
Please help - unknown malware - browser redirect


  • This topic is locked
33 replies to this topic

#1 ksky10081
  • Members
  • 63 posts
  • Location:A little blue sphere.

Posted 14 August 2009 - 06:41 PM

Thank you in advance for all of your help and time in this matter.

The initial problem started when I received a notification from McAfee that a trojan was blocked and then shortly after that I received a BSoD error stating:

An attempt to write to read only memory

This error occurs when I leave the normal user select screen up within 4 minutes. Safe mode works for the most part.

I have tried to locate and correct this problem with:

Malwarebytes Anti-Malware
Spybot - Search & Destroy
Windows Defender
HijackThis

Failed to install:

Ad-AwareAE.exe
counterspy.exe

I also tried online scanners (TrendMicro, Kaspersky, Panda, and Bitdefender [all of the definitions failed to update]) along with my installed McAfee.

None have worked so far!


==== DDS.TXT ==== ==== ==== ==== ==== ==== ====


DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by John at 16:28:40.54 on Fri 08/14/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.494.169 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\John\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearch Bar = hxxp://www.comcast.net/toolbar2.0/search/
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2061119
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: COMCASTTOOLBAR: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Browser Address Error Redirector: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: COMCASTTOOLBAR: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRunOnce: [RunNarrator] Narrator.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com\*.update
Trusted Zone: windowsupdate.com\download
Trusted Zone: yahoo.com
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249679040359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-8-12 130936]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-8-12 28544]
S1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-4-14 201320]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-4-14 359248]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2007-4-14 144704]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-4-14 695624]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-4-14 79304]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-4-14 35240]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-4-14 33832]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-4-14 40488]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-8-12 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-8-12 1097096]
S4 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-7-17 31592]
S4 KodakSvc;Kodak AiO Device Service;c:\program files\kodak\printer\center\KodakSvc.exe [2008-10-30 28672]

=============== Created Last 30 ================

2009-08-14 14:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sunbelt
2009-08-12 16:47 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-08-12 16:47 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-08-12 16:47 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-12 16:47 <DIR> --d----- c:\program files\common files\PC Tools
2009-08-12 16:47 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-08-12 16:47 <DIR> --d----- c:\program files\Spyware Doctor
2009-08-12 16:47 <DIR> --d----- c:\docume~1\john\applic~1\PC Tools
2009-08-12 16:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-08-12 16:40 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-08-12 16:40 <DIR> --d----- c:\program files\Panda Security
2009-08-12 16:32 <DIR> --d----- c:\windows\LastGood.Tmp
2009-08-12 16:30 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-11 20:46 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-11 20:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-11 15:39 <DIR> --d----- c:\docume~1\john\applic~1\Malwarebytes
2009-08-11 15:39 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-11 15:39 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-11 15:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-11 15:39 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 18:02 <DIR> --d----- c:\program files\CCleaner
2009-08-10 13:06 <DIR> --d----- C:\35674927e03a0c0ef16c1207d3db
2009-08-10 12:57 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}
2009-08-10 12:41 <DIR> --d----- C:\4d9a2e909611ced721a44f9af8b8
2009-08-10 12:41 <DIR> --d-hr-- C:\AHCache
2009-08-10 12:39 <DIR> --d----- C:\6a850817f9620bed60dae8
2009-08-10 12:07 <DIR> --d----- c:\docume~1\john\applic~1\Uniblue
2009-08-08 11:39 <DIR> --d----- C:\481def3e6a792cfef6
2009-08-08 11:36 <DIR> --d----- C:\c65fbe81dae6fc2aeaacf997eca2fd
2009-08-08 10:10 <DIR> --d----- C:\3b2fab02a3892adca434ceff
2009-08-08 10:02 <DIR> --d----- C:\dc4f6abfa43aa758834f2cbbcc
2009-08-08 09:58 <DIR> --d----- C:\1c95ccf312f7bc6e56043c89dc
2009-08-07 14:46 <DIR> --d----- C:\ed296b52c1e31cfa5b2f191a816e
2009-08-07 13:52 <DIR> --d----- c:\program files\Trend Micro
2009-08-07 12:57 <DIR> --d----- C:\47b2a0e3a548a7c2cace73e3224b8459
2009-08-06 17:30 <DIR> --d----- c:\documents and settings\john\.housecall6.6

==================== Find3M ====================

2009-07-18 10:05 3,069,440 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 10:05 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-06-26 10:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 10:50 666,624 -------- c:\windows\system32\dllcache\wininet.dll
2009-06-26 10:50 620,032 -------- c:\windows\system32\dllcache\urlmon.dll
2009-06-26 10:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-26 10:50 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2009-06-16 08:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 08:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 08:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 08:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 13:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 13:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2006-12-07 10:52 88 -c-shr-- c:\windows\system32\BF16B3C56B.sys
2006-12-07 10:53 2,516 ac-sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 16:30:14.71 ===============


==== DDS.TXT ==== ==== ==== ==== ==== ==== ====


Thank you again!



#2 Shannon2012
  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 27 August 2009 - 02:08 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Shannon

#3 ksky10081
  • Topic Starter
  • Members
  • 63 posts
  • Location:A little blue sphere.

Posted 27 August 2009 - 04:42 PM

Thank you All very much!


DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by John at 15:26:12.98 on Thu 08/27/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.494.196 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Documents and Settings\John\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearch Bar = hxxp://www.comcast.net/toolbar2.0/search/
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2061119
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: COMCASTTOOLBAR: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Browser Address Error Redirector: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: COMCASTTOOLBAR: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [tgcmd] c:\program files\support.com\bin\tgcmd.exe /server /startmonitor /deaf
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
dRunOnce: [RunNarrator] Narrator.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com\*.update
Trusted Zone: windowsupdate.com\download
Trusted Zone: yahoo.com
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249679040359
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-8-12 130936]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-8-12 28544]
S1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-4-14 201320]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-4-14 359248]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2007-4-14 144704]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-4-14 695624]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-4-14 79304]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-4-14 35240]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-4-14 33832]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-4-14 40488]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-8-12 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-8-12 1097096]
S4 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-7-17 31592]
S4 KodakSvc;Kodak AiO Device Service;c:\program files\kodak\printer\center\KodakSvc.exe [2008-10-30 28672]

=============== Created Last 30 ================

2009-08-20 10:23 <DIR> --d----- c:\program files\ESET
2009-08-18 14:34 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-15 20:32 664 a------- c:\windows\system32\d3d9caps.dat
2009-08-15 14:36 4,195,824 a------- c:\windows\pfirewall.log.old
2009-08-14 14:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sunbelt
2009-08-12 16:47 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-08-12 16:47 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-08-12 16:47 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-12 16:47 <DIR> --d----- c:\program files\common files\PC Tools
2009-08-12 16:47 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-08-12 16:47 <DIR> --d----- c:\program files\Spyware Doctor
2009-08-12 16:47 <DIR> --d----- c:\docume~1\john\applic~1\PC Tools
2009-08-12 16:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-08-12 16:40 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-08-12 16:40 <DIR> --d----- c:\program files\Panda Security
2009-08-12 16:30 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-11 20:46 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-11 20:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-11 15:39 <DIR> --d----- c:\docume~1\john\applic~1\Malwarebytes
2009-08-11 15:39 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-11 15:39 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-11 15:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-11 15:39 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 18:02 <DIR> --d----- c:\program files\CCleaner
2009-08-10 13:06 <DIR> --d----- C:\35674927e03a0c0ef16c1207d3db
2009-08-10 12:57 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}
2009-08-10 12:41 <DIR> --d----- C:\4d9a2e909611ced721a44f9af8b8
2009-08-10 12:41 <DIR> --d-hr-- C:\AHCache
2009-08-10 12:39 <DIR> --d----- C:\6a850817f9620bed60dae8
2009-08-10 12:07 <DIR> --d----- c:\docume~1\john\applic~1\Uniblue
2009-08-08 11:39 <DIR> --d----- C:\481def3e6a792cfef6
2009-08-08 11:36 <DIR> --d----- C:\c65fbe81dae6fc2aeaacf997eca2fd
2009-08-08 10:10 <DIR> --d----- C:\3b2fab02a3892adca434ceff
2009-08-08 10:02 <DIR> --d----- C:\dc4f6abfa43aa758834f2cbbcc
2009-08-08 09:58 <DIR> --d----- C:\1c95ccf312f7bc6e56043c89dc
2009-08-07 14:46 <DIR> --d----- C:\ed296b52c1e31cfa5b2f191a816e
2009-08-07 13:52 <DIR> --d----- c:\program files\Trend Micro
2009-08-07 12:57 <DIR> --d----- C:\47b2a0e3a548a7c2cace73e3224b8459
2009-08-06 17:30 <DIR> --d----- c:\documents and settings\john\.housecall6.6

==================== Find3M ====================

2009-07-18 10:05 3,069,440 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 10:05 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-06-26 10:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 10:50 666,624 -------- c:\windows\system32\dllcache\wininet.dll
2009-06-26 10:50 620,032 -------- c:\windows\system32\dllcache\urlmon.dll
2009-06-26 10:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-26 10:50 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2009-06-16 08:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 08:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 08:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 08:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 13:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 13:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2006-12-07 10:52 88 -c-shr-- c:\windows\system32\BF16B3C56B.sys
2006-12-07 10:53 2,516 ac-sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 15:28:03.96 ===============



#4 ksky10081
  • Topic Starter
  • Members
  • 63 posts
  • Location:A little blue sphere.

Posted 27 August 2009 - 05:22 PM

I had a little time to jot down thoughts as they came to me:

As I read some of the problems that the other users were having, I was reminded of some of the initial symptoms that occurred with this machine. I have been tempted to post this but have left it off since another post is not recommended.

I don't know if this is related, but earlier that day I finally decided to click update for the flash player that had been popping up for a few months. The update screen then failed to update flash (I tried a few times to make it work) so I ended up closing the update program. After the infection, I uninstalled flash and have yet to reinstall the program. That was 08.06.09.

Later that day I ran into the infection that downloaded a fake anti malware/virus? program on my computer and changed my wallpaper to indicate that an infection had occurred. From there I took steps to find the process responsible and remove it.
I stopped these startup processes:

run.run
19249374

Here is the information found in the McAfee recent events log:

DATE: 08.06.09. "program run is blocked from access to the internet."
PROGRAM: Run
LOCATION: C:\Documents and Settings\John\Local Settings\Temp\SERR.TMP


DATE: 08.12.09. "program Setup/Uninstall is granted with full access to the internet."
PROGRAM: Setup/Uninstall
LOCATION: C:\Documents and Settings\John\Local Settings\Temp\is-FFP85.tmp\sdsetup.tmp

At first, I blocked web access but enabled access so Spyware Doctor could update.


I noticed *.tmp processes running in the task manager and under normal startup, they still generate.

Here are a few that I was able to record:
is-M9GH0
is-ISHL6.tmp
is-RA206.tmp


After stopping the initial and blatant intrusion, I soon realized that problems still existed.
Of the redirects, I recall being sent to yourblack.com and maybe mycustomsearch.com.


After some internet searching I came upon a user who was being helped by Miekiemoes and downloaded Malwarebytes' Anti-Malware - this had little success as the problem persists after the machine is started again.

I have been tempted to use combofix but have heeded the warnings.

Before I use combofix, would there be a problem running the program in safe mode and would I have to watch the results and make sure this pc is restarted in safe mode should combofix restart this machine? What programs do I have to re-enable or script do I have to run to restore full functionality?


I am not familiar with the limitations of using safe mode, but I am unable to print, update windows, and windows defender to name a few that I recall.

BSOD messages:


An attempt to write to read-only memory.

0x000000BE (0x8061AB70.0x0061A161,0xF78D2CC8,0x0000000B)

This problem occurs when I wait on the normal sign in screen and whenever I sign in to normal mode - within 4 minutes - if that.


driver_irql_not_less_or_equal

0x000000D1 (0xE1F1C000,0x00000002,0x00000000,0xF3EF2AE8)

This problem occurs when I sign in to normal mode (about 2 minutes), sometimes in safe mode(rarely). I believe this started 2 days ago (08.13.09?) after installing anti malware apps.


The messages are generic and give advice to disable system caching and ghosting... making sure new hardware is installed properly....


I have only installed multiple anti malware apps and only have used addition online virus software to go along with McAfee.

I also ran chkdsk /r /f in safe mode but it is skipped when I start in to safe mode and is quickly flashed on the screen in normal mode.

I am unable to access windows update / manually install updates in safe mode.

I am unable to lockdown the firewall in McAfee.

I ran through all of the included Dell programs to look for problems and all passed.
Do I have to worry about the factory partition being infected?


Thank you again!


#5 ksky10081
  • Topic Starter
  • Members
  • 63 posts
  • Location:A little blue sphere.

Posted 27 August 2009 - 05:33 PM

I hope I am jumping the gun with the combofix, I just want to be prepared. :thumbup2:

#6 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 05 September 2009 - 07:44 PM

Hi ksky10081,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

I will be back soon with the first instructions. Apologies for the longer than usual wait.

Thanks :thumbup2:
m0le is a proud member of UNITE

#7 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 05 September 2009 - 07:49 PM

Please do not run Combofix without my assistance.

There are certainly signs of malware in some of the information you are telling me about but the DDS log is clean.


Let's see what else we can find out by running the following tools.

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
Then please run your copy of MBAM on Full Scan mode

MBAM is often stopped by malware. Please open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe extension to .bat, .com, .pif, or .scr

If you have problems running these tools (and you may have) then please post that information.

Thanks

#8 ksky10081 (Topic Starter)

Posted 05 September 2009 - 10:50 PM

m0le,

Thank you very much for your assistance, and everyone else as well!

I am starting now. I will run MBAM as directed, although it has not hung up on me; it did look like it took a little bit longer to start (26 seconds to log registry keys).



***************************************RootRepeal.txt

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/05 21:53
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF6D7A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79CD000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF6358000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: Volume C:\, Sector 2
Status: Sector mismatch

Path: Volume C:\, Sector 3
Status: Sector mismatch

Path: Volume C:\, Sector 4
Status: Sector mismatch

Path: Volume C:\, Sector 5
Status: Sector mismatch

Path: Volume C:\, Sector 6
Status: Sector mismatch

Path: Volume C:\, Sector 7
Status: Sector mismatch

Path: Volume C:\, Sector 8
Status: Sector mismatch

Path: Volume C:\, Sector 9
Status: Sector mismatch

Path: Volume C:\, Sector 10
Status: Sector mismatch

Path: Volume C:\, Sector 11
Status: Sector mismatch

Path: Volume C:\, Sector 12
Status: Sector mismatch

Path: Volume C:\, Sector 13
Status: Sector mismatch

Path: Volume C:\, Sector 14
Status: Sector mismatch

Path: Volume C:\, Sector 15
Status: Sector mismatch

Path: Volume C:\, Sector 16
Status: Sector mismatch

Path: Volume C:\, Sector 17
Status: Sector mismatch

Path: Volume C:\, Sector 18
Status: Sector mismatch

Path: Volume C:\, Sector 19
Status: Sector mismatch

Path: Volume C:\, Sector 20
Status: Sector mismatch

Path: Volume C:\, Sector 21
Status: Sector mismatch

Path: Volume C:\, Sector 22
Status: Sector mismatch

Path: Volume C:\, Sector 23
Status: Sector mismatch

Path: Volume C:\, Sector 24
Status: Sector mismatch

Path: Volume C:\, Sector 25
Status: Sector mismatch

Path: Volume C:\, Sector 26
Status: Sector mismatch

Path: Volume C:\, Sector 27
Status: Sector mismatch

Path: Volume C:\, Sector 28
Status: Sector mismatch

Path: Volume C:\, Sector 29
Status: Sector mismatch

Path: Volume C:\, Sector 30
Status: Sector mismatch

Path: Volume C:\, Sector 31
Status: Sector mismatch

Path: Volume C:\, Sector 32
Status: Sector mismatch

Path: Volume C:\, Sector 33
Status: Sector mismatch

Path: Volume C:\, Sector 34
Status: Sector mismatch

Path: Volume C:\, Sector 35
Status: Sector mismatch

Path: Volume C:\, Sector 36
Status: Sector mismatch

Path: Volume C:\, Sector 37
Status: Sector mismatch

Path: Volume C:\, Sector 38
Status: Sector mismatch

Path: Volume C:\, Sector 39
Status: Sector mismatch

Path: Volume C:\, Sector 40
Status: Sector mismatch

Path: Volume C:\, Sector 41
Status: Sector mismatch

Path: Volume C:\, Sector 42
Status: Sector mismatch

Path: Volume C:\, Sector 43
Status: Sector mismatch

Path: Volume C:\, Sector 44
Status: Sector mismatch

Path: Volume C:\, Sector 45
Status: Sector mismatch

Path: Volume C:\, Sector 46
Status: Sector mismatch

Path: Volume C:\, Sector 47
Status: Sector mismatch

Path: Volume C:\, Sector 48
Status: Sector mismatch

Path: Volume C:\, Sector 49
Status: Sector mismatch

Path: Volume C:\, Sector 50
Status: Sector mismatch

Path: Volume C:\, Sector 51
Status: Sector mismatch

Path: Volume C:\, Sector 52
Status: Sector mismatch

Path: Volume C:\, Sector 53
Status: Sector mismatch

Path: Volume C:\, Sector 54
Status: Sector mismatch

Path: Volume C:\, Sector 55
Status: Sector mismatch

Path: Volume C:\, Sector 56
Status: Sector mismatch

Path: Volume C:\, Sector 57
Status: Sector mismatch

Path: Volume C:\, Sector 58
Status: Sector mismatch

Path: Volume C:\, Sector 59
Status: Sector mismatch

Path: Volume C:\, Sector 60
Status: Sector mismatch

Path: Volume C:\, Sector 61
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

Path: C:\WINDOWS\system32\ytasfwbbowbuuq.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\ytasfwdltavbuh.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\ytasfwexlpnkgi.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\ytasfwpwwajblt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\ytasfwabdmdtqnrn.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\ytasfwjtrpqriutl.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\ytasfwmriloqkxni.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\ytasfwpfjgexnyip.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\ytasfwtobgqditye.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\ytasfwxnseqrvjjw.tmp
Status: Invisible to the Windows API!

Path: c:\windows\temp\mcafee_zz7xhgbhljuddyk
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_pkra0s6wravh0pb
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\system32\drivers\ytasfwmpxfaimx.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: ytasfwpwwajblt.dll]
Process: services.exe (PID: 636) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: ytasfwpwwajblt.dll]
Process: lsass.exe (PID: 648) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: ytasfwdltavbuh.dll]
Process: svchost.exe (PID: 808) Address: 0x00680000 Size: 53248

Object: Hidden Module [Name: ytasfwpwwajblt.dll]
Process: svchost.exe (PID: 808) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: ytasfwpwwajblt.dll]
Process: svchost.exe (PID: 912) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: ytasfwpwwajblt.dll]
Process: MsMpEng.exe (PID: 1016) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: ytasfwpwwajblt.dll]
Process: svchost.exe (PID: 1084) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: ytasfwpwwajblt.dll]
Process: svchost.exe (PID: 1120) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: ytasfwpwwajblt.dll]
Process: svchost.exe (PID: 1208) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: ytasfwpwwajblt.dll]
Process: mcmscsvc.exe (PID: 1360) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: ytasfwpwwajblt.dll]
Process: MPFSrv.exe (PID: 1412) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: ytasfwpwwajblt.dll]
Process: Explorer.EXE (PID: 1744) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: ytasfwpwwajblt.dll]
Process: mcagent.exe (PID: 1892) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: ytasfwpwwajblt.dll]
Process: iexplore.exe (PID: 344) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: ytasfwpwwajblt.dll]
Process: ctfmon.exe (PID: 452) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: ytasfwpwwajblt.dll]
Process: mcuimgr.exe (PID: 980) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: ytasfwpwwajblt.dll]
Process: RootRepeal.exe (PID: 1648) Address: 0x10000000 Size: 28672

Hidden Services
-------------------
Service Name: ytasfwmurujdqv
Image Path: C:\WINDOWS\system32\drivers\ytasfwmpxfaimx.sys

==EOF==

***************************************RootRepeal.txt




***************************************mbam-log-2009-09-05 (23-10-52).txt

Malwarebytes' Anti-Malware 1.40
Database version: 2747
Windows 5.1.2600 Service Pack 3 (Safe Mode)

9/5/2009 11:10:52 PM
mbam-log-2009-09-05 (23-10-52).txt

Scan type: Full Scan (C:\|)
Objects scanned: 236731
Time elapsed: 50 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

***************************************mbam-log-2009-09-05 (23-10-52).txt

Edited by ksky10081, 06 September 2009 - 12:17 AM.
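
The RootRepeal report above carries four distinct indicator classes: the MBR flagged as hooked, sector mismatches on sectors 1 to 62 (on a disk laid out the classic XP way that is the unpartitioned gap between the MBR at sector 0 and the first partition at sector 63, a common place for a bootkit to keep its loader), a set of files and a driver that share a fixed six-letter stem plus a random tail and are invisible to the Windows API, and one of those DLLs mapped into nearly every process, the security tools included. The Python script below is an added example, not part of this thread and not a RootRepeal feature: it parses a report in the layout shown above, derives the naming stem from the hidden files, lists which processes carry the hidden module, and builds a filename regex for hunting the same family on other hosts. The embedded report is a constructed, abbreviated excerpt of the one posted, and the `[a-z]{8,10}` tail in the hunt pattern is an assumption read off these particular names.

```python
"""Triage a RootRepeal report: extract the rootkit indicators and the artifact naming pattern."""
import re

# Constructed, abbreviated excerpt in the layout RootRepeal 1.3.5.0 uses (sector and
# injected-process entries cut down; the real report lists sectors 1-62 and 17 processes).
SAMPLE_REPORT = """\
Hidden/Locked Files
-------------------
Path: Volume C:\\
Status: MBR Rootkit Detected!

Path: Volume C:\\, Sector 1
Status: Sector mismatch

Path: Volume C:\\, Sector 62
Status: Sector mismatch

Path: C:\\WINDOWS\\system32\\ytasfwbbowbuuq.dat
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\system32\\ytasfwdltavbuh.dll
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\system32\\ytasfwpwwajblt.dll
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\Temp\\ytasfwabdmdtqnrn.tmp
Status: Invisible to the Windows API!

Path: c:\\windows\\temp\\mcafee_zz7xhgbhljuddyk
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\\WINDOWS\\system32\\drivers\\ytasfwmpxfaimx.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: ytasfwpwwajblt.dll]
Process: services.exe (PID: 636) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: ytasfwpwwajblt.dll]
Process: lsass.exe (PID: 648) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: ytasfwdltavbuh.dll]
Process: svchost.exe (PID: 808) Address: 0x00680000 Size: 53248

Hidden Services
-------------------
Service Name: ytasfwmurujdqv
Image Path: C:\\WINDOWS\\system32\\drivers\\ytasfwmpxfaimx.sys
"""

PATH_RE = re.compile(r"^Path: (.+)$")
STATUS_RE = re.compile(r"^Status: (.+)$")
SECTOR_RE = re.compile(r"^Volume [A-Z]:\\, Sector (\d+)$")
MODULE_RE = re.compile(r"^Object: Hidden Module \[Name: (.+)\]$")
PROCESS_RE = re.compile(r"^Process: (\S+) \(PID: (\d+)\)")
SERVICE_RE = re.compile(r"^Service Name: (.+)$")
IMAGE_RE = re.compile(r"^Image Path: (.+)$")


def parse_report(text):
    """Pair each 'Path:'/'Object:'/'Service Name:' line with the line that follows it."""
    found = {"mbr_rootkit": False, "sectors": [], "hidden_files": [],
             "other_files": [], "modules": [], "services": []}
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if (m := PATH_RE.match(line)) and (s := STATUS_RE.match(nxt)):
            path, status = m.group(1), s.group(1)
            if status.startswith("MBR Rootkit"):
                found["mbr_rootkit"] = True
            elif (sec := SECTOR_RE.match(path)):
                found["sectors"].append(int(sec.group(1)))
            elif status.startswith("Invisible"):
                found["hidden_files"].append(path)
            else:  # e.g. the McAfee temp files: odd allocation, but not hidden
                found["other_files"].append((path, status))
        elif (m := MODULE_RE.match(line)) and (p := PROCESS_RE.match(nxt)):
            found["modules"].append((m.group(1), p.group(1), int(p.group(2))))
        elif (m := SERVICE_RE.match(line)) and (p := IMAGE_RE.match(nxt)):
            found["services"].append((m.group(1), p.group(1)))
    return found


def common_prefix(names):
    """Longest common prefix of the hidden file names: the family's fixed name stem."""
    prefix = names[0] if names else ""
    for name in names[1:]:
        while not name.startswith(prefix):
            prefix = prefix[:-1]
    return prefix


def triage(text):
    """Summarise the report and derive a hunt regex from the observed naming scheme."""
    rep = parse_report(text)
    basenames = [p.replace("\\", "/").rsplit("/", 1)[-1] for p in rep["hidden_files"]]
    stem = common_prefix(basenames)
    # Assumption: stem + 8-10 random lowercase letters + one of the extensions seen here.
    hunt = re.compile(rf"^{re.escape(stem)}[a-z]{{8,10}}\.(dat|dll|sys|tmp)$") if stem else None
    return {
        "mbr_rootkit": rep["mbr_rootkit"],
        "sector_mismatches": len(rep["sectors"]),
        "name_stem": stem,
        "hidden_files": basenames,
        "injected_processes": sorted({proc for _, proc, _ in rep["modules"]}),
        "hidden_services": rep["services"],
        "hunt_pattern": hunt,
    }
```

Point `triage()` at the full text of a saved RootRepeal.txt and the summary gives you the stem, the injected process list and a compiled pattern to feed into a file-system sweep of other machines; the McAfee temp entries land in `other_files` rather than being mistaken for rootkit artifacts, because the script keys on the "Invisible to the Windows API!" status rather than on the path alone.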


#9 m0le (Malware Response Team, London, UK)

Posted 06 September 2009 - 05:24 AM

Well, it's a rootkit but MBAM doesn't know it.

Please run Combofix as below.

Please download ComboFix from one of these locations:
  • IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks

#10 ksky10081 (Topic Starter)

Posted 06 September 2009 - 02:40 PM

m0le,

Ran combo fix and it did some cleaning.

ran combofix ==> installed ms recovery console ==> physically recorded files as instructed before reboot ==> rebooted to safe mode w/networking ==>
allowed Program PEV.cfxxe / Location C:\Combo-Fix\PEV.cfxxe access to the internet ==> waited for combofix to finish ==> it did ==> left with generic safe mode screen ==> opened task manager to do a restart ==> the end program screen opened ==> the program had a really long random name filling the title bar of the messagebox ==> waited ==> eventually used end now ==> 2nd restart ==> unable to access any safe mode option – stopped on the drivers screen ==> started up in normal mode ==> chkdsk was waiting and took forever to finish but was clean

normal mode ==> it took forever to start in normal mode ==> I ended up canceling Spybot S&D (it scanned 67 processes) to get the taskbar and desktop up ==> and then stopped a McAfee scan but re-enabled the safety protocols disabled for ComboFix ==> I did see one *.tmp file in the task manager and cancelled that right away ==> before ComboFix, that meant BSoD was next and the *.tmp files did not come alone. TeaTimer left to run.

I did notice some updates running and that contributed to the slow startup a little along with a security patch from ms.


*******************************ComboFix.txt

ComboFix 09-09-06.02 - John 09/06/2009 11:25.1.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.494.277 [GMT -6:00]
Running from: c:\documents and settings\John\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\bdcore.dll
c:\windows\Downloaded Program Files\libfn.dll
c:\windows\Installer\27578.msi
c:\windows\Installer\2b3c7.msi
c:\windows\Installer\2c48e.msi
c:\windows\Installer\2c491.msi
c:\windows\Installer\2c5f26.msp
c:\windows\Installer\2c5f27.msp
c:\windows\Installer\2c5f28.msp
c:\windows\Installer\2c5f29.msp
c:\windows\Installer\2c5f2a.msp
c:\windows\Installer\2c5f2b.msp
c:\windows\Installer\2c5f2c.msp
c:\windows\Installer\2c5f2d.msp
c:\windows\Installer\2c5f2e.msp
c:\windows\Installer\2cdb6.msi
c:\windows\Installer\2ecc7.msi
c:\windows\Installer\2ecca.msi
c:\windows\Installer\WMEncoder.msi
c:\windows\kb913800.exe
c:\windows\run.log
c:\windows\system32\drivers\ytasfwmpxfaimx.sys
c:\windows\system32\ytasfwbbowbuuq.dat
c:\windows\system32\ytasfwdltavbuh.dll
c:\windows\system32\ytasfwexlpnkgi.dat
c:\windows\system32\ytasfwpwwajblt.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ytasfwmurujdqv
-------\Legacy_ytasfwmurujdqv


((((((((((((((((((((((((( Files Created from 2009-08-06 to 2009-09-06 )))))))))))))))))))))))))))))))
.

2009-09-01 22:07 . 2009-09-01 22:07 61440 ----a-w- c:\windows\system32\drivers\zifbsxfg.sys
2009-08-20 16:23 . 2009-08-20 16:23 -------- d-----w- c:\program files\ESET
2009-08-18 20:34 . 2009-08-18 20:34 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-14 20:20 . 2009-08-14 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2009-08-12 22:47 . 2008-12-11 14:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-08-12 22:47 . 2009-04-03 16:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-12 22:47 . 2008-12-18 17:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-12 22:47 . 2009-08-13 19:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-12 22:47 . 2009-08-12 22:47 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-12 22:47 . 2008-12-10 17:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-12 22:47 . 2009-08-13 16:54 -------- d-----w- c:\program files\Spyware Doctor
2009-08-12 22:47 . 2009-08-12 22:47 -------- d-----w- c:\documents and settings\John\Application Data\PC Tools
2009-08-12 22:47 . 2009-08-12 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-12 22:40 . 2008-06-19 23:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-08-12 22:40 . 2009-08-12 22:40 -------- d-----w- c:\program files\Panda Security
2009-08-12 22:32 . 2009-08-13 19:15 -------- d-----w- c:\windows\BDOSCAN8
2009-08-12 22:30 . 2009-08-12 22:30 -------- dc----w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-12 02:46 . 2009-08-12 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-12 02:46 . 2009-08-12 02:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-11 21:39 . 2009-08-11 21:39 -------- d-----w- c:\documents and settings\John\Application Data\Malwarebytes
2009-08-11 21:39 . 2009-08-03 19:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-11 21:39 . 2009-08-11 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-11 21:39 . 2009-08-03 19:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-11 21:39 . 2009-09-06 04:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-11 00:02 . 2009-08-11 00:02 -------- d-----w- c:\program files\CCleaner
2009-08-10 19:06 . 2009-08-10 19:06 -------- d-----w- C:\35674927e03a0c0ef16c1207d3db
2009-08-10 18:57 . 2009-08-10 18:57 -------- dc----w- c:\documents and settings\All Users\Application Data\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}
2009-08-10 18:41 . 2009-08-10 18:41 -------- d-----w- C:\4d9a2e909611ced721a44f9af8b8
2009-08-10 18:41 . 2009-08-10 18:41 -------- d--h--r- C:\AHCache
2009-08-10 18:39 . 2009-08-10 19:03 -------- d-----w- C:\6a850817f9620bed60dae8
2009-08-10 18:07 . 2009-08-10 18:07 -------- d-----w- c:\documents and settings\John\Application Data\Uniblue
2009-08-08 17:39 . 2009-08-08 17:39 -------- d-----w- C:\481def3e6a792cfef6
2009-08-08 17:36 . 2009-08-08 17:36 -------- d-----w- C:\c65fbe81dae6fc2aeaacf997eca2fd
2009-08-08 16:10 . 2009-08-08 16:10 -------- d-----w- C:\3b2fab02a3892adca434ceff
2009-08-08 16:02 . 2009-08-08 16:02 -------- d-----w- C:\dc4f6abfa43aa758834f2cbbcc
2009-08-08 15:58 . 2009-08-08 15:58 -------- d-----w- C:\1c95ccf312f7bc6e56043c89dc
2009-08-07 21:11 . 2009-08-07 21:11 -------- d-----w- c:\program files\Windows Defender
2009-08-07 20:46 . 2009-08-07 20:46 -------- d-----w- C:\ed296b52c1e31cfa5b2f191a816e
2009-08-07 19:52 . 2009-08-07 19:52 -------- d-----w- c:\program files\Trend Micro
2009-08-07 18:57 . 2009-08-07 18:57 -------- d-----w- C:\47b2a0e3a548a7c2cace73e3224b8459

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-01 22:07 . 2009-09-01 22:07 200 ----a-w- c:\program files\Izchpk.txt
2009-08-13 16:44 . 2007-04-11 19:56 -------- d-----w- c:\program files\ComcastToolbar
2009-08-10 18:49 . 2005-08-17 02:58 -------- d-----w- c:\program files\RGB
2009-08-07 04:44 . 2006-11-20 04:33 -------- d-----w- c:\program files\WildTangent
2009-08-07 04:41 . 2008-07-16 05:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2009-08-07 04:11 . 2009-04-21 16:34 71896 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-31 14:40 . 2006-11-20 04:34 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-30 22:58 . 2009-07-30 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-06-26 16:50 . 2005-08-16 10:18 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2005-08-16 10:18 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-16 14:36 . 2005-08-16 10:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-16 10:18 81920 ----a-w- c:\windows\system32\fontsub.dll
2006-12-07 16:52 . 2006-11-30 16:46 88 -csh--r- c:\windows\system32\BF16B3C56B.sys
2006-12-07 16:53 . 2006-11-30 16:46 2516 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-24 86016]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2007-03-07 1773568]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-08-15 282624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"SpybotSnD"="c:\program files\Spybot - Search & Destroy\SpybotSD.exe" [2009-01-26 5365592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\C:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"GoogleDesktopManager"=3 (0x3)
"AOL ACS"=2 (0x2)
"NVSvc"=2 (0x2)
"QBFCService"=3 (0x3)
"QBCFMonitorService"=2 (0x2)
"UPS"=3 (0x3)
"SCardSvr"=3 (0x3)
"Fax"=2 (0x2)
"WZCSVC"=2 (0x2)
"KodakSvc"=2 (0x2)
"KodakCCS"=2 (0x2)
"getPlus® Helper"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/12/2009 4:47 PM 130936]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/12/2009 4:40 PM 28544]
S2 vryldssg;vryldssg;c:\windows\system32\drivers\zifbsxfg.sys [9/1/2009 4:07 PM 61440]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/12/2009 4:47 PM 348752]
S4 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [7/17/2008 5:21 PM 31592]
S4 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [10/30/2008 10:58 AM 28672]
.
Contents of the 'Scheduled Tasks' folder

2009-07-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-04-14 19:32]

2008-11-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-04-14 19:32]

2009-09-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\*.update
Trusted Zone: windowsupdate.com\download
Trusted Zone: yahoo.com
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-06 11:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-09-06 11:43
ComboFix-quarantined-files.txt 2009-09-06 17:43

Pre-Run: 1,880,465,408 bytes free
Post-Run: 1,949,065,216 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
228 --- E O F --- 2009-08-06 16:42


*******************************ComboFix.txt


Edited by ksky10081, 06 September 2009 - 03:24 PM.


#11 m0le (Malware Response Team, London, UK)

Posted 06 September 2009 - 03:40 PM

Thanks for the rundown ksky10081.

Combofix has done a great job but there's more to do there. Please try and run this in normal mode - Combofix works better there.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Driver::
vryldssg

File::
c:\windows\system32\drivers\zifbsxfg.sys


Save this as CFScript.txt, in the same location as ComboFix.exe


[screenshot]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks
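
What the helper picked out of the ComboFix log in the previous post is one service line, `S2 vryldssg;vryldssg;c:\windows\system32\drivers\zifbsxfg.sys`, where the service name, the display name and the driver file name are all random letters and none of them match, and the CFScript above is the Driver::/File:: form ComboFix accepts for removing it. The Python script below is an added example, not part of this thread and not ComboFix's own code: it scores each service line on those oddities, pivots on the created-files list to find anything dropped in the same minute as the flagged driver (the Find3M section of that log shows c:\program files\Izchpk.txt created at 2009-09-01 22:07, the same minute as zifbsxfg.sys, which is worth a look but is not by itself proof of anything), and emits the CFScript text for the flagged entries. The excerpts are constructed from the shapes of the lines in that log, and the vowel-ratio name test, the four-point score and the threshold of 3 are my own heuristics.

```python
"""Flag random-named drivers in a ComboFix log, pivot on creation time, and write the CFScript."""
import re

# Constructed excerpts in the line shapes ComboFix uses (copied from the log above, with
# only the entries needed to show the logic). In that log the created-files times run six
# hours ahead of the bracketed service times, matching the GMT -6 header, so the pivot
# below keys on the created-files list alone and never compares the two clocks.
SERVICE_LINES = """\
R0 PCTCore;PCTools KDS;c:\\windows\\system32\\drivers\\PCTCore.sys [8/12/2009 4:47 PM 130936]
R2 WinDefend;Windows Defender;c:\\program files\\Windows Defender\\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S0 pavboot;pavboot;c:\\windows\\system32\\drivers\\pavboot.sys [8/12/2009 4:40 PM 28544]
S2 vryldssg;vryldssg;c:\\windows\\system32\\drivers\\zifbsxfg.sys [9/1/2009 4:07 PM 61440]
S3 sdAuxService;PC Tools Auxiliary Service;c:\\program files\\Spyware Doctor\\pctsAuxs.exe [8/12/2009 4:47 PM 348752]
S4 KodakSvc;Kodak AiO Device Service;c:\\program files\\Kodak\\Printer\\Center\\KodakSvc.exe [10/30/2008 10:58 AM 28672]
"""
CREATED_LINES = """\
2009-09-01 22:07 . 2009-09-01 22:07 61440 ----a-w- c:\\windows\\system32\\drivers\\zifbsxfg.sys
2009-08-20 16:23 . 2009-08-20 16:23 -------- d-----w- c:\\program files\\ESET
2009-09-01 22:07 . 2009-09-01 22:07 200 ----a-w- c:\\program files\\Izchpk.txt
2009-08-11 21:39 . 2009-08-03 19:36 19096 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
"""

SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(.+?) (\d+)\]$")
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+|-+)\s+(\S+)\s+(.+)$")
VOWELS = set("aeiou")


def looks_random(name):
    """Crude name test: lowercase letters only, 7+ long, at most a quarter vowels.
    It trips on some real drivers (PC Tools' pctgntdi.sys), so it only feeds a combined score."""
    stem = name.split(".")[0]
    if len(stem) < 7 or not stem.isalpha() or not stem.islower():
        return False
    return sum(c in VOWELS for c in stem) / len(stem) <= 0.25


def parse_services(text):
    """Service lines: start type, service name, display name, image path, stamp, size."""
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            start, name, display, path, stamp, size = m.groups()
            out.append({"start": start, "name": name, "display": display,
                        "path": path, "stamp": stamp, "size": int(size)})
    return out


def parse_created(text):
    """'Files Created' / Find3M lines: keep the creation stamp and the path."""
    return [{"created": m.group(1), "path": m.group(5)}
            for m in map(CREATED_RE.match, text.splitlines()) if m]


def score_service(svc):
    """Count independent oddities; the log's vryldssg entry hits all four, pavboot hits one."""
    image = svc["path"].rsplit("\\", 1)[-1]
    reasons = []
    if looks_random(svc["name"]):
        reasons.append("random-looking service name")
    if looks_random(image):
        reasons.append("random-looking image name")
    if svc["display"] == svc["name"]:
        reasons.append("display name is just the service name")
    if image.lower().endswith(".sys") and image.split(".")[0].lower() != svc["name"].lower():
        reasons.append("driver file name differs from service name")
    return len(reasons), reasons


def same_minute_neighbours(created, path):
    """Other entries created in the same minute as `path`: candidates for a dropper's siblings."""
    stamp = next((e["created"] for e in created if e["path"].lower() == path.lower()), None)
    return [e["path"] for e in created
            if stamp and e["created"] == stamp and e["path"].lower() != path.lower()]


def build_cfscript(flagged):
    """The Driver:: / File:: blocks in the form the helper's CFScript above uses."""
    drivers = "\n".join(s["name"] for s in flagged)
    files = "\n".join(s["path"] for s in flagged)
    return f"Driver::\n{drivers}\n\nFile::\n{files}\n"


def triage(service_text, created_text, threshold=3):
    """Return the flagged services (with reasons and same-minute neighbours) and the CFScript."""
    created = parse_created(created_text)
    flagged = []
    for svc in parse_services(service_text):
        score, reasons = score_service(svc)
        if score >= threshold:
            flagged.append({**svc, "score": score, "reasons": reasons,
                            "created_with": same_minute_neighbours(created, svc["path"])})
    return flagged, build_cfscript(flagged)
```

The returned string is what would be saved as CFScript.txt, but the flagged list is meant to be read by a person first: the name test alone is only a pre-filter (it also fires on pctgntdi.sys, a PC Tools driver listed in the same log), and it is the agreement of several signals, plus the same-minute pivot, that makes an entry worth removing.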

#12 ksky10081 (Topic Starter)

Posted 06 September 2009 - 04:23 PM

m0le,

Ran ComboFix as instructed ==> allowed Program PEV.cfxxe / Location C:\Combo-Fix\PEV.cfxxe access to the internet ==> waited for ComboFix to finish ==> no restart since last indicated ==> re-enabled McAfee safety protocols disabled for ComboFix ==> all of Spybot S&D (TeaTimer) remains closed.





****************************ComboFix.txt

ComboFix 09-09-06.02 - John 09/06/2009 15:30.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.494.214 [GMT -6:00]
Running from: c:\documents and settings\John\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\John\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FILE ::
"c:\windows\system32\drivers\zifbsxfg.sys"
.

((((((((((((((((((((((((( Files Created from 2009-08-06 to 2009-09-06 )))))))))))))))))))))))))))))))
.

2009-08-20 16:23 . 2009-08-20 16:23 -------- d-----w- c:\program files\ESET
2009-08-18 20:34 . 2009-08-18 20:34 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-14 20:20 . 2009-08-14 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2009-08-12 22:47 . 2008-12-11 14:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-08-12 22:47 . 2009-04-03 16:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-12 22:47 . 2008-12-18 17:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-12 22:47 . 2009-08-13 19:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-12 22:47 . 2009-08-12 22:47 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-12 22:47 . 2008-12-10 17:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-12 22:47 . 2009-08-13 16:54 -------- d-----w- c:\program files\Spyware Doctor
2009-08-12 22:47 . 2009-08-12 22:47 -------- d-----w- c:\documents and settings\John\Application Data\PC Tools
2009-08-12 22:47 . 2009-08-12 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-12 22:40 . 2008-06-19 23:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-08-12 22:40 . 2009-08-12 22:40 -------- d-----w- c:\program files\Panda Security
2009-08-12 22:32 . 2009-08-13 19:15 -------- d-----w- c:\windows\BDOSCAN8
2009-08-12 22:30 . 2009-08-12 22:30 -------- dc----w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-12 02:46 . 2009-08-12 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-12 02:46 . 2009-08-12 02:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-11 21:39 . 2009-08-11 21:39 -------- d-----w- c:\documents and settings\John\Application Data\Malwarebytes
2009-08-11 21:39 . 2009-08-03 19:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-11 21:39 . 2009-08-11 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-11 21:39 . 2009-08-03 19:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-11 21:39 . 2009-09-06 04:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-11 00:02 . 2009-08-11 00:02 -------- d-----w- c:\program files\CCleaner
2009-08-10 19:06 . 2009-08-10 19:06 -------- d-----w- C:\35674927e03a0c0ef16c1207d3db
2009-08-10 18:57 . 2009-08-10 18:57 -------- dc----w- c:\documents and settings\All Users\Application Data\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}
2009-08-10 18:41 . 2009-08-10 18:41 -------- d-----w- C:\4d9a2e909611ced721a44f9af8b8
2009-08-10 18:41 . 2009-08-10 18:41 -------- d--h--r- C:\AHCache
2009-08-10 18:39 . 2009-08-10 19:03 -------- d-----w- C:\6a850817f9620bed60dae8
2009-08-10 18:07 . 2009-08-10 18:07 -------- d-----w- c:\documents and settings\John\Application Data\Uniblue
2009-08-08 17:39 . 2009-08-08 17:39 -------- d-----w- C:\481def3e6a792cfef6
2009-08-08 17:36 . 2009-08-08 17:36 -------- d-----w- C:\c65fbe81dae6fc2aeaacf997eca2fd
2009-08-08 16:10 . 2009-08-08 16:10 -------- d-----w- C:\3b2fab02a3892adca434ceff
2009-08-08 16:02 . 2009-08-08 16:02 -------- d-----w- C:\dc4f6abfa43aa758834f2cbbcc
2009-08-08 15:58 . 2009-08-08 15:58 -------- d-----w- C:\1c95ccf312f7bc6e56043c89dc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-13 16:44 . 2007-04-11 19:56 -------- d-----w- c:\program files\ComcastToolbar
2009-08-10 18:49 . 2005-08-17 02:58 -------- d-----w- c:\program files\RGB
2009-08-07 21:11 . 2009-08-07 21:11 -------- d-----w- c:\program files\Windows Defender
2009-08-07 19:52 . 2009-08-07 19:52 -------- d-----w- c:\program files\Trend Micro
2009-08-07 04:44 . 2006-11-20 04:33 -------- d-----w- c:\program files\WildTangent
2009-08-07 04:41 . 2008-07-16 05:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2009-08-07 04:11 . 2009-04-21 16:34 71896 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-31 14:40 . 2006-11-20 04:34 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-30 22:58 . 2009-07-30 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-06-26 16:50 . 2005-08-16 10:18 666624 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2005-08-16 10:18 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-16 14:36 . 2005-08-16 10:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-16 10:18 81920 ----a-w- c:\windows\system32\fontsub.dll
2006-12-07 16:52 . 2006-11-30 16:46 88 -csh--r- c:\windows\system32\BF16B3C56B.sys
2006-12-07 16:53 . 2006-11-30 16:46 2516 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-09-06_17.40.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-11-28 05:45 . 2009-09-06 19:27 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-28 05:45 . 2009-09-06 16:58 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-28 05:45 . 2009-09-06 19:27 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-11-28 05:45 . 2009-09-06 16:58 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-11-28 05:45 . 2009-09-06 19:27 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-11-28 05:45 . 2009-09-06 16:58 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-24 86016]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2007-03-07 1773568]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-08-15 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"GoogleDesktopManager"=3 (0x3)
"AOL ACS"=2 (0x2)
"NVSvc"=2 (0x2)
"QBFCService"=3 (0x3)
"QBCFMonitorService"=2 (0x2)
"UPS"=3 (0x3)
"SCardSvr"=3 (0x3)
"Fax"=2 (0x2)
"WZCSVC"=2 (0x2)
"KodakSvc"=2 (0x2)
"KodakCCS"=2 (0x2)
"getPlus® Helper"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/12/2009 4:40 PM 28544]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/12/2009 4:47 PM 130936]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/12/2009 4:47 PM 348752]
S4 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [7/17/2008 5:21 PM 31592]
S4 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [10/30/2008 10:58 AM 28672]
.
Contents of the 'Scheduled Tasks' folder

2009-07-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-04-14 19:32]

2008-11-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-04-14 19:32]

2009-09-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\*.update
Trusted Zone: windowsupdate.com\download
Trusted Zone: yahoo.com
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-06 15:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(308)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-06 15:45
ComboFix-quarantined-files.txt 2009-09-06 21:45
ComboFix2.txt 2009-09-06 17:43

Pre-Run: 1,997,905,920 bytes free
Post-Run: 1,961,979,904 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
194 --- E O F --- 2009-08-06 16:42


****************************ComboFix.txt

Edited by ksky10081, 06 September 2009 - 05:06 PM.


#13 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:33 AM

Posted 06 September 2009 - 05:18 PM

That's looking much better. :thumbup2:

We will run MBAM now (your copy is fine to use). Make sure you run it in normal mode and with a Full Scan set. Post the log.

Let me know what symptoms remain as well.
m0le is a proud member of UNITE

#14 ksky10081

  • Topic Starter

  • Members
  • 63 posts
  • Location:A little blue sphere.
  • Local time:04:33 AM

Posted 06 September 2009 - 05:27 PM

running mbam now as mbam.bat - leaving mcafee protocols on

Mbam took a long time to run, nearly 2 1/2 times longer.

When two hours had almost elapsed, Mbam closed my web browser and soon encountered six infected objects; McAfee followed with pop-ups afterwards identifying them as trojans. McAfee has five objects in quarantine, including Combofix as another trojan.

Used Mbam to remove all selected.

*****************************mbam

Malwarebytes' Anti-Malware 1.40
Database version: 2749
Windows 5.1.2600 Service Pack 3

9/6/2009 7:54:12 PM
mbam-log-2009-09-06 (19-54-04).txt

Scan type: Full Scan (C:\|)
Objects scanned: 230733
Time elapsed: 2 hour(s), 27 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\ytasfwdltavbuh.dll.vir (Trojan.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ytasfwpwwajblt.dll.vir (Trojan.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ytasfwmpxfaimx.sys.vir (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0000001.sys (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0000002.dll (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0000003.dll (Trojan.TDSS) -> No action taken.

*****************************mbam

Edited by ksky10081, 06 September 2009 - 09:31 PM.
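A check worth making on a log like the one above, as an added example written for this page (it is not part of the original thread and not Malwarebytes' own tooling): all six hits sit either under C:\Qoobox\Quarantine, which is where ComboFix moves what it removes (appending .vir), or inside a System Restore point, so they are copies of files that were already taken off the system rather than active infections. The script below parses the "Files Infected:" block of an MBAM 1.40 log, sorts each entry by where the file lives, and recovers the file-name prefix the three quarantined files share ("ytasfw"). The sample input is the six lines from the post plus one constructed seventh line (the .sys driver placed back under system32\drivers) so that the "live" case is exercised; that seventh line is made up and does not appear in the posted log.

```python
import ntpath
import os
import re
from dataclasses import dataclass
from typing import Dict, List

# One detection line as MBAM 1.40 prints it:  <path> (<family>) -> <action>.
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Constructed sample input: the six lines from the posted log plus one
# made-up "live" line (the .sys driver in its original location) so that
# every category below is exercised. The seventh line is NOT in the post.
SAMPLE_LOG = r"""
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\ytasfwdltavbuh.dll.vir (Trojan.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ytasfwpwwajblt.dll.vir (Trojan.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ytasfwmpxfaimx.sys.vir (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0000001.sys (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0000002.dll (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0000003.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\drivers\ytasfwmpxfaimx.sys (Trojan.TDSS) -> No action taken.
"""


@dataclass
class Detection:
    path: str
    family: str
    action: str
    location: str  # "combofix-quarantine", "restore-point" or "live"


def classify_path(path: str) -> str:
    r"""Where the detected file lives decides how much it matters.

    ComboFix moves what it removes into C:\Qoobox\Quarantine and appends
    .vir; System Restore keeps copies under _restore{...}\RPn. Neither is
    loaded by the running system, so only "live" paths still need action.
    """
    p = path.lower()
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "combofix-quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore-point"
    return "live"


def parse_files_infected(log_text: str) -> List[Detection]:
    """Return the entries listed under the 'Files Infected:' section."""
    found: List[Detection] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith(":"):            # any section header
            in_section = (line == "Files Infected:")
            continue
        if not in_section or not line or line.startswith("("):
            continue                      # blank or "(No malicious items detected)"
        m = ENTRY_RE.match(line)
        if m is None:
            continue                      # not a detection line
        found.append(Detection(m["path"], m["family"], m["action"],
                               classify_path(m["path"])))
    return found


def count_by_location(dets: List[Detection]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for d in dets:
        counts[d.location] = counts.get(d.location, 0) + 1
    return counts


def live_paths(dets: List[Detection]) -> List[str]:
    """Only these are active files that still need to be dealt with."""
    return [d.path for d in dets if d.location == "live"]


def shared_name_prefix(dets: List[Detection]) -> str:
    """Longest common prefix of the original file names; restore-point
    copies are excluded because System Restore renames them A000000N.*"""
    names = []
    for d in dets:
        if d.location == "restore-point":
            continue
        name = ntpath.basename(d.path).lower()
        if name.endswith(".vir"):         # ComboFix quarantine suffix
            name = name[:-4]
        names.append(name)
    return os.path.commonprefix(names)


if __name__ == "__main__":
    dets = parse_files_infected(SAMPLE_LOG)
    print(count_by_location(dets))
    print("still live:", live_paths(dets))
    print("shared prefix:", shared_name_prefix(dets))
```

To run it on a real log, read the file into the string passed to parse_files_infected. Anything reported as "live" is what still needs attention; the quarantine and restore-point hits go away once ComboFix's quarantine folder and the old restore points are purged at the end of the cleanup. The recovered prefix is a useful string to search the file system and registry for, since the three quarantined files in the post share it.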


#15 ksky10081

  • Topic Starter

  • Members
  • 63 posts
  • Location:A little blue sphere.
  • Local time:04:33 AM

Posted 06 September 2009 - 10:05 PM

Mbam removed four of six objects before restarting. On logging in I received a message box indicating the path .../mbam.exe was not found.

Still in quarantine:
C:\Qoobox\Quarantine\C\WINDOWS\system32\ytasfwpwwajblt.dll.vir (Trojan.TDSS)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0000003.dll (Trojan.TDSS)

I did see this in the Task Manager and ended the process - I am not sure if this is the same item I saw previously:
is-13TRC.tmp

I tried to find this with google and there were no exact hits but the redirects are gone.

I did see the desktop within three minutes and ms updates are now showing up.

I am restoring mbam.bat to mbam.exe and am going to try to clear out the items that are quarantined.

There are no quarantined items remaining in Mbam and no restart was required.

McAfee still shows the five quarantined items (left alone). I will restore Combofix when it is no longer needed so I can uninstall it. What steps are needed to restore the functionality Combofix removed, including running in safe mode, when we finish?

C:\WINDOWS\system32\d3d9caps.dat is also on my system and I wondered if there was any insight you could provide/can I remove it?

Thank you!

J



Edited by ksky10081, 06 September 2009 - 11:41 PM.




