I can't download MBAM at the moment. I think their server is down :x.
Asezat 0 Light Poster
PhilliePhan 171 Central Scrutinizer Team Colleague
I can't download MBAM at the moment. I think their server is down :x.
Try here:
http://majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
Asezat 0 Light Poster
Ok, this is my MBAM log, post-reboot. I can't get back online on my tower, though.
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2
22/10/2009 02:11:36
mbam-log-2009-10-22 (02-11-36).txt
Scan type: Full Scan (C:\|)
Objects scanned: 217424
Time elapsed: 51 minute(s), 37 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: wiplrax.dll -> Delete on reboot.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\wiplrax.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Qoobox\Quarantine\C\WINDOWS\system32\plugie.dll.vir (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{06D6734F-425A-46B3-BB53-F5B2979A35B7}\RP1\A0001113.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
Edited by Asezat because: Added the bit about my internet fail.
PhilliePhan 171 Central Scrutinizer Team Colleague
Ok, this is my MBAM log, post-reboot. I can't get back online on my tower, though.
OK - MBAM did not remove much of what was showing in last combofix log.
See if you can restore internet with the steps at bottom of the Combofix linky:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix#manual_recovery
There is also info on manually installing recovery console - try that if still no internet.
Let me know if you run into trouble.
PP :)
Asezat 0 Light Poster
I tried out the instructions on the combofix tutorial, but they didn't work. Something about "not being able to renew the IP address". I don't think that's anything to do with the malware, but I could be wrong *sigh*.
I also tried to download the recovery console, on this laptop. As it happens, for some reason this damn laptop won't connect to microsoft.com. I can't get on MSN, either. I don't know why it's being like this, but it has been for the past few days, just says it can't find the server.
You ever get that feeling like that somewhere someone is laughing at you? :/
PhilliePhan 171 Central Scrutinizer Team Colleague
You ever get that feeling like that somewhere someone is laughing at you? :/
All the time :)
Let's do this:
At the command prompt type: netsh int ip reset c:\resetlog.txt ENTER
Then type: netsh winsock reset ENTER
Then, Reboot and see if that works. If so, try combofix and recovery console again.
-- I can't remember if you said you have Windows Disk, but you can install recovery console from that, too.....
PP :)
Asezat 0 Light Poster
Ok, that worked! Posting from the ill machine now.
Here's my new combofix log:
ComboFix 09-10-21.02 - Greg Rolls 22/10/2009 21:25.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2047.1728 [GMT 1:00]
Running from: c:\documents and settings\Greg Rolls\My Documents\ComboFix.exe
AV: avast! antivirus 4.8.1229 [VPS 090103-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Greg Rolls\Local Settings\Application Data\{BA329704-D034-4EA0-8960-07CA256C9EA2}
c:\documents and settings\Greg Rolls\Local Settings\Application Data\{BA329704-D034-4EA0-8960-07CA256C9EA2}\chrome.manifest
c:\documents and settings\Greg Rolls\Local Settings\Application Data\{BA329704-D034-4EA0-8960-07CA256C9EA2}\chrome\content\_cfg.js
c:\documents and settings\Greg Rolls\Local Settings\Application Data\{BA329704-D034-4EA0-8960-07CA256C9EA2}\chrome\content\overlay.xul
c:\documents and settings\Greg Rolls\Local Settings\Application Data\{BA329704-D034-4EA0-8960-07CA256C9EA2}\install.rdf
Infected copy of c:\windows\system32\drivers\vaxscsi.sys was found and disinfected
Restored copy from - Kitty ate it :^)
.
((((((((((((((((((((((((( Files Created from 2009-09-22 to 2009-10-22 )))))))))))))))))))))))))))))))
.
2009-10-22 00:16 . 2009-10-22 00:16 -------- d-----w- c:\documents and settings\Greg Rolls\Application Data\Malwarebytes
2009-10-22 00:16 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-22 00:16 . 2009-10-22 00:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-22 00:16 . 2009-10-22 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-22 00:16 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-21 15:46 . 2009-10-21 15:46 -------- d-----w- c:\documents and settings\Greg Rolls\Local Settings\Application Data\Threat Expert
2009-10-21 02:31 . 2009-10-21 02:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Threat Expert
2009-10-15 06:29 . 2009-10-22 01:17 -------- d-----w- c:\program files\Spyware Doctor
2009-10-15 06:29 . 2009-10-21 15:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-15 06:09 . 2009-10-15 06:09 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-15 06:03 . 2009-10-20 23:34 0 ----a-w- c:\windows\Ohamozu.bin
2009-10-15 06:03 . 2009-10-15 06:03 120 ----a-w- c:\windows\Sboqomatumoye.dat
2009-10-15 06:01 . 2009-10-15 06:03 131731 ----a-w- c:\windows\system32\dbsinit.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-22 20:22 . 2005-01-13 15:40 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000000-00000000-00000006-00001102-00000004-20021102}.dat
2009-10-22 20:22 . 2005-01-13 15:40 384 ----a-w- c:\windows\system32\DVCState-{00000000-00000000-00000006-00001102-00000004-20021102}.dat
2009-10-22 20:22 . 2009-04-03 17:16 -------- d-----w- c:\documents and settings\Greg Rolls\Application Data\DNA
2009-10-22 20:16 . 2005-04-30 11:27 -------- d-----w- c:\program files\Microsoft AntiSpyware
2009-10-22 20:12 . 2005-05-15 13:16 -------- d-----w- c:\documents and settings\Greg Rolls\Application Data\Skype
2009-10-22 19:54 . 2009-04-03 17:16 -------- d-----w- c:\program files\DNA
2009-10-22 16:09 . 2005-01-13 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-22 16:09 . 2005-01-13 16:23 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-21 15:32 . 2005-01-13 15:29 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-21 15:26 . 2005-10-03 15:49 -------- d-----w- c:\program files\MAIET
2009-10-21 15:24 . 2005-04-01 19:44 -------- d-----w- c:\program files\Azureus
2009-10-21 15:24 . 2007-11-17 23:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-21 15:24 . 2005-06-16 19:49 -------- d-----w- c:\program files\Lavasoft
2009-10-13 20:00 . 2005-07-06 22:17 -------- d-----w- c:\program files\World of Warcraft
2009-10-12 18:33 . 2009-04-03 17:16 -------- d-----w- c:\documents and settings\Greg Rolls\Application Data\BitTorrent
2009-10-06 13:45 . 2005-01-27 22:34 -------- d-----w- c:\program files\mIRC
2009-09-15 22:05 . 2005-02-05 04:51 28160 ----a-w- c:\documents and settings\Greg Rolls\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-15 22:04 . 2009-09-15 22:04 -------- d-----w- c:\program files\Microsoft
2009-09-15 22:04 . 2009-09-15 22:03 -------- d-----w- c:\program files\Windows Live
2009-09-15 22:04 . 2009-09-15 22:04 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-09-15 22:02 . 2009-09-15 22:02 -------- d-----w- c:\program files\Common Files\Windows Live
2009-08-31 17:32 . 2009-08-31 17:29 -------- d-----w- c:\documents and settings\Greg Rolls\Application Data\Mra
2009-08-31 17:29 . 2009-08-31 17:29 -------- d-----w- c:\program files\Mail.Ru
2009-08-28 09:26 . 2009-08-28 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-07-26 15:44 . 2009-07-26 15:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2002-11-19 15:01 . 2005-03-02 02:29 28672 ----a-w- c:\program files\opera\program\plugins\PlugDef.dll
2004-08-04 12:00 . 2004-08-04 12:00 165988 --sha-r- c:\windows\system32\ptdtaqc.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-10-21_02.11.55 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 12:00 . 2009-05-30 00:58 52880 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-10-21 15:14 52880 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-10-21 15:14 380658 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-05-30 00:58 380658 c:\windows\system32\perfh009.dat
+ 2005-01-13 12:57 . 2009-10-22 01:17 130888 c:\windows\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-10-08 139264]
"AIM"="c:\program files\AIM\aim.exe" [2004-08-10 61440]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-08-25 23090984]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-04-03 321344]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2009-02-03 240544]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 339968]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-09-13 1450096]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2004-12-20 33792]
"DeadAIM"="c:\program files\AIM\\DeadAIM.ocm" [2004-02-23 144896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 36975]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-02-10 473920]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]
"Motive SmartBridge"="c:\progra~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe" [2003-12-30 380928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"wltray.exe"="c:\windows\system32\wltray.exe" [2005-01-29 696422]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-28 185896]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"MAgent"="c:\program files\Mail.Ru\Agent\MAgent.exe" [2009-08-31 7975608]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"PtiuPbmd"="ptipbm.dll" - c:\windows\system32\ptipbm.dll [2003-01-15 24576]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2003-10-06 24576]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2004-06-08 29696]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2005-1-13 581632]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-6-22 118784]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^broadband medic.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\broadband medic.lnk
backup=c:\windows\pss\broadband medic.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=c:\windows\pss\PalTalk.lnkCommon Startup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\KCeasy\\giFT\\giFTl.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1134:TCP"= 1134:TCP:fwoyzic
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [04/11/2008 21:33 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [04/11/2008 21:33 20560]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\PfModNT.sys [13/01/2005 16:33 15840]
S2 sekvhtb;Security System;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 13:00 14336]
S3 iMSPCLOj;iMSPCLOj;\??\c:\docume~1\GREGRO~1\LOCALS~1\Temp\iMSPCLOj.sys --> c:\docume~1\GREGRO~1\LOCALS~1\Temp\iMSPCLOj.sys [?]
S3 qqpcv;qqpcv;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 rzwrcfbg;rzwrcfbg;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
sekvhtb
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ntlworld.com/broadband
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} - c:\program files\Mail.Ru\Agent\magent.exe
FF - ProfilePath - c:\documents and settings\Greg Rolls\Application Data\Mozilla\Firefox\Profiles\gzs7vvqp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Opera\Program\Plugins\np32dsw.dll
FF - plugin: c:\program files\Opera\Program\Plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\Program\Plugins\nprjplug.dll
FF - plugin: c:\program files\Opera\Program\Plugins\nprpjplug.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{472734EA-242A-422B-ADF8-83D1E48CC825} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-22 21:34
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qqpcv]
"ImagePath"="\??\c:\windows\system32\01.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rzwrcfbg]
"ImagePath"="\??\c:\windows\system32\02.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sekvhtb]
"ServiceDll"="c:\windows\system32\ptdtaqc.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(592)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-10-22 21:37
ComboFix-quarantined-files.txt 2009-10-22 20:36
ComboFix2.txt 2009-10-21 02:26
Pre-Run: 10,868,801,536 bytes free
Post-Run: 10,846,228,480 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 67D5989C7922FB0E18F2DD2018539B52
PhilliePhan 171 Central Scrutinizer Team Colleague
Ok, that worked! Posting from the ill machine now.
Here's my new combofix log:
Great!
There is still some malware showing that we need to address - I will post something for you as soon as I can - probably won't be for a few hours as I am tied up at the moment.
A few things while I work that up:
-- Keep the ill machine offline
-- Disable SpyBotSD Tea Timer
http://russelltexas.com/malware/teatimer.htm
-- Remove ALL P2P stuff, at least until we are finished. I generally don't lecture about this - If you want more info on the ever increasing danger of P2P, I'll be happy to provide it. I will say that 90% of the machines I see infected with WPP or variant have multiple P2P apps.....
Uninstall or, at the very least, disable:
Program Files\LimeWire
Program Files\BitTorrent
Program Files\DNA
Program Files\KCeasy
I'll post the next fix as soon as I can.
PP :)
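As an added example (not from this thread, and not code from ComboFix or Malwarebytes), the following Python script reads ComboFix log text and flags the kinds of entries the helper is pointing at in the log above: services that run from a .tmp file or the user's Temp folder, an svchost-hosted service with a random-looking name plus the ServiceDll/ImagePath entries the catchme section exposes, the disabled Windows Firewall, an inbound port opened under a random-looking label, and system32 DLLs carrying system+hidden attributes. The sample input is lifted from the log posted above; the random-name heuristic and its thresholds are assumptions of this example, not ComboFix's own logic.

```python
import re
from collections import Counter

VOWELS = set("aeiou")

# Constructed sample input: lines lifted from the ComboFix log posted above.
SAMPLE_LOG = r"""
2009-07-26 15:44 . 2009-07-26 15:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2004-08-04 12:00 . 2004-08-04 12:00 165988 --sha-r- c:\windows\system32\ptdtaqc.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1134:TCP"= 1134:TCP:fwoyzic
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [04/11/2008 21:33 78416]
S2 sekvhtb;Security System;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 13:00 14336]
S3 iMSPCLOj;iMSPCLOj;\??\c:\docume~1\GREGRO~1\LOCALS~1\Temp\iMSPCLOj.sys --> c:\docume~1\GREGRO~1\LOCALS~1\Temp\iMSPCLOj.sys [?]
S3 qqpcv;qqpcv;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qqpcv]
"ImagePath"="\??\c:\windows\system32\01.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sekvhtb]
"ServiceDll"="c:\windows\system32\ptdtaqc.dll"
"""

# File listing lines: "date time . date time size attrs path"
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+(\S+)\s+(\S{8})\s+(.+)$")
# Service lines: "R1 name;display name;binary [date size]"
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<binary>.+?)(?: \[|$)")
# Firewall exception lines: "port:proto"= port:proto:label
PORT_RE = re.compile(r'^"(?P<port>\d+:(?:TCP|UDP))"=\s*\d+:(?:TCP|UDP):(?P<label>\S+)$')
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<value>ImagePath|ServiceDll)"="(?P<data>.+)"$')


def looks_random(name):
    """Heuristic (assumption of this example): an all-letter name of 5+ characters
    with few vowels or a long consonant run. It prioritises review, nothing more."""
    letters = name.lower()
    if not letters.isalpha() or len(letters) < 5:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(run) for run in re.findall(r"[^aeiou]+", letters)), default=0)
    return vowel_ratio < 0.3 or longest_run >= 4


def suspicious_path(path):
    """A service binary that is a .tmp file or lives under a Temp folder."""
    lowered = path.lower()
    return lowered.endswith(".tmp") or "\\temp\\" in lowered


def triage(log_text):
    """Return a list of (category, detail) findings for the given ComboFix log text."""
    findings = []
    current_key = ""
    for line in log_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        if line.startswith('"EnableFirewall"=') and re.search(r"=\s*0\b", line):
            findings.append(("firewall", "Windows Firewall disabled in standard profile"))
            continue
        m = PORT_RE.match(line)
        if m and looks_random(m.group("label")):
            findings.append(("open-port", f"{m.group('port')} opened under random-looking label {m.group('label')}"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, binary = m.group("name"), m.group("binary")
            if suspicious_path(binary):
                findings.append(("service", f"{name} runs from a temp/.tmp binary: {binary}"))
            elif "svchost.exe -k" in binary.lower() and looks_random(name):
                # ComboFix notes that legit default entries are not shown, so a
                # svchost-hosted service with a random name deserves a close look.
                findings.append(("service", f"{name} is svchost-hosted with a random-looking name"))
            continue
        m = VALUE_RE.match(line)
        if m and "\\services\\" in current_key.lower():
            # These come from the catchme section, i.e. entries hidden from normal tools.
            svc = current_key.rsplit("\\", 1)[-1]
            findings.append(("hidden-service", f"{svc}: {m.group('value')} = {m.group('data')}"))
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group(2), m.group(3)
            if "s" in attrs and "h" in attrs and "\\system32\\" in path.lower():
                findings.append(("hidden-file", f"{path} has system+hidden attributes"))
    return findings


def summarize(findings):
    """Count findings per category."""
    return Counter(category for category, _ in findings)


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
    print(dict(summarize(triage(SAMPLE_LOG))))
```

The findings line up the way the helper read the log: the hidden-service entry for sekvhtb names ptdtaqc.dll as its ServiceDll, and the same DLL is the one system32 file with the --sha-r- attribute string, which is the kind of cross-reference worth making before deciding what a follow-up script should target.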
Asezat 0 Light Poster
Ok, I'll clear all that stuff out. I never use any of those programs anymore, excepting BT on rare occasions as it is. I actually know where I got the infection from, and though it was down to my being stupid, in this case it wasn't from P2P.
I'm thinking I'll probably reformat once the computer is safe enough for me to lift my files off anyway. I've never done it before though, it should be interesting :-P.
PhilliePhan 171 Central Scrutinizer Team Colleague
I'm thinking I'll probably reformat once the computer is safe enough for me to lift my files off anyway. I've never done it before though, it should be interesting :-P.
OK - Let me know if you are definitely going to do that.
Otherwise there is a ton of other things we would need to do regarding your outdated Java and others, Security Programs, that error on boot (BIOS not found - probably your Promise hard drive controller) etc...
A reformat would render all that moot. Let me know & I can help you with that if you need it. Be sure you can find that Windows disk.
Also, you can use imgburn to burn an ISO of SP3 . . .. Guess you'll cross that bridge when you get to it.
OK - back to the problem at hand:
-- c:\program files\Mail.Ru -- You installed and use this? Just checking.
-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.
-- Let Combofix run as before and post me that log.
And . . . We'll go from there :)
PP
Asezat 0 Light Poster
OK - Let me know if you are definitely going to do that.
Otherwise there is a ton of other things we would need to do regarding your outdated Java and others, Security Programs, that error on boot (BIOS not found - probably your Promise hard drive controller) etc...
A reformat would render all that moot. Let me know & I can help you with that if you need it. Be sure you can find that Windows disk.
Also, you can use imgburn to burn an ISO of SP3 . . .. Guess you'll cross that bridge when you get to it.
OK - back to the problem at hand:
-- c:\program files\Mail.Ru -- You installed and use this? Just checking.
-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.
-- Let Combofix run as before and post me that log.
And . . . We'll go from there :)
PP
I haven't decided for sure yet, but I'm certainly leaning that way. I was thinking about it before this even happened.
Yep, mail.ru is legit. I have a few Russian friends, and it's their IM service of choice. Alexa ranks mail.ru as their 2nd or 3rd most visited site, so it's fairly solid.
Problem: I've disposed of my P2P software, turned off teatimer, downloaded a new combofix, and dropped that little notepad file onto it to start it up. It went through all its usual motions, started the scan, then... just stopped. I've been sitting at "Complete Stage_2" for the best part of half an hour, with no sign of life from the box itself, and I'm not sure what to do.
PhilliePhan 171 Central Scrutinizer Team Colleague
It went through all its usual motions, started the scan, then... just stopped. I've been sitting at "Complete Stage_2" for the best part of half an hour, with no sign of life from the box itself, and I'm not sure what to do.
If you didn't touch it or do anything to cause it to stall, then just let it keep running. Overnight if you have to....
If it still hasn't completed, then we'll address that. Sometimes this will happen with some tougher malware, though given the previous runs there may indeed be a stall.
Let's just be patient and see what happens.
PP :)
Asezat 0 Light Poster
No, I didn't touch it, it just hasn't moved. Same situation, 8 hours later.
PhilliePhan 171 Central Scrutinizer Team Colleague
No, I didn't touch it, it just hasn't moved. Same situation, 8 hours later.
Bloody hell.
I suppose it would be too much to ask for something to go right just once to make things easy on us...... Somebody is laughing at us.
I guess we'll have to power off and reboot. Then try the last step again complete with a fresh download of combofix.
--Rename combofix again at download as you did before to combo-fix, just to cover that base.
Let me know how that shakes out. I won't have another break for a few hours. Will check back then.
PP :)
Asezat 0 Light Poster
Hey again. Apologies it took me so long to get back to you, been busy as hell yesterday evening and this morning :.
Anyway, I re-downloaded combofix and the file, renamed it, etc, and fired it up again. That being about 20 minutes ago, and I'm stuck at the same stage as I was before. Not sure what to do, now.
PhilliePhan 171 Central Scrutinizer Team Colleague
Hey again. Apologies it took me so long to get back to you, been busy as hell yesterday evening and this morning :.
No worries - we all have "real lives" to contend with. :)
I am going to be pretty busy with typical fall chores this weekend + watching sports (don't know if PhilliePhan would give that away across the pond....)
Let's try MBAM
-- Run your MBAM and click the Update tab.
You should at least have Database Version 3027
--Then, run the Full Scan and post me the log. Be sure to have it fix what it finds and go ahead and Reboot when it finishes.
Let's see where that leaves us. Hang in there - I think we are almost to the finish line....
Cheers :)
PP
Asezat 0 Light Poster
I did figure it was sport-related, though I didn't know it was baseball :icon_razz:.
I can't update MBAM, it just gives me an error (code 732 (0,0)). I tried to download a new db from the link provided, but it gives me a 404 error. I'm stuck with version 2775. Should I run it anyway?
PhilliePhan 171 Central Scrutinizer Team Colleague
I did figure it was sport-related, though I didn't know it was baseball :icon_razz:.
I can't update MBAM, it just gives me an error (code 732 (0,0)). I tried to download a new db from the link provided, but it gives me a 404 error. I'm stuck with version 2775. Should I run it anyway?
Download http://www.malwarebytes.org/mbam/database/mbam-rules.exe
Run mbam-rules.exe - I'm not sure what database it will be, but definitely more recent than 2775.
Then try MBAM and let's see what it removes.
PP :)
Asezat 0 Light Poster
Apparently "Firefox can't find the server at www.malwarebytes.org." Same result with IE, and opera.
I get the same error on my laptop.
Edited by Asezat because: Added the laptop comment.
PhilliePhan 171 Central Scrutinizer Team Colleague
Apparently "Firefox can't find the server at www.malwarebytes.org." Same result with IE, and opera.
I get the same error on my laptop.
That's a bit worrisome - you may have some malware on the lappy, too.....
See if you can access it via Majorgeeks:
http://majorgeeks.com/Malwarebytes_Anti-Malware_Database_d6025.html
PP :)
EDIT:
Maybe a run of MBAM on laptop is warranted?
Edited by PhilliePhan because: Added info
Asezat 0 Light Poster
If I try to get it off MajorGeeks, it says it can't find store.malwarebytes.org. I can only get it from download.com, which was last updated on the 10th, which I guess accounts for the old version.
I have this problem with it refusing to find the site when I try to update my MSN, it won't connect to a certain part of the microsoft site. But it lets me on web messenger, so I'm not sure what the deal is.
I ran adaware on here a few days ago, and it cleared a load of stuff out. I don't know if that helps, or not.
PhilliePhan 171 Central Scrutinizer Team Colleague
I ran adaware on here a few days ago, and it cleared a load of stuff out. I don't know if that helps, or not.
MBAM is far superior - Definitely go with that.
Some malware is blocking those sites. Used to be a simple check of the Hosts file could address this, but not so simple these days....
--- Try START > RUN > type or copy&paste:
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v GlobalUserOffline /t REG_DWORD /d 0
and click OK
Then, see if MBAM can update using the Update Tab.
PP :)
PhilliePhan 171 Central Scrutinizer Team Colleague
Just out of curiosity - do you have the same trouble Downloading, Updating and Running SuperAnti-Spyware?
Try that if no joy with MBAM.
I'll be back Sunday Evening.
Cheers :)
PP
Asezat 0 Light Poster
Yeah, MBAM still won't update. And I have *exactly* the same problem with superantispyware, FF won't find the server.
PhilliePhan 171 Central Scrutinizer Team Colleague
Yeah, MBAM still won't update. And I have *exactly* the same problem with superantispyware, FF won't find the server.
This sounds a lot like conficker - of course lots of other malware have done this as well. I'm surprised none of the tools we ran addressed this.
Let's check a few things:
-- Navigate to C:\WINDOWS\SYSTEM32\DRIVERS\ETC and use notepad to open the HOSTS file and post that for me.
-- At command prompt, type ipconfig /flushdns ENTER
See if that helps
-- Do you have this security update?
Security Update for Windows XP (KB958644)
You can find it in Add/Remove Programs (be sure box at top to Show Updates is checked)
Or, use the search function to find KB958644
-- Are you able to access and run this scanner:
http://onecare.live.com/site/en-us/default.htm
PP :)
Asezat 0 Light Poster
The DNS flush didn't help, unfortunately.
My hosts file contains simply "127.0.0.1 localhost".
I don't have that update, I'll pick it up shortly though. The Microsoft scanner does appear to work, though. I had it at 35% before I accidentally rebooted the machine and had to start over. Will post the results when it finishes, though.
PhilliePhan 171 Central Scrutinizer Team Colleague
The DNS flush didn't help, unfortunately.
Did you get an error message?
If not, we can try this:
START > Run >type services.msc and Stop / Disable the DNS Client service. Maybe that will help in the short term.
My hosts file contains simply "127.0.0.1 localhost".
That is what it should be.
I don't have that update, I'll pick it up shortly though. The Microsoft scanner does appear to work, though. I had it at 35% before I accidentally rebooted the machine and had to start over. Will post the results when it finishes, though.
Good - Let me know what it finds.
I probably made a mistake in assuming everybody had taken steps to remove and patch conficker . . . Should know better than that.
PP :)
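Added example (not from this thread, and not code from any of the tools named in it): a small Python check that separates the two things the helper asked about above, a tampered hosts file versus selective name-resolution failure for security-vendor sites. It parses hosts-file text and looks for redirects of a few security sites, then probes resolution of those sites alongside ordinary control hosts so a general outage is not mistaken for targeted blocking. The watched and control host names are this example's own choice, the tampered hosts file is constructed, and the fake resolver exists only so the logic can be exercised offline.

```python
import socket

# Sites whose reachability the thread treats as a tell (MBAM, Microsoft and
# SuperAntiSpyware updates all failed). Chosen for this example, not authoritative.
WATCHED_HOSTS = ["www.malwarebytes.org", "update.microsoft.com", "www.superantispyware.com"]
# Ordinary sites expected to resolve; if these fail too, it is general connectivity.
CONTROL_HOSTS = ["www.example.com", "www.example.net"]

# What the poster reported as the entire contents of the hosts file.
CLEAN_HOSTS_FILE = "127.0.0.1 localhost\n"
# Constructed sample of a tampered hosts file for comparison.
HIJACKED_HOSTS_FILE = """# constructed sample, not from the thread
127.0.0.1 localhost
127.0.0.1 www.malwarebytes.org
0.0.0.0   update.microsoft.com   # sinkholed
"""


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text, ignoring comments and blank lines."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def hosts_overrides(hosts_text, watched=WATCHED_HOSTS):
    """Watched hosts that the hosts file redirects anywhere at all."""
    mapping = parse_hosts(hosts_text)
    return {h: mapping[h.lower()] for h in watched if h.lower() in mapping}


def probe(hosts, resolve):
    """Resolve each host with the given resolver; record 'ok' or 'fail'."""
    results = {}
    for host in hosts:
        try:
            resolve(host)
            results[host] = "ok"
        except OSError:  # socket.gaierror is an OSError subclass
            results[host] = "fail"
    return results


def classify_resolution(resolve=socket.gethostbyname, watched=WATCHED_HOSTS, control=CONTROL_HOSTS):
    """Return (verdict, per-host results). Verdicts: clean, selective-block,
    general-connectivity, inconclusive."""
    watched_results = probe(watched, resolve)
    control_results = probe(control, resolve)
    watched_failed = [h for h, s in watched_results.items() if s == "fail"]
    control_failed = [h for h, s in control_results.items() if s == "fail"]
    if control_failed and len(control_failed) == len(control):
        verdict = "general-connectivity"
    elif watched_failed and not control_failed:
        verdict = "selective-block"
    elif watched_failed:
        verdict = "inconclusive"
    else:
        verdict = "clean"
    return verdict, {**watched_results, **control_results}


def fake_resolver(blocked):
    """Constructed resolver for offline use: fails like gethostbyname for blocked names."""
    def resolve(host):
        if host in blocked:
            raise socket.gaierror(-2, "Name or service not known")  # constructed error
        return "192.0.2.1"  # TEST-NET-1 placeholder address
    return resolve


if __name__ == "__main__":
    print("hosts overrides (clean):", hosts_overrides(CLEAN_HOSTS_FILE))
    print("hosts overrides (tampered):", hosts_overrides(HIJACKED_HOSTS_FILE))
    # Stand-alone run uses the live resolver; expect network access here.
    verdict, results = classify_resolution()
    print(verdict, results)
```

Run stand-alone, the last step uses the machine's real resolver. The clean hosts file reported in the thread gives an empty override set, and a selective-block verdict next to it is exactly the situation described here: the interference sits somewhere other than the hosts file, which is why the helper moved on to the DNS Client service and the GlobalUserOffline registry value rather than stopping at the hosts check.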
Asezat 0 Light Poster
Well, it won't let me copy/paste what it found, but conficker was among the virii. It found three other trojans, a Java exploit, and a hell of a lot of performance issues which I assume aren't really what we're dealing with, so I won't mention them. Plus an open port. I'll leave the window open for now and not move on to the next step, if you want the exact info I'll try and find a way of getting it all out of there.
Regarding conficker, I should probably come clean now and admit that my housekeeping has been dreadful. I've had this computer for the best part of 5 years, it's never been reformatted, and I've only sporadically run freeware AV's, Spybot S&D and Ad-Aware. I've never really had to deal with anything like this before, though.... I've been online on multiple computers for at least a decade now and I've dealt with them all the same and never had anything like this to deal with. I guess you could call it a very rude awakening :$.
Regarding the DNS flush, no, I got no error message. Just a prompt asking me if I wanted to do it or not. It was successful on both my laptop and tower.
Edited by Asezat because: DNS flush.
PhilliePhan 171 Central Scrutinizer Team Colleague
I'll leave the window open for now and not move on to the next step, if you want the exact info I'll try and find a way of getting it all out of there.
Regarding conficker, I should probably come clean now and admit that my housekeeping has been dreadful.
As long as the baddies were removed, we are good to continue.
-- See if you can now run MBAM and update via the Update tab.
Then, run the full scan. Remove what it finds and post the log. Reboot afterwards.
I imagine you are waaay behind on patches - If MBAM updates and runs, we will probably have come to the point where you need to decide if you want to pull your data off and reformat or try to patch/update everything.
The problem here was with my plan of attack, I think. Not being able to access the machine directly led to a different approach and I didn't get to see a few crucial items regarding patches etc...
That, and a few wrong assumptions.
Anyhoo, let's try MBAM and cross our fingers :)
PP
EDIT: Probably a good idea to run that Onecare scan on Laptop.....
Edited by PhilliePhan because: Added Info
Asezat 0 Light Poster
Nope, immediate refusal to update. Same as before.
The scan said it couldn't remove a few of the virii. I know at least one of them was quarantined by combofix, and two of the others were saved in my old system restore point. I'm not sure if that's an issue or not.
I'll patch conficker now. And hey, your plan of attack has cleared out an awful lot of the bugs, so I'm not complaining :P.
I will run that scanner on my laptop in the near future.
edit: it won't let me patch conficker. Same instant refusal.
Edited by Asezat because: conficker