or post to ask and we'll explain how to do it.

Assuming the install works well please run a Quick Scan after an update and post back the log.

Share this post


Link to post
Share on other sites

ID: 18   Posted (edited)

Followed your instructions regarding MBAM and the log is attached :-

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 4014

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

21/04/2010 09:24:02

mbam-log-2010-04-21 (09-24-02).txt

Scan type: Quick scan

Objects scanned: 123705

Time elapsed: 12 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\AlwynHJ\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\AlwynHJ\Application Data\Adobe\Update\flacor.dat (Trojan.Agent) -> No action taken.

mbam_log_2010_04_21__09_24_02_.txt

Edited by AdvancedSetup
Posted MBAM log inline

Share this post


Link to post
Share on other sites

That log indicates that you did not tell MBAM to fix it. Please scan again and have MBAM fix it.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the new MBAM log

Share this post


Link to post
Share on other sites

Apologies this should have been the log :-

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 4014

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

21/04/2010 09:24:55

mbam-log-2010-04-21 (09-24-55).txt

Scan type: Quick scan

Objects scanned: 123705

Time elapsed: 12 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\AlwynHJ\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\AlwynHJ\Application Data\Adobe\Update\flacor.dat (Trojan.Agent) -> Quarantined and deleted successfully.

I did run it again as you asked, here is the log :-

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 4014

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

21/04/2010 13:09:17

mbam-log-2010-04-21 (13-09-17).txt

Scan type: Quick scan

Objects scanned: 123756

Time elapsed: 10 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I also ran MBAM in "Full scan" by mistake which didn't result in any detections, but it did trigger Avira AntiVir to pop up a window 9 times, all items are now in quarantine.

Virus or unwanted program 'TR/PCK.Katusha.J.1315 (trojan)' detected in file C:\System Volume Information\_restore{4C7BD312-7E61-4B1C-99F6-F2881B8CEE32}\RP537\A0102377.exe

Action performed: Move file to quarantine.

Virus or unwanted program 'TR/PCK.Katusha.J.1315 (trojan)' detected in file C:\System Volume Information\_restore{4C7BD312-7E61-4B1C-99F6-F2881B8CEE32}\RP537\A0102395.dll

Action performed: Move file to quarantine.

Virus or unwanted program 'TR/PCK.Katusha.J.1315 (trojan)' detected in file C:\System Volume Information\_restore{4C7BD312-7E61-4B1C-99F6-F2881B8CEE32}\RP539\A0103431.exe

Action performed: Move file to quarantine.

Virus or unwanted program 'TR/Agent.AO.1107 (trojan)' detected in file C:\System Volume Information\_restore{4C7BD312-7E61-4B1C-99F6-F2881B8CEE32}\RP540\A0103488.exe

Action performed: Move file to quarantine.

Virus or unwanted program 'TR/CryptXPACK.Gen (trojan)' detected in file C:\System Volume Information\_restore{4C7BD312-7E61-4B1C-99F6-F2881B8CEE32}\RP540\A0103489.exe

Action performed: Move file to quarantine.

Virus or unwanted program 'TR/PCK.Katusha.J.1315 (trojan)' detected in file C:\System Volume Information\_restore{4C7BD312-7E61-4B1C-99F6-F2881B8CEE32}\RP542\A0105795.dll

Action performed: Move file to quarantine.

Virus or unwanted program 'TR/PCK.Katusha.J.1315 (trojan)' detected in file C:\Qoobox\Quarantine\C\Documents and Settings\AlwynHJ\Local Settings\Application Data\3743969374.dll.vir

Action performed: Move file to quarantine.

Virus or unwanted program 'TR/Agent.AO.1107 (trojan)' detected in file C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\grpconv.exe.vir

Action performed: Move file to quarantine.

Virus or unwanted program 'TR/CryptXPACK.Gen (trojan)' detected in file C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir

Action performed: Move file to quarantine.

Share this post


Link to post
Share on other sites

That is because we've not completed the cleanup process yet.

Your logs appear clean.You should be good to go. We still have a few items to address.

