BleepingComputer.com: infected with TDSS


infected with TDSS: Got rid of the System Fix virus, but TDSSKiller didn't run

#61 fremen59 (Member)

Posted 27 December 2011 - 01:42 PM

F12 gives me
*SATA0-SAMSUNG HD083GJ
*Onboard or USB CD-ROM Drive
*System Setup
*Diagnostics
*Intel® Management Engine BIOS Extension (MEBx)

F6 gives me
Microsoft Windows Recovery Console (which I could not get to start)
do not select this [debugger enabled]
Microsoft Windows XP Professional
For troubleshooting and advanced startup options for windows, press F8

F8 gives me
Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Enable Boot Logging
Enable VGA Mode
Last known good configuration (your most recent settings that worked)
Directory Services Restore Mode (Windows domain controllers only)
Debugging Mode
Disable automatic restart on system failure
Start windows normally
Reboot
Return to OS choices Menu (puts me back at the F12 stuff above)

F2 puts me into something called Setup with the following list
Settings
General
System Board
Date/Time
Boot Sequence
Drives
System Configuration
Video
Performance
Virtualization Support
Security
Power Management
Maintenance
ImageServer
Post Behavior
System Logs

#62 fireman4it (Malware Response Team)

Posted 27 December 2011 - 04:51 PM

We are just about out of options here.

Let's try installing a Recovery Console with ComboFix, then see if you can boot into it.

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System. It would be Windows Professional SP2, since there is no SP3.

Download the file & save it as it's originally named.

---------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt and new HijackThis log in your next reply.
"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!

#63 fremen59 (Member)

Posted 28 December 2011 - 10:57 AM

Loaded Windows XP SP3 onto ComboFix; ComboFix started, then told me it needed to update. Clicked OK; ComboFix started again, got the screen for the end user agreement, clicked OK. Never got a screen about the Recovery Console being successfully installed. ComboFix ran and created a log. The log was too big to paste in or to attach, so I deleted most of the "snapshot"; the rest is copied below.

Did not see a HijackThis log on the desktop, or a C:\ComboFix file.

Now that ComboFix has updated, should I start over by moving XP SP3 into ComboFix again?

ComboFix 11-12-28.03 - AndrewMarani 12/28/2011 9:42.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1996.1230 [GMT -5:00]
Running from: c:\documents and settings\andrewmarani.ARMDOM\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\andrewmarani.ARMDOM\My Documents\Downloads\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU(1).exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\i8042prt.sys was missing
Restored copy from - c:\windows\system32\dllcache\i8042prt.sys
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))
.
.
2011-12-28 15:13 . 2008-04-14 05:48 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2011-12-28 15:13 . 2008-04-14 05:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-12-28 12:53 . 2011-12-28 12:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2011-12-28 12:53 . 2011-12-28 12:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\AltiGen
2011-12-28 12:53 . 2011-12-28 12:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2011-12-28 12:53 . 2011-12-28 12:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2011-12-28 12:53 . 2011-12-28 12:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2011-12-28 12:52 . 2011-12-28 12:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2011-12-27 13:56 . 2011-12-27 14:00 -------- d-----w- C:\FRST
2011-12-19 12:54 . 2008-04-14 10:42 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-12-19 12:52 . 2008-04-14 12:00 73728 -c--a-w- c:\windows\system32\dllcache\w3ext.dll
2011-12-19 12:51 . 2001-08-17 17:51 166784 -c--a-w- c:\windows\system32\dllcache\tridxpm.sys
2011-12-19 12:50 . 2008-04-14 05:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
2011-12-19 12:49 . 2001-08-17 17:12 94698 -c--a-w- c:\windows\system32\dllcache\sk98xwin.sys
2011-12-19 12:48 . 2001-08-18 03:36 62496 -c--a-w- c:\windows\system32\dllcache\s3mtrio.dll
2011-12-19 12:47 . 2001-08-18 03:36 121344 -c--a-w- c:\windows\system32\dllcache\phvfwext.dll
2011-12-19 12:46 . 2001-08-18 03:36 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2011-12-19 12:45 . 2001-08-17 19:02 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2011-12-19 12:44 . 2001-08-18 03:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2011-12-19 12:43 . 2008-04-14 12:00 8192 -c--a-w- c:\windows\system32\dllcache\httpmb51.dll
2011-12-19 12:42 . 2001-08-18 03:36 92160 -c--a-w- c:\windows\system32\dllcache\fuusd.dll
2011-12-19 12:41 . 2001-08-17 17:12 50719 -c--a-w- c:\windows\system32\dllcache\e1000nt5.sys
2011-12-19 12:40 . 2001-08-17 17:13 49182 -c--a-w- c:\windows\system32\dllcache\cem56n5.sys
2011-12-19 12:39 . 2008-04-14 05:16 48128 -c--a-w- c:\windows\system32\dllcache\61883.sys
2011-12-12 23:55 . 2011-12-14 00:08 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2011-12-12 23:54 . 2011-07-12 15:59 97096 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2011-12-12 23:54 . 2011-12-12 23:54 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-12-12 23:54 . 2011-12-12 23:54 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-12-12 22:55 . 2011-12-12 23:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-12-12 22:55 . 2011-12-12 22:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-12-12 22:47 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-12 22:44 . 2011-12-12 22:44 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-12-12 22:31 . 2011-12-12 22:31 -------- d-sh--w- c:\documents and settings\andrewmarani.ARMDOM\PrivacIE
2011-12-12 22:28 . 2011-12-12 22:28 -------- d-sh--w- c:\documents and settings\andrewmarani.ARMDOM\IETldCache
2011-12-12 22:28 . 2011-12-12 22:28 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-12-12 22:20 . 2011-12-12 22:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-12-12 22:20 . 2011-12-12 22:20 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-12-12 22:17 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-12-12 22:17 . 2011-11-04 19:20 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-12-12 22:17 . 2011-11-04 19:20 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-12-12 22:17 . 2011-11-04 19:20 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-12-12 22:17 . 2011-11-04 19:20 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-12-12 22:17 . 2011-11-04 19:20 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-12-12 22:17 . 2011-11-04 19:20 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-12-12 22:17 . 2011-11-04 19:20 11081728 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-12-12 22:16 . 2011-12-12 22:17 -------- dc-h--w- c:\windows\ie8
2011-12-12 22:13 . 2011-12-15 08:01 -------- d--h--w- c:\windows\$hf_mig$
2011-12-08 13:56 . 2011-12-08 13:56 -------- d-----w- c:\documents and settings\andrewmarani.ARMDOM\Application Data\Roxio
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:29 . 2008-04-25 16:16 1868544 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2008-04-25 16:16 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2008-04-25 16:16 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2008-04-25 16:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2008-04-25 16:16 385024 ------w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2008-04-25 16:16 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2008-04-25 16:16 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-18 11:13 . 2008-04-25 16:16 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2008-04-25 21:27 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-11-05 06:53 . 2011-11-09 12:44 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-12-02_14.30.11 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-12-02 04:08 . 2006-12-02 04:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2011-07-12 15:59 . 2011-07-12 15:59 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2011-07-12 15:59 . 2011-07-12 15:59 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
- 2006-12-02 04:08 . 2006-12-02 04:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
- 2006-12-02 04:08 . 2006-12-02 04:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2011-07-12 15:59 . 2011-07-12 15:59 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
- 2006-12-02 04:08 . 2006-12-02 04:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2011-07-12 15:59 . 2011-07-12 15:59 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
- 2006-12-02 04:08 . 2006-12-02 04:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2011-07-12 15:59 . 2011-07-12 15:59 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
- 2006-12-02 04:08 . 2006-12-02 04:08 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2011-07-12 15:59 . 2011-07-12 15:59 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
- 2006-12-02 04:08 . 2006-12-02 04:08 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2011-07-12 15:59 . 2011-07-12 15:59 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2011-07-12 15:59 . 2011-07-12 15:59 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
- 2006-12-02 04:08 . 2006-12-02 04:08 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2011-07-12 15:59 . 2011-07-12 15:59 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
- 2006-12-02 04:08 . 2006-12-02 04:08 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2011-12-28 15:17 . 2011-12-28 15:17 16384 c:\windows\Temp\Perflib_Perfdata_3d8.dat
- 2008-04-25 16:16 . 2011-07-08 13:49 46080 c:\windows\system32\tzchange.exe
+ 2008-04-25 16:16 . 2011-11-08 13:46 46080 c:\windows\system32\tzchange.exe
+ 2011-12-19 12:39 . 2001-08-17 19:55 38400 c:\windows\system32\dllcache\8514a.dll
+ 2011-12-19 12:39 . 2008-04-14 05:10 12288 c:\windows\system32\dllcache\4mmdat.sys
+ 2011-12-19 12:39 . 2001-08-17 19:06 11264 c:\windows\system32\dllcache\1394vdbg.sys
+ 2008-04-25 16:16 . 2009-03-08 09:33 18944 c:\windows\system32\corpol.dll
+ 2009-04-09 18:09 . 2011-12-27 13:52 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-04-09 18:09 . 2009-04-18 20:14 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-04-09 18:09 . 2009-04-18 20:14 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-09 18:09 . 2011-12-27 13:52 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-12-12 23:58 . 2011-12-27 13:52 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-07-12 15:59 . 2011-07-12 15:59 89600 c:\windows\system32\atl71.dll
+ 2008-04-25 16:16 . 2009-03-08 09:32 72704 c:\windows\system32\admparse.dll
+ 2011-12-12 23:55 . 2011-12-12 23:55 21446 c:\windows\Installer\{3C1AE512-3C37-44FA-BA42-ABB721EC5B1D}\ARPPRODUCTICON.exe
+ 2011-12-12 22:17 . 2009-03-08 09:33 12288 c:\windows\ie8updates\KB982381-IE8\xpshims.dll
+ 2011-12-12 22:17 . 2009-03-08 09:31 55296 c:\windows\ie8updates\KB982381-IE8\msfeedsbs.dll
+ 2011-12-12 22:17 . 2009-03-08 09:33 25600 c:\windows\ie8updates\KB982381-IE8\jsproxy.dll
+ 2011-12-15 08:01 . 2011-08-22 23:48 12800 c:\windows\ie8updates\KB2618444-IE8\xpshims.dll
+ 2011-12-15 08:01 . 2011-08-22 23:48 66560 c:\windows\ie8updates\KB2618444-IE8\mshtmled.dll
+ 2011-12-15 08:01 . 2011-08-22 23:48 55296 c:\windows\ie8updates\KB2618444-IE8\msfeedsbs.dll
+ 2011-12-15 08:01 . 2011-08-22 23:48 43520 c:\windows\ie8updates\KB2618444-IE8\licmgr10.dll
+ 2011-12-15 08:01 . 2011-08-22 23:48 25600 c:\windows\ie8updates\KB2618444-IE8\jsproxy.dll
+ 2011-12-12 22:17 . 2010-05-06 10:41 12800 c:\windows\ie8updates\KB2586448-IE8\xpshims.dll
+ 2011-12-12 22:17 . 2009-03-08 09:31 66560 c:\windows\ie8updates\KB2586448-IE8\mshtmled.dll
+ 2011-12-12 22:17 . 2010-05-06 10:41 55296 c:\windows\ie8updates\KB2586448-IE8\msfeedsbs.dll
+ 2011-12-12 22:17 . 2009-03-08 09:34 43008 c:\windows\ie8updates\KB2586448-IE8\licmgr10.dll
+ 2011-12-12 22:17 . 2010-05-06 10:41 25600 c:\windows\ie8updates\KB2586448-IE8\jsproxy.dll
+ 2011-12-12 22:16 . 2011-09-05 13:56 37888 c:\windows\ie8\url.dll
+ 2011-12-12 22:16 . 2009-03-08 19:23 58464 c:\windows\ie8\spuninst\iecustom.dll
+ 2011-12-12 22:16 . 2008-04-14 12:00 39424 c:\windows\ie8\pngfilt.dll
+ 2011-12-12 22:16 . 2008-04-14 12:00 96256 c:\windows\ie8\occache.dll
+ 2011-12-12 22:16 . 2008-04-14 12:00 56832 c:\windows\ie8\mshtmler.dll
+ 2011-12-12 22:16 . 2008-04-14 12:00 29184 c:\windows\ie8\mshta.exe
+ 2011-12-12 22:16 . 2008-04-14 12:00 22016 c:\windows\ie8\licmgr10.dll
+ 2009-03-08 09:39 . 2011-11-04 19:20 11081728 c:\windows\system32\ieframe.dll
+ 2008-04-25 16:16 . 2005-02-14 07:00 13107200 c:\windows\system32\dllcache\oembios.bin
+ 2011-12-19 12:44 . 2008-04-14 12:00 10129408 c:\windows\system32\dllcache\hwxkor.dll
+ 2011-12-19 12:44 . 2008-04-14 12:00 13463552 c:\windows\system32\dllcache\hwxjpn.dll
+ 2011-12-19 12:43 . 2008-04-14 12:00 10096640 c:\windows\system32\dllcache\hwxcht.dll
+ 2011-12-12 23:54 . 2011-12-12 23:54 15684608 c:\windows\Installer\2b8418.msi
+ 2011-12-12 22:17 . 2009-03-08 09:39 11063808 c:\windows\ie8updates\KB982381-IE8\ieframe.dll
+ 2011-12-15 08:01 . 2011-08-23 22:48 11081728 c:\windows\ie8updates\KB2618444-IE8\ieframe.dll
+ 2011-12-12 22:17 . 2010-05-06 10:41 11076096 c:\windows\ie8updates\KB2586448-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-09-01 1044480]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-11 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-11 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-11 141336]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"FMStart"="c:\program files\GFI\FAXmaker Client\fmstart.exe" [2000-05-10 56832]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-03 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-10-03 640376]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-07-12 115560]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2010-12-28 221247]
MaxCommunicator.lnk - c:\program files\Altigen\MaxCommunicator\MaxCommunicator.exe [2009-10-23 2306048]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"stllssvr"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Altigen\\JLIB15\\jre\\bin\\java.exe"=
"c:\\Program Files\\Altigen\\JLIB15\\jre\\bin\\javaw.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [3/27/2009 12:22 AM 24064]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 5:56 AM 133968]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/12/2011 5:47 PM 366152]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [3/27/2009 12:22 AM 144480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/19/2011 3:00 PM 106104]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/12/2011 5:47 PM 22216]
S2 gupdate1c9d00df1b131e6;Google Update Service (gupdate1c9d00df1b131e6);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 1:51 PM 133104]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/12/2011 10:59 AM 23888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 1:51 PM 133104]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
UnknownUnknown dsload;dsload; [x]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - dsgrab_01cb87ffb11b77ee
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-08 05:04]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 18:51]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 18:51]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.audiokarma.org/forums/login.php?a=pwd&u=80121&i=56535ea2a813af004c63730b6e67ead86293173e
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.42.3
DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - hxxps://strtc.oracle.com/imtapp/res/jar/cnsload.cab
FF - ProfilePath - c:\documents and settings\andrewmarani.ARMDOM\Application Data\Mozilla\Firefox\Profiles\ilcp2wb0.default\
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-JoinMe - c:\documents and settings\andrewmarani.ARMDOM\Local Settings\Application Data\join.me\join.me.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-28 10:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1408)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\jscript.dll
c:\windows\system32\ImgUtil.dll
c:\windows\system32\pngfilt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
.
**************************************************************************
.
Completion time: 2011-12-28 10:35:21 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-28 15:34
ComboFix2.txt 2011-12-02 14:44
ComboFix3.txt 2011-11-25 14:12
.
Pre-Run: 47,535,104,000 bytes free
Post-Run: 48,271,351,808 bytes free
.
- - End Of File - - 2CB60892B19F802DDFCBF99924F6EEA9
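A few entries in the ComboFix output above are the kind an analyst would pull out before reading the rest: the Windows Firewall policy shows `"EnableFirewall"= 0`, port 3389/TCP is in the GloballyOpenPorts list, the `dsload` service has no file behind it (ComboFix marks that with `[x]`), and the `vsdatant` service's ImagePath is the single letter "a". The script below is an added example written for this page, not code from the thread or from ComboFix; it parses those three line shapes (service/driver lines, bracketed registry sections, and the `"key"= value` lines beneath them) and returns review prompts. The sample lines are excerpted from the log above, and the checklist of what to flag is the editor's choice for the demo, not a verdict that any entry is malicious.

```python
"""Triage a handful of ComboFix log lines for entries that deserve a second look.

Added example, not part of the BleepingComputer thread and not ComboFix's own code.
It understands three line shapes from the log posted above: service/driver lines
("R0 name;display;path [date size]", with "[x]" where the binary is missing),
registry sections in square brackets, and "key"= value lines beneath them. What it
flags (disabled firewall, globally open ports, services with no image on disk, an
ImagePath that is not a .sys/.exe) is a checklist chosen for the demo, not a verdict.
"""
import re

# ComboFix service lines: start type, then name;display;path [metadata]
SERVICE_RE = re.compile(
    r"^(?P<start>R\d|S\d|Unknown\w*)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>[^\[]*)\[(?P<meta>[^\]]*)\]"
)
IMAGE_RE = re.compile(r"\.(sys|exe)\b", re.I)

# Lines excerpted from the log posted above (trimmed to what this demo needs).
SAMPLE_LINES = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [3/27/2009 12:22 AM 24064]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/12/2011 5:47 PM 366152]
UnknownUnknown dsload;dsload; [x]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
""".strip("\n").splitlines()


def triage(lines):
    """Return (kind, subject, raw_line) tuples, in log order."""
    findings = []
    section = None
    for raw in lines:
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line                 # registry key the following values belong to
            continue
        m = SERVICE_RE.match(line)
        if m:
            # "[x]" and an empty path both mean ComboFix found no file behind the service.
            if m["meta"].strip() == "x" or not m["path"].strip():
                findings.append(("service-no-binary", m["name"].strip(), line))
            continue
        if line.startswith('"EnableFirewall"') and re.search(r"=\s*0\b", line):
            findings.append(("firewall-disabled", section, line))
        elif section and "GloballyOpenPorts" in section and line.startswith('"'):
            findings.append(("open-port", line.split('"')[1], line))
        elif line.startswith('"ImagePath"'):
            value = line.split("=", 1)[1].strip().strip('"')
            if not IMAGE_RE.search(value):
                findings.append(("bad-imagepath", section, line))
    return findings


if __name__ == "__main__":
    for kind, subject, line in triage(SAMPLE_LINES):
        print(f"{kind:18} {subject}\n    {line}")
```

Feed it the whole ComboFix.txt (`triage(open("ComboFix.txt", encoding="cp1252").read().splitlines())`) and read the flagged lines alongside the rest of the log; a disabled firewall or an open RDP port may be an administrator's choice, so each hit needs the owner's confirmation before it is treated as a finding.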

#64 fireman4it (Malware Response Team)

Posted 28 December 2011 - 05:09 PM

See if you can get into the Recovery Console now.

#65 fremen59 (Member)

Posted 29 December 2011 - 01:21 PM

Still could not run the Console. Spent some time looking up info online and found out how to delete the console. Deleted it, then dumped XP SP3 into ComboFix. This time I got the note about successfully installing the console. Restarted the computer and selected Windows Recovery Console, but the console still hung up when it was starting.

Is something blocking the console? It would have to be something really early in the boot sequence. I could fix the MBR using MBRWork again, but doesn't that get re-corrupted each time I boot up?

I have tried to start the console from the XP CD-ROM but never seem to be able to get the choice to go to the recovery console when booting from the CD. Pressing R (per the Microsoft support site) when setup begins does not seem to work, but their directions get vague at that point so I'm not sure what I'm looking for.

#66 fremen59 (Member)

Posted 29 December 2011 - 01:35 PM

If I let the CD run without pressing any buttons it goes to a "Windows Setup" blue screen, loads stuff, then stops with the message "The file isapnp.sys is corrupted. Press any key to continue". Pressing any key restarts the computer. So I may not get far enough into the setup process to get to the recovery console.

#67 fireman4it (Malware Response Team)

Posted 29 December 2011 - 07:23 PM

Hello,

Well, we have a problem. The fact is the MBR doesn't get reinfected. This type of infection makes another partition on your hard drive and boots off of it. So without being able to use the Recovery Console and/or xPUD and/or Puppy Linux, we cannot change which partition to boot from and then erase that partition. All this has to be done outside of the Windows operating system. The only option left is to reformat and reinstall the system.

Quote:
"The file isapnp.sys is corrupted. Press any key to continue". Pressing any key restarts the computer. So I may not get far enough into the setup process to get to the recovery console.

This may be it finding a bad file and fixing it before it boots into the Recovery Console or gives you other options. I'm not sure on this. It may do a complete reinstall.

Here is a link to a discussion of the infection we are dealing with; it is the newest and most dangerous.
http://blog.eset.com/2011/10/18/tdl4-rebooted

Are you getting to this screen?

This post has been edited by fireman4it: 29 December 2011 - 07:44 PM

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!
Just click Posted Image
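On the point above that this infection "makes another partition on your hard drive and boots off of it": as an added example that is not from this thread or from any tool named in it, here is a Python parser for the four primary entries of an MBR partition table that flags an active (bootable) partition which does not look like the usual Windows system partition. The sample tables are constructed, and the 64 MiB threshold and the set of "Windows" type bytes are my own assumptions.

```python
import struct
from collections import namedtuple

MBR_SIZE, TABLE_OFFSET, ENTRY_SIZE = 512, 446, 16
BOOT_SIGNATURE = b"\x55\xaa"        # bytes 510-511 of a valid MBR
WINDOWS_TYPES = {0x07, 0x0B, 0x0C}  # NTFS/exFAT, FAT32 (CHS), FAT32 (LBA); assumed set

# One 16-byte table slot: status byte (0x80 = active/bootable), type byte,
# first sector (LBA, little-endian uint32) and length in 512-byte sectors.
PartitionEntry = namedtuple("PartitionEntry", "index active type_id lba_start sectors")

def parse_mbr(mbr: bytes) -> list:
    """Parse the four primary entries at offset 446 of a 512-byte MBR."""
    if len(mbr) != MBR_SIZE or mbr[510:] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR (wrong size or missing 0x55AA signature)")
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, TABLE_OFFSET + i * ENTRY_SIZE)  # 3x skips the CHS bytes
        if ptype != 0:  # type 0 means the slot is unused
            entries.append(PartitionEntry(i, status == 0x80, ptype, lba, count))
    return entries

def suspicious_boot_partition(entries, max_mib=64) -> list:
    """Flag an active partition that is not the first, full-size Windows volume;
    a small, late, active partition is how an added boot partition shows up."""
    findings = []
    active = [e for e in entries if e.active]
    if len(active) > 1:
        findings.append("more than one partition is flagged active")
    for e in active:
        size_mib = e.sectors * 512 / 2**20
        if e.index != 0:
            findings.append(f"active partition is table slot {e.index}, not slot 0")
        if size_mib <= max_mib:
            findings.append(f"active partition is only {size_mib:.1f} MiB")
        if e.type_id not in WINDOWS_TYPES:
            findings.append(f"active partition type 0x{e.type_id:02x} is not a Windows type")
    return findings

def _entry(active, ptype, lba, count) -> bytes:
    return struct.pack("<B3xB3xII", 0x80 if active else 0, ptype, lba, count)
def build_mbr(*entries: bytes) -> bytes:
    table = b"".join(entries).ljust(4 * ENTRY_SIZE, b"\0")
    return b"\0" * TABLE_OFFSET + table + BOOT_SIGNATURE

# Constructed sample tables, not captured from the poster's machine.
CLEAN_MBR = build_mbr(_entry(True, 0x07, 63, 160_000_000))
HIDDEN_BOOT_MBR = build_mbr(_entry(False, 0x07, 63, 160_000_000),
                            _entry(True, 0x07, 160_000_063, 16_000))  # ~7.8 MiB, active
```

On a real machine you would read the first sector from a live Linux CD (for example `dd if=/dev/sda of=mbr.bin bs=512 count=1`) and pass those 512 bytes to `parse_mbr`.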

#68 User is offline   fremen59 

  • Member
  • Group: Members
  • Posts: 36
  • Joined: 22-November 11

Posted 29 December 2011 - 07:41 PM

Thanks for the attempt to fix, I learned some good stuff about how the computer works. I will reformat the hard drive. I assume this will erase the hidden partition as well? Can I pull some of the files I have stored on the desktop off to a usb without transferring the infection? If not, nothing there I can't live without.

I've been keeping the infected computer unplugged from the network, but it was hooked up before I knew the severity of the problem. Can the virus move through the network to other machines? Any easy way to tell if a computer is infected?

Out of curiosity, without starting a long conversation, what's the object of the virus? It must be making someone money somehow.

#69 User is offline   fireman4it 

  • Bleepin' Fireman
  • Group: Malware Response Team
  • Posts: 8,316
  • Joined: 24-May 08
  • Gender: Male
  • Location: Bement, ILL

Posted 29 December 2011 - 08:08 PM

Hello,

Quote

Thanks for the attempt to fix, I learned some good stuff about how the computer works. I will reformat the hard drive. I assume this will erase the hidden partition as well? Can I pull some of the files I have stored on the desktop off to a usb without transferring the infection? If not, nothing there I can't live without.


Personally, I think this is the right decision. I would reformat the hard drive along with changing the partitions.
Regarding backup...

When backing up files and data there are mainly 2 general guidelines:

1) Back up all your important data files, pictures, music, work etc... and save them onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not back up any executable files or any Windows files. These include .exe's, .scr, .com, .pif etc... as they may contain traces of malware. Also, .html or .htm files that are web pages should be avoided.

When backing up only those file types, the chance of getting your other computer infected is low. However, the best option is to back up those files to a CD with CD-burner software instead of an external hard drive, as certain infections such as the well-known autorun worms can jump onto removable drives when they are inserted. In most cases, though, backing up those files should be okay and the risk of getting the other computer infected is also low.


Quote

I've been keeping the infected computer unplugged from the network, but it was hooked up before I knew the severity of the problem. Can the virus move through the network to other machines? Any easy way to tell if a computer is infected?


If they are redirecting or having issues like the infected machine, then yes. If not, then they most likely are not infected. With this infection you would know if you're infected or not.

Quote

Out of curiosity, without starting a long conversation, what's the object of the virus? It must be making someone money somehow.


IMPORTANT NOTE: One or more of the identified infections is a backdoor Trojan. Backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is then sent back to the hacker. Read Danger: Remote Access Trojans.

You should disconnect the computer from the Internet and from any networked computers until it is cleaned. If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised and change passwords from a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.

Although the infection has been identified and may be removed, your machine has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Quote

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system
Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say in Help: I Got Hacked. Now What Do I Do?:

Quote

The only way to clean a compromised system is to flatten and rebuild. That's right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

#70 User is offline   fremen59 

  • Member
  • Group: Members
  • Posts: 36
  • Joined: 22-November 11

Posted 29 December 2011 - 08:19 PM

Seems like the redirect is a mistake by the virus makers. Without that you would almost never know there was an infection.

Again, thanks for taking the time to help. I will have the company make a donation.

#71 User is offline   fireman4it 

  • Bleepin' Fireman
  • Group: Malware Response Team
  • Posts: 8,316
  • Joined: 24-May 08
  • Gender: Male
  • Location: Bement, ILL

Posted 29 December 2011 - 09:18 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.