Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Bloodhound.MalPE and Trojan.Gen [Closed]


  • This topic is locked This topic is locked

#16
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hi!

Please run this utility:


Running ComboFix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon.
They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
    Posted Image
    Posted Image
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now
  • 0

Advertisements


#17
Matasovsky

Matasovsky

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 128 posts
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-27 13:55:11
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1.GIB\LOCALS~1\Temp\kxtdrpoc.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272111972
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000272111972 (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\administrator.GIBRALTARDESIGN\Cookies\CFEF35I4.txt 920 bytes
File C:\Documents and Settings\administrator.GIBRALTARDESIGN\Cookies\MS3QAJ2U.txt 0 bytes
File C:\Documents and Settings\administrator.GIBRALTARDESIGN\Cookies\NRF6LNW3.txt 0 bytes
File C:\Documents and Settings\administrator.GIBRALTARDESIGN\Local Settings\Temporary Internet Files\Content.IE5\F04ZM3PL\GetAdDirector_BannerCreative[1].htm 3785 bytes

---- EOF - GMER 1.0.15 ----
  • 0

#18
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hi!

It looks like you posted a GMER log. Do you happen to have the ComboFix log for me to review?
  • 0

#19
Matasovsky

Matasovsky

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 128 posts
ComboFix 11-10-27.05 - Administrator 10/28/2011 13:00:50.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1021.506 [GMT -4:00]
Running from: c:\documents and settings\administrator.GIBRALTARDESIGN\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\dwagner\My Documents\prf2B.tmp
c:\documents and settings\dwagner\My Documents\prf6FD.tmp
c:\documents and settings\hheaddy\Application Data\inst.exe
c:\documents and settings\mmatasovsky\Application Data\desktop.ini
c:\documents and settings\mmatasovsky\Application Data\ntuser.dat
c:\documents and settings\mmatasovsky\Application Data\xssend2
c:\documents and settings\mmatasovsky\GoToAssistDownloadHelper.exe
c:\documents and settings\mmatasovsky\My Documents\DPE.DUS
c:\program files\messenger\msmsgsin.exe
c:\program files\msn\msncorefiles\copymar.exe
c:\program files\msn\msncorefiles\custdial.dll
c:\program files\msn\msncorefiles\logonmgr.dll
C:\Thumbs.db
c:\windows\ehome\medctrro.exe
c:\windows\ehome\snchk.exe
c:\windows\help\tours\htmltour\unlock_playing.htm
c:\windows\system32\d3d9caps.dat
c:\windows\system32\GroupPolicy\User\Scripts\scripts.ini
.
.
((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-28 )))))))))))))))))))))))))))))))
.
.
2011-10-28 13:07 . 2011-10-28 13:07 -------- d-----w- c:\windows\LastGood
2011-10-26 15:21 . 2011-10-26 15:21 -------- d-----w- C:\_OTL
2011-10-26 15:17 . 2011-10-26 15:20 -------- d-----w- c:\documents and settings\administrator.GIBRALTARDESIGN\Local Settings\Application Data\Adobe
2011-10-25 18:59 . 2011-10-25 18:59 -------- d-sh--w- c:\documents and settings\administrator.GIBRALTARDESIGN\PrivacIE
2011-10-25 18:59 . 2011-10-26 18:19 -------- d-----w- c:\documents and settings\administrator.GIBRALTARDESIGN\Local Settings\Application Data\Google
2011-10-18 15:57 . 2011-10-18 16:00 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2011-10-18 15:57 . 2011-10-18 16:01 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-10-18 15:51 . 2011-10-18 15:51 -------- d-----w- c:\program files\CCleaner
2011-10-13 18:18 . 2011-10-13 18:18 -------- d-----w- c:\program files\IIS Express
2011-10-11 20:28 . 2011-10-28 17:44 -------- d-----w- c:\documents and settings\mmatasovsky
2011-10-07 12:28 . 2011-10-07 12:28 -------- d-----w- c:\program files\UltraVNC
2011-10-05 13:29 . 2011-10-05 13:29 -------- d-----w- c:\documents and settings\dwagner\Application Data\Malwarebytes
2011-10-05 13:29 . 2011-10-05 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-05 13:29 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-05 13:29 . 2011-10-05 13:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-04 21:46 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-10-04 21:46 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2004-02-27 15:04 599040 ----a-w- c:\windows\system32\crypt32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-09-28 77824]
"Track-It! Workstation Manager Service Monitor"="c:\windows\TIREMOTE\TIServiceMonitor.exe" [2008-08-13 165888]
"ShowWnd"="ShowWnd.exe" [2003-09-19 36864]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-06-23 7393280]
"NGTray"="c:\program files\Symantec\Ghost\ngtray.exe" [2007-11-15 206216]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-07-20 7090176]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 61952]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-09-11 115560]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2009-3-3 1537064]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2004-2-4 106560]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoNTSecurity"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1282138258-1106520001-315636210-1017\Scripts\Logoff\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstart_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1282138258-1106520001-315636210-1017\Scripts\Logon\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstop_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1282138258-1106520001-315636210-1018\Scripts\Logoff\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstart_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1282138258-1106520001-315636210-1018\Scripts\Logon\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstop_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1282138258-1106520001-315636210-1019\Scripts\Logoff\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstart_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1282138258-1106520001-315636210-1019\Scripts\Logon\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstop_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-1224\Scripts\Logoff\0\0]
