Infected with System Check

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

3 Pages
1
2
3
→

You cannot start a new topic
This topic is locked

Infected with System Check Causing untold problems. Disabled access to the web too.

#1 tempsc

Member

Group: Members
Posts: 22
Joined: 03-August 10

Posted 25 January 2012 - 07:36 AM

Hello.

I would be pleased to receive some assistance from the members of this forum.

I recently downloaded an update to a file I needed - I though from a legitimate source - and was quickly presented with the infamous 'System Check' window and was worried about the reports + several pop up style windows, advising that there was a terminal error with the hard disc. Thankfully, my suspicions were aroused and I didn't click through and download the suggested 'remedy'.

The problem though was already done and I researched possible solutions. I tried MBAM and it ran succesfully and identified several trojans etc, which I then dealt with via MBAM. Unfortunatly, it didn't permanently deal with them and I remain infected. Things have got worse though, as I'm now unable to run MBAM from the affected pc, nor can I run with it from a USB drive. To add more problems I have now found that although my cable connection is reported as being connected (in Network Connections), I am not able to access the web. (Network connectons also reports that the cable is unplugged - even though it isn't). So, I'm now posting this message from an alternative PC and transferring programmes and logs via the USB drive.

Some other issues I am having are;

Following your preparation advice, I downloaded all the programmes suggested but have found that

A/ I cannot backup the PC - it seems not to be able to be backed up. (Could this be due to the virus/
malware?

B/ Cannot setup Firewall - PC reports...... "WF cannot be displayed because the associated service is not running. Do you want to start the WF/ICS service? Y or No." Clicking Yes just further advises that "Windows cannot start the WF/ICS service."

C/ Have run 'Defogger' and I assume it ran succesfully.

D/ Have downloaded DDS Tool per the instructions. Unfortunately, I cannot run it. The icon that is presented on the desktop is for AutoCad which I find bizarre. On clicking the tool, Notepad opens, with a document which is just full of unfathomable text.

E/ Have downloaded and ran GMER and have attached a log. Noting that the tick boxes down the RH side of the window were not available to tick as per the screenshot on the preparation guide. [Modules, process. threads etc etc]

So. I hope that the above saga doesn't put you all off my request for help. It seems mighty complex to me but I'm hoping that it isn't for you.

Thanks for your help in advance.

Paul

PS: I hope that I have attached the log correctly. Should I have also included it in this window?

Attached File(s)

ark.txt (24.6K)
Number of downloads: 2

#2 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,549
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 27 January 2012 - 01:16 AM

Hello and Welcome to the forums!

Use 2nd or 3rd link for DDS

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

Do not run any other tool untill instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

DeFogger

desktop

DeFogger

The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger may ask you to reboot the machine, if it does - click OK

Do not

Download DDS:

DDS by sUBs

Link1

Link2

Link3

Please disable any anti-malware program that will block scripts from running before running DDS.

Double-Click on dds.scr and a command window will appear. This is normal.
Shortly after two logs will appear:
- DDS.txt
- Attach.txt
A window will open instructing you save & post the logs
Save the logs to a convenient place such as your desktop
Copy the contents of both logs & post in your next reply

information and logs:

In your next post I need the following

.logs from DDS
let me know of any problems you may have had

Gringo

I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->

<-- Don't worry every little bit helps.

#3 tempsc

Member

Group: Members
Posts: 22
Joined: 03-August 10

Posted 27 January 2012 - 03:42 AM

Hello Gringo.

Thanks for the warm welcome to the forums and also your willingness to assist me. I very much appreciate it.

I sucessfully downloaded dds using the 2nd link. (Sorry - that was dumb of me to not try that previously). I have ran it and below post the log that was produced. One further note. On completion, the pop up screen advised that two logs would be produced. One in notepad which I've attached below and a zip file. Only one log was produced in my case and the zip file log wasn't. I don't see any evidence of a zip file being produced, either on the desktop of the infected pc, nor, on the usb drive that I am using to transfer the programmes and logs backwards and forwards to this second pc I am using to communicate with you.

So, hoping that doesn't further complicate the matter and that I might hear from you soon.

