takomagirl

Can't get rid of rogue XP Security 2011! (ComboFix)

3 posts in this topic

Please keep me from throwing my desktop out the window! I cannot remove a rogue XP Total Security 2011 infiltration. I have been unable to visit websites (it keeps redirecting or completely shutting down the connection; I am only able to communicate via a laptop on my neighbor's wifi!).

I have done numerous scans in Safe Mode (both MBAM and Spyware Doctor), but Malwarebytes is only finding a single registry error (which, after being quarantined, does not eliminate the fake security pop-ups, etc.). In addition to the security pop-ups, I am also getting a lot of ohv.exe errors. I have tried deleting them in Task Manager, but they still keep coming. I am clearly out of my depth and hope you can help me get rid of this (and advise on avoiding future infection).

Thanks in advance for your time.

In a moment of extreme desperation I ran ComboFix and am including the log below; I do not want to proceed without expert eyes:

ComboFix 11-04-03.03 - Administrator 04/05/2011 12:42:20.1.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1770 [GMT -4:00]

Running from: I:\joint.exe

AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Patty\Local Settings\Application Data\{FA827B25-7D26-417B-922F-45D92BB07E18}

c:\documents and settings\Patty\Local Settings\Application Data\{FA827B25-7D26-417B-922F-45D92BB07E18}\chrome.manifest

c:\documents and settings\Patty\Local Settings\Application Data\{FA827B25-7D26-417B-922F-45D92BB07E18}\chrome\content\_cfg.js

c:\documents and settings\Patty\Local Settings\Application Data\{FA827B25-7D26-417B-922F-45D92BB07E18}\chrome\content\overlay.xul

c:\documents and settings\Patty\Local Settings\Application Data\{FA827B25-7D26-417B-922F-45D92BB07E18}\install.rdf

c:\documents and settings\Patty\Local Settings\Application Data\ohv.exe

c:\documents and settings\Paul\Local Settings\Application Data\{AC8E8D3E-E6BD-4CBD-B63B-30C5FAF27551}

c:\documents and settings\Paul\Local Settings\Application Data\{AC8E8D3E-E6BD-4CBD-B63B-30C5FAF27551}\chrome.manifest

c:\documents and settings\Paul\Local Settings\Application Data\{AC8E8D3E-E6BD-4CBD-B63B-30C5FAF27551}\chrome\content\_cfg.js

c:\documents and settings\Paul\Local Settings\Application Data\{AC8E8D3E-E6BD-4CBD-B63B-30C5FAF27551}\chrome\content\overlay.xul

c:\documents and settings\Paul\Local Settings\Application Data\{AC8E8D3E-E6BD-4CBD-B63B-30C5FAF27551}\install.rdf

c:\program files\Internet Explorer\SET8BA.tmp

c:\program files\Internet Explorer\SET8BB.tmp

c:\program files\Internet Explorer\SET8BD.tmp

C:\Thumbs.db

c:\windows\AutoRun.ini

c:\windows\ewacirisoh.dll

c:\windows\settings.reg

c:\windows\system32\Data

F:\autorun.inf

G:\autorun.inf

.

.

((((((((((((((((((((((((( Files Created from 2011-03-05 to 2011-04-05 )))))))))))))))))))))))))))))))

.

.

2011-04-05 16:25 . 2011-04-05 16:25 -------- d-----w- c:\windows\LastGood

2011-04-03 03:34 . 2011-04-03 03:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2011-04-03 02:58 . 2011-04-03 02:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\BVRP Software

2011-04-03 02:58 . 2011-04-03 02:58 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\BVRP Software

2011-04-03 02:37 . 2011-04-03 02:37 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2011-04-03 02:06 . 2011-04-03 02:06 -------- d-sh--w- c:\documents and settings\Paul\IECompatCache

2011-04-02 22:44 . 2011-04-02 22:44 -------- d-sh--w- c:\documents and settings\Paul\PrivacIE

2011-04-02 19:38 . 2011-04-02 19:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2011-03-22 01:33 . 2011-03-22 01:33 -------- d-----w- c:\documents and settings\Patty\Application Data\Malwarebytes

2011-03-21 17:47 . 2011-03-21 17:47 -------- d-----w- c:\documents and settings\Paul\Application Data\PCTools

2011-03-21 17:45 . 2011-03-21 17:45 -------- d-sh--w- c:\documents and settings\Paul\IETldCache

2011-03-21 16:15 . 2011-03-21 16:15 -------- d-----w- c:\documents and settings\Paul\Application Data\Malwarebytes

