
infected with Generic Rootkit.d!rootkit



#1 Steve_SW

Posted 31 August 2009 - 03:21 AM

Currently running XP Media Edition with Service Pack 3. Using McAfee Security Centre. McAfee identifies Trojan Generic Rootkit.d!Rootkit, filename NTOSKRNL-HOOK, and claims to have removed it, but if I rescan the same Trojan is found. The effect at the moment is that when I use Google to search for information and click on a suggested website, it redirects elsewhere.

See DDS log below and files attached:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Steve at 8:36:45.14 on 31/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.417 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\DOCUME~1\Steve\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\PuXpMan.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Steve\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
mWinlogon: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
BHO: Ask Search Assistant BHO: {0579b4b1-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - No File
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {3EC8255F-E043-4cae-8B3B-B191550C2A22} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Ask Toolbar BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DelayShred] c:\progra~1\mcafee\mshr\shrcl.exe /p7 /q c:\docume~1\steve\locals~1\temp\CLCLEA~3.SH!
uRunOnce: [Shockwave Updater] "c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE" -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB5; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)" -"http://www.miniclip.com/games/table-tennis-tournament/en/"
mRun: [ehTray] "c:\windows\ehome\ehtray.exe"
mRun: [SigmatelSysTrayApp] "c:\windows\stsystra.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\iaanotif.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [MBMon] "c:\windows\system32\rundll32.exe" CTMBHA.DLL,MBMon
mRun: [UpdReg] "c:\windows\UpdReg.EXE"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] "c:\windows\system32\dla\DLACTRLW.EXE"
mRun: [mspwr] "c:\windows\system32\PuXpMan.exe"
mRun: [PwrUpTweakMe] "c:\windows\system32\PuXpTwks.exe" /TWEAK
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Ad-Watch] "c:\program files\lavasoft\ad-aware\AAWTray.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRunOnce: [symPCCheckup] "c:\windows\system32\adobe\shockwave 11\symcheckupstub.exe" /reboot
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\steve\startm~1\programs\startup\seagat~1.lnk - c:\documents and settings\steve\application data\leadertech\powerregister\Seagate 2GEWDKTE Product Registration.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\windows\system32\mclsp.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5721/mcfscan.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steve\applic~1\mozilla\firefox\profiles\q4qr1euu.default\
FF - prefs.js: browser.search.selectedEngine - GoogIe
FF - prefs.js: keyword.URL - hxxp://www.tryff.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=YEApa99w&q=
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - GoogIe
FF - user.js: keyword.URL - hxxp://www.tryff.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=YEApa99w&q=

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-1 64160]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-8-9 29808]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-3-30 214024]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-3-27 165160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-3-30 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-3-30 144704]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2008-8-9 3585384]
R3 avera800;AVerMedia DVB-T BDA Video Capture(A800);c:\windows\system32\drivers\avera800.sys [2006-3-8 41600]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-3-30 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-3-30 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-3-30 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-3-30 40552]
S2 a2free;a-squared Free Service;"c:\docume~1\steve\locals~1\temp\rarsfx0\a2service.exe" --> c:\docume~1\steve\locals~1\temp\rarsfx0\a2service.exe [?]
S2 gupdate1c9d15bc777722c;Google Update Service (gupdate1c9d15bc777722c);c:\program files\google\update\GoogleUpdate.exe [2009-5-10 133104]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-4-2 13224]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-3-30 34248]
S3 se44bus;Sony Ericsson Device 068 driver (WDM);c:\windows\system32\drivers\se44bus.sys [2008-8-8 61536]
S3 se44mdfl;Sony Ericsson Device 068 USB WMC Modem Filter;c:\windows\system32\drivers\se44mdfl.sys [2008-8-29 9360]
S3 se44mdm;Sony Ericsson Device 068 USB WMC Modem Driver;c:\windows\system32\drivers\se44mdm.sys [2008-8-29 97088]
S3 se44mgmt;Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\se44mgmt.sys [2008-8-8 88624]
S3 se44obex;Sony Ericsson Device 068 USB WMC OBEX Interface;c:\windows\system32\drivers\se44obex.sys [2008-8-8 86432]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2009-7-20 90352]

=============== Created Last 30 ================

2009-08-30 22:28 <DIR> --d----- c:\program files\Seagate
2009-08-30 22:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Seagate
2009-08-26 22:37 <DIR> --d----- c:\windows\McAfee.com
2009-08-26 22:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix
2009-08-26 22:10 61,224 a------- c:\documents and settings\steve\GoToAssistDownloadHelper.exe
2009-08-23 21:26 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-23 21:25 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-08-05 10:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-26 20:40 0 a------- c:\program files\F5U002 USB to Printer Adapter
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-19 18:48 11,067,392 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 14:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 20:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-16 12:32 120,136 a------- c:\windows\system32\drivers\Mpfp.sys
2009-07-14 15:59 25,512 a------- c:\windows\system32\drivers\ggsemc.sys
2009-07-14 15:59 13,224 a------- c:\windows\system32\drivers\ggflt.sys
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 20:42 6,615 a------- c:\windows\system32\uacinit.dll
2009-07-08 13:44 214,024 a------- c:\windows\system32\drivers\mfehidk.sys
2009-07-08 13:44 79,816 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-07-08 13:44 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-07-08 13:44 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-07-08 13:43 34,248 a------- c:\windows\system32\drivers\mferkdk.sys
2009-07-03 18:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 18:09 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 18:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 18:09 1,208,832 a------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 18:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 18:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 18:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 18:09 1,985,536 a------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 18:09 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 18:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 18:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 18:09 386,048 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 12:01 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-20 13:34 74,240 a------- c:\program files\l
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 15:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 15:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 13:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 13:31 80,896 -------- c:\windows\system32\dllcache\tlntsess.exe
2009-06-12 13:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 13:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 15:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 15:13 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:19 2,066,432 -------- c:\windows\system32\dllcache\mstscax.dll
2009-06-10 07:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-10 07:14 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2009-06-03 20:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 20:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2008-04-12 18:42 5,840,696 a------- c:\program files\Firefox Setup 2.0.0.13.exe
2007-06-03 16:41 32 a----r-- c:\documents and settings\all users\hash.dat
2006-07-23 17:28 284 a------- c:\docume~1\steve\applic~1\ViewerApp.dat
2007-12-19 19:35 104 ---shr-- c:\windows\system32\6A19B34ED5.sys
2007-12-19 19:35 5,852 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-05-09 13:36 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009050920090510\index.dat

============= FINISH: 8:39:06.63 ===============

#2 DocSatan

Posted 15 September 2009 - 10:35 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 Steve_SW

Posted 16 September 2009 - 07:52 AM

Hi, thanks for getting back to me; yes, I do still need your help.
The DDS log follows and the Attach file is attached as requested.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Steve at 13:40:53.33 on 16/09/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.314 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\PuXpMan.exe
C:\DOCUME~1\Steve\LOCALS~1\Temp\clclean.0001
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Steve\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
mWinlogon: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
BHO: Ask Search Assistant BHO: {0579b4b1-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - No File
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {3EC8255F-E043-4cae-8B3B-B191550C2A22} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Ask Toolbar BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRunOnce: [Shockwave Updater] "c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE" -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB5; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)" -"http://www.miniclip.com/games/table-tennis-tournament/en/"
mRun: [ehTray] "c:\windows\ehome\ehtray.exe"
mRun: [SigmatelSysTrayApp] "c:\windows\stsystra.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\iaanotif.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [MBMon] "c:\windows\system32\rundll32.exe" CTMBHA.DLL,MBMon
mRun: [UpdReg] "c:\windows\UpdReg.EXE"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] "c:\windows\system32\dla\DLACTRLW.EXE"
mRun: [mspwr] "c:\windows\system32\PuXpMan.exe"
mRun: [PwrUpTweakMe] "c:\windows\system32\PuXpTwks.exe" /TWEAK
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Ad-Watch] "c:\program files\lavasoft\ad-aware\AAWTray.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRunOnce: [symPCCheckup] "c:\windows\system32\adobe\shockwave 11\symcheckupstub.exe" /reboot
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\windows\system32\mclsp.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5721/mcfscan.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steve\applic~1\mozilla\firefox\profiles\q4qr1euu.default\
FF - prefs.js: browser.search.selectedEngine - GoogIe
FF - prefs.js: keyword.URL - hxxp://www.tryff.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=YEApa99w&q=
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - GoogIe
FF - user.js: keyword.URL - hxxp://www.tryff.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=YEApa99w&q=

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-1 64160]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-8-9 29808]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-3-30 214024]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-3-27 165160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-3-30 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-3-30 144704]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2008-8-9 3585384]
R3 avera800;AVerMedia DVB-T BDA Video Capture(A800);c:\windows\system32\drivers\avera800.sys [2006-3-8 41600]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-3-30 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-3-30 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-3-30 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-3-30 34248]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-3-30 40552]
S2 a2free;a-squared Free Service;"c:\docume~1\steve\locals~1\temp\rarsfx0\a2service.exe" --> c:\docume~1\steve\locals~1\temp\rarsfx0\a2service.exe [?]
S2 gupdate1c9d15bc777722c;Google Update Service (gupdate1c9d15bc777722c);c:\program files\google\update\GoogleUpdate.exe [2009-5-10 133104]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-4-2 13224]
S3 se44bus;Sony Ericsson Device 068 driver (WDM);c:\windows\system32\drivers\se44bus.sys [2008-8-8 61536]
S3 se44mdfl;Sony Ericsson Device 068 USB WMC Modem Filter;c:\windows\system32\drivers\se44mdfl.sys [2008-8-29 9360]
S3 se44mdm;Sony Ericsson Device 068 USB WMC Modem Driver;c:\windows\system32\drivers\se44mdm.sys [2008-8-29 97088]
S3 se44mgmt;Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\se44mgmt.sys [2008-8-8 88624]
S3 se44obex;Sony Ericsson Device 068 USB WMC OBEX Interface;c:\windows\system32\drivers\se44obex.sys [2008-8-8 86432]

=============== Created Last 30 ================

2009-09-09 18:41 19,968 a------- c:\windows\system32\kbiwkmrfqxjcbv.dll
2009-09-09 18:33 153,088 -------- c:\windows\system32\dllcache\triedit.dll
2009-09-01 19:07 54,156 a---h--- c:\windows\QTFont.qfn
2009-09-01 19:07 1,409 a------- c:\windows\QTFont.for
2009-08-30 22:28 <DIR> --d----- c:\program files\Seagate
2009-08-30 22:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Seagate
2009-08-26 22:37 <DIR> --d----- c:\windows\McAfee.com
2009-08-26 22:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix
2009-08-26 22:10 61,224 a------- c:\documents and settings\steve\GoToAssistDownloadHelper.exe
2009-08-25 19:31 68 a------- c:\windows\system32\kbiwkmyixpspvg.dat
2009-08-25 19:21 20,480 a------- c:\windows\system32\kbiwkmxqmyrdsr.dll
2009-08-25 19:21 44,087 a------- c:\windows\system32\kbiwkmptqgwkxe.dat
2009-08-25 19:21 70,656 a------- c:\windows\system32\drivers\kbiwkmeotqdwoi.sys
2009-08-25 19:21 44,032 a------- c:\windows\system32\kbiwkmynayxmay.dll
2009-08-23 21:26 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-23 21:25 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll

==================== Find3M ====================

2009-08-26 20:40 0 a------- c:\program files\F5U002 USB to Printer Adapter
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 10:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 18:48 11,067,392 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 14:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 20:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 20:42 6,615 a------- c:\windows\system32\uacinit.dll
2009-07-03 18:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 18:09 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 18:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 18:09 1,208,832 a------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 18:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 18:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 18:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 18:09 1,985,536 a------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 18:09 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 18:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 18:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 18:09 386,048 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 12:01 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-22 07:44 726,528 a------- c:\windows\system32\dllcache\jscript.dll
2008-04-12 18:42 5,840,696 a------- c:\program files\Firefox Setup 2.0.0.13.exe
2007-06-03 16:41 32 a----r-- c:\documents and settings\all users\hash.dat
2006-07-23 17:28 284 a------- c:\docume~1\steve\applic~1\ViewerApp.dat
2007-12-19 19:35 104 ---shr-- c:\windows\system32\6A19B34ED5.sys
2007-12-19 19:35 5,852 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-05-09 13:36 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009050920090510\index.dat

============= FINISH: 13:42:45.69 ===============
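
An added example, not part of the original post or of the DDS tool: the six kbiwkm* entries in the "Created Last 30" list above share a random-looking six-letter prefix, were dropped within the same minute, and mix .dll, .dat and .sys under system32. The script below parses DDS-style file lines and groups long, all-lowercase file names under system32 by prefix, so the cluster stands out without a signature. The sample lines are copied from the log above; the prefix length, the minimum cluster size and the "12 or more lowercase letters" test are assumptions chosen for this demonstration, not anything DDS itself does.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of "Created Last 30" lines copied from the DDS log
# above, mixed with ordinary Windows Update files so the grouping has noise to ignore.
DDS_CREATED_LINES = r"""
2009-09-09 18:41 19,968 a------- c:\windows\system32\kbiwkmrfqxjcbv.dll
2009-09-09 18:33 153,088 -------- c:\windows\system32\dllcache\triedit.dll
2009-09-01 19:07 54,156 a---h--- c:\windows\QTFont.qfn
2009-08-30 22:28 <DIR> --d----- c:\program files\Seagate
2009-08-25 19:31 68 a------- c:\windows\system32\kbiwkmyixpspvg.dat
2009-08-25 19:21 20,480 a------- c:\windows\system32\kbiwkmxqmyrdsr.dll
2009-08-25 19:21 44,087 a------- c:\windows\system32\kbiwkmptqgwkxe.dat
2009-08-25 19:21 70,656 a------- c:\windows\system32\drivers\kbiwkmeotqdwoi.sys
2009-08-25 19:21 44,032 a------- c:\windows\system32\kbiwkmynayxmay.dll
2009-08-23 21:26 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
"""

# DDS file line: "<date> <time> <size or <DIR>> <8 attribute flags> <path>"
DDS_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+|<DIR>)\s+(\S{8})\s+(.+?)\s*$"
)
# Heuristic (assumption for this example): a stem of 12+ lowercase letters with no
# digits or separators is "random-looking"; legitimate system files rarely look like that.
RANDOM_STEM = re.compile(r"^[a-z]{12,}$")


def parse_dds_entries(text):
    """Return (timestamp, size, attrs, lowercased path) per file line; directories are skipped."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m or m.group(2) == "<DIR>":
            continue
        size = int(m.group(2).replace(",", ""))
        entries.append((m.group(1), size, m.group(3), m.group(4).lower()))
    return entries


def find_random_name_clusters(text, prefix_len=6, min_files=2):
    """Group random-looking system32 file names by their first prefix_len letters.

    Only clusters of at least min_files entries that include a .sys or .dll are
    returned; dllcache is skipped because it holds copies of legitimate updates.
    """
    groups = defaultdict(list)
    for _ts, _size, _attrs, path in parse_dds_entries(text):
        if "\\system32\\" not in path or "\\dllcache\\" in path:
            continue
        name = path.rsplit("\\", 1)[-1]
        stem, dot, _ext = name.rpartition(".")
        if not dot or not RANDOM_STEM.match(stem):
            continue
        groups[stem[:prefix_len]].append(path)
    return {
        prefix: sorted(paths)
        for prefix, paths in groups.items()
        if len(paths) >= min_files and any(p.endswith((".sys", ".dll")) for p in paths)
    }


if __name__ == "__main__":
    for prefix, paths in find_random_name_clusters(DDS_CREATED_LINES).items():
        print(f"prefix {prefix!r}: {len(paths)} files")
        for p in paths:
            print("   ", p)
```

On the lines above this returns a single cluster, "kbiwkm", holding all six files. The same prefix reappears later in the thread as the hidden service name reported by GMER and ComboFix, which is the usual way to tie a dropped-file set to its driver.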

#4 syler (Malware Response Team, 8,150 posts, Warrington, UK)

Posted 17 September 2009 - 12:17 AM

Hello Steve_SW,

My name is Syler and I will be helping you to solve your Malware issues.

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Next
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following:
  • MBAM report
  • log.txt
  • info.txt
Thanks

#5 Steve_SW (Topic Starter, Members, 10 posts)

Posted 17 September 2009 - 03:08 PM

Attached files: log.txt (40.62KB) and info.txt (32.88KB)
Hi Syler,

Thanks for your help.

The MBAM report follows and I have attached the log.txt and info.txt file. Please let me know if you wanted these files copied and pasted instead.

Malwarebytes' Anti-Malware 1.41
Database version: 2816
Windows 5.1.2600 Service Pack 3

17/09/2009 17:36:41
mbam-log-2009-09-17 (17-36-41).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 223141
Time elapsed: 32 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 13
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\kbiwkmrfqxjcbv.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{f0d4b230-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0d4b23a-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0d4b23c-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b15fd82e-85bc-430d-90cb-65db1b030510} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe tapi.nfo beforeglav) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\kbiwkmrfqxjcbv.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbiwkmrfqxjcbv.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbiwkmxqmyrdsr.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbiwkmynayxmay.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\kbiwkmeotqdwoi.sys (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\kbiwkmnhxspegoii.tmp (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmptqgwkxe.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbiwkmyixpspvg.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UAClkxrtdccsfvrjomlt.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
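
An added example, not part of the original post or of Malwarebytes: the report above mixes four kinds of detections, and two details matter for follow-up. Items marked "Delete on reboot" could not be removed while in use and were only scheduled for the next restart, so they need re-checking afterwards; and the Hijack.Shell line shows the Winlogon Shell value padded with extra tokens after Explorer.exe. The parser below pulls both out of an MBAM log. The sample is a trimmed copy of the report above; the field layout it assumes ("<item> (<family>) -> [Bad: (...) Good: (...) ->] <action>.") is taken from those lines, not from any Malwarebytes documentation.

```python
import re
from collections import Counter

# Constructed sample: a subset of the MBAM report above, one or two lines per section.
MBAM_SAMPLE = r"""
Memory Modules Infected:
\\?\globalroot\systemroot\system32\kbiwkmrfqxjcbv.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe tapi.nfo beforeglav) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\kbiwkmxqmyrdsr.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbiwkmynayxmay.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\kbiwkmeotqdwoi.sys (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\kbiwkmnhxspegoii.tmp (Rootkit.TDSS) -> Delete on reboot.
"""

DETECTION = re.compile(r"^(.*) \(([A-Za-z0-9.]+)\)$")       # "<item> (<family>)"
BAD_GOOD = re.compile(r"^Bad: \((.*?)\) Good: \((.*?)\)$")  # registry data items only


def parse_mbam(text):
    """Return one dict per detection: section, item, family, action and, for
    registry data items, the bad and good values MBAM reported."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):          # section heading such as "Files Infected:"
            section = line[:-1]
            continue
        parts = line.split(" -> ")
        if len(parts) < 2:
            continue                    # "(No malicious items detected)" and similar
        m = DETECTION.match(parts[0])
        if not m:
            continue
        entry = {"section": section, "item": m.group(1), "family": m.group(2),
                 "action": parts[-1].rstrip("."), "bad": None, "good": None}
        for middle in parts[1:-1]:      # only registry data items carry Bad/Good
            bg = BAD_GOOD.match(middle)
            if bg:
                entry["bad"], entry["good"] = bg.group(1), bg.group(2)
        items.append(entry)
    return items


def pending_on_reboot(items):
    """Paths MBAM could not remove while in use; verify these after the restart."""
    return [i["item"] for i in items if i["action"].startswith("Delete on reboot")]


def shell_hijack_extras(items):
    """Tokens appended to the Winlogon Shell value beyond the expected ones."""
    extras = []
    for i in items:
        if i["family"] == "Hijack.Shell" and i["bad"] and i["good"]:
            expected = set(i["good"].split())
            extras.extend(t for t in i["bad"].split() if t not in expected)
    return extras


def family_counts(items):
    """Detections per family, a quick way to see which infection dominates a log."""
    return Counter(i["family"] for i in items)


if __name__ == "__main__":
    found = parse_mbam(MBAM_SAMPLE)
    print("families:", dict(family_counts(found)))
    print("still pending after reboot:", *pending_on_reboot(found), sep="\n  ")
    print("extra Shell tokens:", shell_hijack_extras(found))
```

On the sample this lists four paths still pending (the memory module plus three files) and three extra Shell tokens (rundll32.exe, tapi.nfo and beforeglav). A Shell value other than a bare Explorer.exe is a persistence point worth checking by hand, since anything listed there starts at every logon.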

#6 syler (Malware Response Team, 8,150 posts, Warrington, UK)

Posted 18 September 2009 - 03:36 AM

One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.


We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window, If you do, click No.
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save... and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


Thanks

#7 Steve_SW (Topic Starter, Members, 10 posts)

Posted 18 September 2009 - 03:59 PM

Hi Syler,

I would like to clean the machine as an initial option but I do appreciate the need to re-format the computer due to the nature of this trojan.
Can you tell me the name of the trojan that my computer has been infected with?

For your information my McAfee Scan software is still detecting the original generic rootkit trojan.

I have tried running the GMER software; it gives the warning about the rootkit activity detected; when you tell it to scan after that the system crashes.
The blue screen says a problem has been detected and windows has been shut down to prevent damage to your computer. It refers to a file uftdypow.sys and says "An attempt was made to write to read only memory". It doesn't make any difference whether McAfee is running or not.

This is a copy of the log file up to the message about the rootkit:

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit quick scan 2009-09-18 21:46:09
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Steve\LOCALS~1\Temp\uftdypow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF64424EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF6442498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF64424AC]
Code 862DAB60 ZwEnumerateKey
Code 862D8C30 ZwFlushInstructionCache
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF644252A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF6442470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF6442484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF64424FE]
Code 862CF526 ZwSaveKey
Code 862DFC56 ZwSaveKeyEx
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF64424D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF64424C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF6442559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF6442540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF6442514]
Code 862CB8AE IofCallDriver
Code 862BDE86 IofCompleteRequest
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))

Device \Driver\Tcpip \Device\Ip 862C7020
Device \Driver\Tcpip \Device\Ip 863840B0
Device \Driver\Tcpip \Device\Ip 85D2AB50
Device \Driver\Tcpip \Device\Ip 8659A928

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Tcp 862C7020
Device \Driver\Tcpip \Device\Tcp 863840B0
Device \Driver\Tcpip \Device\Tcp 85D2AB50
Device \Driver\Tcpip \Device\Tcp 8659A928

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Udp 862C7020
Device \Driver\Tcpip \Device\Udp 863840B0
Device \Driver\Tcpip \Device\Udp 85D2AB50
Device \Driver\Tcpip \Device\Udp 8659A928

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\RawIp 862C7020
Device \Driver\Tcpip \Device\RawIp 863840B0
Device \Driver\Tcpip \Device\RawIp 85D2AB50
Device \Driver\Tcpip \Device\RawIp 8659A928

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\kbiwkmeotqdwoi.sys (*** hidden *** ) [SYSTEM] kbiwkmkelnbppv <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
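
An added example, not part of the original post or of GMER: the quick-scan output above has two kinds of hook lines. Those with a module path belong to mfehidk.sys, McAfee's own host intrusion prevention driver, and are expected. The others (ZwEnumerateKey, ZwSaveKey, ZwSaveKeyEx, ZwFlushInstructionCache, IofCallDriver, IofCompleteRequest) carry only an address in the 0x862xxxxx range, meaning GMER found no loaded module image covering the hook target; together with the hidden service whose name shares the kbiwkm prefix of the dropped files, that is the rootkit. The triage below separates the two classes and scores the log; the sample is a trimmed copy of the output above, and the weights (hidden service 3, hook on an I/O dispatch routine 2, other unattributed hook or device 1) are assumptions chosen for this example.

```python
import re

# Constructed sample: a trimmed copy of the GMER quick-scan output above, keeping
# one representative line of each kind.
GMER_SAMPLE = r"""
---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF64424EA]
Code 862DAB60 ZwEnumerateKey
Code 862D8C30 ZwFlushInstructionCache
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF6442470]
Code 862CF526 ZwSaveKey
Code 862DFC56 ZwSaveKeyEx
Code 862CB8AE IofCallDriver
Code 862BDE86 IofCompleteRequest
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
Device \Driver\Tcpip \Device\Ip 862C7020
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\kbiwkmeotqdwoi.sys (*** hidden *** ) [SYSTEM] kbiwkmkelnbppv <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
"""

# Hook whose target GMER could map to a loaded module: path, (description), function.
HOOK_WITH_MODULE = re.compile(
    r"^Code\s+(\\\S+)\s+\((.*)\)\s+(\w+)(?:\s+\[0x([0-9A-Fa-f]+)\])?\s*$"
)
# Hook whose target is a bare address: no module image covers it.
HOOK_BARE = re.compile(r"^Code\s+([0-9A-Fa-f]{8})\s+(\w+)\s*$")
# Device object likewise owned by no module.
DEVICE_BARE = re.compile(r"^Device\s+(\S+)\s+(\S+)\s+([0-9A-Fa-f]{8})\s*$")
# Service present in the kernel/registry but hidden from the normal service API.
HIDDEN_SERVICE = re.compile(
    r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\*\s*\)\s+\[(\w+)\]\s+(\S+)"
)

# Every I/O request packet passes through these two routines, so a hook there
# can filter or redirect all disk and network I/O without a visible filter driver.
IO_DISPATCH = {"IofCallDriver", "IofCompleteRequest"}


def triage_gmer(text):
    """Split a GMER log into attributed hooks (a module owns the code), unattributed
    hooks and devices (only an address), and hidden services, plus a crude score."""
    r = {"attributed_hooks": [], "unattributed_hooks": [],
         "unattributed_devices": [], "hidden_services": [], "score": 0}
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_WITH_MODULE.match(line)
        if m:
            r["attributed_hooks"].append((m.group(3), m.group(1)))
            continue
        m = HOOK_BARE.match(line)
        if m:
            r["unattributed_hooks"].append((m.group(2), m.group(1)))
            r["score"] += 2 if m.group(2) in IO_DISPATCH else 1
            continue
        m = DEVICE_BARE.match(line)
        if m:
            r["unattributed_devices"].append((m.group(1), m.group(2), m.group(3)))
            r["score"] += 1
            continue
        m = HIDDEN_SERVICE.match(line)
        if m:
            r["hidden_services"].append((m.group(3), m.group(1)))
            r["score"] += 3
    return r


if __name__ == "__main__":
    result = triage_gmer(GMER_SAMPLE)
    for name, image in result["hidden_services"]:
        print("hidden service", name, "->", image)
    for func, addr in result["unattributed_hooks"]:
        print("unattributed hook on", func, "at", addr)
    print("score", result["score"])
```

Attributed hooks are not automatically benign; the point of separating them is that a hook owned by a known security product can be matched against that product's install, whereas a bare-address hook has no file on disk to check at all. That is also why the hidden service's image path matters: it is the one file the rootkit could not avoid naming.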

#8 syler (Malware Response Team, 8,150 posts, Warrington, UK)

Posted 18 September 2009 - 04:22 PM

Hi Steve_SW,

You are still infected with a TDSS Rootkit. We will run ComboFix next; make sure that you disable your AntiVirus and AntiSpyware before running it.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

    Link 1
    Link 2
    Link 3
  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt .

#9 Steve_SW (Topic Starter, Members, 10 posts)

Posted 19 September 2009 - 06:08 AM

Hi Syler,

I have run Combofix as requested. Here is the log:

ComboFix 09-09-18.02 - Steve 19/09/2009 11:11.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.548 [GMT 1:00]
Running from: c:\documents and settings\Steve\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Steve\Local Settings\Temporary Internet Files\2020RP_TempGeneratedImage.jpg
C:\setuplog.exe
c:\windows\desktop
c:\windows\desktop\FinePixViewer.lnk
c:\windows\kb913800.exe
c:\windows\system32\Data
c:\windows\system32\drivers\kbiwkmeotqdwoi.sys
c:\windows\system32\drivers\Sonyhcp.dll
c:\windows\system32\kbiwkmynayxmay.dll
c:\windows\system32\UACbrrjknarqtoihimlh.db
c:\windows\system32\uactmp.db

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbiwkmkelnbppv


((((((((((((((((((((((((( Files Created from 2009-08-19 to 2009-09-19 )))))))))))))))))))))))))))))))
.

2009-09-19 10:42 . 2009-09-19 10:42 -------- d-----w- c:\windows\LastGood
2009-09-17 19:34 . 2009-09-17 19:35 -------- d-----w- c:\program files\trend micro
2009-09-17 19:34 . 2009-09-17 19:38 -------- d-----w- C:\rsit
2009-09-17 15:45 . 2009-09-17 15:45 -------- d-----w- c:\documents and settings\Steve\Application Data\Malwarebytes
2009-09-17 15:45 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-17 15:45 . 2009-09-17 15:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-17 15:45 . 2009-09-17 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-17 15:45 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-16 07:07 . 2009-09-16 07:07 91448 ----a-w- c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-09 17:33 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-08-30 21:28 . 2009-08-30 21:28 -------- d-----w- c:\program files\Seagate
2009-08-30 21:28 . 2009-08-30 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2009-08-30 21:25 . 2009-08-30 21:25 -------- d-----w- c:\documents and settings\Steve\Local Settings\Application Data\Downloaded Installations
2009-08-26 21:37 . 2009-08-26 21:37 -------- d-----w- c:\windows\McAfee.com
2009-08-26 21:15 . 2009-08-26 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2009-08-26 21:10 . 2009-08-26 21:10 -------- d-----w- c:\documents and settings\Steve\Local Settings\Application Data\Citrix
2009-08-26 21:10 . 2009-08-26 21:10 61224 ----a-w- c:\documents and settings\Steve\GoToAssistDownloadHelper.exe
2009-08-26 20:53 . 2009-08-26 20:53 -------- d-----w- c:\documents and settings\Steve\Local Settings\Application Data\beta
2009-08-23 20:25 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-18 17:36 . 2009-05-10 10:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-04 19:12 . 2009-07-20 18:28 -------- d-----w- c:\program files\PCPitstop
2009-09-04 19:11 . 2009-07-20 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2009-08-28 16:05 . 2006-03-01 10:26 -------- d-----w- c:\program files\McAfee
2009-08-26 21:10 . 2009-06-08 16:21 -------- d-----w- c:\program files\Citrix
2009-08-26 19:40 . 2009-08-26 19:40 0 ----a-w- c:\program files\F5U002 USB to Printer Adapter
2009-08-05 09:01 . 2005-08-16 04:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2005-08-16 04:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 11:32 . 2007-03-30 16:34 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-07-14 14:59 . 2009-04-02 19:58 25512 ----a-w- c:\windows\system32\drivers\ggsemc.sys
2009-07-14 14:59 . 2009-04-02 19:58 13224 ----a-w- c:\windows\system32\drivers\ggflt.sys
2009-07-13 22:43 . 2005-08-16 04:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-08 12:44 . 2007-03-30 16:34 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-07-08 12:44 . 2007-03-30 16:34 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-07-08 12:44 . 2007-03-30 16:34 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-07-08 12:44 . 2007-03-30 16:34 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-08 12:43 . 2007-03-30 16:34 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-07-03 17:09 . 2005-08-16 04:18 915456 ----a-w- c:\windows\system32\wininet.dll
2008-04-12 17:42 . 2008-04-12 17:41 5840696 ----a-w- c:\program files\Firefox Setup 2.0.0.13.exe
2008-08-16 16:42 . 2008-08-16 16:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 16:42 . 2008-08-16 16:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 16:42 . 2008-08-16 16:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 16:42 . 2008-08-16 16:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 16:43 . 2008-08-16 16:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 16:42 . 2008-08-16 16:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 16:42 . 2008-08-16 16:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 07:41 . 2008-05-21 07:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 07:41 . 2008-05-21 07:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 07:41 . 2008-05-21 07:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 12:58 . 2008-06-05 12:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 16:42 . 2008-08-16 16:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2007-12-19 18:35 . 2006-03-07 19:55 104 --sh--r- c:\windows\system32\6A19B34ED5.sys
2007-12-19 18:35 . 2006-03-07 19:55 5852 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-09-03 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-09-03 20:04 66912 ----a-w- c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SigmatelSysTrayApp"="c:\windows\stsystra.exe" [2005-03-23 339968]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"mspwr"="c:\windows\system32\PuXpMan.exe" [2004-06-12 102400]
"PwrUpTweakMe"="c:\windows\system32\PuXpTwks.exe" [2004-06-12 45056]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-09 645328]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-03 520024]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-03-27 181544]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"MBMon"="CTMBHA.DLL" - c:\windows\system32\CTMBHA.DLL [2005-05-19 1345520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"symPCCheckup"="c:\windows\system32\Adobe\Shockwave 11\symcheckupstub.exe" [2008-08-28 234872]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel Family and Friends Reminders.LNK]
backup=c:\windows\pss\Corel Family and Friends Reminders.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DSLMON.lnk]
backup=c:\windows\pss\DSLMON.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Mavis Beacon Teaches Typing Deluxe Version 11.lnk]
backup=c:\windows\pss\Mavis Beacon Teaches Typing Deluxe Version 11.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickTV6.lnk]
backup=c:\windows\pss\QuickTV6.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^Billminder.lnk]
backup=c:\windows\pss\Billminder.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^Registration-Studio 8.lnk]
backup=c:\windows\pss\Registration-Studio 8.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [01/02/2009 17:36 64160]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [09/08/2008 14:42 29808]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [27/03/2009 15:54 165160]
R3 avera800;AVerMedia DVB-T BDA Video Capture(A800);c:\windows\system32\drivers\avera800.sys [08/03/2006 18:57 41600]
S2 gupdate1c9d15bc777722c;Google Update Service (gupdate1c9d15bc777722c);c:\program files\Google\Update\GoogleUpdate.exe [10/05/2009 11:40 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [18/01/2009 22:34 1029456]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [02/04/2009 20:58 13224]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 17:52]

2009-03-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-09-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-23 10:39]

2009-09-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-10 10:40]

2007-03-29 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-29 20:26]

2007-03-29 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-29 20:26]

2009-09-19 c:\windows\Tasks\Norton PC Checkup Setup.job
- c:\windows\system32\Adobe\Shockwave 11\symcheckupstub.exe [2008-08-28 13:26]

2008-09-03 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2006-08-09 15:04]

2008-09-03 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2006-08-09 15:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\mclsp.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\q4qr1euu.default\
FF - prefs.js: browser.search.selectedEngine - GoogIe
FF - prefs.js: keyword.URL - hxxp://www.tryff.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=YEApa99w&q=
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - GoogIe
FF - user.js: keyword.URL - hxxp://www.tryff.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=YEApa99w&q=
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-svcWRSSSDK



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-19 11:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmkelnbppv]
"imagepath"="\systemroot\system32\drivers\kbiwkmeotqdwoi.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3371207585-3245593572-1689549433-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmkelnbppv]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\kbiwkmeotqdwoi.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(824)
c:\windows\system32\mclsp.dll
c:\windows\system32\SPORDER.dll

- - - - - - - > 'explorer.exe'(1448)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\docume~1\Steve\LOCALS~1\temp\clclean.0001
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
.
**************************************************************************
.
Completion time: 2009-09-19 11:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-19 10:57

Pre-Run: 120,546,193,408 bytes free
Post-Run: 120,449,204,224 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /FASTDETECT

282 --- E O F --- 2009-09-09 19:28

#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:16 PM

Posted 20 September 2009 - 07:44 AM

Hi,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000
RegLockDel::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmkelnbppv]

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript.txt onto ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

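The values this CFScript touches (the two Security Center "DisableMonitoring" entries it resets to 0 and the locked service key it deletes) are the same entries a responder scans a log for by hand. As an added example, not code from this thread, ComboFix or McAfee, the Python script below runs those checks over ComboFix-style log text: Security Center monitoring switched off for a product, the Windows Firewall standard profile disabled, a driver service whose key name or .sys name is a random-looking string of letters, a service key listed with its own DACL under LOCKED REGISTRY KEYS, and Firefox search preferences pointing at a look-alike engine name or an unknown keyword.URL host. The sample lines are constructed, modelled on the entries quoted in this thread; the regexes, the 12-letter "random name" threshold, the homoglyph map and the search-host allowlist are my assumptions.

```python
"""Triage of ComboFix-style log lines for the indicators discussed in this thread.

Added example; not code from ComboFix, McAfee or the logs posted here. The regexes,
the 12-letter "random name" threshold and the search-host allowlist are assumptions.
"""
import re

# Constructed sample modelled on the entries quoted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [01/02/2009 17:36 64160]
FF - prefs.js: browser.search.selectedEngine - GoogIe
FF - prefs.js: keyword.URL - hxxp://www.tryff.com/search/?ie=UTF-8&q=
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmkelnbppv]
@DACL=(02 0000)
"imagepath"=expand:"\\systemroot\\system32\\drivers\\kbiwkmeotqdwoi.sys"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
SERVICE_LINE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?\.sys)\s*\[", re.I)
DRIVER_BASENAME_RE = re.compile(r'([^\\/"]+)\.sys', re.I)
RANDOM_NAME_RE = re.compile(r"^[a-z]{12,}$")  # crude: 12+ lowercase letters, no digits
FF_ENGINE_RE = re.compile(r"^FF - (?:prefs|user)\.js: browser\.search\.selectedEngine - (.+)$")
FF_KEYWORD_RE = re.compile(r"^FF - (?:prefs|user)\.js: keyword\.URL - (\S+)")
HOST_RE = re.compile(r"^h(?:xx|tt)ps?://([^/]+)", re.I)  # these logs defang http as hxxp
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "0": "o"})  # "GoogIe" -> "Google"
KNOWN_SEARCH_HOSTS = ("google.", "bing.", "yahoo.")


def parse_dword(raw: str) -> int:
    """Accept both 'dword:00000001' and '0 (0x0)', the two forms ComboFix prints."""
    token = raw.strip().split()[0]
    if token.lower().startswith("dword:"):
        return int(token[6:], 16)
    return int(token, 16) if token.lower().startswith("0x") else int(token)


def looks_random(name: str) -> bool:
    return bool(RANDOM_NAME_RE.match(name))


def triage(text: str) -> list:
    """Return one finding per suspicious line; an empty list means nothing was flagged."""
    findings = []
    key = ""  # registry key header that the following value lines belong to

    def add(indicator: str, detail: str) -> None:
        findings.append({"indicator": indicator, "detail": detail})

    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        lkey = key.lower()
        if line.startswith("@DACL=") and "\\services\\" in lkey:
            add("locked-service-key-dacl", key)  # printed under LOCKED REGISTRY KEYS
            continue
        m = VALUE_RE.match(line)
        if m:
            name, raw = m.group(1).lower(), m.group(2)
            # DisableMonitoring=1 stops Security Center reporting that product's state
            if name == "disablemonitoring" and "security center\\monitoring\\" in lkey \
                    and parse_dword(raw) == 1:
                add("security-center-monitoring-disabled", key.rsplit("\\", 1)[-1])
            elif name == "enablefirewall" and "firewallpolicy" in lkey and parse_dword(raw) == 0:
                add("windows-firewall-disabled", key)
            elif name == "imagepath" and "\\services\\" in lkey:
                svc = key.rsplit("\\", 1)[-1]
                drv = (DRIVER_BASENAME_RE.findall(raw) or [""])[-1]
                if looks_random(svc) or looks_random(drv):
                    add("random-named-driver-service", f"{svc} -> {drv}.sys")
            continue
        m = SERVICE_LINE_RE.match(line)
        if m:  # R0/S3-style entries from the driver/service list
            svc = m.group(1)
            drv = (DRIVER_BASENAME_RE.findall(m.group(2)) or [""])[-1]
            if looks_random(svc) or looks_random(drv):
                add("random-named-driver-service", f"{svc} -> {drv}.sys")
            continue
        m = FF_ENGINE_RE.match(line)
        if m:
            engine = m.group(1).strip()
            if engine.translate(HOMOGLYPHS).lower() == "google" and engine != "Google":
                add("search-engine-homoglyph", engine)
            continue
        m = FF_KEYWORD_RE.match(line)
        if m:
            h = HOST_RE.match(m.group(1))
            host = h.group(1).lower() if h else m.group(1)
            if not any(k in host for k in KNOWN_SEARCH_HOSTS):
                add("keyword-url-hijack", host)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['indicator']:38} {f['detail']}")
```

Run it as a script to list the findings for the constructed sample, or pass the text of a real ComboFix.txt to `triage()`. Two caveats: the name heuristic is deliberately crude, and a service whose key name and driver name are both unrelated runs of lowercase letters (as in the log above, where neither name matches any vendor string) is a prompt to look closer, not a verdict; and some security suites set `DisableMonitoring` on their own Security Center entries themselves, so that finding means "check the product is actually running", not proof of tampering.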


#11 Steve_SW

Steve_SW
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:16 PM

Posted 20 September 2009 - 04:00 PM

Hi Syler,

I have re-run combofix as requested; had a lot of trouble stopping McAfee but got there in the end; the log follows:

ComboFix 09-09-18.02 - Steve 20/09/2009 18:04.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.590 [GMT 1:00]
Running from: c:\documents and settings\Steve\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Steve\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Steve\LOCALS~1\Temp\clclean.0001.dir.0003\~df394b.tmp
c:\documents and settings\Steve\Local Settings\Temp\clclean.0001.dir.0003\~df394b.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_kbiwkmkelnbppv


((((((((((((((((((((((((( Files Created from 2009-08-20 to 2009-09-20 )))))))))))))))))))))))))))))))
.

2009-09-20 17:34 . 2009-09-20 17:34 -------- d-----w- c:\windows\LastGood
2009-09-17 19:34 . 2009-09-17 19:35 -------- d-----w- c:\program files\trend micro
2009-09-17 19:34 . 2009-09-17 19:38 -------- d-----w- C:\rsit
2009-09-17 15:45 . 2009-09-17 15:45 -------- d-----w- c:\documents and settings\Steve\Application Data\Malwarebytes
2009-09-17 15:45 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-17 15:45 . 2009-09-17 15:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-17 15:45 . 2009-09-17 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-17 15:45 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-16 07:07 . 2009-09-16 07:07 91448 ----a-w- c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-09 17:33 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-08-30 21:28 . 2009-08-30 21:28 -------- d-----w- c:\program files\Seagate
2009-08-30 21:28 . 2009-08-30 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2009-08-30 21:25 . 2009-08-30 21:25 -------- d-----w- c:\documents and settings\Steve\Local Settings\Application Data\Downloaded Installations
2009-08-26 21:37 . 2009-08-26 21:37 -------- d-----w- c:\windows\McAfee.com
2009-08-26 21:15 . 2009-08-26 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2009-08-26 21:10 . 2009-08-26 21:10 -------- d-----w- c:\documents and settings\Steve\Local Settings\Application Data\Citrix
2009-08-26 21:10 . 2009-08-26 21:10 61224 ----a-w- c:\documents and settings\Steve\GoToAssistDownloadHelper.exe
2009-08-26 20:53 . 2009-08-26 20:53 -------- d-----w- c:\documents and settings\Steve\Local Settings\Application Data\beta
2009-08-23 20:25 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-18 17:36 . 2009-05-10 10:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-04 19:12 . 2009-07-20 18:28 -------- d-----w- c:\program files\PCPitstop
2009-09-04 19:11 . 2009-07-20 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2009-08-28 16:05 . 2006-03-01 10:26 -------- d-----w- c:\program files\McAfee
2009-08-26 21:10 . 2009-06-08 16:21 -------- d-----w- c:\program files\Citrix
2009-08-26 19:40 . 2009-08-26 19:40 0 ----a-w- c:\program files\F5U002 USB to Printer Adapter
2009-08-05 09:01 . 2005-08-16 04:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2005-08-16 04:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 11:32 . 2007-03-30 16:34 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-07-14 14:59 . 2009-04-02 19:58 25512 ----a-w- c:\windows\system32\drivers\ggsemc.sys
2009-07-14 14:59 . 2009-04-02 19:58 13224 ----a-w- c:\windows\system32\drivers\ggflt.sys
2009-07-13 22:43 . 2005-08-16 04:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-08 12:44 . 2007-03-30 16:34 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-07-08 12:44 . 2007-03-30 16:34 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-07-08 12:44 . 2007-03-30 16:34 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-07-08 12:44 . 2007-03-30 16:34 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-08 12:43 . 2007-03-30 16:34 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-07-03 17:09 . 2005-08-16 04:18 915456 ------w- c:\windows\system32\wininet.dll
2008-04-12 17:42 . 2008-04-12 17:41 5840696 ----a-w- c:\program files\Firefox Setup 2.0.0.13.exe
2008-08-16 16:42 . 2008-08-16 16:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 16:42 . 2008-08-16 16:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 16:42 . 2008-08-16 16:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 16:42 . 2008-08-16 16:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 16:43 . 2008-08-16 16:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 16:42 . 2008-08-16 16:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 16:42 . 2008-08-16 16:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 07:41 . 2008-05-21 07:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 07:41 . 2008-05-21 07:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 07:41 . 2008-05-21 07:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 12:58 . 2008-06-05 12:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 16:42 . 2008-08-16 16:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2007-12-19 18:35 . 2006-03-07 19:55 104 --sh--r- c:\windows\system32\6A19B34ED5.sys
2007-12-19 18:35 . 2006-03-07 19:55 5852 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-09-03 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-09-03 20:04 66912 ----a-w- c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SigmatelSysTrayApp"="c:\windows\stsystra.exe" [2005-03-23 339968]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"mspwr"="c:\windows\system32\PuXpMan.exe" [2004-06-12 102400]
"PwrUpTweakMe"="c:\windows\system32\PuXpTwks.exe" [2004-06-12 45056]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"MBMon"="CTMBHA.DLL" - c:\windows\system32\CTMBHA.DLL [2005-05-19 1345520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"symPCCheckup"="c:\windows\system32\Adobe\Shockwave 11\symcheckupstub.exe" [2008-08-28 234872]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel Family and Friends Reminders.LNK]
backup=c:\windows\pss\Corel Family and Friends Reminders.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DSLMON.lnk]
backup=c:\windows\pss\DSLMON.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Mavis Beacon Teaches Typing Deluxe Version 11.lnk]
backup=c:\windows\pss\Mavis Beacon Teaches Typing Deluxe Version 11.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickTV6.lnk]
backup=c:\windows\pss\QuickTV6.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^Billminder.lnk]
backup=c:\windows\pss\Billminder.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^Registration-Studio 8.lnk]
backup=c:\windows\pss\Registration-Studio 8.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSK80Service"=2 (0x2)
"MpfService"=2 (0x2)
"McShield"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [01/02/2009 17:36 64160]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [09/08/2008 14:42 29808]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [27/03/2009 15:54 165160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [18/01/2009 22:34 1029456]
R3 avera800;AVerMedia DVB-T BDA Video Capture(A800);c:\windows\system32\drivers\avera800.sys [08/03/2006 18:57 41600]
S2 gupdate1c9d15bc777722c;Google Update Service (gupdate1c9d15bc777722c);c:\program files\Google\Update\GoogleUpdate.exe [10/05/2009 11:40 133104]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [02/04/2009 20:58 13224]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 17:52]

2009-03-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-09-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-23 10:39]

2009-09-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-10 10:40]

2007-03-29 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-29 20:26]

2007-03-29 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-29 20:26]

2009-09-20 c:\windows\Tasks\Norton PC Checkup Setup.job
- c:\windows\system32\Adobe\Shockwave 11\symcheckupstub.exe [2008-08-28 13:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\mclsp.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\q4qr1euu.default\
FF - prefs.js: browser.search.selectedEngine - GoogIe
FF - prefs.js: keyword.URL - hxxp://www.tryff.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=YEApa99w&q=
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - GoogIe
FF - user.js: keyword.URL - hxxp://www.tryff.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=YEApa99w&q=
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-20 18:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3371207585-3245593572-1689549433-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(824)
c:\windows\system32\mclsp.dll
c:\windows\system32\SPORDER.dll

- - - - - - - > 'explorer.exe'(884)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\docume~1\Steve\LOCALS~1\temp\clclean.0001
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
.
**************************************************************************
.
Completion time: 2009-09-20 18:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-20 17:50
ComboFix2.txt 2009-09-19 10:58

Pre-Run: 120,479,612,928 bytes free
Post-Run: 120,439,283,712 bytes free

246 --- E O F --- 2009-09-09 19:28

#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:16 PM

Posted 21 September 2009 - 01:18 AM

Hi Steve_SW,

Please let me know in your next reply how your computer is running and if there are any more problems.

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Next

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Next

You have an outdated version of Adobe Reader. These have vulnerabilities that can be exploited by malware to get into your machine. Please follow these steps to remove older versions of Adobe Reader and download the latest version.

Go to Start >> Settings >> Control Panel, double-click on Add/Remove Programs and remove any older versions of Adobe Reader.
  • Download the latest version of Adobe Acrobat Reader
  • Select your Windows version and click on Download. If you are using Internet Explorer, you will receive prompts. Allow the installation to run and it will be installed automatically for you. If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
  • Close your Internet browser and open it again.
Next

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back here with the following logs:
  • Kaspersky report
  • New Rsit log
Thanks



#13 Steve_SW

Steve_SW
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:16 PM

Posted 23 September 2009 - 03:09 AM

Hi Syler,

I'm away on business for a couple of days so won't be able to post logs until Friday; but will definitely get back to you then.

#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:16 PM

Posted 23 September 2009 - 04:55 AM

No problem, thanks for letting me know :(



#15 Steve_SW

Steve_SW
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:16 PM

Posted 25 September 2009 - 02:03 PM

Attached files: kaper.html (3.34 KB), log.txt (42.42 KB)
Hi Syler,

I have updated Java and Adobe as advised.

Attached are the Kaspersky report and RSIT log as requested.

Computer seems to be running okay.

My McAfee scan has found no viruses, but Kaspersky has identified three infected.