DDS Txt log
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Home at 8:28:19 on 2012-01-27
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.601 [GMT 0:00]
.
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\WizMouse\WizMouse.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.co.uk/
uSearch Bar =
mWinlogon: Userinit=userinit.exe,
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100806110616.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\siteadvisor\mcieplg.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\siteadvisor\mcieplg.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - No File
uRun: [WizMouse] "c:\program files\wizmouse\WizMouse.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [xf9poa4vaz] c:\documents and settings\home\xf9poa4vaz.exe
uRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [xf9poa4vaz] c:\documents and settings\all users\xf9poa4vaz.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mExplorerRun: [Hnejfsjp] rundll32 "c:\windows\system32\winbrandu.dll",Thup
StartupFolder: c:\docume~1\home\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\home\application data\dropbox\bin\Dropbox.exe
uPolicies-explorer: DisallowRun = 0 (0x0)
mPolicies-explorer: DisallowRun = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
LSP: mswsock.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {13510606-30FA-11D2-B383-444553540000} - hxxps://tradezone.pws.co.uk/downloads/webclientV4/win32/omwebie.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{BBD8DE77-89FB-4BD5-8B5F-7724F88F3B31} : DhcpNameServer = 192.168.0.1
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\siteadvisor\McIEPlg.dll
AppInit_DLLs: OGRegFlashLoader.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 relog_ap
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 MPRIFL;MPRIFL;c:\windows\system32\drivers\mprifl.sys [2009-2-5 17264]
R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-3-1 390528]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-8-6 88480]
S0 gqxx;gqxx;c:\windows\system32\drivers\vqjlrhk.sys --> c:\windows\system32\drivers\vqjlrhk.sys [?]
S0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2006-11-17 385880]
S1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-8-6 82952]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
S1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-6-7 0]
S1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-6-7 0]
S1 SASDIFSV;SASDIFSV;c:\docume~1\home\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2011-7-22 12880]
S1 SASKUTIL;SASKUTIL;c:\docume~1\home\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2011-7-12 67664]
S2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-6 170144]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-6 141792]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-6 55456]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\androidusb.sys --> c:\windows\system32\drivers\ANDROIDUSB.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-11-9 40776]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2006-11-17 152320]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2006-11-17 51688]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-6 312616]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-8-6 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-6 83496]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2006-11-17 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2006-11-17 40552]
S4 ALGRemoteAccess;Application Layer Gateway Service ALGRemoteAccess;c:\windows\system32\accessz.exe srv --> c:\windows\system32\accessz.exe srv [?]
S4 aspnet_stateTuneUp.Defrag;ASP.NET State Service aspnet_stateTuneUp.Defrag;c:\windows\system32\acluiz.exe srv --> c:\windows\system32\acluiz.exe srv [?]
S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-25 210216]
S4 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-6 271480]
S4 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-6 271480]
S4 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-6 271480]
S4 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-6 188136]
S4 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2010-2-2 65856]
S4 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-6-7 0]
S4 SharedAccessFontCache3.0.0.0;Windows Firewall/Internet Connection Sharing (ICS) SharedAccessFontCache3.0.0.0;c:\windows\system32\adsldpcx.exe srv --> c:\windows\system32\adsldpcx.exe srv [?]
S4 WmiApSrvCOMSysApp;WMI Performance Adapter WmiApSrvCOMSysApp;c:\windows\system32\acluio.exe srv --> c:\windows\system32\acluio.exe srv [?]
.
=============== File Associations ===============