"Script"=\\Gdicad\cadutilities\Back Burner Batch Scripts\Netstart_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-1224\Scripts\Logon\0\0]
"Script"=\\Gdicad\cadutilities\Back Burner Batch Scripts\Netstop_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-4111\Scripts\Logoff\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstart_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-4111\Scripts\Logoff\1\0]
"Script"=\\Gdiweb\CadUtilities\Back Burner Batch Scripts\Netstart_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-4111\Scripts\Logon\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstop_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-4111\Scripts\Logon\1\0]
"Script"=\\Gdiweb\CadUtilities\Back Burner Batch Scripts\Netstop_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-500\Scripts\Logoff\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstart_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-500\Scripts\Logoff\1\0]
"Script"=\\Gdiweb\CadUtilities\Back Burner Batch Scripts\Netstart_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-500\Scripts\Logon\0\0]
"Script"=\\Gdiweb\cadutilities\Back Burner Batch Scripts\Netstop_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-500\Scripts\Logon\1\0]
"Script"=\\Gdiweb\CadUtilities\Back Burner Batch Scripts\Netstop_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-6620\Scripts\Logoff\0\0]
"Script"=\\Gdicad\cadutilities\Back Burner Batch Scripts\Netstart_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-368597260-1834286960-2103163636-6620\Scripts\Logon\0\0]
"Script"=\\Gdicad\cadutilities\Back Burner Batch Scripts\Netstop_BK_Server.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NetALoader"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R2 NGCLIENT;Symantec Ghost Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [11/14/2007 8:49 PM 660872]
R2 RSMWebServer;RSMWebServer;c:\program files\N-able Technologies\NRM\RSMWinService.exe [10/12/2011 3:25 PM 19968]
R2 TIRmtSvc;Track-It! Workstation Manager;c:\windows\TIREMOTE\TIRemoteService.exe [4/30/2008 10:50 AM 213504]
R2 uvnc_service;uvnc_service;c:\program files\UltraVNC\winvnc.exe [10/7/2011 8:28 AM 1830856]
R2 Windows Agent Maintenance Service;Windows Agent Maintenance Service;c:\program files\N-able Technologies\Windows Agent\bin\AgentMaint.exe [8/18/2011 7:21 PM 28672]
R2 Windows Agent Service;Windows Agent Service;c:\program files\N-able Technologies\Windows Agent\bin\agent.exe [8/18/2011 7:21 PM 204800]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/28/2011 5:53 PM 105592]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]
S3 winrdp_service;winrdp_service;c:\program files\N-able Technologies\NRM\UltraVNCServer\winrdp.exe [10/12/2011 3:25 PM 1642496]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/23/2001 8:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-08 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2004-02-27 00:12]
.
2007-11-19 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 19:52]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
Trusted Zone: aol.com\free
TCP: DhcpNameServer = 10.10.10.11 10.10.10.4
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SigmatelSysTrayApp - sttray.exe
SafeBoot-Symantec Antvirus
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-28 13:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-368597260-1834286960-2103163636-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5f,ef,96,6a,d7,e6,4e,4f,a8,6c,b6,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5f,ef,96,6a,d7,e6,4e,4f,a8,6c,b6,\
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
Completion time: 2011-10-28 14:10:14
ComboFix-quarantined-files.txt 2011-10-28 18:09
.
Pre-Run: 10,493,296,640 bytes free
Post-Run: 11,338,915,840 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - E0D676E9F1FF1CC89D08CABD702F217B
  • 0

#20
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hi!

Lets see what these scans find, and see where we stand then.

Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update have been completed, Select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as it is and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Checked (ticked) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, the place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NEXT:



Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

  • 0

#21
Matasovsky

Matasovsky

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 128 posts
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8051

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/31/2011 4:04:02 PM
mbam-log-2011-10-31 (16-04-02).txt

Scan type: Quick scan
Objects scanned: 326258
Time elapsed: 15 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\2600 (Trojan.Agent) -> Value: 2600 -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#22
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
:)
  • 0

#23
Matasovsky

Matasovsky

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 128 posts
I've been getting an error message that is interupting the ESET Online Scanner. Message itself doesn't appear bogus, but is likely being caused by whatever is still roaming around on the workstation.

