Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Hoping 4 some assist from one of the malware/IT Sec pro's

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Hoping 4 some assist from one of the malware/IT Sec pro's

Unread postby technightmares » March 27th, 2011, 2:43 am

Just having some issues. Have reason to believe were assoc with a malware infection. Done just about everything I can think of to sort it out on my own. 3dys worth of everything I can think of. Believe I got rid of the rootkit that was on this PC. But would like to be sure.

Also while everything appears to be running normally now. The comp is sluggish and was hoping to get some feedback on poss solutions from one of you people who know wth they're doing vs. myself. Which evidently don't know nearly as much as was giving myself credit for.

Please help a guy out with an ongoing 3dy technightmare ... thanks in advance for any help.

I ran a program called combofix, ran one called GMER, done online scanners for dys. Used the XP recovery console included with combofix to do fixboot and fixmbr. Updated java, updated adobe, updated to a tougher firewall, update firefox to latest, installed microsoft security essentials.

This is the txt file combofix produced, if it helps.

ComboFix 11-03-25.01 - Angela 03/26/2011 8:38.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.122 [GMT -5:00]
Running from: c:\documents and settings\Angela\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Angela\Local Settings\Application Data\{C8A83DDD-9A7B-4EFD-823C-C9678D9348BC}
c:\documents and settings\Angela\Local Settings\Application Data\{C8A83DDD-9A7B-4EFD-823C-C9678D9348BC}\chrome.manifest
c:\documents and settings\Angela\Local Settings\Application Data\{C8A83DDD-9A7B-4EFD-823C-C9678D9348BC}\chrome\content\_cfg.js
c:\documents and settings\Angela\Local Settings\Application Data\{C8A83DDD-9A7B-4EFD-823C-C9678D9348BC}\chrome\content\overlay.xul
c:\documents and settings\Angela\Local Settings\Application Data\{C8A83DDD-9A7B-4EFD-823C-C9678D9348BC}\install.rdf
c:\program files\Dynamic Toolbar
c:\program files\Dynamic Toolbar\REALBAR\Cache\bubble.bmp
c:\program files\Dynamic Toolbar\REALBAR\Cache\bubble16.bmp
c:\program files\Dynamic Toolbar\REALBAR\Cache\celebs.bmp
c:\program files\Dynamic Toolbar\REALBAR\Cache\gotb.bmp
c:\program files\Dynamic Toolbar\REALBAR\Cache\highlight.bmp
c:\program files\Dynamic Toolbar\REALBAR\Cache\hotstuff.bmp
c:\program files\Dynamic Toolbar\REALBAR\Cache\hotstuffsm.bmp
c:\program files\Dynamic Toolbar\REALBAR\Cache\movies.bmp
c:\program files\Dynamic Toolbar\REALBAR\Cache\music.bmp
c:\program files\Dynamic Toolbar\REALBAR\Cache\news.bmp
c:\program files\Dynamic Toolbar\REALBAR\Cache\ngames.bmp
c:\program files\Dynamic Toolbar\REALBAR\Cache\radio.bmp
c:\program files\Dynamic Toolbar\REALBAR\Cache\REALBARTB0115.cfg
c:\program files\Dynamic Toolbar\REALBAR\Cache\sports.bmp
c:\program files\Dynamic Toolbar\REALBAR\Cache\Thumbs.db
c:\program files\filesubmit
c:\program files\MyWay
c:\program files\MyWay\bar\History\search
c:\program files\MyWay\bar\Settings\settings.dat
c:\program files\MyWay\bar\Settings\settings.dat.bak
c:\program files\MyWay\bar\Settings\settings.htm
c:\program files\MyWay\bar\Settings\settings.htm.bak
c:\program files\MyWay\myBar\History\search
c:\program files\MyWay\myBar\Settings\prevcfg.htm
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\atsvc4sv.dll
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.6.inf
c:\windows\system32\Temp
c:\windows\urovifukifuriz.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-02-26 to 2011-03-26 )))))))))))))))))))))))))))))))
.
.
2011-03-26 13:11 . 2011-03-26 13:11 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8D9C5B65-0AD6-48EE-B9B3-66F7ACF35D44}\MpKslf5962023.sys
2011-03-26 13:10 . 2011-03-15 02:05 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8D9C5B65-0AD6-48EE-B9B3-66F7ACF35D44}\mpengine.dll
2011-03-26 08:32 . 2011-03-26 08:32 -------- d-----w- c:\program files\Common Files\Java
2011-03-26 03:18 . 2011-01-13 06:41 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-03-26 03:14 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-03-26 03:03 . 2011-03-26 03:03 -------- d-----w- c:\program files\Microsoft Security Client
2011-03-26 00:15 . 2011-03-26 02:07 -------- d-----w- c:\program files\Windows Live Safety Center
2011-03-25 09:43 . 2011-03-25 09:43 -------- d-----w- c:\program files\Quick Web Player
2011-03-24 23:46 . 2011-03-25 11:11 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-03-24 23:46 . 2011-03-24 23:46 -------- d-----w- c:\program files\AVAST Software
2011-03-23 23:55 . 2011-03-23 23:55 -------- d-----w- c:\program files\COMODO