.
.scr=AutoCADLTScriptFile
.
=============== Created Last 30 ================
.
2012-01-26 12:08:02 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-25 10:19:40 -------- d-----w- c:\windows\XSxS
2012-01-25 10:19:40 -------- d-----w- c:\program files\Xenocode
2012-01-25 10:19:40 -------- d-----w- c:\documents and settings\home\local settings\application data\Xenocode
2012-01-24 15:57:39 -------- d-----w- C:\b7e1a371c2a2c81df298cb6c32f91a9b
2012-01-24 11:46:26 31232 ----a-w- c:\documents and settings\home\xf9poa4vaz.exe
2012-01-23 15:27:51 31232 ----a-w- c:\documents and settings\all users\xf9poa4vaz.exe
2012-01-23 11:27:35 556958 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-01-23 10:55:29 363370 ----a-w- c:\documents and settings\all users\application data\O2ogAy2iYqvsjL.exe
2012-01-23 10:51:50 450410 --sha-w- c:\documents and settings\all users\application data\RobIKtbrUE.exe
2012-01-23 10:48:28 -------- d-----w- c:\program files\3991B
2012-01-23 10:47:27 -------- d-----w- c:\program files\LP
2012-01-23 10:47:27 -------- d-----w- c:\documents and settings\home\application data\D4E39
2012-01-20 08:17:57 5632 ----a-w- c:\windows\system32\ptpusb.dll
2012-01-20 08:17:53 159232 ----a-w- c:\windows\system32\ptpusd.dll
2012-01-20 08:17:51 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2012-01-20 08:17:51 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2012-01-17 13:35:02 -------- d-----w- c:\program files\VideoLAN
2012-01-16 09:54:24 -------- d-----w- c:\program files\uTorrent
2012-01-09 15:05:35 -------- d-----w- c:\documents and settings\home\local settings\application data\DuplicateCleaner
2012-01-09 15:05:11 -------- d-----w- c:\program files\Duplicate Cleaner
2012-01-09 14:50:52 -------- d-----w- c:\documents and settings\home\local settings\application data\Ilivid Player
2012-01-09 14:50:02 -------- dc----w- c:\documents and settings\all users\application data\{B49A644A-1076-4A3D-B124-DAA7862F2318}
2012-01-09 14:49:46 -------- d-----w- c:\program files\iLivid
2012-01-09 14:48:59 -------- d-----w- c:\documents and settings\home\local settings\application data\PackageAware
2012-01-06 08:52:52 -------- d-----r- C:\Sandbox
2012-01-02 17:23:22 -------- d-----w- c:\documents and settings\all users\application data\RegCure
2012-01-02 17:20:05 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2012-01-02 17:19:11 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2012-01-02 17:16:48 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2012-01-02 17:14:43 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-01-02 17:14:41 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-01-02 17:11:11 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-01-02 17:10:34 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2012-01-02 11:35:43 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2012-01-02 11:35:43 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-01-02 01:06:20 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2012-01-02 01:05:56 357888 -c----w- c:\windows\system32\dllcache\srv.sys
2012-01-02 01:05:41 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2012-01-02 01:05:40 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2012-01-02 01:03:52 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2012-01-02 01:01:32 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2012-01-02 00:39:02 -------- d-----w- c:\windows\system32\en
2012-01-02 00:39:02 -------- d-----w- c:\windows\system32\bits
2012-01-01 23:31:56 -------- d-----w- c:\documents and settings\all users\application data\IObit
2012-01-01 21:31:53 20992 ------w- c:\windows\system32\spupdwxp.exe
2012-01-01 21:30:58 83968 ------w- c:\program files\messenger\msgsc.dll
2012-01-01 21:29:56 81920 ------w- c:\windows\system32\ieencode.dll
2012-01-01 20:53:01 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2012-01-01 20:52:15 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-12-29 15:48:34 -------- d-sh--w- C:\$RECYCLE.BIN
2011-12-28 21:12:38 -------- d-----w- C:\$AVG8.VAULT$
.
==================== Find3M ====================
.
2012-01-25 10:06:18 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-12-23 13:59:04 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv(2).dll
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 09:14:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2010-09-09 13:13:12 74796 ----a-w- c:\program files\Uninstal.exe
2006-03-08 19:05:37 4882944 ----a-w- c:\program files\Invoice.exe
2005-11-27 16:43:10 1734656 ----a-w- c:\program files\Upgrade.exe
.
============= FINISH: 8:29:24.17 ===============