I'll document and post it next time it comes up.

Should I move on to Security Check? I'll wait for your reply and post the message I'm talking about if I don't hear from you first.
  • 0

#24
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Nah, I'd like to see what this message is before we proceed with SecurityCheck.
  • 0

#25
Matasovsky

Matasovsky

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 128 posts
ESET SCAN LOG
---------------

C:\_OTL\MovedFiles\10262011_112104\C_Documents and Settings\All Users\Application Data\DNQjcPtFlY.exe Win32/TrojanDownloader.Prodatect.BK trojan
  • 0

Advertisements


#26
Matasovsky

Matasovsky

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 128 posts
Checkup.txt
-------------
Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
ESET Online Scanner v3
Symantec Endpoint Protection
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player ( 10.0.22.87) Flash Player Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
``````````End of Log````````````
  • 0

#27
Matasovsky

Matasovsky

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 128 posts
Did find it interesting to have a Facebook log in window pop up in what appeared to be japanese, or korean,...

We have an internet software that is supposed to block that (SurfControl). Is it possible this was something taken out of the Registry back when we were asking about things there intentionally or not??

Or...it could be a symptom of the current issue.
  • 0

#28
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hi!

Thanks for posting those logs.

It's possible that something may have taken out that setting.

I think it maybe related to this file that was removed by ComboFix.

c:\windows\system32\GroupPolicy\User\Scripts\scripts.ini

I'm going to ask that you post a log file for me.

I would also like to see a list of files quarantined by ComboFix, so please do this:
Click Start > Run then copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A text file should open. Post the contents of that file in your next reply.
  • 0

#29
Matasovsky

Matasovsky

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 128 posts
2011-10-28 18:04:48 . 2011-10-28 18:04:48 582 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-Symantec Antvirus.reg.dat
2011-10-28 18:00:51 . 2011-10-28 18:00:52 115 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SigmatelSysTrayApp.reg.dat
2011-10-28 17:35:09 . 2011-10-28 17:35:09 14,667 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-10-27 18:06:30 . 2011-10-27 18:06:31 51 ----a-w- C:\Qoobox\Quarantine\catchme.log
2011-10-11 20:32:42 . 2011-03-01 15:34:53 29,996 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\mmatasovsky\Application Data\ntuser.dat.vir
2011-10-11 20:31:14 . 2010-05-10 15:31:23 103,720 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\mmatasovsky\GoToAssistDownloadHelper.exe.vir
2011-10-11 20:30:25 . 2005-10-06 20:33:42 191 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\mmatasovsky\My Documents\DPE.DUS.vir
2011-08-01 11:20:08 . 2011-04-23 13:17:23 1,255,556,096 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\dwagner\My Documents\prf6FD.tmp.vir
2011-05-27 12:42:30 . 2009-07-09 20:48:55 873,612,288 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\dwagner\My Documents\prf2B.tmp.vir
2009-03-04 20:23:54 . 2009-03-04 20:23:54 87,608 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\hheaddy\Application Data\inst.exe.vir
2008-05-08 17:16:48 . 2008-05-08 17:16:50 4,608 ----a-w- C:\Qoobox\Quarantine\C\Thumbs.db.vir
2007-01-22 11:24:38 . 2004-01-10 04:37:14 1,324 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\d3d9caps.dat.vir
2006-08-23 20:36:49 . 2008-01-04 22:07:42 422 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicy\User\Scripts\scripts.ini.vir
2004-02-27 14:09:41 . 2002-08-29 10:41:28 4,608 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\ehome\snchk.exe.vir
2004-02-27 14:09:26 . 2008-04-14 00:12:25 58,368 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\ehome\medctrro.exe.vir
2004-02-27 14:08:09 . 2002-08-29 10:41:26 69,663 -c--a-w- C:\Qoobox\Quarantine\C\Program Files\Messenger\msmsgsin.exe.vir
2004-02-27 14:07:27 . 2002-08-29 07:37:30 245,760 -c--a-w- C:\Qoobox\Quarantine\C\Program Files\MSN\MSNCoreFiles\logonmgr.dll.vir
2004-02-27 14:01:13 . 2002-08-29 07:37:22 24,576 -c--a-w- C:\Qoobox\Quarantine\C\Program Files\MSN\MSNCoreFiles\custdial.dll.vir
2004-02-27 14:01:12 . 2002-08-29 07:37:22 77,824 -c--a-w- C:\Qoobox\Quarantine\C\Program Files\MSN\MSNCoreFiles\copymar.exe.vir
2001-08-23 12:00:00 . 2004-07-17 18:40:53 9,050 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\Help\Tours\htmlTour\unlock_playing.htm.vir
  • 0

#30
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Can you do me a favor and zip up the following file and attach it for me?

C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicy\User\Scripts\scripts.ini.vir
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP