Vista Anti-virus 2012 first, then browser redirect... [Solved]


This topic is locked

#16
jkabat (Member, Topic Starter, 98 posts)
My current problem (among others) is that I can't download anything on the infected computer. When you say host computer, do you mean the one I hope to download combofix on? If so, I should:

1. Download panda vaccinate and run it with the usb in the drive.

2. Download and rename combofix.

3. Save renamed combofix to flash drive.

4. Use usb to put renamed combofix on infected computer.

5. Run combofix.

Does that work?

Thanks

#17
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
That should work ... But if it doesn't I have another trick up my sleeve :cool:

#18
jkabat (Member, Topic Starter, 98 posts)
Combo Fix / svc host scan has been running about 45 minutes...any rough estimate on length of run?

Screen says 'should take about 10 minutes, could be as much as twice that for badly infected machines'.

I'm happy to let it go as long as it needs but concerned that it may be 'stuck'.

Thoughts?

#19
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Is it counting through the various stages ?

#20
jkabat (Member, Topic Starter, 98 posts)
I saw it scan/inspect (?) one file/folder - a box came up with two lines and I think it said it was looking at one of eleven.

Since then no visible activity or sound.

And I just realized that when moving the mouse, the cursor doesn't move.

Further realized that the computer clock stopped at 4:52. It is now 5:28.

I read somewhere that when combofix is running the clock might go funky but will be fine when done. I'm inclined to think that it is still doing its work and that I should wait.

Edited by jkabat, 30 December 2011 - 04:29 PM.


#21
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK not very clever... Reboot the system please

On the other computer could you download the Vista 32 bit recovery console ISO

Then use imgburn to create a bootable disc from the ISO for both programmes (Gparted and RC)

On the infected computer (This programme can be run from the USB)

Download RogueKiller to your desktop

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 2 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.

This should knock out the malware for a while until we can fix the partition

#22
jkabat (Member, Topic Starter, 98 posts)
Well, I'm typing to you on a browser on the infected computer, so that's a good sign.

I burned the gparted and RC image discs.

I ran rogue killer.

The log is pasted below. In anticipation of your asking me to boot from a cd, please clarify how to do so. I think I know, but just in case.


RogueKiller V6.2.1 [12/28/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User: computer [Admin rights]
Mode: Remove -- Date : 12/30/2011 17:51:24

¤¤¤ Bad processes: 1 ¤¤¤
[BLACKLIST] d3d10_1.dll -- C:\Windows\system32\d3d10_1.dll -> UNLOADED

¤¤¤ Registry Entries: 3 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command : ("C:\Users\computer\AppData\Local\Temp\321.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") -> REPLACED ("C:\Program Files\internet explorer\iexplore.exe")

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
˙ž1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 24f71742e39d861a12ff98cbd33e68bf
[BSP] a316932c12150a11407cabc7ac636ed1 : MBR Code unknown
Partition table:
0 - [XXXXXX] NTFS [HIDDEN!] Offset (sectors): 2048 | Size: 10737 Mo
1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 20973568 | Size: 309333 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt
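The [FILEASSO] line in the log above shows the pattern worth re-checking on any cleaned machine: the StartMenuInternet open command still names iexplore.exe, but only as an argument to 321.exe in the user's Temp folder. The Python check below is an added example (not RogueKiller's own logic) that flags that wrapper pattern; the two command strings are constructed from the values in the log, and the expected browser path and the list of suspect directories are assumptions.

```python
"""Check a StartMenuInternet ...\\shell\\open\\command value for the wrapper-style
hijack in the RogueKiller log: the real browser is still started, but only as
an argument to an unknown executable in the user's Temp folder.
Added example, not RogueKiller's own logic; the sample commands are constructed
from the values in the log, and the directory list is an assumption."""
import re
from pathlib import PureWindowsPath

# Locations a browser launcher should not live in (assumption, lower-cased).
SUSPECT_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\windows\\temp\\")


def split_windows_command(cmd: str) -> list[str]:
    """Quote-aware split of a registry command line; backslashes are literal."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in re.finditer(r'"([^"]*)"|(\S+)', cmd)]


def check_open_command(cmd: str, expected_exe: str) -> list[str]:
    """Return a list of findings; an empty list means the command looks clean."""
    tokens = split_windows_command(cmd)
    if not tokens:
        return ["empty command"]
    launcher = str(PureWindowsPath(tokens[0])).lower()
    expected = str(PureWindowsPath(expected_exe)).lower()
    findings = []
    # The first token is what actually runs; it must be the browser itself.
    if launcher != expected:
        findings.append(f"launcher is {tokens[0]}, expected {expected_exe}")
    # A launcher under a user-writable profile/temp path is a red flag on its own.
    if any(d in launcher for d in SUSPECT_DIRS):
        findings.append(f"launcher lives under a user-writable temp/profile path: {tokens[0]}")
    # The wrapper pattern from the log: the real browser appears only as an argument.
    expected_name = PureWindowsPath(expected_exe).name.lower()
    for arg in tokens[1:]:
        if PureWindowsPath(arg).name.lower() == expected_name:
            findings.append(f"real browser passed only as an argument: {arg}")
    return findings


# Constructed from the log: the hijacked value RogueKiller found and its replacement.
HIJACKED = r'"C:\Users\computer\AppData\Local\Temp\321.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'
CLEAN = r'"C:\Program Files\internet explorer\iexplore.exe"'
EXPECTED_IE = r"C:\Program Files\Internet Explorer\iexplore.exe"

if __name__ == "__main__":
    for label, cmd in (("hijacked", HIJACKED), ("clean", CLEAN)):
        print(label, check_open_command(cmd, EXPECTED_IE) or ["ok"])
```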

#23
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
As there are a variety of BIOS's I would recommend that you use this page here as it covers several types

#24
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
I will be going offline shortly - once you have deleted the bad 1MB partition and rebooted to normal windows could you retry Combofix please - it should run properly this time

#25
jkabat (Member, Topic Starter, 98 posts)
Following your advice, I rebooted with the Gpart disk. All went according to plan. Outstanding explanation of the steps, thank you.

Then I ran into a fork in the road. Your most recent comment suggested that I delete the bad 1MB and reboot in normal windows and run combo fix. At the time, however, I was following the gpart instructions from earlier. At that time you had asked me to do the Gpart reboot, then a windows vista recovery reboot, then combofix.

Not thinking, I tried to do a windows reboot with the vista 32 bit RC disk you had asked me to burn. At some point in the process it asked me for my vista product key. I got out a flashlight and crawled under the desk to note the code on the sticker on the back of the computer. Upon entering it, I was told it was no good. Another bout on the floor with the flashlight, same result.

So, I did a bit of googling and discovered that I could download a product key finder. As I was doing that I realized that your most recent comment had not asked me to use the vista RC disk. So...I went ahead and did a combofix scan.

It seems that for the present everything is back in working order.

I'm posting the log below and you can tell me how things look. Before I post, a question. Once we sort this out, would you recommend that I delete the various things I have downloaded onto my non-infected computer (gpart, roguekiller, imgblaster, etc)?


ComboFix 11-12-30.02 - computer 12/30/2011 19:09:57.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1879 [GMT -5:00]
Running from: c:\users\computer\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Naver
c:\users\computer\AppData\Local\{DC9829A7-3CC0-4343-856A-732175C6BA5E}
c:\users\computer\AppData\Local\{DC9829A7-3CC0-4343-856A-732175C6BA5E}\chrome.manifest
c:\users\computer\AppData\Local\{DC9829A7-3CC0-4343-856A-732175C6BA5E}\chrome\content\overlay.xul
c:\users\computer\AppData\Local\{DC9829A7-3CC0-4343-856A-732175C6BA5E}\install.rdf
c:\users\computer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tool
c:\users\computer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tool\System Tool 2011.lnk
c:\windows\system32\npkpdb.dll
c:\windows\Update.bat
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-31 )))))))))))))))))))))))))))))))
.
.
2011-12-31 00:23 . 2011-12-31 00:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-31 00:04 . 2011-12-31 00:04 9310 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2011-12-31 00:04 . 2011-12-31 00:04 8646 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2011-12-31 00:04 . 2011-12-31 00:04 6429 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2011-12-31 00:04 . 2011-12-31 00:04 63115 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2011-12-31 00:04 . 2011-12-31 00:04 5927 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2011-12-31 00:04 . 2011-12-31 00:04 4599 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2011-12-31 00:04 . 2011-12-31 00:04 8613 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2011-12-31 00:04 . 2011-12-31 00:04 6910 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2011-12-31 00:04 . 2011-12-31 00:04 1651 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2011-12-31 00:03 . 2011-12-31 00:03 8288 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2011-12-31 00:03 . 2011-12-31 00:03 6208 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2011-12-31 00:03 . 2011-12-31 00:03 18541 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2011-12-31 00:03 . 2011-12-31 00:03 51852 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2011-12-31 00:03 . 2011-12-31 00:03 8782 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2011-12-31 00:03 . 2011-12-31 00:03 7271 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2011-12-31 00:03 . 2011-12-31 00:03 23327 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2011-12-31 00:03 . 2011-12-31 00:03 20719 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2011-12-31 00:03 . 2011-12-31 00:03 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DCF8321F-4697-4D24-8177-42B1D4E77D23}\MpKsl85b86a12.sys
2011-12-31 00:03 . 2011-12-31 00:03 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DCF8321F-4697-4D24-8177-42B1D4E77D23}\offreg.dll
2011-12-30 23:56 . 2011-12-30 23:56 -------- d-----w- c:\program files\Magical Jelly Bean
2011-12-30 22:52 . 2011-11-21 07:47 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DCF8321F-4697-4D24-8177-42B1D4E77D23}\mpengine.dll
2011-12-30 22:50 . 2011-12-30 22:52 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2011-12-29 21:16 . 2011-12-29 21:16 -------- d-----w- C:\_OTL
2011-12-29 04:18 . 2011-12-29 04:18 -------- d-----w- c:\programdata\WindowsSearch
2011-12-28 23:26 . 2011-12-28 23:26 0 ---ha-w- c:\users\computer\AppData\Local\BITEFF.tmp
2011-12-13 18:16 . 2011-10-27 08:01 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-13 18:16 . 2011-10-27 08:01 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-13 18:16 . 2011-11-08 12:10 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-12-13 18:16 . 2011-11-23 13:37 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-12-13 18:16 . 2011-10-14 16:02 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-12-13 18:16 . 2011-10-25 15:56 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-13 18:16 . 2011-11-08 14:42 2048 ----a-w- c:\windows\system32\tzres.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 20:24 . 2011-02-28 00:59 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-02 22:01 . 2011-06-10 18:06 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-21 07:47 . 2010-10-15 20:59 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-10-11 01:49 . 2011-10-11 01:50 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EE100024-E385-4BFB-91E2-1C98AC24FDCB}\gapaengine.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-29 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-09-02 25623336]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-19 30192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 92704]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-23 6183456]
"P2Go_Menu"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"Skytel"="Skytel.exe" [2008-07-23 1826816]
"MaAgent"="c:\program files\MarkAny\ContentSAFER\MaAgent.exe" [2008-09-17 57344]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"TkBellExe"="c:\program files\Real\RealPlayer\Update\realsched.exe" [2011-01-09 274608]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-12-24 981680]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 MpKsl217763fb;MpKsl217763fb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CAD5A8B3-2EE7-40F8-8DCF-03C65E017537}\MpKsl217763fb.sys [x]
R1 MpKsl42400db6;MpKsl42400db6;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1490991C-584C-4F53-802A-545BEB3C0BC4}\MpKsl42400db6.sys [x]
R1 MpKsl99200a83;MpKsl99200a83;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{41558724-A731-4328-AD63-F160B7AAAA2B}\MpKsl99200a83.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1ca3672f1e23590;Google Update Service (gupdate1ca3672f1e23590);c:\program files\Google\Update\GoogleUpdate.exe [2009-09-16 133104]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-07-19 30192]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-09-16 133104]
R3 JRSKD24;JRSKD24;c:\windows\system32\JRSKD24.SYS [2010-11-16 21176]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 scsk5;SCSK5 Driver Service;c:\windows\system32\drivers\scsk5.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 MpKsl85b86a12;MpKsl85b86a12;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DCF8321F-4697-4D24-8177-42B1D4E77D23}\MpKsl85b86a12.sys [2011-12-31 29904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 ETService;Empowering Technology Service;c:\program files\EMACHINES\eMachines Recovery Management\Service\ETService.exe [2008-06-11 24576]
S2 nPStarterSVC;nProtect Starter;c:\windows\system32\nPStarterSVC.exe [2010-05-25 250145]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL85B86A12
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-16 02:11]
.
2011-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-16 02:11]
.
2011-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1598053239-1567179000-2325288416-1000Core.job
- c:\users\computer\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-29 17:37]
.
2011-12-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1598053239-1567179000-2325288416-1000UA.job
- c:\users\computer\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-29 17:37]
.
2011-12-28 c:\windows\Tasks\Norton Security Scan for computer.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-11 10:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?ilc=1
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=0309&m=et1161-07
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} - hxxp://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
DPF: {2029F1D2-90E4-49EF-9824-F666D238BFF6} - hxxp://cdn.naver.com/naver/comic/viewer/2007/0126/naver/NHNComicViewer.cab
DPF: {20BBA18F-5BC8-47B5-8FC9-5DFCA8E56A4B} - hxxps://mpi.dacom.net/XMPI/js/LGUplus_XMPI_20110503.cab
DPF: {48ECCD73-123C-4C25-A64C-76E8E8A30CAF} - hxxps://mpi.dacom.net/XPayMPI/XPayMPI.cab
DPF: {4ABB12B3-8A8B-481D-874A-93E16F930A8B} - hxxp://www.hangame.com/common/CKKeyProInst.cab
DPF: {6678BE91-1E04-4A4A-9C32-63145EA79C2A} - hxxp://fifa-online.easports.com/fo3-theme/addons/EAFO3AXLauncher.cab
DPF: {C021A4D6-173F-4BF4-B38C-B12CAA20E518} - hxxp://www.mgoon.com/launcher.cab
DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} - hxxp://packgoon.hangame.com/common/HanSetup1020.cab
DPF: {D912AABC-6CB0-416F-85B6-CABBB86FD558} - hxxp://plugin.inicis.com/wallet60/INIwallet60_vista.cab
DPF: {DFBBCB52-4D9F-4D0E-BF4A-A51223FC2541} - hxxp://patch.mnet.com/Mnet/QuickManagerNHN/Modules/NSAppHelper.cab/NSAH_20100202001.cab
DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} - hxxps://www.vpay.co.kr/kvpfiles_new/KVPISPCTLD_VISTA.cab
DPF: {FC1FEB1F-DB67-49C2-9AA1-83BFD60F992A} - hxxp://i-plus.jssearch.net/ActiveX/IPlusInstall.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-MRDaemon.exe - c:\program files\Naver\QuickManager2\MRDaemon.exe
HKLM-Run-eRecoveryService - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-30 19:23
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2011-12-30 19:26:27
ComboFix-quarantined-files.txt 2011-12-31 00:26
.
Pre-Run: 161,408,229,376 bytes free
Post-Run: 162,177,396,736 bytes free
.
- - End Of File - - 0D99847FD2464EE11D3D7519462736FC

#26
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Yes you can delete all the programmes on the clean computer :)

Sorry about the slight confusion there

Could you now run aswMBR please so that I can confirm that the malware is dead

Followed by :

Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

#27
jkabat (Member, Topic Starter, 98 posts)
Tasks accomplished. I will paste each log below.

Everything seems to be running well without interruption.

One remaining issue:

1. It seems that many folders / files have gone hidden. I am able to change them to not hidden when I specifically search for and find them. Is there any way to make all hidden files unhidden in one blanket action (so that I can unhide files/folders that maybe I don't remember exist)?

Many Thanks

Logs (aswMBR first, MBAM second)

aswMBR:


aswMBR version 0.9.9.1124 Copyright© 2011 AVAST Software
Run date: 2011-12-31 09:38:59
-----------------------------
09:38:59.105 OS Version: Windows 6.0.6002 Service Pack 2
09:38:59.105 Number of processors: 2 586 0x6B02
09:38:59.106 ComputerName: COMPUTER-PC UserName: computer
09:39:49.209 Initialize success
09:40:33.874 AVAST engine defs: 11123100
09:40:39.272 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000052
09:40:39.275 Disk 0 Vendor: Hitachi_ ST2O Size: 305245MB BusType: 6
09:40:39.285 Disk 0 MBR read successfully
09:40:39.289 Disk 0 MBR scan
09:40:39.297 Disk 0 unknown MBR code
09:40:39.309 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 10240 MB offset 2048
09:40:39.363 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 295003 MB offset 20973568
09:40:39.399 Disk 0 scanning sectors +625140400
09:40:39.492 Disk 0 scanning C:\Windows\system32\drivers
09:41:03.235 Service scanning
09:41:03.797 Service MpKsla95755c4 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{45D4FE63-1D3A-458D-913D-017CCE852D6B}\MpKsla95755c4.sys **LOCKED** 32
09:41:03.803 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
09:41:04.458 Modules scanning
09:41:29.061 Disk 0 trace - called modules:
09:41:29.103 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
09:41:29.110 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85c3e1d0]
09:41:29.117 3 CLASSPNP.SYS[89fa08b3] -> nt!IofCallDriver -> [0x8568d700]
09:41:29.124 5 acpi.sys[806126bc] -> nt!IofCallDriver -> \Device\00000052[0x8525f920]
09:41:30.003 AVAST engine scan C:\Windows
09:41:44.134 AVAST engine scan C:\Windows\system32
09:48:37.515 AVAST engine scan C:\Windows\system32\drivers
09:49:07.745 AVAST engine scan C:\Users\computer
10:10:29.211 AVAST engine scan C:\ProgramData
10:16:15.260 Scan finished successfully
10:17:19.619 Disk 0 MBR has been saved successfully to "C:\Users\computer\Desktop\MBR.dat"
10:17:19.770 The log file has been saved successfully to "C:\Users\computer\Desktop\aswMBR.txt"

MBAM:


Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.31.03

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
computer :: COMPUTER-PC [administrator]

12/31/2011 10:20:24 AM
mbam-log-2011-12-31 (10-20-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 172104
Time elapsed: 5 minute(s), 42 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
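Both the RogueKiller MBR check in post #22 and the aswMBR output above describe the same two-entry partition table: a hidden NTFS partition (type 27) at sector 2048 and the active Windows partition (type 07) at sector 20973568. The Python below is an added example, not code from either tool: it parses a raw 512-byte MBR such as the MBR.dat that aswMBR saved to the desktop and flags hidden entries, overlapping entries and layouts without exactly one active partition. The sample MBR is constructed to match the thread's layout.

```python
"""Parse a raw 512-byte MBR and list its partition table.
Added example (not aswMBR or RogueKiller code). Sizes are reported in
binary MB (1024*1024 bytes), the unit aswMBR uses; RogueKiller's "Mo"
figures are decimal, which is why 10240 MB appears there as 10737 Mo."""
import struct

SECTOR = 512
# Standard MBR partition type ids that appear in the thread's logs.
TYPE_NAMES = {0x07: "HPFS/NTFS", 0x17: "Hidden HPFS/NTFS", 0x27: "Hidden NTFS WinRE"}
HIDDEN_TYPES = {0x17, 0x27}


def parse_mbr(mbr: bytes) -> list[dict]:
    """Decode the four 16-byte partition entries at offset 446; skip empty slots."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        raw = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        # boot flag, 3-byte CHS start (skipped), type, 3-byte CHS end (skipped),
        # then little-endian LBA start and sector count
        boot, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        if ptype == 0:
            continue
        entries.append({
            "index": i + 1,
            "active": boot == 0x80,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "unknown"),
            "hidden": ptype in HIDDEN_TYPES,
            "offset": lba_start,
            "sectors": sectors,
            "size_mb": sectors * SECTOR // (1024 * 1024),
        })
    return entries


def check_layout(entries: list[dict]) -> list[str]:
    """Defender-side sanity checks on a parsed table; empty list means nothing odd."""
    findings = []
    active = [e for e in entries if e["active"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    for e in entries:
        if e["hidden"]:
            findings.append(f"partition {e['index']} is hidden ({e['type_name']}), "
                            f"{e['size_mb']} MB at sector {e['offset']}")
    ordered = sorted(entries, key=lambda e: e["offset"])
    for a, b in zip(ordered, ordered[1:]):
        if a["offset"] + a["sectors"] > b["offset"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    return findings


def _entry(boot: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack("<B3xB3xII", boot, ptype, lba_start, sectors)


def constructed_sample_mbr() -> bytes:
    """Constructed 512-byte MBR mirroring the thread's layout: a hidden NTFS
    WinRE partition (10240 MB at sector 2048) followed by the active Windows
    partition (295003 MB at sector 20973568). The boot code area is zeroed."""
    table = (_entry(0x00, 0x27, 2048, 10240 * 2048)
             + _entry(0x80, 0x07, 20973568, 295003 * 2048)
             + bytes(32))
    return bytes(446) + table + b"\x55\xaa"


if __name__ == "__main__":
    parsed = parse_mbr(constructed_sample_mbr())
    for e in parsed:
        flag = "(A)" if e["active"] else "   "
        print(f"Partition {e['index']} {flag} {e['type']:02X} {e['type_name']:<18} "
              f"{e['size_mb']} MB offset {e['offset']}")
    for f in check_layout(parsed):
        print("finding:", f)
```

To inspect a real dump, read the saved file with `open("MBR.dat", "rb").read()` and pass the bytes to `parse_mbr`.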

#28
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

09:40:39.363 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 295003 MB offset 20973568

There it is - gone :lol:

I did not realise that you had lost files and folders

Run RogueKiller once more but this time select option 6

Post the resultant log and let me know what is still missing - plus any other problems

#29
jkabat (Member, Topic Starter, 98 posts)
Beautiful!

Am I right to assume that this whole mess came about when someone responded incorrectly to a popup about vista 2012 virus? Or does the fact that the popup even popped-up indicate that the problem was already on the computer? (not looking to cast blame, just curious)
I was able to 'unhide' all folders/files and as far as I can tell everything is here.

Shall I go ahead and run rogue killer with option 6 or let it go?

Thanks in advance,

jkabat

Edited by jkabat, 31 December 2011 - 10:11 AM.


#30
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Use RogueKiller option 6 and that will reset them all in one fell swoop - also can you check windows updates is functional

Am I right to assume that this whole mess came about when someone responded incorrectly to a popup about vista 2012 virus? Or does the fact that the popup even popped-up indicate that the problem was already on the computer?

It depends on how the infection came onto the system whether by an infected website or an infected download, but the spare space on the harddrive made it easier for it to get settled in