#4 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,549
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 27 January 2012 - 07:33 AM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

Link 1

Link 2

Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

<-- Don't worry every little bit helps.

#5 tempsc

Member

Group: Members
Posts: 22
Joined: 03-August 10

Posted 27 January 2012 - 09:52 AM

Hi Gringo.

Thanks for the further instructions. As I cannot connect to the internet, I downloaded the combofix on an alternative machine and transferred by usb drive. I disabled Mcafee (it said it was 'off') but forgot I had also installed MS Securty Essentials. Ran combofix and it alerted me to the fact that both Mcafee and MSE were still running which surprised me as I had definitely turned Mcafee off. I couldn't switch off MSE and assume that the virus was affecting this. Anyway, combofix opened a further C:\ window and alerted me that combofix needed to be updated and I would need to have an active internet connection. I don't have that so was just about to post a reply to you when it continued to run ( with a warning that it was at my risk - which was slightly worrying) and soon after advised that I had a particularly difficult to remove 'zero rootkit'? (I think that was what it said as soon after, a further window opened and it advised me that the computer needed to be rebooted and that I should let combofix do this for me. Before I knew it, it had started to shut down and has just restarted and eventually produced the below log.

As for pc now, it seems better. The start menu is more populated than it was and the whole pc is not su sluggish. I have checked network conections and it advises that it is connected, but on trying IE, it cannot connect. Seems there may still be an issue in that department? Perhaps the below log will tell all to your trained eyes.

Thanks again.