2011-03-23 23:54 . 2011-03-23 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2011-03-23 19:49 . 2011-03-25 05:01 0 ----a-w- c:\windows\Rciqozujitif.bin
2011-03-02 23:19 . 2011-03-02 23:20 -------- d-----w- c:\program files\OpenWith.org Desktop Tool
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-23 21:46 . 2010-05-07 18:32 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2011-02-03 02:40 . 2010-08-18 05:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 00:19 . 2010-08-18 05:22 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-06 22:37 . 2011-01-06 22:37 94784 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-01-06 22:37 . 2011-01-06 22:37 27576 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-01-06 22:37 . 2011-01-06 22:37 239368 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-01-06 22:37 . 2011-01-06 22:37 15592 ----a-w- c:\windows\system32\drivers\cmderd.sys
2010-12-29 06:42 . 2010-12-29 06:42 285480 ----a-w- c:\windows\system32\guard32.dll
2011-03-18 17:53 . 2011-03-26 07:10 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"nwiz"="nwiz.exe" [2003-07-16 323584]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-07-16 4743168]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 88363]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-01-18 2548552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Billminder.lnk - c:\program files\Quicken\billmind.exe [N/A]
MediaFACE 4.01 Calibration Wizard.lnk - c:\program files\Fellowes\MediaFACE 4.0\MFPCalib.exe [N/A]
MediaFACE 4.01 Design Wizard.lnk - c:\program files\Fellowes\MediaFACE 4.0\MfRunWiz.exe [N/A]
MediaFACE 4.01 Help.lnk - c:\program files\Fellowes\MediaFACE 4.0\MediaFACE4.chm [N/A]
MediaFACE 4.01.lnk - c:\program files\Fellowes\MediaFACE 4.0\MediaFace.exe [N/A]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [N/A]
Quicken Startup.lnk - c:\program files\Quicken\QWDLLS.EXE [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare Software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM(135)
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [1/6/2011 5:37 PM 239368]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [1/6/2011 5:37 PM 27576]
R1 MpKslf5962023;MpKslf5962023;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8D9C5B65-0AD6-48EE-B9B3-66F7ACF35D44}\MpKslf5962023.sys [3/26/2011 8:11 AM 28752]
S1 qzhjugee;qzhjugee;\??\c:\windows\system32\drivers\qzhjugee.sys --> c:\windows\system32\drivers\qzhjugee.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6.tmp --> c:\windows\system32\6.tmp [?]
S4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [7/27/2010 5:45 PM 229376]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLF5962023
*Deregistered* - pxtdapow
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
2011-03-26 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
uInternet Connection Wizard,ShellNext = hxxp://www.mchsi.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\documents and settings\Angela\Application Data\Mozilla\Firefox\Profiles\7mghta0l.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-26 08:46
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose, ZwOpenFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\6.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'lsass.exe'(796)
c:\windows\system32\guard32.dll
.
Completion time: 2011-03-26 08:50:20
ComboFix-quarantined-files.txt 2011-03-26 13:50
.
Pre-Run: 1,175,896,064 bytes free
Post-Run: 1,155,878,912 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - D8DD7047237BCF46DE6E346B4DAA0375


If someone has some time on their hands and wants some good karma pts. Would definitely appreciate the chance to be advised by someone who deals with this routinely.

Thanks much,
technightmares
Active Member
 
Posts: 3
Joined: March 27th, 2011, 2:25 am
Advertisement
Register to Remove

Re: Hoping 4 some assist from one of the malware/IT Sec pro'

Unread postby NonSuch » March 27th, 2011, 3:27 am

ComboFix is not a tool that is intended to be used without the direct supervision of a qualified expert. To use ComboFix on your own is to court disaster for your computer. Please stop all attempts at self-fixes for your system's issues as that may only confuse the issue further and cause additional problems as well.

In order for us to help you it is necessary that you provide us with a DDS log. Please follow the guideline at the link below to start a new topic and post your log. Also include your ComboFix log in the same post.

This topic is now closed. Please start a new topic by following the Guideline posted here: >Guideline for posting your DDS log<
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 288 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware