Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Removed Vundo, I think, but automatic updates and the firewall automat


  • This topic is locked

#16
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Let's try to fix this then.

Step 1.
CFScript:

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the codebox below into it:

Driver::
boaqi
NetSvc::
boaqi

Save this as CFScript.txt, in the same location as ComboFix.exe


[Posted Image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Step 2.
Collect current permissions on some keys:

  • Please go to My Computer, open your C:\ drive, select New >> Folder and name the folder swreg.
  • Download SWReg from here to the new folder.
  • Please open a new Notepad file by clicking Start\All Programs\Accessories\Notepad.
  • Copy the text from the following Code box, by highlighting all the text and right click, Select Copy. (or use the Ctrl+C keyboard shortcut)
    @echo off
    CD c:\swreg
    
    SWREG ACL "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" > getperm.txt
    
    start notepad getperm.txt
  • Paste it into Notepad. Right click in the window and select Paste. (or use Ctrl+V)
  • Save the file to the Desktop, make sure Type is All Files and Encoding is ANSI, and name it getperm.bat
  • Double click on the file created. A Notepad window will open with the content of getperm.txt.
  • Copy the content of getperm.txt and paste it into your next post.



Step 3.
Things I would like to see in your reply:

  • The content of C:\ComboFix.txt from step 1.
  • The content of getperm.txt from step 2.

  • 0
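The check in Step 2 above, written as an added PowerShell example (not code from the original post, nor from SWReg): it reads the ACL on the same BITS service key, plus the Automatic Updates key as an assumption, and flags the "Administrators: Read only" state that the getperm.txt output shows, without changing anything. The ImagePath and ServiceDll values are printed for comparison against a known-clean machine rather than edited or deleted.

```powershell
# Added example for the Step 2 permission check; not part of the thread or of SWReg.
# Audits the DACL on the service keys that Vundo-style infections lock down
# (BITS is what the thread inspects; wuauserv is an assumed addition), prints the
# ACE table the way getperm.txt does, and warns when BUILTIN\Administrators or
# NT AUTHORITY\SYSTEM lack FullControl. Read-only: nothing is modified.
# Run from an elevated PowerShell prompt.
param([string[]]$Services = @('BITS', 'wuauserv'))

$required = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
$full     = [System.Security.AccessControl.RegistryRights]::FullControl

function Test-ServiceKeyAcl {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { Write-Warning "$key not found"; return $false }

    $acl = Get-Acl -Path $key
    Write-Host "`n== $key  (owner: $($acl.Owner))"
    $acl.Access |
        Format-Table IdentityReference, AccessControlType, RegistryRights, IsInherited -AutoSize |
        Out-Host

    $ok = $true
    foreach ($id in $required) {
        # Flag an explicit Deny ACE for this identity before checking Allow rights.
        $deny = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $id -and $_.AccessControlType -eq 'Deny'
        }
        if ($deny) { Write-Warning "$id has a Deny ACE on $Name"; $ok = $false }

        # FullControl means an Allow ACE carrying every FullControl bit;
        # a "Read" ACE (KEY_READ) fails this test, which is the state in getperm.txt.
        $allow = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $id -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.RegistryRights -band $full) -eq $full)
        }
        if (-not $allow) { Write-Warning "$id does not have FullControl on $Name"; $ok = $false }
    }

    # Show where the service points; compare with a clean system instead of deleting.
    $svc = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $dll = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    Write-Host "ImagePath : $($svc.ImagePath)"
    Write-Host "ServiceDll: $dll"
    return $ok
}

$allOk = $true
foreach ($s in $Services) { if (-not (Test-ServiceKeyAcl $s)) { $allOk = $false } }
if ($allOk) { Write-Host "`nAll audited service keys grant FullControl to Administrators and SYSTEM." }
```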


#17
alcatraz543

    Member

  • Topic Starter
  • Member
  • 20 posts
*******************************************************************************
Registrykey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
DCY278C1\Administrators
Allowed Read This Key Only

No Auditing set

Owner: Administrators (DCY278C1\Administrators)


Here's my combofix log.

ComboFix 09-04-04.01 - Blake 2009-04-11 12:49:01.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.459 [GMT -4:00]
Running from: c:\documents and settings\Blake\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Blake\Desktop\CFScript.txt
AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Extreme Security Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_boaqi
-------\Service_boaqi


((((((((((((((((((((((((( Files Created from 2009-03-11 to 2009-04-11 )))))))))))))))))))))))))))))))
.

2009-04-05 16:55 . 2009-04-05 16:55 410,984 --a------ c:\windows\system32\deploytk.dll
2009-04-05 16:55 . 2009-04-05 16:55 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-04-04 16:31 . 2009-04-04 16:31 <DIR> d-------- C:\_OTListIt
2009-04-04 11:55 . 2009-04-05 19:36 <DIR> d-------- C:\Lop SD
2009-03-29 03:55 . 2009-03-29 13:48 <DIR> d--h----- c:\documents and settings\Blake\Application Data\GTek
2009-03-29 03:27 . 2009-03-29 13:39 <DIR> d-------- c:\program files\backups
2009-03-29 01:58 . 2009-03-29 01:58 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-29 01:58 . 2009-03-29 01:58 <DIR> d-------- c:\documents and settings\Blake\Application Data\SUPERAntiSpyware.com
2009-03-29 01:58 . 2009-03-29 01:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-29 01:57 . 2009-03-29 01:57 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-29 01:54 . 2009-03-29 01:54 <DIR> d-------- c:\program files\Panda Security
2009-03-29 01:50 . 2009-03-29 01:50 396,288 --a------ c:\program files\HijackThis.exe
2009-03-28 22:41 . 2009-04-05 19:33 <DIR> d-------- C:\Rooter$
2009-03-28 19:32 . 2009-04-05 19:22 2,870 --a------ C:\rollback.ini
2009-03-28 19:16 . 2009-03-28 19:16 <DIR> d-------- c:\documents and settings\Blake\Application Data\MailFrontier
2009-03-28 19:16 . 2009-03-28 19:16 <DIR> d-------- c:\documents and settings\Blake\Application Data\CheckPoint
2009-03-28 19:16 . 2009-04-06 18:32 <DIR> d-------- c:\documents and settings\Blake\Application Data\#ISW.FS#
2009-03-28 19:14 . 2009-04-11 12:56 114,650,656 --ahs---- c:\windows\system32\drivers\fidbox.dat
2009-03-28 19:14 . 2009-04-11 12:51 1,535,900 --ahs---- c:\windows\system32\drivers\fidbox.idx
2009-03-28 19:09 . 2009-03-28 19:09 <DIR> d-------- c:\program files\CheckPoint
2009-03-28 19:09 . 2009-04-11 12:56 144 --a------ c:\windows\system32\pdfl.dat
2009-03-28 19:09 . 2009-03-28 19:09 144 --a------ c:\windows\system32\lkfl.dat
2009-03-28 19:09 . 2009-03-28 19:09 80 --a------ c:\windows\system32\ibfl.dat
2009-03-28 19:08 . 2009-03-28 19:08 <DIR> d-------- c:\program files\Zone Labs
2009-03-27 13:46 . 2009-03-27 13:47 <DIR> d-------- c:\program files\iTunes
2009-03-27 13:46 . 2009-03-27 13:46 <DIR> d-------- c:\program files\iPod
2009-03-27 13:46 . 2009-03-27 13:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-27 13:44 . 2009-03-27 13:45 <DIR> d-------- c:\program files\QuickTime
2009-03-27 13:42 . 2009-03-27 13:42 <DIR> d-------- c:\program files\Common Files\Apple
2009-03-27 13:32 . 2009-03-27 13:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-19 17:55 . 2008-04-13 14:36 8,832 --a------ c:\windows\system32\drivers\wmiacpi.sys
2009-03-19 17:55 . 2008-04-13 14:36 8,832 --a------ c:\windows\system32\dllcache\wmiacpi.sys
2009-03-19 17:35 . 2006-10-11 21:26 3,107,788 --a------ c:\windows\system32\ativvaxx.dat
2009-03-19 17:35 . 2006-08-23 17:26 2,096 --a------ c:\windows\system32\drivers\ativdkxx.vp
2009-03-19 17:33 . 2009-03-19 17:33 <DIR> d-------- c:\program files\Broadcom
2009-03-19 17:32 . 2009-03-19 17:32 <DIR> d-------- c:\program files\DIFX
2009-03-19 17:31 . 2006-09-13 18:41 3,456 --a------ c:\windows\system32\drivers\atiide.sys
2009-03-19 17:26 . 2009-03-28 16:09 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-19 17:21 . 2009-03-19 17:21 <DIR> d-------- c:\program files\AVG
2009-03-19 17:20 . 2009-03-28 19:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-19 16:09 . 2008-04-14 06:42 26,112 --a------ c:\windows\system32\userinit.exe
2009-03-19 16:06 . 2009-03-19 16:06 <DIR> d--hs---- C:\$RECYCLE.BIN
2009-03-18 20:07 . 2009-03-18 20:18 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-18 20:07 . 2009-03-18 20:07 <DIR> d-------- c:\documents and settings\Blake\Application Data\Malwarebytes
2009-03-18 20:07 . 2009-03-18 20:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-18 20:07 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-18 20:07 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-18 20:04 . 2009-03-18 20:04 4,128 --a------ C:\INFCACHE.1
2009-03-14 20:35 . 2009-03-14 20:35 <DIR> d--h----- c:\windows\system32\GroupPolicy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-06 23:18 5,602 ----a-w c:\program files\hijackthis.log
2009-04-05 22:25 --------- d-----w c:\program files\Full Tilt Poker
2009-04-05 21:00 --------- d-----w c:\program files\PokerStars
2009-04-05 20:55 --------- d-----w c:\program files\Java
2009-03-29 04:42 --------- d-----w c:\documents and settings\Blake\Application Data\Ruckus Network
2009-03-28 19:13 --------- d-----w c:\program files\Common Files\AOL
2009-03-28 19:13 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-28 19:12 --------- d-----w c:\program files\AIM
2009-03-28 19:12 --------- d-----w c:\documents and settings\Blake\Application Data\Aim
2009-03-28 19:04 --------- d-----w c:\program files\Yahoo!
2009-03-28 19:01 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-28 19:00 --------- d-----w c:\program files\Dell
2009-03-27 17:48 --------- d-----w c:\program files\Apple Software Update
2009-03-27 17:45 --------- d-----w c:\program files\Bonjour
2009-03-27 17:33 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-19 21:41 --------- d-----w c:\program files\ATI Technologies
2009-03-11 03:37 --------- d-----w c:\documents and settings\Blake\Application Data\Corel
2009-02-27 18:07 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-16 03:10 72,584 ----a-w c:\windows\zllsputility.exe
2008-02-20 05:27 682 -c--a-w c:\documents and settings\Blake\Application Data\wklnhst.dat
2008-09-02 22:31 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090220080903\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-29_13.49.19.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-11-10 17:27:06 49,248 -c--a-w c:\windows\system32\java.exe
+ 2009-04-05 20:55:29 144,792 ----a-w c:\windows\system32\java.exe
- 2005-11-10 17:27:16 49,250 -c--a-w c:\windows\system32\javaw.exe
+ 2009-04-05 20:55:29 144,792 ----a-w c:\windows\system32\javaw.exe
- 2005-11-10 19:03:54 127,078 -c--a-w c:\windows\system32\javaws.exe
+ 2009-04-05 20:55:29 148,888 ----a-w c:\windows\system32\javaws.exe
- 2009-03-28 23:11:17 4,212 ---ha-w c:\windows\system32\zllictbl.dat
+ 2009-04-04 15:42:29 4,212 ---ha-w c:\windows\system32\zllictbl.dat
- 2009-03-29 17:40:09 69,452 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2009-04-11 16:56:26 564,128 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2009-03-28 23:33:28 11,588,231 ----a-w c:\windows\system32\ZoneLabs\spyware.dat
+ 2009-04-04 15:49:16 11,650,327 ----a-w c:\windows\system32\ZoneLabs\spyware.dat
+ 2009-04-11 16:52:45 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_168.dat
+ 2009-04-11 16:52:41 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_88.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"LxrAutorun"="c:\documents and settings\Blake\Local Settings\Application Data\Lexar Media\LxrAutorun.exe" [2007-03-07 24576]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"syntplpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-03-08 82011]
"syntpenh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 761947]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-12-14 236544]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"aticcc"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-05 148888]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 169984]
"SigmatelSysTrayApp"="stsystra.exe" [2006-09-22 c:\windows\stsystra.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\icmpsettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2009-03-19 3456]
R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944]
R2 iswkl;ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2009-02-12 21136]
R2 iswsvc;ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [2009-02-12 390536]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2009-02-25 72672]
R3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [2009-02-12 54928]
.
Contents of the 'Scheduled Tasks' folder

2009-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061213
FF - ProfilePath - c:\documents and settings\Blake\Application Data\Mozilla\Firefox\Profiles\wpuafikj.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-11 12:56:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\ehome\ehrec.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\LxrSII1s.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2009-04-11 13:00:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-11 17:00:04
ComboFix2.txt 2009-04-11 14:47:42
ComboFix3.txt 2009-03-29 17:50:37

Pre-Run: 92,234,190,848 bytes free
Post-Run: 92,210,139,136 bytes free

216 --- E O F --- 2009-03-11 05:16:58

Let me know what you think.
  • 0

#18
alcatraz543

    Member

  • Topic Starter
  • Member
  • 20 posts
C:\Documents and Settings\Blake\Application Data\Mozilla\Firefox\Profiles\wpuafikj.default\downloads.sqlite

This is a bad file, right? Would this be why I can't delete any history from browsers?
  • 0

#19
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Can you reach Windows Update now?
  • 0

#20
alcatraz543

    Member

  • Topic Starter
  • Member
  • 20 posts
I can reach Windows Update. I had to flip my registry permissions to full and then I edited out the bad link on the BITS. I think I'm all set... I couldn't have done this without you. Thanks for all of your help.
  • 0

#21
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts

I can reach Windows Update. I had to flip my registry permissions to full and then I edited out the bad link on the BITS. I think I'm all set... I couldn't have done this without you. Thanks for all of your help.

You did what?
Edited out as in deleted?

That entry should not be deleted.
  • 0

#22
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