ComboFix 12-01-23.02 - Home 27/01/2012 14:07:26.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.753 [GMT 0:00]
Running from: c:\documents and settings\Home\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.
ADS - WINDOWS: deleted 128 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\~O2ogAy2iYqvsjL
c:\documents and settings\All Users\Application Data\~O2ogAy2iYqvsjLr
c:\documents and settings\All Users\Application Data\O2ogAy2iYqvsjL
c:\documents and settings\All Users\Application Data\O2ogAy2iYqvsjL.exe
c:\documents and settings\All Users\Application Data\RobIKtbrUE.exe
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\xf9poa4vaz.exe
c:\documents and settings\Home\Application Data\D4E39
c:\documents and settings\Home\Application Data\D4E39\5CB93.exe
c:\documents and settings\Home\Application Data\D4E39\991B.4E3
c:\documents and settings\Home\Application Data\desktop.ini
c:\documents and settings\Home\Application Data\xssend2
c:\documents and settings\Home\Local Settings\Application Data\{1CAB38A7-9BC6-41BD-A002-86564E94130F}
c:\documents and settings\Home\Local Settings\Application Data\{1CAB38A7-9BC6-41BD-A002-86564E94130F}\chrome.manifest
c:\documents and settings\Home\Local Settings\Application Data\{1CAB38A7-9BC6-41BD-A002-86564E94130F}\chrome\content\overlay.xul
c:\documents and settings\Home\Local Settings\Application Data\{1CAB38A7-9BC6-41BD-A002-86564E94130F}\install.rdf
c:\documents and settings\Home\Start Menu\Programs\System Check
c:\documents and settings\Home\Start Menu\Programs\System Check\System Check.lnk
c:\documents and settings\Home\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\documents and settings\Home\WINDOWS
c:\documents and settings\Home\xf9poa4vaz.exe
c:\program files\LP
c:\program files\LP\93BD\1.tmp
c:\program files\LP\93BD\17DF.tmp
c:\program files\LP\93BD\17E0.tmp
c:\program files\LP\93BD\2.tmp
c:\program files\LP\93BD\255.tmp
c:\program files\LP\93BD\256.tmp
c:\program files\LP\93BD\259.tmp
c:\program files\LP\93BD\25A.tmp
c:\program files\LP\93BD\3.tmp
c:\program files\LP\93BD\5.tmp
c:\program files\LP\93BD\65B.exe
c:\windows\$NtUninstallKB38322$
c:\windows\$NtUninstallKB38322$\2393381658\@
c:\windows\$NtUninstallKB38322$\2393381658\bckfg.tmp
c:\windows\$NtUninstallKB38322$\2393381658\cfg.ini
c:\windows\$NtUninstallKB38322$\2393381658\Desktop.ini
c:\windows\$NtUninstallKB38322$\2393381658\keywords
c:\windows\$NtUninstallKB38322$\2393381658\kwrd.dll
c:\windows\$NtUninstallKB38322$\2393381658\L\xgniolat
c:\windows\$NtUninstallKB38322$\2393381658\U\00000001.@
c:\windows\$NtUninstallKB38322$\2393381658\U\00000002.@
c:\windows\$NtUninstallKB38322$\2393381658\U\00000004.@
c:\windows\$NtUninstallKB38322$\2393381658\U\80000000.@
c:\windows\$NtUninstallKB38322$\2393381658\U\80000004.@
c:\windows\$NtUninstallKB38322$\2393381658\U\80000032.@
c:\windows\$NtUninstallKB38322$\266745636
c:\windows\Downloaded Program Files\formcache
c:\windows\Downloaded Program Files\formcache\1.fca
c:\windows\Downloaded Program Files\formcache\2.fca
c:\windows\Downloaded Program Files\formcache\index.fci
c:\windows\system32\370181562.dat
c:\windows\system32\ctfmon(2).exe
c:\windows\system32\drivers\557e35f5afdf0c59.sys
c:\windows\XSxS
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_ALGREMOTEACCESS
-------\Legacy_ASPNET_STATETUNEUP.DEFRAG
-------\Legacy_SHAREDACCESSFONTCACHE3.0.0.0
-------\Legacy_WMIAPSRVCOMSYSAPP
-------\Service_6to4
-------\Service_ALGRemoteAccess
-------\Service_aspnet_stateTuneUp.Defrag
-------\Service_SharedAccessFontCache3.0.0.0
-------\Service_WmiApSrvCOMSysApp
-------\Legacy_557e35f5afdf0c59
-------\Service_557e35f5afdf0c59
.
.
((((((((((((((((((((((((( Files Created from 2011-12-27 to 2012-01-27 )))))))))))))))))))))))))))))))
.
.
2012-01-26 12:08 . 2012-01-26 12:08 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-25 10:19 . 2012-01-25 10:19 -------- d-----w- c:\program files\Xenocode
2012-01-25 10:19 . 2012-01-25 10:19 -------- d-----w- c:\documents and settings\Home\Local Settings\Application Data\Xenocode
2012-01-24 15:57 . 2012-01-24 15:57 -------- d-----w- C:\b7e1a371c2a2c81df298cb6c32f91a9b
2012-01-23 11:27 . 2012-01-23 11:27 556958 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-01-23 10:48 . 2012-01-24 15:57 -------- d-----w- c:\program files\3991B
2012-01-20 08:17 . 2001-08-17 22:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2012-01-20 08:17 . 2008-04-14 05:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2012-01-20 08:17 . 2008-04-14 00:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2012-01-20 08:17 . 2008-04-14 00:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2012-01-17 13:49 . 2012-01-17 14:11 -------- d-----w- c:\documents and settings\Home\Application Data\vlc
2012-01-17 13:35 . 2012-01-17 13:35 -------- d-----w- c:\program files\VideoLAN
2012-01-16 09:54 . 2012-01-16 09:54 -------- d-----w- c:\program files\uTorrent
2012-01-09 15:05 . 2012-01-09 15:23 -------- d-----w- c:\documents and settings\Home\Local Settings\Application Data\DuplicateCleaner
2012-01-09 15:05 . 2012-01-09 15:05 -------- d-----w- c:\program files\Duplicate Cleaner
