
Thread: FirewallDisableNotify

  1. #1
    Allie (Junior Member)
    Join Date: Apr 2011
    Posts: 9

    FirewallDisableNotify

    First of all, I have a Windows XP operating system. The title I chose comes from one of the problems I am experiencing. I have had automatic updates disabled (and am unable to re-enable them, I'm being stopped). My firewall has been disabled, but I am allowed to re-enable it. Every time I try to open anything, I am given an "Open With..." prompt, and even when I choose the right program, my antivirus/malware programs still won't run. And my PC is running VERY slowly, though I don't have much stored on it.
    I am on a computer with multiple user profiles, and most of these problems are contained to one, with the exception of Automatic Updates being disabled for all and the PC being really slow, which leads me to believe that even if I were to delete that user profile, the problems would not go away.

    I am not entirely sure how to pull up logs from AVG or Spybot, so I'll give what they found first.

    AVG deleted the following files:
    ...Local Settings\Application Data\bmc.exe
    ...Local Settings\TEMP\RF4N71.exe
    ...SYSTEM32\5hr4t.dll

    Spybot fixed the following problems:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride

    And my MalwareBytes log:
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6436

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    4/24/2011 11:44:17 PM
    mbam-log-2011-04-24 (23-44-17).txt

    Scan type: Quick scan
    Objects scanned: 203428
    Time elapsed: 8 minute(s), 54 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 18
    Registry Values Infected: 4
    Registry Data Items Infected: 6
    Folders Infected: 2
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{137E6E5E-A205-4657-A49F-1AB865787089} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2BA1C226-EC1B-4471-A65F-D0688AC6EE3A} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CC3D8FE-F0E0-4DD1-A69A-8C56BCC7BEBF} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3CC3D8FE-F0E0-4DD1-A69A-8C56BCC7BEBF} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CC3D8FE-F0E0-4DD1-A69A-8C56BCC7BEC0} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7370F91F-6994-4595-9949-601FA2261C8D} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446AF26-B8D7-199B-4CFC-6FD764CA5C9F} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446AF26-B8D7-199B-4CFC-6FD764CA5C9F} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776C4DC-E894-7C06-2148-5D73CEF5F905} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776C4DC-E894-7C06-2148-5D73CEF5F905} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494E6CEC-7483-A4EE-0938-895519A84BC7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494E6CEC-7483-A4EE-0938-895519A84BC7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\SmartShopper (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\SmartShopper (Adware.SmartShopper) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{3CC3D8FE-F0E0-4DD1-A69A-8C56BCC7BEBF} (Adware.SmartShopper) -> Value: {3CC3D8FE-F0E0-4DD1-A69A-8C56BCC7BEBF} -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{3CC3D8FE-F0E0-4DD1-A69A-8C56BCC7BEC0} (Adware.SmartShopper) -> Value: {3CC3D8FE-F0E0-4DD1-A69A-8C56BCC7BEC0} -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} (Adware.SmartShopper) -> Value: {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} (Adware.SmartShopper) -> Value: {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Christina Ehlers\Local Settings\Application Data\bmc.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Christina Ehlers\Local Settings\Application Data\bmc.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Christina Ehlers\Local Settings\Application Data\bmc.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    c:\program files\AVGT (Rogue.AntivirusGT) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

    Files Infected:
    c:\documents and settings\jim ehlers\local settings\Temp\aux0jcf+.exe.part (Rogue.Installer) -> Quarantined and deleted successfully.
    c:\documents and settings\christina ehlers\local settings\Temp\0.35374869555697397.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
    c:\documents and settings\christina ehlers\local settings\Temp\0.3318852062558064.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

    Thank you for taking the time to look over this. I appreciate ANY help that you may be able to give me. Thank you and have a wonderful day.
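
The Malwarebytes entries in the post show the two things a responder most wants to pull out of such a log: the three Security Center *DisableNotify values flipped from 0 to 1 (a value of 1 suppresses the XP Security Center warning for a disabled firewall, antivirus or Automatic Updates, which matches the symptoms described), and the StartMenuInternet browser launch commands rewritten so that bmc.exe runs first and is handed the real browser path as an argument. The script below is an added example, not part of this thread and not Malwarebytes' own code: it parses lines in the MBAM 1.50 log format into records and flags those two tampering patterns. The embedded sample log is constructed for the example, modelled on the entries above with the profile names replaced by "user".

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the Malwarebytes' Anti-Malware 1.50 log format, modelled on
# the entries quoted in the post (profile names replaced; not the poster's actual log).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.50.1.1100

Registry Data Items Infected: 3
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\user\Local Settings\Application Data\bmc.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\user\local settings\Temp\0.35374869555697397.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
"""

# A section header is "<Name> Infected:" with nothing after the colon;
# the summary counts near the top ("... Infected: 3") deliberately do not match.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# Every detection line is "<location> (<threat name>) -> <rest>".
ENTRY_RE = re.compile(r"^(?P<location>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
# Registry Data Items additionally carry the tampered value and the value MBAM restored.
DATA_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.+)$")

# Security Center values that, when set to 1, silence the XP warning balloons
# for a disabled firewall, antivirus or Automatic Updates.
NOTIFY_VALUES = ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify")


@dataclass
class Detection:
    section: str
    location: str
    threat: str
    action: str
    bad: Optional[str] = None   # only present for Registry Data Items
    good: Optional[str] = None


def parse_mbam_log(text: str) -> List[Detection]:
    """Turn the per-section detection lines of an MBAM 1.50 log into records."""
    detections: List[Detection] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = SECTION_RE.match(line)
        if head:
            section = head.group("name")
            continue
        # Lines before the first section are the report header; skip them.
        if section is None or line.startswith("(No malicious items"):
            continue
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        rest = entry.group("rest")
        data = DATA_RE.match(rest)
        if data:
            detections.append(Detection(section, entry.group("location"), entry.group("threat"),
                                        data.group("action"), data.group("bad"), data.group("good")))
        else:
            detections.append(Detection(section, entry.group("location"), entry.group("threat"), rest))
    return detections


def launched_program(command: str) -> str:
    """Basename of the executable a browser launch command line actually starts."""
    quoted = re.match(r'\s*"([^"]+)"', command)
    path = quoted.group(1) if quoted else command.split()[0]
    return path.rsplit("\\", 1)[-1]


def triage(detections: List[Detection]) -> List[Tuple[str, str]]:
    """Flag the two registry tampering patterns visible in the post's log."""
    findings: List[Tuple[str, str]] = []
    for d in detections:
        value_name = d.location.rsplit("\\", 1)[-1]
        if "\\Security Center\\" in d.location and value_name in NOTIFY_VALUES and d.bad == "1":
            findings.append(("security_center_notify_suppressed", value_name))
        elif "\\StartMenuInternet\\" in d.location and d.bad is not None:
            # The browser shortcut was rewritten to run another binary first,
            # which then receives the real browser path as an argument.
            findings.append(("browser_launch_hijacked", launched_program(d.bad)))
    return findings


if __name__ == "__main__":
    records = parse_mbam_log(SAMPLE_LOG)
    for rec in records:
        print(f"[{rec.section}] {rec.threat}: {rec.location}")
    for kind, detail in triage(records):
        print(f"FINDING {kind}: {detail}")
```

Run against a full log, the parser yields one record per detection line and the triage step reports which Security Center notifications were silenced and which binary the browser shortcuts had been redirected through; the hijacked command's `Good:` value (the restored `firefox.exe`) is kept on the record so the before and after can be compared.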

  2. #2
    tashi (Member of Team Spybot)
    Join Date: Oct 2005
    Location: USA
    Posts: 30,956

    Hello Allie,

    In case you missed it, please see the FAQ, which also includes guidelines for this forum and instructions in post #2 on how to provide the preliminary "DDS" logs used for analysis:
    "BEFORE You POST" (Please read this Procedure Before Requesting Assistance)

    Then start a new topic providing the DDS logs as shown in that sticky and a volunteer analyst will advise you when available.

    Best regards.
    -----------------------------
    http://forums.spybot.info/showthread.php?t=62401
    Last edited by tashi; 2011-04-26 at 00:21. Reason: Added link to new topic
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
