Unknown problem (log included)

Also- do you know of any way to transfer files from my infected computer to another one (since i cant just drag and drop on to an external, for example)
 
here's the log:

by the way, do you know anyway i can get files off my infected computer? drag and drop doesnt work, and for some reason neither will copy or paste, or send to my external (it doesnt show up under the things i can choose to send to








ComboFix 09-12-22.09 - Owner 12/25/2009 22:55:12.2.2 - x86




Running from: e:\school shit\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\EventSystem.log

c:\windows\system32\eventlog.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-11-26 to 2009-12-26 )))))))))))))))))))))))))))))))
.

2009-11-28 18:15 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-28 18:15 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-28 18:15 . 2009-11-28 18:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-28 00:36 . 2009-05-07 10:45 -------- d-----w- c:\program files\Celtx
2009-11-23 15:04 . 2009-10-29 20:28 0 ----a-r- c:\windows\win32k.sys
2009-11-08 23:59 . 2009-11-08 23:58 -------- d-----w- c:\program files\ERUNT
2009-11-08 15:36 . 2009-11-08 15:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-11-08 09:56 . 2009-10-30 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-08 09:16 . 2009-08-04 00:24 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-11-08 05:44 . 2009-01-05 23:04 -------- d-----w- c:\program files\McAfee
2009-11-08 05:07 . 2009-01-09 02:37 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-10-27 07:01 . 2009-10-27 07:01 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-10-27 07:01 . 2009-10-27 07:00 -------- d-----w- c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor
2009-10-20 16:54 . 2009-10-20 16:54 59992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.736\English\setup.exe
2009-10-19 18:30 . 2009-10-25 01:28 872960 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\1fkpfvqb.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-10-19 18:30 . 2009-10-25 01:28 43008 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\1fkpfvqb.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-10-19 18:30 . 2009-10-25 01:28 340480 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\1fkpfvqb.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-10-19 18:30 . 2009-10-25 01:28 346624 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\1fkpfvqb.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
.

------- Sigcheck -------

Cryptography Services Error !!
.
((((((((((((((((((((((((((((( SnapShot@2009-11-23_23.28.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-26 01:42 . 2009-12-26 01:42 16384 c:\windows\Temp\Perflib_Perfdata_6ac.dat
+ 2009-11-23 23:41 . 2009-11-25 06:28 16384 c:\windows\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-07-16 25604904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2008-08-04 160800]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-20 148888]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [x]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX7000 Filter Driver;c:\windows\system32\Drivers\nx6000.sys [2008-08-04 33808]

.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com
mStart Page = hxxp://uk.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\1fkpfvqb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://uk.search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.blackle.com/
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\1fkpfvqb.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-25 23:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)
c:\windows\system32\netprovcredman.dll
.
Completion time: 2009-12-25 23:11:28
ComboFix-quarantined-files.txt 2009-12-26 04:11
ComboFix2.txt 2009-11-23 23:41

Pre-Run: 56,082,120,704 bytes free
Post-Run: 56,068,370,432 bytes free

- - End Of File - - FC32C50585A527ECE18D8800CDE6986F
 
Hi monsieurchouette

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c PEV -l %systemdrive%\eventlog.dll >Log.txt&Log.txt&del Log.txt

A Notepad file will open. Post the contents of Log.txt in your next reply.

Thanks peku006
 
When i did this (and i tried two or three times) a black msdos screen popped up, waited a few seconds, and then disappeared. No notepad file ever showed.
 
Hi monsieurchouette

1 - Run CFScript

Open Notepad and copy/paste the text in the box into the window:

Code: 
FCopy::
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll|C:\WINDOWS\system32\eventlog.dll
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll|C:\WINDOWS\system32\dllcache\eventlog.dll

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    CFScriptB-4.gif

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

3 - Status Check
Please reply with


1. the ComboFix log(C:\ComboFix.txt)
2. a fresh HijackThis log
description of any problems you are having with your PC

Thanks peku006
 
Peku:

One of the problems of my system is that I cannot drag and drop, therefore, is there another way i could run combo fix with that notepad file?

Computer problems:
No drag and drop
No system restore
No internet (in fact no connections available when looking at the network connections menu)
No sound
No toolbar at the bottom
 
Hi monsieurchouette

  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
    Code: 
    Files to move:
C:\WINDOWS\system32\logevent.dll|C:\WINDOWS\system32\eventlog.dll
  • In the avenger window, click the Paste Script from Clipboard,
    pastets4.png
    button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.

Thanks peku006
 
Was able to get avenger downloaded....but anytime i attempted to run it, the icon would disappear as soon as i clicked on it. Tried renaming the file to no success either.
 
Hi monsieurchouette

RootRepeal - Rootkit Detector

  • Download RootRepeal from the following location and save it to your desktop.
  • Unzip it to your Desktop
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • Check the box for your main system drive (Usually C:), and Click OK to start the scan

    The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

Thanks peku006
 
You must log in or register to reply here.
Back
Top