2012-01-09 14:50 . 2012-01-09 14:50 -------- d-----w- c:\documents and settings\Home\Local Settings\Application Data\Ilivid Player
2012-01-09 14:50 . 2012-01-09 14:50 -------- dc----w- c:\documents and settings\All Users\Application Data\{B49A644A-1076-4A3D-B124-DAA7862F2318}
2012-01-09 14:49 . 2012-01-09 14:50 -------- d-----w- c:\program files\iLivid
2012-01-09 14:48 . 2012-01-09 14:48 -------- d-----w- c:\documents and settings\Home\Local Settings\Application Data\PackageAware
2012-01-06 08:52 . 2012-01-06 08:52 -------- d-----r- C:\Sandbox
2012-01-02 17:23 . 2012-01-02 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2012-01-02 17:20 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2012-01-02 17:19 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2012-01-02 17:16 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2012-01-02 17:14 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-01-02 17:14 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-01-02 17:11 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-01-02 17:10 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2012-01-02 11:35 . 2008-04-14 00:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2012-01-02 11:35 . 2008-04-14 00:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-01-02 01:06 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2012-01-02 01:05 . 2011-02-17 13:18 357888 -c----w- c:\windows\system32\dllcache\srv.sys
2012-01-02 01:05 . 2011-07-15 13:29 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2012-01-02 01:05 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2012-01-02 01:03 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2012-01-02 01:01 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2012-01-02 00:39 . 2012-01-02 00:39 -------- d-----w- c:\windows\system32\en
2012-01-02 00:39 . 2012-01-02 00:39 -------- d-----w- c:\windows\system32\bits
2012-01-02 00:12 . 2012-01-02 00:12 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\IObit
2012-01-01 23:31 . 2012-01-01 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2012-01-01 21:31 . 2008-04-14 00:12 20992 ------w- c:\windows\system32\spupdwxp.exe
2012-01-01 21:30 . 2008-05-02 14:01 83968 ------w- c:\program files\Messenger\msgsc.dll
2012-01-01 21:29 . 2008-04-14 00:11 81920 ------w- c:\windows\system32\ieencode.dll
2012-01-01 20:53 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2012-01-01 20:52 . 2011-11-04 19:20 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-12-28 21:12 . 2011-12-28 22:19 -------- d-----w- C:\$AVG8.VAULT$
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-25 10:06 . 2010-11-09 16:03 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-12-23 13:59 . 2006-06-07 14:29 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2011-11-25 21:57 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv(2).dll
2011-11-23 13:25 . 2004-08-04 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-04 12:00 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 09:14 . 2011-11-16 09:14 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-04 12:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2010-09-09 13:13 . 2010-09-09 13:13 74796 ----a-w- c:\program files\Uninstal.exe
2006-03-08 19:05 . 2006-01-24 21:27 4882944 ----a-w- c:\program files\Invoice.exe
2005-11-27 16:43 . 2006-01-24 21:27 1734656 ----a-w- c:\program files\Upgrade.exe
2006-10-16 03:24 . 2006-11-06 09:08 135680 -c--a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys
[-] 2008-04-13 19:19 . CD057E33BCFE1899F892AD8AA46793B8 . 75264 . . [9 Alpha217 RC34187 10.2298] . . c:\windows\system32\drivers\ipsec.sys
[7] 2004-08-04 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ipsec.sys
.
[7] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys
[-] 2008-04-13 19:19 . CD057E33BCFE1899F892AD8AA46793B8 . 75264 . . [9 Alpha217 RC34187 10.2298] . . c:\windows\system32\drivers\ipsec.sys
[7] 2004-08-04 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ipsec.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-26 14:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Home\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Home\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Home\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Home\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WizMouse"="c:\program files\WizMouse\WizMouse.exe" [2010-03-12 696568]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2011-06-15 1200128]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-24 1193848]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\Home\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Home\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DSLMON.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DSLMON.lnk
backup=c:\windows\pss\DSLMON.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Home^Start Menu^Programs^Startup^ntuser_mssec.exe]
path=c:\documents and settings\Home\Start Menu\Programs\Startup\ntuser_mssec.exe
backup=c:\windows\pss\ntuser_mssec.exeStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2007-02-16 17:57 1945960 ------w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OSSelectorReinstall]
2007-02-22 18:53 2209224 ----a-w- c:\program files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rap]
