Ran ComboFix, virus still remains - DFWstangs Forums
 
post #1 of 10 (permalink) Old 10-25-2009, 01:11 PM Thread Starter
Join Date: Dec 2002
Location: Laughlin AFB
Posts: 5,638
Ran ComboFix, virus still remains

A couple months ago I was having a problem with a Trojan on my laptop, that was giving me the BSOD, not allowing me to run most programs, and doing all kinds of other weird shit. I created this thread https://www.dfwstangs.net/forums/show...ghlight=skynet and did pretty much everything suggested.

I've run Malwarebytes, Spybot, Avira, and others probably 50+ times and even though they would find and remove infected files, the virus would not completely go away. I created an XP SP3 CD and repaired Windows, which got rid of the BSOD problems, but the virus still remains. I then ran ComboFix according to the instructions posted online, but the virus is still not dead. Here is my ComboFix log if anyone can decipher it:

ComboFix 09-10-04.01 - Danny 10/04/2009 15:07.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1569 [GMT -5:00]
Running from: c:\documents and settings\Danny\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\system32\Install.txt
c:\windows\TEMP\mta96809.dll
.
---- Previous Run -------
.
c:\documents and settings\Danny\My Documents\ZbThumbnail.info
c:\program files\Common
c:\program files\Common\_helper.sig
c:\program files\SafetyCenter
c:\program files\SafetyCenter\main.ico
c:\program files\SafetyCenter\new.exe
c:\program files\SafetyCenter\protector.exe
c:\program files\SafetyCenter\sound.wav
c:\program files\SafetyCenter\start.exe
c:\program files\SafetyCenter\uninstall.exe
c:\program files\Shared
c:\program files\Shared\lib.sig
c:\windows\Install.txt
c:\windows\Installer\64266.msi
c:\windows\Installer\c7c4418.msi
c:\windows\Installer\c7c4419.msp
c:\windows\Installer\c7c441a.msp
c:\windows\Installer\c7c441b.msp
c:\windows\Installer\c7c441c.msp
c:\windows\Installer\c7c441d.msp
c:\windows\Installer\c7c441e.msp
c:\windows\Installer\c7c441f.msp
c:\windows\Installer\c7c4420.msp
c:\windows\Installer\c7c4421.msp
c:\windows\system32\6to4v32.dll
c:\windows\system32\bszip.dll
c:\windows\system32\certstore.dat
c:\windows\system32\drivers\SKYNETeudjnlou.sys
c:\windows\system32\FInstall.sys
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\Install.txt
c:\windows\system32\regedit32.exe
c:\windows\system32\SKYNETbqjesdpx.dll
c:\windows\system32\SKYNETlkaibrkc.dll
c:\windows\system32\SKYNETrmqlxhba.dll
c:\windows\system32\SKYNETxvjbabuh.dat
c:\windows\system32\SKYNETxymtnqlr.dat
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\TEMP\mta118698.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETgkvyxujy
-------\Legacy_SKYNETgkvyxujy
-------\Legacy_6TO4
-------\Legacy_ANTIPPRO2009_100
-------\Legacy_BACKGROUND_SWITCH
-------\Service_6to4
-------\Service_BackGround switch


((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
.

2009-09-18 03:42 . 2009-09-18 03:42 2198 ----a-w- C:\Dqh9qZ.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-04 18:09 . 2009-08-15 04:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-04 18:00 . 2008-08-15 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-25 20:05 . 2007-10-19 01:42 29941 ----a-w- c:\windows\system32\nvModes.dat
2009-08-24 23:21 . 2004-08-11 22:12 24940 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-15 18:00 . 2004-08-11 22:00 6656 ----a-w- c:\windows\system32\lpcio.dll
2009-08-15 15:55 . 2009-08-14 22:23 -------- d-----w- c:\program files\CPUID
2009-08-15 05:41 . 2009-08-15 05:39 33961728 ----a-w- c:\program files\avira_antivir_personal_en.exe
2009-08-15 05:28 . 2009-08-15 05:29 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-15 04:46 . 2009-08-15 04:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-15 04:38 . 2009-08-15 04:38 16409960 ----a-w- c:\program files\spybotsd162.exe
2009-08-14 22:23 . 2009-08-14 22:23 1093088 ----a-w- c:\program files\HWMonitorPro_106_setup.exe
2009-08-11 17:17 . 2009-08-10 16:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 16:32 . 2009-08-10 16:32 -------- d-----w- c:\documents and settings\Danny\Application Data\Malwarebytes
2009-08-10 16:32 . 2009-08-10 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-03 18:36 . 2009-08-10 16:32 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2009-08-10 16:31 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-28 21:33 . 2009-08-15 05:43 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-04-29 03:20 . 2009-04-29 03:20 430721 ----a-w- c:\program files\HWMonitor_113.zip
2008-06-09 21:56 . 2008-06-09 21:56 10117164 ----a-w- c:\program files\CCAAgent_Setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-31 8429568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wxvault.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:C *

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Access Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Clean Access Agent.lnk
backup=c:\windows\pss\Clean Access Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Danny^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Danny\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\acsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1194846858\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 2:21 PM 79432]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [8/4/2004 5:00 AM 94720]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/4/2004 5:00 AM 5120]
S0 fih3c05;fih3c05;\SystemRoot\\SystemRoot\System32\drivers\fih3c05.sys --> \SystemRoot\\SystemRoot\System32\drivers\fih3c05.sys [?]
S1 10e4ca3c.sys;10e4ca3c.sys;\??\c:\windows\System32\drivers\10e4ca3c.sys --> c:\windows\System32\drivers\10e4ca3c.sys [?]
S2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 5:00 AM 14336]
S2 gupdate1c9bd789a4f2c98;Google Update Service (gupdate1c9bd789a4f2c98);c:\program files\Google\Update\GoogleUpdate.exe [4/14/2009 10:16 PM 133104]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [8/14/2009 5:23 PM 12672]
S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 12:32 PM 97536]
S3 isasdk;isasdk;c:\windows\system32\isasdk.sys [8/4/2004 5:00 AM 2304]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/10/2009 11:32 AM 38160]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [3/8/2008 2:37 PM 58240]
S4 Spsdisunc;Spsdisunc;c:\windows\system32\drivers\ipfltdrv.sys [8/4/2004 5:00 AM 32896]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder

2009-08-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-10-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-15 03:16]

2009-09-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-15 03:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\biolsp.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\Danny\Application Data\Mozilla\Firefox\Profiles\1vogykom.default\
FF - prefs.js: browser.search.selectedEngine - AOL Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://aolsearch.aol.com/aol/search?invocationType=client_searchbox&query=
FF - plugin: c:\documents and settings\Danny\Application Data\Mozilla\Firefox\Profiles\1vogykom.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

AddRemove-ESET Online Scanner - c:\program files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe



************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 15:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(952)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(4020)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\stacsv.exe
c:\windows\system32\wdfmgr.exe
c:\windows\wanmpsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\opeia.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\lsm32.sys
.
************************************************************************
.
Completion time: 2009-10-04 15:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-04 20:17

Pre-Run: 82,325,872,640 bytes free
Post-Run: 82,293,710,848 bytes free

Current=3 Default=3 Failed=0 LastKnownGood=6 Sets=1,2,3,4,5,6
293 --- E O F --- 2009-08-14 01:38


So, where do I go from here? I will happily Paypal someone some cash if they can help me fix this damn thing.

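A small triage script for a ComboFix log like the one above, added here as an example; it is not ComboFix's code and not from this thread. It assumes the section layout ComboFix uses (headers wrapped in parentheses, services it removed listed as `-------\Service_...` lines, registry loading points as `[key]` blocks, and services as `R2/S2 name;display;image [date size]` lines) and runs over a constructed excerpt of the log above. It pulls out what a responder would want explained first: the services ComboFix removed, the batch of `At<N>.job` scheduled tasks (the file naming at.exe uses), a non-empty AppInit_DLLs value, LSA authentication packages other than the default msv1_0, and services whose image is a generic host process (svchost.exe, dllhost.exe), where the service name alone says nothing about what actually runs. Flagged does not mean malicious: whether wxvault.dll and wvauth belong to vendor software on this Dell is for the responder to verify, not something this thread establishes.

```python
import re
from typing import Dict, List

# Constructed excerpt: lines copied from the ComboFix log posted above,
# arranged in the same section layout ComboFix uses.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\SKYNETeudjnlou.sys
c:\windows\system32\SKYNETbqjesdpx.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\program files\SafetyCenter\protector.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_SKYNETgkvyxujy
-------\Legacy_ANTIPPRO2009_100
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wxvault.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/4/2004 5:00 AM 5120]
S2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 5:00 AM 14336]
S3 isasdk;isasdk;c:\windows\system32\isasdk.sys [8/4/2004 5:00 AM 2304]
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")               # "(((( Name ))))"
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.+?)\s+\[")  # "R2 name;display;image [..."
REMOVED_RE = re.compile(r"^-+\\(Service|Legacy)_(.+)$")       # "-------\Service_name"
AT_JOB_RE = re.compile(r"\\Tasks\\At\d+\.job$", re.IGNORECASE)
HOSTED_IMAGES = ("svchost.exe", "dllhost.exe")  # generic hosts: the name tells you nothing about the payload


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split a ComboFix log into {section name: non-empty lines in that section}."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix pads sections with lone dots
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def triage(text: str) -> Dict[str, List[str]]:
    """Return the entries a responder should explain first, grouped by why they stand out."""
    sections = parse_sections(text)
    findings: Dict[str, List[str]] = {
        "removed_services": [],  # ComboFix already tore these out
        "at_jobs": [],           # At<N>.job is what at.exe creates; a batch of them needs an owner
        "appinit_dlls": [],      # a non-empty value is loaded into every process that maps user32
        "lsa_packages": [],      # anything beyond msv1_0 sees logon credentials
        "hosted_services": [],   # image is a generic host process, so look at what it loads
    }
    for line in sections.get("Other Deletions", []):
        if AT_JOB_RE.search(line):
            findings["at_jobs"].append(line)
    for line in sections.get("Drivers/Services", []):
        m = REMOVED_RE.match(line)
        if m:
            findings["removed_services"].append(m.group(2))
    for line in sections.get("Reg Loading Points", []):
        if line.startswith('"AppInit_DLLs"='):
            value = line.split("=", 1)[1].strip()
            if value:
                findings["appinit_dlls"].append(value)
        elif line.startswith("Authentication Packages"):
            packages = line.split("REG_MULTI_SZ", 1)[1].split()
            findings["lsa_packages"].extend(p for p in packages if p.lower() != "msv1_0")
        else:
            m = SERVICE_RE.match(line)
            if m:
                image = m.group(3).lower()
                if any(host in image for host in HOSTED_IMAGES):
                    findings["hosted_services"].append(f"{m.group(1)} -> {m.group(3)}")
    return findings


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(f"{kind}: {items}")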
 
post #2 of 10 (permalink) Old 10-25-2009, 01:49 PM Thread Starter
Join Date: Dec 2002
Location: Laughlin AFB
Posts: 5,638
Latest Malwarebytes log:

Malwarebytes' Anti-Malware 1.41
Database version: 2907
Windows 5.1.2600 Service Pack 3

10/25/2009 1:01:25 PM
mbam-log-2009-10-25 (13-01-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 226403
Time elapsed: 35 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000400.sys (Worm.Agent) -> Quarantined and deleted successfully.

post #3 of 10 (permalink) Old 10-25-2009, 05:25 PM
 
Join Date: Jul 2002
Location: de_aztec
Posts: 4,814
Did you use the BitDefender bootable virus CD?

 
post #4 of 10 (permalink) Old 10-25-2009, 07:22 PM Thread Starter
Join Date: Dec 2002
Location: Laughlin AFB
Posts: 5,638
Quote:
Originally Posted by Hunt4m3x
Did you use the BitDefender bootable virus CD?
Yep, that was one of the first things I tried. It couldn't find ANY infected files, where Malwarebytes found 20-30.

post #5 of 10 (permalink) Old 10-25-2009, 07:47 PM
Join Date: Nov 2005
Location: On the straight and narrow,stumbling at best, only by Gods grace.
Posts: 7,224
DL HijackThis, run a scan and save the log file. Go here, register and start a thread w/ your HJT log, ComboFix log and MBAM log as well.

Also, do you have the first MBAM log? If so, post it, I'd like to see what it found.





post #6 of 10 (permalink) Old 10-25-2009, 08:23 PM Thread Starter
Join Date: Dec 2002
Location: Laughlin AFB
Posts: 5,638
Quote:
Originally Posted by Tx Redneck
DL HijackThis, run a scan and save the log file. Go here, register and start a thread w/ your HJT log, ComboFix log and MBAM log as well.

Also, do you have the first MBAM log? If so, post it, I'd like to see what it found.
Here's one of my first MBAM logs:

Malwarebytes' Anti-Malware 1.40
Database version: 2591
Windows 5.1.2600 Service Pack 3

8/10/2009 10:53:40 PM
mbam-log-2009-08-10 (22-53-40).txt

Scan type: Quick Scan
Objects scanned: 122657
Time elapsed: 10 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 10
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Not selected for removal.
HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Not selected for removal.
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Not selected for removal.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Not selected for removal.
HKEY_CLASSES_ROOT\AppID\{a0e1054b-01ee-4d57-a059-4d99f339709f} (Trojan.BHO) -> Not selected for removal.
HKEY_CLASSES_ROOT\CLSID\{2c34a7ea-0e51-43d8-9956-4a73a630a965} (Trojan.Downloader) -> Not selected for removal.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Not selected for removal.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Not selected for removal.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Shared\lib.dll (Trojan.BHO) -> Not selected for removal.
C:\WINDOWS\system32\winupdate.exe (Rogue.AdvancedVirusRemover) -> Not selected for removal.
C:\WINDOWS\Temp\rdlB04.tmp.exe (Rogue.AdvancedVirusRemover) -> Not selected for removal.
C:\Program Files\Common\helper.dll (Trojan.BHO) -> Not selected for removal.
C:\Program Files\Common\helper.sig (Trojan.Agent) -> Not selected for removal.
C:\RECYCLER\ADAPT_Installer.exe (Heuristics.Malware) -> Not selected for removal.
C:\WINDOWS\system32\AVR09.exe (Adware.AdvancedVirusRemover) -> Not selected for removal.
C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> Not selected for removal.
C:\WINDOWS\system32\dsound3dd.dll (Trojan.Downloader) -> Not selected for removal.
C:\WINDOWS\system32\logon.exe (Backdoor.Bot) -> Not selected for removal.
C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert) -> Not selected for removal.

post #7 of 10 (permalink) Old 10-25-2009, 08:47 PM
Join Date: Mar 2000
Location: Around the World
Posts: 9,856
You're infected with Advanced Virus Remover 2009 (the new version) on there; it's a bitch.

Try this method:

reboot in safe mode (if possible)
delete all of the files listed above under "Files Infected:"

Remove any Registry entries that are associated, i.e:
HKCU\Software\AVR or AntiVirus, or any of those
HKLM\Software\Microsoft\Windows\CurrentVersion\Run - remove any virus remover, antivirus, etc that doesn't look normal

Once that's done, reboot, and run malware bytes, etc again.

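The MBAM log in post #6 and the clean-up steps in post #7 fit together: almost every entry in that log ends in "Not selected for removal", so the scan found the infection but left it in place, which is why it keeps coming back. As an added example (not Malwarebytes' code and not from this thread), here is a parser for that log format that turns the un-removed detections into the checklist post #7 describes: files to delete, registry keys to delete, and registry values to put back to the Good: value MBAM reports. It assumes MBAM's `target (Family) -> action` line format and the `Bad: (...) Good: (...)` form for data items, and runs over a constructed excerpt of the first log. The excerpt also shows the persistence worth understanding before deleting anything: the Winlogon Shell value is `Explorer.exe logon.exe`, so `C:\WINDOWS\system32\logon.exe` (flagged Backdoor.Bot) is started at every logon until that value is reset to `Explorer.exe`.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed excerpt: entries copied from the first MBAM log posted in this thread.
SAMPLE_MBAM = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Not selected for removal.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Not selected for removal.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\logon.exe (Backdoor.Bot) -> Not selected for removal.
C:\WINDOWS\system32\AVR09.exe (Adware.AdvancedVirusRemover) -> Not selected for removal.
"""


class Detection(NamedTuple):
    section: str   # which "... Infected:" block the entry came from
    target: str    # file path, registry key, or registry value name
    family: str    # MBAM's classification, from the parentheses
    bad: str       # data items only: the value MBAM found
    good: str      # data items only: the value MBAM would restore
    action: str    # what MBAM actually did with it


# "<target> (<Family>) -> <rest>"; target is non-greedy so "(x86)" inside a path is not taken as the family
ENTRY_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
# data items carry "Bad: (...) Good: (...) -> <action>" in the rest part
DATA_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$")
NOT_REMOVED = "Not selected for removal"


def parse_mbam(text: str) -> List[Detection]:
    """Parse the per-section detection lines of an MBAM log."""
    out: List[Detection] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):      # section header ("Files Infected:"), not the summary count line
            section = line[:-1]
            continue
        if line.startswith("("):            # "(No malicious items detected)"
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        bad = good = ""
        action = m.group("rest")
        d = DATA_RE.match(action)
        if d:
            bad, good, action = d.group("bad"), d.group("good"), d.group("action")
        out.append(Detection(section, m.group("target"), m.group("family"), bad, good, action.rstrip(".")))
    return out


def left_behind(dets: List[Detection]) -> List[Detection]:
    """Detections the scan reported but did not remove."""
    return [d for d in dets if d.action == NOT_REMOVED]


def cleanup_plan(dets: List[Detection]) -> Dict[str, List[str]]:
    """Group the un-removed detections into the checklist post #7 describes."""
    plan: Dict[str, List[str]] = {"delete_files": [], "delete_keys": [], "restore_values": []}
    for d in left_behind(dets):
        if d.section == "Files Infected":
            plan["delete_files"].append(d.target)
        elif d.section == "Registry Keys Infected":
            plan["delete_keys"].append(d.target)
        elif d.section == "Registry Data Items Infected":
            plan["restore_values"].append(f"{d.target}: {d.bad!r} -> {d.good!r}")
    return plan


if __name__ == "__main__":
    dets = parse_mbam(SAMPLE_MBAM)
    print(f"{len(left_behind(dets))} of {len(dets)} detections were left in place")
    for step, items in cleanup_plan(dets).items():
        print(step)
        for item in items:
            print("  ", item)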
post #8 of 10 (permalink) Old 10-25-2009, 09:31 PM
Join Date: Sep 2002
Posts: 14,611
back up then format
post #9 of 10 (permalink) Old 10-25-2009, 10:15 PM
Join Date: Nov 2005
Location: On the straight and narrow,stumbling at best, only by Gods grace.
Posts: 7,224
Quote:
Originally Posted by momo stallion
back up then format
QUITTER!

IMHO, your best chance @ a clean machine is HJT over at www.forums.pcpitstop.com. Their HJT advisors are awesome. There are very few infections I've seen them say a format is the only way for, and you don't have one of those.





post #10 of 10 (permalink) Old 10-25-2009, 11:59 PM
Join Date: Jul 2002
Location: de_aztec
Posts: 4,814
Did you download updates when you ran the BitDefender?