2011-03-21 16:15 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-21 16:15 . 2011-03-21 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-03-21 16:15 . 2011-03-21 18:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-03-21 16:15 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-21 04:25 . 2011-03-21 04:25 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2011-03-13 16:14 . 2011-03-13 16:14 2748 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2011-03-09 01:04 . 2011-03-09 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\fCnAiLh06300

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-22 01:27 . 2011-03-22 01:27 745 ----a-w- C:\xp_exe_fix.zip

2011-02-09 13:53 . 2004-08-11 22:00 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2004-08-11 22:00 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 07:58 . 2004-08-11 22:11 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2004-08-11 22:11 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44 . 2004-08-11 22:00 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09 . 2004-08-11 22:00 290048 ----a-w- c:\windows\system32\atmfd.dll

.

.

------- Sigcheck -------

.

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys

[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys

[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys

[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0010\DriverFiles\i386\atapi.sys

.

[-] 2004-09-15 17:27 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll

[-] 2004-09-15 17:27 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\system32\MsPMSNSv.dll

[-] 2004-09-15 17:27 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\system32\dllcache\MsPMSNSv.dll

[-] 2004-08-04 10:00 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]

"Spyware Doctor"="c:\documents and settings\Administrator\Desktop\sdsetup_aff.exe" [2011-04-03 512992]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-08 136600]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-15 344064]

"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-14 180269]

"MXOBG"="c:\windows\MXOALDR.EXE" [2006-08-13 94208]

"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 81920]

"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2005-11-09 634880]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-08-16 271672]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"PCTools FGuard"="c:\program files\PC Tools Security\BDT\FGuard.exe" [2010-12-03 108496]

"P17Helper"="P17.dll" [2005-05-04 64512]

"IPInSightMonitor 01"="c:\program files\EarthLink TotalAccess\FastLane2\IPMon32.exe" [2005-08-11 122880]

"IPInSightLAN 01"="c:\program files\EarthLink TotalAccess\FastLane2\IPClient.exe" [2005-08-11 380928]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2011-01-02 21:36 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ \0

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdAuxService]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdCoreService"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

.

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [12/9/2010 5:04 PM 239168]

R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [12/9/2010 5:05 PM 338880]

R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [12/9/2010 5:05 PM 656320]

S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [12/9/2010 5:05 PM 247760]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/30/2010 10:11 PM 135664]

S2 PC FineTune Task Manager;PC FineTune Task Manager;c:\progra~1\EARTHL~3\PCFINE~1\MXTask.exe -Service --> c:\progra~1\EARTHL~3\PCFINE~1\MXTask.exe -Service [?]

S2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [7/16/2004 7:12 PM 14416]

S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]

S3 eyeonedp;eye-one display;c:\windows\system32\drivers\EyeOneDp.sys [2/17/2003 5:24 PM 44344]

S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [9/24/2007 11:46 PM 10880]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [12/9/2010 5:04 PM 366840]

.

Contents of the 'Scheduled Tasks' folder

.

2011-03-29 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 16:34]

.

2011-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-31 02:11]

.

2011-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-31 02:11]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.earthlink.net

uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Refresh Pa&ge with Full Quality - c:\program files\EarthLink TotalAccess\Accelerator\\pac-page.html

IE: Refresh Pi&cture with Full Quality - c:\program files\EarthLink TotalAccess\Accelerator\\pac-image.html

TCP: {DE695698-F7EC-4DC9-BF9A-F8C61B27492D} = 207.69.188.186,207.69.188.187

DPF: {2EB0B740-B616-D8EB-515B-A9E063E32F70} - hxxp://performanceoptimizer.com/files/PerformanceOptimizerPre_Installer.cab

DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab

DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

Toolbar-Locked - (no file)

HKLM-Run-Okusufu - c:\windows\ewacirisoh.dll

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-05 12:48

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-2167187101-520617633-2230737895-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a6,a7,c1,a9,8a,4b,74,40,88,eb,65,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a6,a7,c1,a9,8a,4b,74,40,88,eb,65,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(704)

c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll

.

Completion time: 2011-04-05 12:50:11

ComboFix-quarantined-files.txt 2011-04-05 16:50

.

Pre-Run: 18,453,364,736 bytes free

Post-Run: 18,418,237,440 bytes free

.

- - End Of File - - 4453A2EDA8D9AEFC00ED7E87CABE5B54


Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has finished, two logs will be produced; please post DDS.txt directly into your reply.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility writes its runtime log to the root directory of the system disk (the disk where the operating system is installed, C:\ as a rule).

The log is named like UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