2011-01-05 14:57 173568 ----a-w- c:\program files\ert\3.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 11:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2007-02-16 17:45 1169776 ------w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UleadBurningHelper"=2 (0x2)
"NTService1"=2 (0x2)
"MaxBackServiceInt"=2 (0x2)
"InCDsrv"=2 (0x2)
"AcrSch2Svc"=2 (0x2)
"WmiApSrvCOMSysApp"=2 (0x2)
"WinDefend"=2 (0x2)
"TuneUp.ProgramStatisticsSvc"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"SharedAccessFontCache3.0.0.0"=2 (0x2)
"RapportMgmtService"=2 (0x2)
"nlsX86cc"=2 (0x2)
"mfevtp"=2 (0x2)
"mfefire"=2 (0x2)
"MDM"=2 (0x2)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"McNaiAnn"=2 (0x2)
"mcmscsvc"=2 (0x2)
"McMPFSvc"=2 (0x2)
"McAfee SiteAdvisor Service"=2 (0x2)
"LiveUpdate"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"cbVSCService"=2 (0x2)
"bepldr"=3 (0x3)
"awhost32"=3 (0x3)
"aspnet_stateTuneUp.Defrag"=2 (0x2)
"ALGRemoteAccess"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"flockbox"=c:\program files\My Lockbox\flockbox.exe /a
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Documents and Settings\\Home\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Home\\Desktop\\New Folder\\utorrent.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"8000:UDP"= 8000:UDP:Axon RTP Incoming Audio (UDP)
"81:TCP"= 81:TCP:Axon Web Server
.
R0 MPRIFL;MPRIFL;c:\windows\system32\drivers\mprifl.sys [05/02/2009 13:26 17264]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [06/08/2010 10:05 82952]
R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [01/03/2010 09:18 390528]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [06/08/2010 10:05 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [06/08/2010 10:05 88480]
S0 gqxx;gqxx;c:\windows\system32\drivers\vqjlrhk.sys --> c:\windows\system32\drivers\vqjlrhk.sys [?]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [07/06/2010 17:07 0]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [07/06/2010 17:07 0]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Home\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Home\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Home\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Home\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [06/08/2010 10:05 55456]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys --> c:\windows\system32\Drivers\ANDROIDUSB.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [09/11/2010 16:03 40776]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [06/08/2010 10:05 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [06/08/2010 10:05 83496]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [30/12/2008 10:40 47360]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - IPSEC
*NewlyCreated* - MPFILTER
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-27 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 15:28]
.
2012-01-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 15:39]
.
2012-01-26 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-12-18 14:31]
.
2012-01-26 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-12-18 14:31]
.
2012-01-27 c:\windows\Tasks\User_Feed_Synchronization-{03D4C59F-A6FE-40E7-9E53-5E441EF7C63F}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {13510606-30FA-11D2-B383-444553540000} - hxxps://tradezone.pws.co.uk/downloads/webclientV4/win32/omwebie.cab
.
.
------- File Associations -------
.
.scr=AutoCADLTScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-xf9poa4vaz - c:\documents and settings\Home\xf9poa4vaz.exe
HKLM-Run-xf9poa4vaz - c:\documents and settings\All Users\xf9poa4vaz.exe
SafeBoot-WinDefend
MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-Jkewa - c:\windows\akozapow.dll
MSConfigStartUp-nonep - c:\docume~1\Home\LOCALS~1\Temp\tmp2aa42431\kkil.exe
MSConfigStartUp-Qburomukimupewu - c:\windows\cemsgole.dll
MSConfigStartUp-U36VRSFLG6 - c:\docume~1\Home\LOCALS~1\Temp\Xqd.exe
MSConfigStartUp-{083029C8-CE7A-82F4-F55C-F76A25C28629} - c:\documents and settings\Home\Application Data\Agnayf\coon.exe
AddRemove-Malwarebytes' Anti-Malware_is1 - g:\malwarebytes' anti-malware\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-27 14:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-725345543-1229272821-2147133589-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-725345543-1229272821-2147133589-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1B6AF4D0-6D2E-DCC1-3B68-3444D9A87159}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}\InProcServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\System32\\msimtf.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(892)
c:\windows\system32\relog_ap.dll
.
- - - - - - - > 'explorer.exe'(7424)
c:\windows\system32\WININET.dll
c:\documents and settings\Home\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\msdtc.exe
.
**************************************************************************
.
Completion time: 2012-01-27 14:43:36 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-27 14:43
.
Pre-Run: 127,285,747,712 bytes free
Post-Run: 128,010,223,616 bytes free
.
- - End Of File - - 2EB179F84C84A2D3D7EF1681D9418EAB

