Author Topic: Win32:Crypt-MIZ[Trj]  (Read 28262 times)


Offline Brickstin

  • Jr. Member
  • **
  • Posts: 68
Re: Win32:Crypt-MIZ[Trj]
« Reply #15 on: May 28, 2012, 04:26:07 AM »
Hi,

Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A window will open on your desktop
  • If an unknown bootcode is found you will have further options available to you; at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. 
  • Please post the contents of that file.

Ok, do I press Yes? Because it found something unusual in the Master Boot Records on three drives.


Update:
Never mind, I misread what you said. Here is the log file.

Also the MBR on the Seagate model that's a 300GB drive.. That's the only one that is completely unknown to me. I used a program called Bootice.exe

I checked my infected C Drive and the master boot record is IBM F11

The 80 WD800JB EIDE is a Windows NT 5.x Default MBR

The G: drive is my storage drive; its MBR is fully unknown to me...

The attached log is there.

Just a note.. I had to re-upload the attachment because I uploaded a scan when I was scanning another drive I had attached with a USB device. I removed that and did another scan with the program. So if you already read the first txt file, disregard that one and use the new updated one I just re-uploaded.
« Last Edit: May 28, 2012, 04:44:06 AM by Brickstin »

jeffce

  • Guest
Re: Win32:Crypt-MIZ[Trj]
« Reply #16 on: May 28, 2012, 04:39:00 AM »
Quote
if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
:)

Offline Brickstin

  • Jr. Member
  • **
  • Posts: 68
Re: Win32:Crypt-MIZ[Trj]
« Reply #17 on: May 28, 2012, 04:44:52 AM »
Quote
if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
:)

LOL sorry Jeff I was uploading the stuff and changing my original post. I got it now thank you for the help. The correct attachment is on my previous post before yours.

jeffce

  • Guest
Re: Win32:Crypt-MIZ[Trj]
« Reply #18 on: May 28, 2012, 04:45:07 AM »
Hi,

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.  Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet.  The connection is automatically restored before CF completes its run.  If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
----------

Offline Brickstin

  • Jr. Member
  • **
  • Posts: 68
Re: Win32:Crypt-MIZ[Trj]
« Reply #19 on: May 28, 2012, 07:55:17 AM »
Ok, got the scan done.. took nearly an hour but it's done. Check attachment.

Thank you in advance.

jeffce

  • Guest
Re: Win32:Crypt-MIZ[Trj]
« Reply #20 on: May 28, 2012, 03:24:15 PM »
Hi,

Any particular reason that you have not updated Windows XP to Service Pack 3? 

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Code:
ClearJavaCache::

DDS::
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: alacritysim.com\www
Trusted Zone: neonwolfgames.com\www

Firefox::
FF - ProfilePath - c:\documents and settings\Brickstin\Application Data\Mozilla\Firefox\Profiles\vkcm1hux.default\
FF - prefs.js: network.proxy.ftp - 212.182.64.86
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 212.182.64.86
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 212.182.64.86
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -

RegLock::
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *5*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *6*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *7*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *?*]

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"=-
"3540:UDP"=-
"3389:TCP"=-
"2232:TCP"=-
"5000:UDP"=-
"1723:TCP"=-
"1701:UDP"=-
"500:UDP"=-
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.



  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------
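The Firefox:: section of the CFScript above resets proxy preferences that point the FTP, SOCKS and SSL protocols at 212.182.64.86:3128 while network.proxy.type is 0. As an added example, not part of the thread or of ComboFix, this Python script parses a Firefox prefs.js and an optional user.js, reports every configured proxy host, states whether the proxy is currently active, and lists proxy keys set in user.js, since that file is re-applied at every browser start and would undo a manual reset. The preference text is a constructed sample mirroring the lines in the script; only the host and port come from the page.

```python
import re
from typing import Dict, List

# Firefox writes preferences as lines like
#   user_pref("network.proxy.http", "212.182.64.86");
# in prefs.js. A user.js in the same profile is read at every start and
# overrides prefs.js, so a proxy planted there survives a reset made in the UI.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Proxy host keys to report; the matching port key is "<key>_port".
PROXY_HOST_KEYS = ("network.proxy.http", "network.proxy.ssl",
                   "network.proxy.ftp", "network.proxy.socks")

# network.proxy.type: 0 = direct (no proxy), 1 = manual, 2 = PAC URL,
# 4 = auto-detect, 5 = use system settings.
PROXY_TYPE_NAMES = {"0": "direct", "1": "manual", "2": "PAC",
                    "4": "auto-detect", "5": "system"}

# Constructed sample modelled on the Firefox:: section of the CFScript.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.ftp", "212.182.64.86");
user_pref("network.proxy.ftp_port", 3128);
user_pref("network.proxy.http_port", 3128);
user_pref("network.proxy.socks", "212.182.64.86");
user_pref("network.proxy.socks_port", 3128);
user_pref("network.proxy.ssl", "212.182.64.86");
user_pref("network.proxy.ssl_port", 3128);
user_pref("network.proxy.type", 0);
"""
SAMPLE_USER_JS = """\
user_pref("network.proxy.type", 0);
user_pref("network.proxy.no_proxies_on", "");
"""


def parse_prefs(text: str) -> Dict[str, str]:
    """Return {pref_name: value} for every well-formed user_pref() line."""
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:  # comments and malformed lines are skipped
            prefs[m.group(1)] = m.group(2).strip().strip('"')
    return prefs


def proxy_findings(prefs: Dict[str, str], allowed_hosts=()) -> List[str]:
    """List every proxy host not on the allow-list, plus the active/inactive state."""
    findings = []
    for key in PROXY_HOST_KEYS:
        host = prefs.get(key, "")
        if host and host not in allowed_hosts:
            findings.append(f"{key} -> {host}:{prefs.get(key + '_port', '?')}")
    if findings:
        ptype = prefs.get("network.proxy.type", "5")
        state = "ACTIVE" if ptype == "1" else "inactive (type can be flipped back)"
        findings.append(f"network.proxy.type={ptype} ({PROXY_TYPE_NAMES.get(ptype, '?')}): {state}")
    return findings


def review_profile(prefs_js: str, user_js: str = "") -> Dict[str, List[str]]:
    """Merge prefs.js with user.js (user.js wins) and report proxy settings."""
    override = parse_prefs(user_js)
    effective = {**parse_prefs(prefs_js), **override}
    report = {"findings": proxy_findings(effective),
              "user_js_overrides": sorted(k for k in override if k.startswith("network.proxy."))}
    return report


if __name__ == "__main__":
    for section, lines in review_profile(SAMPLE_PREFS_JS, SAMPLE_USER_JS).items():
        print(section)
        for item in lines:
            print("  ", item)
```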

Offline Brickstin

  • Jr. Member
  • **
  • Posts: 68
Re: Win32:Crypt-MIZ[Trj]
« Reply #21 on: May 29, 2012, 02:10:45 AM »
Hi,

Any particular reason that you have not updated Windows XP to Service Pack 3? 

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Code:
ClearJavaCache::

DDS::
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: alacritysim.com\www
Trusted Zone: neonwolfgames.com\www

Firefox::
FF - ProfilePath - c:\documents and settings\Brickstin\Application Data\Mozilla\Firefox\Profiles\vkcm1hux.default\
FF - prefs.js: network.proxy.ftp - 212.182.64.86
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 212.182.64.86
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 212.182.64.86
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -

RegLock::
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *5*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *6*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *7*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *?*]

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"=-
"3540:UDP"=-
"3389:TCP"=-
"2232:TCP"=-
"5000:UDP"=-
"1723:TCP"=-
"1701:UDP"=-
"500:UDP"=-
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.



  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

I never upgraded to SP3 because some of my programs became unstable. Not to mention the OS seemed to run a little harder... I don't know why.. so instead of going SP3 I just get all the other updates. Because SP3 is basically a newer version of explorer.exe and other system files, but the updates cover most of them.. Just missing some parts of other security features in SP3, which are made up for with my avast. I could try SP3 again.. to see how it would work again, but I can't quite entirely remember how it worked with my current configuration.

Here is the attached new log from Combofix with the custom script dragged into the executable.

jeffce

  • Guest
Re: Win32:Crypt-MIZ[Trj]
« Reply #22 on: May 29, 2012, 03:51:22 AM »
Hi,

We definitely need to update, but we will do that after we get your system more stable.  It is very important to keep your Windows operating system up to date...if not, the older software is just waiting to be infected along with the rest of your system.
-----------
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Code:
RegNull::
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{424E7FAC-A75D-EA1D-2D56-21BF79D08CF9}*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F6251AEA-5583-E39F-6B40-DFB43F427BD4}*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *5*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *6*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *7*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *?*]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.



  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

Offline Brickstin

  • Jr. Member
  • **
  • Posts: 68
Re: Win32:Crypt-MIZ[Trj]
« Reply #23 on: May 29, 2012, 06:00:00 AM »
Hi,

We definitely need to update, but we will do that after we get your system more stable.  It is very important to keep your Windows operating system up to date...if not, the older software is just waiting to be infected along with the rest of your system.
-----------
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Code:
RegNull::
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{424E7FAC-A75D-EA1D-2D56-21BF79D08CF9}*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F6251AEA-5583-E39F-6B40-DFB43F427BD4}*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *5*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *6*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *7*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *?*]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.



  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------


ok Got it  :)

jeffce

  • Guest
Re: Win32:Crypt-MIZ[Trj]
« Reply #24 on: May 29, 2012, 02:18:35 PM »
Hi,

P2P - I see you have P2P software Limewire and uTorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections and possibly Identity Theft. It likely contributed to your current situation.  This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs.
----------

Malwarebytes

I see that you have Malwarebytes already on your computer.  Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.
----------

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is NOT selected and the option Scan unwanted applications is selected.
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

In your next reply please attach the logs made by Malwarebytes and ESET online scanner.  :)

Offline Brickstin

  • Jr. Member
  • **
  • Posts: 68
Re: Win32:Crypt-MIZ[Trj]
« Reply #25 on: May 31, 2012, 12:21:53 AM »
Hi,

P2P - I see you have P2P software Limewire and uTorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections and possibly Identity Theft. It likely contributed to your current situation.  This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs.
----------

Malwarebytes

I see that you have Malwarebytes already on your computer.  Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.
----------

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is NOT selected and the option Scan unwanted applications is selected.
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

In your next reply please attach the logs made by Malwarebytes and ESET online scanner.  :)

I realize the majority of the dangers of P2P software and, despite that, I use legitimate uTorrent software. I do everything with the knowledge I have to ensure I don't get wares from such P2P software.. I have only once downloaded something with uTorrent that was a fake, and my avast detected it and aborted the connection. I'm thankful enough to such anti-viral software such as avast.

But Limewire.. was another P2P that I uninstalled a year ago.. There is no program file information on it on this drive.. I checked my remove programs and files list.. in Windows.. and I don't see an uninstall shield for Limewire... I don't understand why it's still present somehow on my PC.. perhaps the uninstaller didn't remove keys from the registry hives?.. Is there any way to get rid of the rest of Limewire? ..

One thing that really shocks me is that.. there is some legit software from Avanquest.. that is being found bad on the ESET scanner... which really has me nervous now.. I paid a lot of money for that software.. and it's bad?

Take a look at the scanner.. And also the Malwarebytes scanner picked up a PUM mod for my start menu for log off... Why would it be doing that? No matter how many times I remove it.. it comes back.. and I noticed when I select to get rid of the malware my Log off button in the start menu vanishes.. so I have to config the menu bar to bring it back.. Then when I scan again.. Malwarebytes detects the same PUM again.. Is this a false positive? Or is there something in the registry that is maliciously coded by an unknown infection that not even avast can detect? It just started happening after a Malwarebytes update just five months ago..



P.S.: I traced the origin of the infection that got onto my computer.. it was via Firefox, due to the fact that each separate profile on Windows XP... has its own cache and profile set up in Firefox for each Windows logon user.. In the Documents and Settings folder under Guest.. there was an infection detected originally in the cache and temp files that came from Firefox.. That was neutralized via Avast and Malwarebytes scans.
I also know 100% it was due to the guest account because it was the first detection that Avast found when a guest came to my computer to use it. It wasn't on my account or any other account in Windows XP.


« Last Edit: May 31, 2012, 12:31:07 AM by Brickstin »

jeffce

  • Guest
Re: Win32:Crypt-MIZ[Trj]
« Reply #26 on: May 31, 2012, 02:38:02 AM »
Hi,

Rerun Malwarebytes and remove that entry and attach the new log.  :)

Offline Brickstin

  • Jr. Member
  • **
  • Posts: 68
Re: Win32:Crypt-MIZ[Trj]
« Reply #27 on: June 01, 2012, 12:23:28 AM »
Hi,

Rerun Malwarebytes and remove that entry and attach the new log.  :)

Ok.. I have noticed.. that right after I did that ESET online scanner scan.. my PC has been getting really slow now. I don't know why..

Another thing.. During startup I see the select operating system configurations start up in the Boot.ini... Now I have a selection for Windows XP Professional and then "C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons", then another for "do not select this" /debug...

When this process fix is done.. Will the Debug selection disappear and be uninstalled from my computer?



Removed the logoff PUM and all is clear now.

jeffce

  • Guest
Re: Win32:Crypt-MIZ[Trj]
« Reply #28 on: June 01, 2012, 03:22:00 AM »
Hi,

So when is your system getting slow again?  Is it just when working with programs on your system or while on the internet?  Let me know exactly what you are experiencing.

The entries that you see on startup are normal since we added the Recovery Console.  :)

Offline Brickstin

  • Jr. Member
  • **
  • Posts: 68
Re: Win32:Crypt-MIZ[Trj]
« Reply #29 on: June 01, 2012, 04:28:33 AM »
Hi,

So when is your system getting slow again?  Is it just when working with programs on your system or while on the internet?  Let me know exactly what you are experiencing.

The entries that you see on start up are normal since we added the Recovery Console.  :)

It just got slow for about 39 mins.. It's ok now.. I think. It doesn't seem really slow anymore.. Anyways, that was the final log.. Is there anything else that needs to be done? And that Debug... there's two.. there's the Recovery Console.. and then there's a different one called "UnsupportedDebug="do not select this" /debug". It's a different selection.

What is the next step after this? Awaiting instructions.

Thanks in advance.

It was both.. Not the internet connection itself: the internet speeds are fine.. It's Firefox.. and among other programs too, even Windows explorer.exe, and when I'm working with other programs too.. It did it earlier today... in the morning.. But now it's not doing it: I haven't noticed any lag in the actual operating system now..

« Last Edit: June 01, 2012, 04:30:32 AM by Brickstin »