Security Essentials 2010


  • This topic is locked
28 replies to this topic

#1 Foneman38

  • Members
  • 17 posts

Posted 23 February 2010 - 04:58 PM

I am posting these logs here as instructed by "boopme". Topic referenced is here: http://www.bleepingcomputer.com/forums/t/297225/security-essentials-2010-help/ ~ OB

I have gone through the removal steps to remove Security Essentials 2010, and the computer is mostly back to normal. Now I get random IE windows opening up to various search engines and I am unable to install XP SP3 with the following error message:
"The file c:\windows\system32\SERVICES.EXE is in use by another application". I need help finding the last remnants of this infection.
Thanks.

DDS Log:


DDS (Ver_09-12-01.01) - FAT32x86
Run by Ellis at 16:42:41.17 on Tue 02/23/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.366 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ellis\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [EPSON Stylus Photo R220 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_11\bin\jusched.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\Monitor.exe
mRun: [EPM-DM] c:\acer\empowering technology\epower\epm-dm.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [ADMTray.exe] "c:\acer\empowering technology\admtray.exe"
mRun: [Acer ePower Management] c:\acer\empowering technology\epower\Acer ePower Management.exe boot
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Rtolejataza] rundll32.exe "c:\windows\ukusetube.dll",Startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: GlmWCGyfVAvE - {1D0F11D6-B7A5-BB7C-6DE4-4D8C581D8BBD} - c:\windows\system32\zwtib.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-2-19 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-2-19 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-19 56816]
R2 AWService;AdminWorks Agent X6;c:\acer\empowering technology\admServ.exe [2005-10-24 1314816]
R2 CATLNKNT;CATLNKNT;c:\windows\system32\drivers\CATLNKNT.SYS [2007-1-8 23712]
R2 DLADRVNT;DLADRVNT;c:\windows\system32\drivers\DLADRVNT.SYS [2007-1-8 32832]
R2 DLASIPNT;DLASIPNT;c:\windows\system32\drivers\DLASIPNT.SYS [2007-1-8 82752]
R2 J1708NT;J1708NT;c:\windows\system32\drivers\J1708NT.SYS [2007-1-8 23296]
R2 J1939NT;J1939NT;c:\windows\system32\drivers\J1939NT.SYS [2007-1-8 24320]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 PCSMHNT;PCSMHNT;c:\windows\system32\drivers\PCSMHNT.SYS [2007-1-8 40000]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-2-19 11608]
S2 CANNT;CANNT; [x]
S2 PARCAII;PARCAII;c:\windows\system32\drivers\PARCAII.SYS [2007-1-8 14602]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\mcafee security scan\2.0.181\mcchsvc.exe" --> c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\24.tmp --> c:\windows\system32\24.tmp [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2006-10-5 32512]

=============== Created Last 30 ================

2010-02-23 21:41:56 0 ----a-w- c:\documents and settings\ellis\defogger_reenable
2010-02-20 18:15:13 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2010-02-20 18:15:10 0 d-----w- c:\program files\Security Task Manager
2010-02-20 15:50:41 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 15:21:03 0 d-----w- c:\program files\Trend Micro
2010-02-20 14:54:31 0 d-----w- c:\program files\CCleaner
2010-02-20 00:01:25 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-20 00:01:24 0 d-----w- c:\program files\Avira
2010-02-20 00:01:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-02-18 02:39:36 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-18 02:39:25 0 d-----w- c:\docume~1\ellis\applic~1\SUPERAntiSpyware.com
2010-02-18 02:34:01 0 d-----w- c:\docume~1\ellis\applic~1\Malwarebytes
2010-02-18 02:05:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-18 02:05:38 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-18 02:05:38 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-18 02:05:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-18 02:03:40 120 ----a-w- c:\windows\Tromihikiciluci.dat
2010-02-18 02:03:40 0 ----a-w- c:\windows\Ipupuxidi.bin
2010-02-18 01:59:38 0 d-sh--w- C:\FOUND.003
2010-02-18 01:45:33 0 d-----w- c:\windows\pss
2010-02-18 01:39:24 0 d-sh--w- C:\FOUND.002
2010-02-18 00:21:18 0 d-----w- c:\docume~1\ellis\applic~1\AVG8
2010-02-17 12:47:18 0 d-sh--w- C:\FOUND.001
2010-02-17 08:44:27 0 ----a-w- c:\windows\system32\26500.exe
2010-02-17 08:24:24 0 ----a-w- c:\windows\system32\6334.exe
2010-02-17 08:04:19 0 ----a-w- c:\windows\system32\18467.exe
2010-02-17 07:44:21 564 ----a-w- C:\Security essentials 2010.lnk
2010-02-17 07:43:35 1 ----a-w- C:\s
2010-02-14 17:52:48 0 d-sh--w- c:\documents and settings\ellis\IECompatCache
2010-02-14 17:52:15 0 d-sh--w- c:\documents and settings\ellis\PrivacIE
2010-02-14 17:50:57 0 d-sh--w- c:\documents and settings\ellis\IETldCache
2010-02-14 17:44:42 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-02-14 17:44:18 0 d-----w- c:\windows\ie8updates
2010-02-14 17:44:09 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-02-14 17:44:09 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-02-14 17:44:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-14 17:44:09 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-02-14 17:44:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-02-14 17:44:08 11070464 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-14 17:42:36 0 d--h--w- c:\windows\ie8

==================== Find3M ====================

2010-02-23 02:04:50 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-23 02:04:50 95360 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-12-31 16:14:12 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:14:12 352640 ----a-w- c:\windows\system32\dllcache\srv.sys
2009-12-22 05:35:10 1509888 ----a-w- c:\windows\system32\dllcache\shdocvw.dll
2009-12-22 05:35:06 55808 ----a-w- c:\windows\system32\dllcache\extmgr.dll
2009-12-22 05:35:06 1054208 ----a-w- c:\windows\system32\dllcache\danim.dll
2009-12-22 05:35:04 151040 ----a-w- c:\windows\system32\dllcache\cdfview.dll
2009-12-22 05:35:04 1024000 ----a-w- c:\windows\system32\dllcache\browseui.dll
2009-12-21 19:14:06 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-21 19:14:06 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2009-12-21 19:14:06 1208832 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-12-21 19:14:04 5942784 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-12-21 19:14:04 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2009-12-21 19:14:04 206848 ------w- c:\windows\system32\dllcache\occache.dll
2009-12-21 19:14:04 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2009-12-21 19:14:02 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 13:35:58 18432 ----a-w- c:\windows\system32\dllcache\iedw.exe
2009-12-16 12:58:04 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 12:58:04 343040 ----a-w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:35:36 33280 ----a-w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-14 07:35:36 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 18:55:26 2180352 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:55:26 2180352 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 18:53:08 2136064 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:19:32 2057728 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:19:32 2057728 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 18:19:32 2015744 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 08:59:48 474112 ----a-w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 14:41:56 453760 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-27 17:04:16 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:04:16 17920 ------w- c:\windows\system32\dllcache\msyuv.dll
2009-11-27 17:04:16 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:04:16 1291776 ----a-w- c:\windows\system32\dllcache\quartz.dll
2009-11-27 16:37:28 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:37:28 8704 ------w- c:\windows\system32\dllcache\tsbyuv.dll
2009-11-27 16:37:28 84992 ----a-w- c:\windows\system32\dllcache\avifil32.dll
2009-11-27 16:37:28 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:37:28 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:37:28 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll
2009-11-27 16:37:28 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37:28 28672 ----a-w- c:\windows\system32\dllcache\msvidc32.dll
2009-11-27 16:37:28 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:37:28 11264 ----a-w- c:\windows\system32\dllcache\msrle32.dll

============= FINISH: 16:43:37.59 ===============

Edited by Orange Blossom, 23 February 2010 - 05:26 PM.

#2 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 25 February 2010 - 05:52 PM

Hello,

My name is Syler and I will be helping you to solve your Malware issues.


We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    /md5start
    proquota.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

#3 Foneman38
  • Topic Starter

  • Members
  • 17 posts

Posted 25 February 2010 - 06:40 PM

Every time I try to run the scan, it hangs while scanning msconfig settings. What should I do?

#4 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 25 February 2010 - 06:43 PM

Try running this instead.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

#5 Foneman38

Foneman38
  • Topic Starter

  • Members
  • 17 posts

Posted 25 February 2010 - 07:38 PM

ComboFix 10-02-25.02 - Ellis 02/25/2010 19:28:37.2.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.620 [GMT -5:00]
Running from: c:\documents and settings\Ellis\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\srchasst\nls302en.lex
.
---- Previous Run -------
.
c:\documents and settings\Administrator\Local Settings\Application Data\{7A0C3636-6FAE-458D-B38D-591BFBE1E2CE}
c:\documents and settings\Administrator\Local Settings\Application Data\{7A0C3636-6FAE-458D-B38D-591BFBE1E2CE}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{7A0C3636-6FAE-458D-B38D-591BFBE1E2CE}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{7A0C3636-6FAE-458D-B38D-591BFBE1E2CE}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{7A0C3636-6FAE-458D-B38D-591BFBE1E2CE}\install.rdf
c:\documents and settings\Ellis\Local Settings\Application Data\{DA6D651C-0BB8-42A8-8679-5FA6607E3D2F}
c:\documents and settings\Ellis\Local Settings\Application Data\{DA6D651C-0BB8-42A8-8679-5FA6607E3D2F}\chrome.manifest
c:\documents and settings\Ellis\Local Settings\Application Data\{DA6D651C-0BB8-42A8-8679-5FA6607E3D2F}\chrome\content\_cfg.js
c:\documents and settings\Ellis\Local Settings\Application Data\{DA6D651C-0BB8-42A8-8679-5FA6607E3D2F}\chrome\content\overlay.xul
c:\documents and settings\Ellis\Local Settings\Application Data\{DA6D651C-0BB8-42A8-8679-5FA6607E3D2F}\install.rdf
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
C:\s
c:\windows\setup.exe
c:\windows\srchasst\nls302en.lex
c:\windows\system32\18467.exe
c:\windows\system32\26500.exe
c:\windows\system32\6334.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\kr_done1
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\sdra64.exe
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC3550P
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2010-01-26 to 2010-02-26 )))))))))))))))))))))))))))))))
.

2010-02-26 00:16 . 2010-02-26 00:16 -------- d-----w- C:\FOUND.004
2010-02-24 12:07 . 2010-02-24 12:07 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-02-20 15:50 . 2010-02-24 14:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 15:50 . 2010-02-20 15:50 -------- d-----w- c:\program files\Windows Defender
2010-02-20 15:21 . 2010-02-20 15:21 -------- d-----w- c:\program files\Trend Micro
2010-02-20 14:54 . 2010-02-20 14:54 -------- d-----w- c:\program files\CCleaner
2010-02-20 05:09 . 2010-02-20 05:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-02-20 00:01 . 2010-02-22 06:31 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-18 02:39 . 2010-02-18 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-18 02:39 . 2010-02-18 02:39 -------- d-----w- c:\documents and settings\Ellis\Application Data\SUPERAntiSpyware.com
2010-02-18 02:34 . 2010-02-18 02:34 -------- d-----w- c:\documents and settings\Ellis\Application Data\Malwarebytes
2010-02-18 02:05 . 2010-02-18 02:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-18 02:05 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-18 02:05 . 2010-02-18 02:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-18 02:05 . 2010-02-18 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-18 02:05 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-18 02:03 . 2010-02-23 01:32 120 ----a-w- c:\windows\Tromihikiciluci.dat
2010-02-18 02:03 . 2010-02-23 01:32 0 ----a-w- c:\windows\Ipupuxidi.bin
2010-02-18 02:00 . 2010-02-18 02:00 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-02-18 02:00 . 2010-02-18 02:00 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-02-18 01:59 . 2010-02-18 01:59 -------- d-----w- C:\FOUND.003
2010-02-18 01:39 . 2010-02-18 01:39 -------- d-----w- C:\FOUND.002
2010-02-18 00:21 . 2010-02-18 00:21 -------- d-----w- c:\documents and settings\Ellis\Application Data\AVG8
2010-02-17 14:29 . 2010-02-17 14:29 -------- d-----w- c:\documents and settings\Shop\Application Data\eAcceleration
2010-02-17 14:29 . 2010-02-17 14:29 -------- d-sh--w- c:\documents and settings\Shop\IETldCache
2010-02-17 12:47 . 2010-02-17 12:47 -------- d-----w- C:\FOUND.001
2010-02-17 08:42 . 2010-02-17 08:42 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-02-17 08:42 . 2010-02-17 08:42 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-02-17 08:41 . 2010-02-17 08:41 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-02-17 07:43 . 2010-02-17 07:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-02-17 07:01 . 2010-02-17 07:01 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-02-17 05:33 . 2010-02-17 05:33 3519152 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\DriverCure\Temp\DriverCure Installer.exe
2010-02-15 03:18 . 2010-02-15 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-14 17:52 . 2010-02-14 17:52 -------- d-sh--w- c:\documents and settings\Ellis\IECompatCache
2010-02-14 17:52 . 2010-02-14 17:52 -------- d-sh--w- c:\documents and settings\Ellis\PrivacIE
2010-02-14 17:51 . 2010-02-14 17:51 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-14 17:50 . 2010-02-14 17:50 -------- d-sh--w- c:\documents and settings\Ellis\IETldCache
2010-02-14 17:44 . 2009-12-11 08:38 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-02-14 17:44 . 2010-02-14 17:44 -------- d-----w- c:\windows\ie8updates
2010-02-14 17:44 . 2009-12-21 19:14 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-02-14 17:44 . 2009-12-21 19:14 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-02-14 17:44 . 2009-12-21 19:14 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-02-14 17:44 . 2009-12-21 19:14 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-14 17:44 . 2009-12-21 19:14 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-02-14 17:44 . 2009-12-21 19:14 11070464 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-14 17:42 . 2010-02-14 17:42 -------- d--h--w- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-24 19:43 . 2006-10-21 22:43 41880 ----a-w- c:\documents and settings\Ellis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-23 02:04 . 2004-08-11 01:00 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-17 14:30 . 2009-01-14 13:52 41880 ----a-w- c:\documents and settings\Shop\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-14 16:41 . 2006-10-05 11:41 128 ----a-w- c:\documents and settings\Ellis\Local Settings\Application Data\fusioncache.dat
2009-12-31 16:14 . 2004-08-11 01:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2006-01-09 16:08 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 12:58 . 2004-08-11 01:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2004-08-11 01:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 18:55 . 2004-08-11 01:00 2180352 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:19 . 2004-08-11 01:00 2057728 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 14:41 . 2004-08-11 01:00 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

------- Sigcheck -------

[-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\lsass.exe
[-] 2004-08-11 . D41D8CD98F00B204E9800998ECF8427E . 14848 . . [5.1.2600.2180] . . c:\windows\system32\lsass.exe

[-] 2009-02-06 . D41D8CD98F00B204E9800998ECF8427E . 113152 . . [5.1.2600.3520] . . c:\windows\system32\services.exe
[7] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\services.exe
[7] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2009-02-06 . 4712531AB7A01B7EE059853CA17D39BD . 110592 . . [5.1.2600.3520] . . c:\windows\$hf_mig$\KB956572\SP2QFE\services.exe
[-] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\services.exe
[7] 2004-08-11 . C6CE6EEC82F187615D1002BB3BB50ED4 . 108032 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB956572$\services.exe

[-] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\spoolsv.exe
[7] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-11 . D41D8CD98F00B204E9800998ECF8427E . 58880 . . [5.1.2600.2696] . . c:\windows\system32\spoolsv.exe
[7] 2004-08-11 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB896423$\spoolsv.exe

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\winlogon.exe
[-] 2004-08-11 . D41D8CD98F00B204E9800998ECF8427E . 506368 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\svchost.exe
[-] 2004-08-11 . D41D8CD98F00B204E9800998ECF8427E . 17408 . . [5.1.2600.2180] . . c:\windows\system32\svchost.exe

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . D41D8CD98F00B204E9800998ECF8427E . 1033216 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[7] 2004-08-11 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-07 102491]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-07 692315]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-11 59392]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]
"EPM-DM"="c:\acer\Empowering Technology\ePower\epm-dm.exe" [2005-11-25 212992]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2005-11-09 3084288]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"GlmWCGyfVAvE"= {1D0F11D6-B7A5-BB7C-6DE4-4D8C581D8BBD} - c:\windows\system32\zwtib.dll [2009-03-21 32768]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Caterpillar Inc\\SIS\\search\\ssjs.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Caterpillar Inc\\SIS\\jre\\bin\\java.exe"=

R2 CATLNKNT;CATLNKNT;c:\windows\system32\drivers\CATLNKNT.SYS [1/8/2007 3:20 PM 23712]
R2 DLADRVNT;DLADRVNT;c:\windows\system32\drivers\DLADRVNT.SYS [1/8/2007 3:20 PM 32832]
R2 DLASIPNT;DLASIPNT;c:\windows\system32\drivers\DLASIPNT.SYS [1/8/2007 3:20 PM 82752]
R2 J1708NT;J1708NT;c:\windows\system32\drivers\J1708NT.SYS [1/8/2007 3:20 PM 23296]
R2 J1939NT;J1939NT;c:\windows\system32\drivers\J1939NT.SYS [1/8/2007 3:20 PM 24320]
R2 PCSMHNT;PCSMHNT;c:\windows\system32\drivers\PCSMHNT.SYS [1/8/2007 3:20 PM 40000]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 CANNT;CANNT; [x]
S2 PARCAII;PARCAII;c:\windows\system32\drivers\PARCAII.SYS [1/8/2007 3:20 PM 14602]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\24.tmp --> c:\windows\system32\24.tmp [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Rtolejataza - c:\windows\ukusetube.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-25 19:35
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\24.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\INTEL\Wireless\Folders\¨ }*2*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@DACL=(02 0000)
@=""
"DLLName"="igfxdev.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(876)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3284)
c:\windows\system32\WININET.dll
c:\windows\system32\MSNChatHook.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\MSVCR71.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\acer\Empowering Technology\admServ.exe
c:\windows\system32\crypserv.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-02-25 19:37:35 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-26 00:37

Pre-Run: 40,861,990,912 bytes free
Post-Run: 40,815,460,352 bytes free

- - End Of File - - 4C2A64E2FE9A82D24239626A063248EE


#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:32 AM

Posted 25 February 2010 - 07:52 PM

  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.
cmd /c mbr -t& start mbr.log
  • A file called mbr.log will pop up; please post its contents in your reply.



Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy the content of the following codebox into the main textfield :
    CODE
    :filefind
    atapi.*
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a Notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


Then please post back with both logs.



#7 Foneman38

Foneman38
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:09:32 PM

Posted 25 February 2010 - 07:58 PM

mbr.log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK


systemlook.txt:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 19:56 on 25/02/2010 by Ellis (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [03:59 04/08/2004] [03:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\I386\ATAPI.SY_ --a--- 49558 bytes [01:00 11/08/2004] [01:00 11/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir --a--- 95360 bytes [01:00 11/08/2004] [02:04 23/02/2010] 549137D98EE9F0C221AA2159ECB8A917
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 95360 bytes [00:36 26/02/2010] [02:04 23/02/2010] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\atapi.sys --a--- 96512 bytes [14:29 08/04/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--- 95360 bytes [01:00 11/08/2004] [02:04 23/02/2010] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\drivers\atapi.sys ------ 95360 bytes [01:00 11/08/2004] [02:04 23/02/2010] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\i386\atapi.sys --a--- 95360 bytes [03:59 04/08/2004] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-

#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:32 AM

Posted 25 February 2010 - 08:10 PM

Can you tell me in your next reply if you are still having any issues like popups, redirects or error messages? Do not try updating to SP3 yet though; we need to make sure you're clean first.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
http://www.bleepingcomputer.com/forums/t/298039/security-essentials-2010/

Collect::
c:\windows\Tromihikiciluci.dat
c:\windows\Ipupuxidi.bin
c:\windows\system32\zwtib.dll
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"GlmWCGyfVAvE"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



#9 Foneman38

Foneman38
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:09:32 PM

Posted 25 February 2010 - 08:23 PM

No unusual activity so far.


ComboFix 10-02-25.02 - Ellis 02/25/2010 20:13:16.3.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.621 [GMT -5:00]
Running from: c:\documents and settings\Ellis\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ellis\Desktop\CFScript.txt

file zipped: c:\windows\Tromihikiciluci.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Ipupuxidi.bin
c:\windows\Tromihikiciluci.dat
c:\windows\system32\zwtib.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2010-01-26 to 2010-02-26 )))))))))))))))))))))))))))))))
.

2010-02-26 00:16 . 2010-02-26 00:16 -------- d-----w- C:\FOUND.004
2010-02-24 12:07 . 2010-02-24 12:07 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-02-20 15:50 . 2010-02-24 14:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 15:50 . 2010-02-20 15:50 -------- d-----w- c:\program files\Windows Defender
2010-02-20 15:21 . 2010-02-20 15:21 -------- d-----w- c:\program files\Trend Micro
2010-02-20 14:54 . 2010-02-20 14:54 -------- d-----w- c:\program files\CCleaner
2010-02-20 05:09 . 2010-02-20 05:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-02-20 00:01 . 2010-02-22 06:31 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-18 02:39 . 2010-02-18 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-18 02:39 . 2010-02-18 02:39 -------- d-----w- c:\documents and settings\Ellis\Application Data\SUPERAntiSpyware.com
2010-02-18 02:34 . 2010-02-18 02:34 -------- d-----w- c:\documents and settings\Ellis\Application Data\Malwarebytes
2010-02-18 02:05 . 2010-02-18 02:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-18 02:05 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-18 02:05 . 2010-02-18 02:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-18 02:05 . 2010-02-18 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-18 02:05 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-18 02:00 . 2010-02-18 02:00 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-02-18 02:00 . 2010-02-18 02:00 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-02-18 01:59 . 2010-02-18 01:59 -------- d-----w- C:\FOUND.003
2010-02-18 01:39 . 2010-02-18 01:39 -------- d-----w- C:\FOUND.002
2010-02-18 00:21 . 2010-02-18 00:21 -------- d-----w- c:\documents and settings\Ellis\Application Data\AVG8
2010-02-17 14:29 . 2010-02-17 14:29 -------- d-----w- c:\documents and settings\Shop\Application Data\eAcceleration
2010-02-17 14:29 . 2010-02-17 14:29 -------- d-sh--w- c:\documents and settings\Shop\IETldCache
2010-02-17 12:47 . 2010-02-17 12:47 -------- d-----w- C:\FOUND.001
2010-02-17 08:42 . 2010-02-17 08:42 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-02-17 08:42 . 2010-02-17 08:42 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-02-17 08:41 . 2010-02-17 08:41 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-02-17 07:43 . 2010-02-17 07:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-02-17 07:01 . 2010-02-17 07:01 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-02-17 05:33 . 2010-02-17 05:33 3519152 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\DriverCure\Temp\DriverCure Installer.exe
2010-02-15 03:18 . 2010-02-15 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-14 17:52 . 2010-02-14 17:52 -------- d-sh--w- c:\documents and settings\Ellis\IECompatCache
2010-02-14 17:52 . 2010-02-14 17:52 -------- d-sh--w- c:\documents and settings\Ellis\PrivacIE
2010-02-14 17:51 . 2010-02-14 17:51 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-14 17:50 . 2010-02-14 17:50 -------- d-sh--w- c:\documents and settings\Ellis\IETldCache
2010-02-14 17:44 . 2009-12-11 08:38 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-02-14 17:44 . 2010-02-14 17:44 -------- d-----w- c:\windows\ie8updates
2010-02-14 17:44 . 2009-12-21 19:14 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-02-14 17:44 . 2009-12-21 19:14 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-02-14 17:44 . 2009-12-21 19:14 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-02-14 17:44 . 2009-12-21 19:14 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-14 17:44 . 2009-12-21 19:14 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-02-14 17:44 . 2009-12-21 19:14 11070464 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-14 17:42 . 2010-02-14 17:42 -------- d--h--w- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-24 19:43 . 2006-10-21 22:43 41880 ----a-w- c:\documents and settings\Ellis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-23 02:04 . 2004-08-11 01:00 95360 ------w- c:\windows\system32\drivers\atapi.sys
2010-02-17 14:30 . 2009-01-14 13:52 41880 ----a-w- c:\documents and settings\Shop\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-14 16:41 . 2006-10-05 11:41 128 ----a-w- c:\documents and settings\Ellis\Local Settings\Application Data\fusioncache.dat
2009-12-31 16:14 . 2004-08-11 01:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2006-01-09 16:08 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 12:58 . 2004-08-11 01:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2004-08-11 01:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 18:55 . 2004-08-11 01:00 2180352 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:19 . 2004-08-11 01:00 2057728 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 14:41 . 2004-08-11 01:00 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

------- Sigcheck -------

[-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\lsass.exe
[-] 2004-08-11 . D41D8CD98F00B204E9800998ECF8427E . 14848 . . [5.1.2600.2180] . . c:\windows\system32\lsass.exe

[-] 2009-02-06 . D41D8CD98F00B204E9800998ECF8427E . 113152 . . [5.1.2600.3520] . . c:\windows\system32\services.exe
[7] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\services.exe
[7] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2009-02-06 . 4712531AB7A01B7EE059853CA17D39BD . 110592 . . [5.1.2600.3520] . . c:\windows\$hf_mig$\KB956572\SP2QFE\services.exe
[-] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\services.exe
[7] 2004-08-11 . C6CE6EEC82F187615D1002BB3BB50ED4 . 108032 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB956572$\services.exe

[-] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\spoolsv.exe
[7] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-11 . D41D8CD98F00B204E9800998ECF8427E . 58880 . . [5.1.2600.2696] . . c:\windows\system32\spoolsv.exe
[7] 2004-08-11 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB896423$\spoolsv.exe

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\winlogon.exe
[-] 2004-08-11 . D41D8CD98F00B204E9800998ECF8427E . 506368 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\svchost.exe
[-] 2004-08-11 . D41D8CD98F00B204E9800998ECF8427E . 17408 . . [5.1.2600.2180] . . c:\windows\system32\svchost.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-07 102491]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-07 692315]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-11 59392]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]
"EPM-DM"="c:\acer\Empowering Technology\ePower\epm-dm.exe" [2005-11-25 212992]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2005-11-09 3084288]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"GlmWCGyfVAvE"= {1D0F11D6-B7A5-BB7C-6DE4-4D8C581D8BBD} - c:\windows\system32\zwtib.dll [2009-03-21 32768]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Caterpillar Inc\\SIS\\search\\ssjs.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Caterpillar Inc\\SIS\\jre\\bin\\java.exe"=

R2 CATLNKNT;CATLNKNT;c:\windows\system32\drivers\CATLNKNT.SYS [1/8/2007 3:20 PM 23712]
R2 DLADRVNT;DLADRVNT;c:\windows\system32\drivers\DLADRVNT.SYS [1/8/2007 3:20 PM 32832]
R2 DLASIPNT;DLASIPNT;c:\windows\system32\drivers\DLASIPNT.SYS [1/8/2007 3:20 PM 82752]
R2 J1708NT;J1708NT;c:\windows\system32\drivers\J1708NT.SYS [1/8/2007 3:20 PM 23296]
R2 J1939NT;J1939NT;c:\windows\system32\drivers\J1939NT.SYS [1/8/2007 3:20 PM 24320]
R2 PCSMHNT;PCSMHNT;c:\windows\system32\drivers\PCSMHNT.SYS [1/8/2007 3:20 PM 40000]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 CANNT;CANNT; [x]
S2 PARCAII;PARCAII;c:\windows\system32\drivers\PARCAII.SYS [1/8/2007 3:20 PM 14602]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\24.tmp --> c:\windows\system32\24.tmp [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - INT15.SYS
.
Contents of the 'Scheduled Tasks' folder

2010-02-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-25 20:17
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\24.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\INTEL\Wireless\Folders\¨ }*2*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(876)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3192)
c:\windows\system32\WININET.dll
c:\windows\system32\MSNChatHook.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\MSVCR71.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\acer\Empowering Technology\admServ.exe
c:\windows\system32\crypserv.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-02-25 20:20:03 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-26 01:20
ComboFix2.txt 2010-02-26 00:37

Pre-Run: 40,830,533,632 bytes free
Post-Run: 40,786,886,656 bytes free

- - End Of File - - 2B2F837582670F0D597148D65E367ECF
Upload was successful
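As an added triage example (my code, not part of this thread, SystemLook or ComboFix), the script below parses the SystemLook ":filefind" lines from post #7 and the ComboFix "Sigcheck" lines above, flags a copy of a driver whose MD5 disagrees with its same-named, same-sized siblings, and lists entries whose MD5 is the digest of zero bytes (D41D8CD98F00B204E9800998ECF8427E), meaning the tool hashed no data from that file, so the value says nothing about the file's contents. The sample input is re-typed from this thread's logs; treating the ".vir" suffix as the quarantine copy of the original file name is my assumption, based on the Qoobox path shown in the log.

```python
"""Triage helpers for two log formats seen in this thread: SystemLook
':filefind' output and the ComboFix 'Sigcheck' section.  Added example; not
part of the thread, SystemLook or ComboFix."""
import hashlib
import re
from collections import Counter, defaultdict

# MD5 of zero bytes.  A scanner that prints this digest hashed no data, so the
# value describes the scan, not the file's contents.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()

# One SystemLook filefind result line:
#   <path> <attrs> <size> bytes [created] [modified] <MD5>
FILEFIND_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
# One ComboFix Sigcheck line:
#   [mark] <date> . <MD5> . <size> . . [version] . . <path>
SIGCHECK_RE = re.compile(
    r"^\[(?P<mark>[^\]]*)\] (?P<date>\S+) \. (?P<md5>[0-9A-Fa-f]{32}) \. "
    r"(?P<size>\d+) \. \. \[(?P<version>[^\]]+)\] \. \. (?P<path>.+)$"
)

# Sample input, re-typed from the SystemLook log posted earlier in this thread.
SYSTEMLOOK_SAMPLE = r"""
Searching for "atapi.*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [03:59 04/08/2004] [03:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\I386\ATAPI.SY_ --a--- 49558 bytes [01:00 11/08/2004] [01:00 11/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir --a--- 95360 bytes [01:00 11/08/2004] [02:04 23/02/2010] 549137D98EE9F0C221AA2159ECB8A917
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 95360 bytes [00:36 26/02/2010] [02:04 23/02/2010] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\atapi.sys --a--- 96512 bytes [14:29 08/04/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--- 95360 bytes [01:00 11/08/2004] [02:04 23/02/2010] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\drivers\atapi.sys ------ 95360 bytes [01:00 11/08/2004] [02:04 23/02/2010] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\i386\atapi.sys --a--- 95360 bytes [03:59 04/08/2004] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
"""

# Sample input, re-typed from the Sigcheck section of the ComboFix log above.
SIGCHECK_SAMPLE = r"""
[-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\lsass.exe
[-] 2004-08-11 . D41D8CD98F00B204E9800998ECF8427E . 14848 . . [5.1.2600.2180] . . c:\windows\system32\lsass.exe
[-] 2009-02-06 . D41D8CD98F00B204E9800998ECF8427E . 113152 . . [5.1.2600.3520] . . c:\windows\system32\services.exe
[7] 2009-02-06 . 4712531AB7A01B7EE059853CA17D39BD . 110592 . . [5.1.2600.3520] . . c:\windows\$hf_mig$\KB956572\SP2QFE\services.exe
"""


def _basename(path):
    """Lower-cased file name.  Assumption: a ComboFix quarantine copy carries a
    '.vir' suffix, which is stripped so it groups with the live copy."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".vir") else name


def parse_filefind(text):
    """Parse SystemLook filefind lines into dicts; other lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["size"] = int(row["size"])
            row["md5"] = row["md5"].upper()
            row["name"] = _basename(row["path"])
            rows.append(row)
    return rows


def parse_sigcheck(text):
    """Parse ComboFix Sigcheck lines into dicts; other lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["size"] = int(row["size"])
            row["md5"] = row["md5"].upper()
            rows.append(row)
    return rows


def hash_outliers(rows):
    """Group same-named, same-sized copies of a file and report those whose
    MD5 disagrees with the group majority.
    Returns {(name, size): (majority_md5, [outlier paths])}."""
    groups = defaultdict(list)
    for row in rows:
        groups[(row["name"], row["size"])].append(row)
    report = {}
    for key, members in groups.items():
        counts = Counter(r["md5"] for r in members)
        if len(counts) < 2:
            continue
        majority = counts.most_common(1)[0][0]
        report[key] = (majority, [r["path"] for r in members if r["md5"] != majority])
    return report


def unreadable(rows):
    """Paths whose recorded MD5 is the zero-byte digest."""
    return [r["path"] for r in rows if r["md5"] == EMPTY_MD5]


if __name__ == "__main__":
    for (name, size), (majority, odd) in hash_outliers(parse_filefind(SYSTEMLOOK_SAMPLE)).items():
        print(f"{name} ({size} bytes): majority {majority}; differing copies: {odd}")
    for path in unreadable(parse_sigcheck(SIGCHECK_SAMPLE)):
        print(f"no data hashed for {path}")
```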


#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:32 AM

Posted 25 February 2010 - 08:33 PM

Still something hanging on there though. Can you run another Gmer scan as you did in your first post? Thanks.



#11 Foneman38

Foneman38
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:09:32 PM

Posted 25 February 2010 - 08:44 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-25 20:43:26
Windows 5.1.2600 Service Pack 2
Running: o2yx548l.exe; Driver: C:\DOCUME~1\Ellis\LOCALS~1\Temp\kxniipoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\Cdrom \Device\CdRom0 OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)

AttachedDevice \FileSystem\Fastfat \Fat OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)

---- EOF - GMER 1.0.15 ----


#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:32 AM

Posted 25 February 2010 - 09:50 PM

I just wanted you to know I have asked some other people to take a look at your logs. As soon as I have some instructions I will get back to you, but please don't make any changes in the meantime.



#13 Foneman38

Foneman38
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:09:32 PM

Posted 25 February 2010 - 09:50 PM

Ok. I sure appreciate all of your help.

#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:32 AM

Posted 26 February 2010 - 04:47 PM

Hi Foneman38,

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

CODE
Files to delete:
c:\windows\system32\zwtib.dll
Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | GlmWCGyfVAvE


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.
  • Avenger will restart your computer. After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt


Please post the avenger log along with a new DDS log.

Thanks



#15 Foneman38

Foneman38
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:09:32 PM

Posted 26 February 2010 - 09:31 PM


DDS (Ver_09-12-01.01) - FAT32x86
Run by Ellis at 21:29:57.81 on Fri 02/26/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.557 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
SVCHOST.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ellis\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [EPSON Stylus Photo R220 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_11\bin\jusched.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\Monitor.exe
mRun: [EPM-DM] c:\acer\empowering technology\epower\epm-dm.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [ADMTray.exe] "c:\acer\empowering technology\admtray.exe"
mRun: [Acer ePower Management] c:\acer\empowering technology\epower\Acer ePower Management.exe boot
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R2 AWService;AdminWorks Agent X6;c:\acer\empowering technology\admServ.exe [2005-10-24 1314816]
R2 CATLNKNT;CATLNKNT;c:\windows\system32\drivers\CATLNKNT.SYS [2007-1-8 23712]
R2 DLADRVNT;DLADRVNT;c:\windows\system32\drivers\DLADRVNT.SYS [2007-1-8 32832]
R2 DLASIPNT;DLASIPNT;c:\windows\system32\drivers\DLASIPNT.SYS [2007-1-8 82752]
R2 J1708NT;J1708NT;c:\windows\system32\drivers\J1708NT.SYS [2007-1-8 23296]
R2 J1939NT;J1939NT;c:\windows\system32\drivers\J1939NT.SYS [2007-1-8 24320]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 PCSMHNT;PCSMHNT;c:\windows\system32\drivers\PCSMHNT.SYS [2007-1-8 40000]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 CANNT;CANNT; [x]
S2 PARCAII;PARCAII;c:\windows\system32\drivers\PARCAII.SYS [2007-1-8 14602]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\mcafee security scan\2.0.181\mcchsvc.exe" --> c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\24.tmp --> c:\windows\system32\24.tmp [?]

=============== Created Last 30 ================

2010-02-26 00:16:14 0 d-----w- C:\FOUND.004
2010-02-25 23:57:02 0 d-sha-r- C:\cmdcons
2010-02-25 23:55:25 98816 ----a-w- c:\windows\sed.exe
2010-02-25 23:55:25 77312 ----a-w- c:\windows\MBR.exe
2010-02-25 23:55:25 261632 ----a-w- c:\windows\PEV.exe
2010-02-25 23:55:25 161792 ----a-w- c:\windows\SWREG.exe
2010-02-23 21:41:56 0 ----a-w- c:\documents and settings\ellis\defogger_reenable
2010-02-20 18:15:13 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2010-02-20 18:15:10 0 d-----w- c:\program files\Security Task Manager
2010-02-20 15:50:41 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 15:21:03 0 d-----w- c:\program files\Trend Micro
2010-02-20 14:54:31 0 d-----w- c:\program files\CCleaner
2010-02-20 00:01:25 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-18 02:39:36 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-18 02:39:25 0 d-----w- c:\docume~1\ellis\applic~1\SUPERAntiSpyware.com
2010-02-18 02:34:01 0 d-----w- c:\docume~1\ellis\applic~1\Malwarebytes
2010-02-18 02:05:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-18 02:05:38 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-18 02:05:38 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-18 02:05:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-18 01:59:38 0 d-----w- C:\FOUND.003
2010-02-18 01:45:33 0 d-----w- c:\windows\pss
2010-02-18 01:39:24 0 d-----w- C:\FOUND.002
2010-02-18 00:21:18 0 d-----w- c:\docume~1\ellis\applic~1\AVG8
2010-02-17 12:47:18 0 d-----w- C:\FOUND.001
2010-02-17 07:44:21 564 ----a-w- C:\Security essentials 2010.lnk
2010-02-14 17:52:48 0 d-sh--w- c:\documents and settings\ellis\IECompatCache
2010-02-14 17:52:15 0 d-sh--w- c:\documents and settings\ellis\PrivacIE
2010-02-14 17:50:57 0 d-sh--w- c:\documents and settings\ellis\IETldCache
2010-02-14 17:44:42 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-02-14 17:44:18 0 d-----w- c:\windows\ie8updates
2010-02-14 17:44:09 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-02-14 17:44:09 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-02-14 17:44:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-14 17:44:09 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-02-14 17:44:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-02-14 17:44:08 11070464 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-14 17:42:36 0 d--h--w- c:\windows\ie8

==================== Find3M ====================

2010-02-23 02:04:50 95360 ----a-w- c:\windows\system32\dllcache\atapi.sys
2010-02-23 02:04:50 95360 ------w- c:\windows\system32\drivers\atapi.sys
2009-12-31 16:14:12 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:14:12 352640 ----a-w- c:\windows\system32\dllcache\srv.sys
2009-12-22 05:35:10 1509888 ----a-w- c:\windows\system32\dllcache\shdocvw.dll
2009-12-22 05:35:06 55808 ----a-w- c:\windows\system32\dllcache\extmgr.dll
2009-12-22 05:35:06 1054208 ----a-w- c:\windows\system32\dllcache\danim.dll
2009-12-22 05:35:04 151040 ----a-w- c:\windows\system32\dllcache\cdfview.dll
2009-12-22 05:35:04 1024000 ----a-w- c:\windows\system32\dllcache\browseui.dll
2009-12-21 19:14:06 916480 ------w- c:\windows\system32\wininet.dll
2009-12-21 19:14:06 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2009-12-21 19:14:06 1208832 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-12-21 19:14:04 5942784 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-12-21 19:14:04 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2009-12-21 19:14:04 206848 ------w- c:\windows\system32\dllcache\occache.dll
2009-12-21 19:14:04 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2009-12-21 19:14:02 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 13:35:58 18432 ----a-w- c:\windows\system32\dllcache\iedw.exe
2009-12-16 12:58:04 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 12:58:04 343040 ----a-w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:35:36 33280 ----a-w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-14 07:35:36 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-09 05:53:44 726528 ----a-w- c:\windows\system32\dllcache\jscript.dll
2009-12-08 18:55:26 2180352 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:55:26 2180352 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 18:53:08 2136064 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:19:32 2057728 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:19:32 2057728 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 18:19:32 2015744 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 08:59:48 474112 ----a-w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 14:41:56 453760 ------w- c:\windows\system32\dllcache\mrxsmb.sys

============= FINISH: 21:30:24.65 ===============