#6 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,549
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 27 January 2012 - 09:58 AM

Hello

Lets check your internet connection

Please download Farbar Service Scanner and run it on the computer with the issue.

Make sure all the boxes are checked
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Gringo

<-- Don't worry every little bit helps.

#7 tempsc

Member

Group: Members
Posts: 22
Joined: 03-August 10

Posted 27 January 2012 - 10:19 AM

Here we are Gringo.
By the way, there is still a shortcut on my desktop for 'System Check'. Is this OK?

Thanks.

Farbar Service Scanner Version: 18-01-2012 01
Ran by Home (administrator) on 27-01-2012 at 15:09:23
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.

Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors

Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
===========

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-04 12:00] - [2008-04-13 19:19] - 0075264 ____A (CxExerSoft) CD057E33BCFE1899F892AD8AA46793B8

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) mfetdi2k(9) NetBT(6) PSched(7) Tcpip(4)
0x0A0000000500000001000000020000000300000004000000090000000800000006000000070000000A000000
IpSec Tag value is correct.

**** End of log ****

#8 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,549
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 27 January 2012 - 01:29 PM

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

:filefind
ipsec.sys

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

<-- Don't worry every little bit helps.

#9 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,549
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 29 January 2012 - 11:47 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

do you still need help with this?
do you need more time?
are you having problems following my instructions?
if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

<-- Don't worry every little bit helps.

#10 tempsc

Member

Group: Members
Posts: 22
Joined: 03-August 10

Posted 30 January 2012 - 03:26 AM

Hello Gringo.

Here's the systemlook log.

Thanks again.

SystemLook 30.07.11 by jpshortstuff
Log created at 08:22 on 30/01/2012 by Home
Administrator - Elevation successful

========== filefind ==========

Searching for "ipsec.sys"
C:\I386\system32\drivers\ipsec.sys -ra--c- 96768 bytes [19:00 16/12/2010] [14:40 28/01/2005] E4FFF43275A65B5989AF798A6AD71CA9
C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys -----c- 74752 bytes [00:25 02/01/2012] [12:00 04/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\ServicePackFiles\i386\ipsec.sys ------- 75264 bytes [21:30 01/01/2012] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\system32\drivers\ipsec.sys --a---- 75264 bytes [12:00 04/08/2004] [19:19 13/04/2008] CD057E33BCFE1899F892AD8AA46793B8

-= EOF =-

#11 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,549
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 30 January 2012 - 03:30 AM

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

FCopy::
C:\WINDOWS\ServicePackFiles\i386\ipsec.sys | C:\WINDOWS\system32\drivers\ipsec.sys

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following

report from Combofix
let me know of any problems you may have had
How is the computer doing now after running the script?

Gringo

<-- Don't worry every little bit helps.

#12 tempsc

Member

Group: Members
Posts: 22
Joined: 03-August 10

Posted 30 January 2012 - 05:09 AM

Gringo.

New window has opened advising that

'Combofix has detected the following real time scaner(s) to be active;

antivirus: MSE
antivirus: McAfee Anti-virus and Anti-Spyware

Antivirus and intrusion prevention programs are known to interfere with ComboFix's running. This may lead to unpredictable resultys or possible machine damage.

Please disable these scanners before clicking 'OK'.

So, when I enter McAfee settings. 'Real time' scanning is clearly marked as 'Off'.
Opening MSE, the 'Settings' tab is greyed out and I'm not sure how to switch off.

Should I just proceed with allowing 'Combofix' to run, or, are there other methods to enable to switch off these two AV programs?

Thanks.

#13 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,549
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 30 January 2012 - 06:28 AM

go ahead and proceed

<-- Don't worry every little bit helps.

#14 tempsc

Member

Group: Members
Posts: 22
Joined: 03-August 10

Posted 30 January 2012 - 07:09 AM

Good morning.
Now running.

Alerted me that MS recovery console is not on PC and it needed an internet connection to be able to check and download - which of course I don't have at the moment.

I will post log once completed.