Disconnect from the internet and disable your AntiVirus temporarily.

Press the Windows key + R -> in the Run box which opens -> copy/paste in the following single line command & click OK

ComboFix /Uninstall

combofix_run_uninstall.png

This will uninstall ComboFix. It will also implement some cleanup procedures.

Re-enable your AntiVirus now. Reconnect to the internet at your leisure.

Delete any remaining tools we've used (DDS and GMER) and logs from them.

Empty your Recycle Bin.

Clear & Reset System Restore's Cache

  • Press the Windows key + R
  • Type or copy/paste control sysdm.cpl,,4 & press Enter
  • Click on Continue
  • Under Automatic Restore points
    • Uncheck (untick) all the boxes under Create restore points automatically on the selected disks section.
    • Click Turn System Restore Off.
    • Click Apply

    Turn System Restore back on now.

    [*]Check (tick) all the boxes under Create restore points automatically on the selected disks section.

    [*]Click OK.

Post back and let me know if you still have any outstanding issues with regards to Malware or not as we should be about done here now.

Share this post


Link to post
Share on other sites

Thanks for the information in relation to the quarantining by Avira AntiVir.

I have done all the other tasks, but the instructions in relation to "Clear & Reset System Restore's Cache" doesn't follow what comes up as a the 'System Properties' window.

All I have is a box to check/uncheck 'Turn off System Restore'

All I can do is check it then click Apply, then uncheck and click Apply.

Am I doing anything incorrectly or is there something else that I have missed ??.

Share this post


Link to post
Share on other sites

Here is a more detailed method for you.

Remove all but the most recent Restore Point on Windows XP

You should
Create a New Restore Point
to prevent possible reinfection from an old one.

Some of the malware you picked up could have been saved in System Restore.

Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point.

Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to
"roll-back"
to a clean working state.

The easiest and safest way to do this is
:

  • Go to
    Start
    >
    Programs
    >
    Accessories
    >
    System Tools
    and click "
    System Restore
    ".

  • If the shortcut is missing you can also click on
    START
    >
    RUN
    > and type in
    %SystemRoot%\system32\restore\rstrui.exe
    and click OK

  • Choose the radio button marked "
    Create a Restore Point
    " on the first screen then click "
    Next
    ".

  • Give the new Restore Point a name, then click "
    Create
    ".

  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

  • Then use the
    Disk Cleanup
    to remove all but the most recently created Restore Point.

  • Go to
    Start
    >
    Run
    and type:
    Cleanmgr.exe

  • Select the drive where Windows is installed and click "
    Ok
    ". Disk Cleanup will scan your files for several minutes, then open.

  • Click the "
    More Options
    " tab, then click the "
    Clean up
    " button under System Restore.

  • Click Ok. You will be prompted with "
    Are you sure you want to delete all but the most recent restore point?
    "

  • Click
    Yes
    , then click Ok.

  • Click
    Yes
    again when prompted with "
    Are you sure you want to perform these actions?
    "

  • Disk Cleanup will remove the files and close automatically.

  • On the
    Disk Cleanup
    tab, if the
    System Restore: Obsolete Data Stores
    entry is available remove them also.

  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.

selectdrivecleanup.pngselectdrivecleanup1.png

Additional information

Microsoft KB article: How to turn off and turn on System Restore in Windows XP

Bert Kinney's site: All about Windows System Restore

Share this post


Link to post
Share on other sites

I have now created a new Restore Point, also I have ran the Disk Cleanup routines.

Is there anything outstanding I should run/do on the laptop ??.

Share this post


Link to post
Share on other sites

Now that the system is clean I would HIGLY suggest that you update to Service Pack 3. I would also suggest using the full download myself and temporarily disable your Anti-Virus - if this is an HP machine also check for update fixes from HP first before upgrading to Service Pack 3

Windows XP Service Pack 3 Network Installation Package for IT Professionals and Developers

I'll close your post soon so that other don't post into it and leave you with this information and suggestions.

So how did I get infected in the first place?

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.