
hijack log. need a hand goin bonkers.


  • This topic is locked
18 replies to this topic

#1 ericmpoyner

ericmpoyner

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:13 PM

Posted 07 March 2010 - 12:51 AM

New to using HijackThis logs. Need a hand cleaning up a computer that my brother has given me. Just need to find out what malware or spyware I need to remove. I've taken a look at it and it looks like there are all sorts of different virus programs partially installed on here. Currently have Windows XP with Avast antivirus. Any help on getting this cleaned up is greatly appreciated. Thanks again. Also getting redirected when I do a search and having pop-ups go nuts. I'll be using Firefox and IE will be having pop-ups going off. Have a trial version of Malwarebytes installed and ran that and it says it removed some but it's still going on.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:12 PM, on 3/6/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
R3 - URLSearchHook: (no name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - (no file)
O2 - BHO: (no name) - {01E98BDA-2EC6-4E61-BA57-ECE6783951F8} - C:\WINDOWS\System32\iassvcs32.dll (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100228113411.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1231720111183
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: AG Windows Service (AGWinService) - Unknown owner - C:\Program Files\AGI\common\win32\PythonService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - Unknown owner - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe (file missing)
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (file missing)
O23 - Service: McAfee Proxy Service (McProxy) - Unknown owner - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (file missing)
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

--
End of file - 5981 bytes




Thanks once again.

Edited by ericmpoyner, 07 March 2010 - 01:40 AM.



#2 ericmpoyner

ericmpoyner
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:13 PM

Posted 07 March 2010 - 01:58 PM

Hello,
Last couple of days I have been having problems with Firefox redirecting when I perform a search along with multiple pop-ups. If I'm using Firefox then IE pops up and vice versa. Firefox and IE are also extremely slow, freeze up and my computer has even just shut down and restarted.

Currently I have Avast antivirus and a trial version of Malwarebytes. I have run Avast, Malwarebytes, Microsoft malicious program removal tool and BitDefender online scan and still have problems persisting.

Thanks for your help, it is GREATLY appreciated.




DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 1:12:18.12 on Sun 03/07/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.154 [GMT -7:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = yahoo.com
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
uURLSearchHooks: H - No File
BHO: {01e98bda-2ec6-4e61-ba57-ece6783951f8} - c:\windows\system32\iassvcs32.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100228113411.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\system32\iavlsp.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231720111183
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\4rsdwrwn.default\
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\4rsdwrwn.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\4rsdwrwn.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 385536]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-4 162512]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-4 19024]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-2-28 170144]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-2-28 141792]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-2-24 30104]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-2-28 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-2-28 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-2-28 312584]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-2-10 88480]
S1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys --> c:\windows\system32\drivers\mfetdi2k.sys [?]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\superadblocker.com\super ad blocker\sabkutil.sys --> c:\program files\superadblocker.com\super ad blocker\SABKUTIL.sys [?]
S2 AGWinService;AG Windows Service;c:\program files\agi\common\win32\pythonservice.exe [2009-1-11 10240]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-4 40384]
S2 AVGIDSAgent;AVG9IDSAgent;"c:\program files\avg\avg9\identity protection\agent\bin\avgidsagent.exe" avgidsagent --> c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [?]
S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloservicemanager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloservicemanager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe" /mccoresvc --> c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-4 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-4 40384]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-2-24 30104]
S3 AVGIDSDriverxpx;AVG9IDSDriver;\??\c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\avgidsdriver.sys --> c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [?]
S3 AVGIDSFilterxpx;AVG9IDSFilter;\??\c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\avgidsfilter.sys --> c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [?]
S3 AVGIDSShimxpx;AVG9IDSShim;\??\c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\avgidsshim.sys --> c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-2-10 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-2-28 83496]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2010-03-07 08:08:22 0 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-03-07 07:47:07 0 d-----w- C:\Hjt
2010-03-07 05:18:50 0 d-----w- c:\program files\Trend Micro
2010-03-07 01:19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-07 01:19:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-07 01:19:23 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-06 23:56:42 0 d-----w- c:\docume~1\admini~1\applic~1\SuperAdBlocker.com
2010-03-06 23:56:04 0 d-----w- c:\windows\system32\URTTemp
2010-03-06 23:01:55 31 ----a-w- c:\windows\system32\30109e98
2010-03-06 22:18:57 0 d-----w- c:\windows\pss
2010-03-06 20:18:34 1402 --sha-w- c:\windows\system32\817940943
2010-03-06 20:18:27 817 ----a-w- c:\windows\system32\1620089247
2010-03-06 20:16:34 203776 --sh--w- c:\windows\system32\unrar.exe
2010-03-06 20:16:34 0 d-----w- c:\windows\system32\1386413816
2010-03-06 20:16:10 0 ----a-w- c:\windows\system32\5b274a06
2010-03-06 20:16:08 0 d-sh--w- C:\System Volume Data
2010-03-05 04:48:23 0 d-----w- c:\docume~1\admini~1\applic~1\QuickScan
2010-03-04 21:11:48 0 d-----w- c:\program files\VS Revo Group
2010-03-04 09:11:18 0 d-----w- c:\documents and settings\administrator\.bh_gui
2010-03-04 09:09:37 0 d-----w- c:\docume~1\alluse~1\applic~1\SRI
2010-03-04 07:05:07 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-02 20:42:59 0 d-----w- c:\docume~1\admini~1\applic~1\TuneUp Software
2010-03-02 20:41:35 0 d-----w- c:\docume~1\alluse~1\applic~1\TuneUp Software
2010-02-28 19:22:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-02-28 18:34:08 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-02-28 18:33:54 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-02-28 18:33:54 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-02-28 18:33:54 312584 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-02-28 18:33:54 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-02-28 18:33:23 0 d-----w- c:\program files\common files\Mcafee
2010-02-25 03:37:58 0 d-----w- c:\program files\MSECACHE
2010-02-25 03:15:29 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-02-24 00:24:18 46 ----a-w- c:\windows\system32\_WKERNEL.FRE
2010-02-24 00:18:00 56496 ----a-w- c:\windows\system32\wbhelp2.dll
2010-02-24 00:18:00 544768 ----a-w- c:\windows\system32\wbocx.ocx
2010-02-24 00:17:59 4608 ----a-w- c:\windows\system32\W95INF32.DLL
2010-02-24 00:17:59 33968 ----a-w- c:\windows\system32\anim.dll
2010-02-24 00:17:59 2272 ----a-w- c:\windows\system32\W95INF16.DLL
2010-02-24 00:17:59 1706800 ----a-w- c:\windows\system32\gdiplus.dll
2010-02-24 00:17:58 439 ----a-w- c:\windows\system32\shfolder.inf
2010-02-23 21:25:46 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-02-23 21:25:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-23 20:45:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-02-23 12:32:22 0 d-----w- c:\docume~1\admini~1\applic~1\AVG8
2010-02-23 07:38:44 0 d-----w- c:\docume~1\admini~1\applic~1\McAfee
2010-02-10 08:34:35 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-02-10 06:41:22 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-02-10 06:40:46 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

==================== Find3M ====================

2010-02-03 18:25:58 74703 ----a-w- c:\windows\system32\mfc45.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 1:13:32.93 ===============






Here is a copy of my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:52:48 AM, on 3/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
R3 - URLSearchHook: (no name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - (no file)
O2 - BHO: (no name) - {01E98BDA-2EC6-4E61-BA57-ECE6783951F8} - C:\WINDOWS\System32\iassvcs32.dll (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100228113411.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1231720111183
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: AG Windows Service (AGWinService) - Unknown owner - C:\Program Files\AGI\common\win32\PythonService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - Unknown owner - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe (file missing)
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (file missing)
O23 - Service: McAfee Proxy Service (McProxy) - Unknown owner - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (file missing)
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

--
End of file - 5993 bytes


Thanks again

Edited by Orange Blossom, 07 March 2010 - 02:46 PM.
Merged topics. ~ OB
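The two HijackThis logs and the DDS report above are what the helpers in this thread triage by eye: entries whose target file no longer exists ("(no file)", "(file missing)"), a Winsock LSP that HijackThis does not recognise, and recently created files in system32 with hidden/system attributes or no extension and a purely numeric name. The following Python script is an added example, not part of this thread and not code from HijackThis, DDS or ComboFix; it applies those same checks mechanically to lines copied from the logs posted above so that a reviewer can see the flagged entries in one place. The line formats it parses are inferred from the logs in this thread; the regular expressions, function names and reason strings are the example's own.

```python
import re
from pathlib import PureWindowsPath

# Lines copied from the HijackThis logs posted above (constructed sample input).
HJT_SAMPLE = r"""
R3 - URLSearchHook: (no name) - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {01E98BDA-2EC6-4E61-BA57-ECE6783951F8} - C:\WINDOWS\System32\iassvcs32.dll (file missing)
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
"""

# Lines copied from the "Created Last 30" section of the DDS report above (constructed sample input).
DDS_SAMPLE = r"""
2010-03-06 20:18:34 1402 --sha-w- c:\windows\system32\817940943
2010-03-06 20:16:34 203776 --sh--w- c:\windows\system32\unrar.exe
2010-03-06 23:01:55 31 ----a-w- c:\windows\system32\30109e98
2010-03-07 01:19:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-04 21:11:48 0 d-----w- c:\program files\VS Revo Group
"""

# "R3 - ..." / "O2 - ..." : section code, then the entry body.
HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# "<date> <time> <size> <attrs> <path>" as DDS prints a created file.
DDS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def triage_hjt(text):
    """Return (line, reason) pairs for HijackThis entries a reviewer should look at."""
    findings = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue  # headers, process list, blank lines
        body = m.group("body")
        if any(marker in body for marker in ORPHAN_MARKERS):
            # Registry still points at a file that is gone: leftover of a
            # partial uninstall or an earlier removal, and should be cleaned.
            findings.append((line, "orphaned entry: registry points at a file that no longer exists"))
        elif m.group("section") == "O10" and body.startswith("Unknown file in Winsock LSP"):
            # An LSP sits in the network path of every socket; HijackThis
            # could not match this DLL against its known-good list.
            findings.append((line, "Winsock LSP not on the HijackThis whitelist; verify the DLL's publisher"))
    return findings


def triage_dds(text):
    """Return (line, reason) pairs for recently created files with suspicious traits."""
    findings = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue
        attrs, path = m.group("attrs"), m.group("path")
        if attrs.startswith("d"):
            continue  # directory entry
        p = PureWindowsPath(path)
        in_system32 = "system32" in (part.lower() for part in p.parts)
        reasons = []
        if in_system32 and "h" in attrs:
            reasons.append(f"hidden file in system32 (attrs {attrs})")
        if in_system32 and p.suffix == "" and re.fullmatch(r"[0-9a-f]+", p.name):
            reasons.append("extensionless numeric/hex name in system32")
        if reasons:
            findings.append((line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for line, reason in triage_hjt(HJT_SAMPLE) + triage_dds(DDS_SAMPLE):
        print(f"{reason}\n    {line}")
```

The script only narrows the list; a flagged entry such as the hidden `unrar.exe` still has to be checked against what is known to be installed on the machine, and legitimate orphans (old AVG and iolo services here) are cleaned because they are dead weight, not because they are malicious.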


#3 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:13 AM

Posted 09 March 2010 - 07:29 PM

Hello and Welcome to BleepingComputer

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks



#4 ericmpoyner

ericmpoyner
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:13 PM

Posted 11 March 2010 - 05:15 PM

Hello,
Installed ComboFix as instructed. Started to do the scan and my computer bluescreened and said: a problem has been detected and Windows has been shut down to prevent damage to your computer.
BAD_POOL_CALLER

where should I go from here?
Thanks once again for your help.

#5 ericmpoyner

ericmpoyner
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:13 PM

Posted 11 March 2010 - 06:12 PM

Soon after I sent my previous reply to you, Qwest locked my internet. They said I have Torpig and Mebroot infections. If I disable my Avast AV to run ComboFix then they will lock my net connection and delete my account. Is there a way to do this where my net won't be locked and my account cancelled?
Thanks

#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:13 AM

Posted 11 March 2010 - 06:25 PM

That's a bit harsh, but at least they identified the malware for me.

Try booting into safe mode and running it.



#7 ericmpoyner

ericmpoyner
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:13 PM

Posted 11 March 2010 - 07:25 PM

OK, got it to run in safe mode. Here's the log:


ComboFix 10-03-11.02 - Administrator 03/11/2010 16:48:27.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.180 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\02000000b899b237839C.manifest
c:\documents and settings\Administrator\Application Data\02000000b899b237839O.manifest
c:\documents and settings\Administrator\Application Data\02000000b899b237839P.manifest
c:\documents and settings\Administrator\Application Data\02000000b899b237839S.manifest
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4rsdwrwn.default\extensions\{e765e83d-7c60-4e74-8eb1-769d298b0146}
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4rsdwrwn.default\extensions\{e765e83d-7c60-4e74-8eb1-769d298b0146}\chrome.manifest
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4rsdwrwn.default\extensions\{e765e83d-7c60-4e74-8eb1-769d298b0146}\chrome\xulcache.jar
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4rsdwrwn.default\extensions\{e765e83d-7c60-4e74-8eb1-769d298b0146}\defaults\preferences\xulcache.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4rsdwrwn.default\extensions\{e765e83d-7c60-4e74-8eb1-769d298b0146}\install.rdf
c:\windows\system32\1386413816
c:\windows\system32\drivers\fad.sys
c:\windows\system32\unrar.exe

c:\windows\system32\Drivers\atapi.svs . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2010-02-12 to 2010-03-12 )))))))))))))))))))))))))))))))
.

2010-03-10 12:38 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-08 05:30 . 2010-03-08 05:30 -------- d-----w- c:\documents and settings\HelpAssistant\Application DataComodoGroup
2010-03-08 05:20 . 2010-03-08 05:20 -------- d-----w- c:\documents and settings\Administrator\Application DataComodoGroup
2010-03-08 05:16 . 2010-03-08 05:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\ComodoGroup
2010-03-08 05:14 . 2010-03-08 05:14 -------- d-----w- c:\program files\COMODO
2010-03-07 07:47 . 2010-03-07 07:52 -------- d-----w- C:\Hjt
2010-03-07 05:18 . 2010-03-07 05:18 -------- d-----w- c:\program files\Trend Micro
2010-03-07 01:19 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-07 01:19 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-07 01:19 . 2010-03-07 01:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-06 23:56 . 2010-03-06 23:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\SuperAdBlocker.com
2010-03-06 23:56 . 2010-03-06 23:56 -------- d-----w- c:\windows\system32\URTTemp
2010-03-06 20:16 . 2010-03-06 20:16 -------- d-----w- C:\System Volume Data
2010-03-06 18:48 . 2010-03-06 18:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2010-03-05 04:48 . 2010-03-11 23:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\QuickScan
2010-03-04 21:11 . 2010-03-04 21:11 -------- d-----w- c:\program files\VS Revo Group
2010-03-04 09:33 . 2010-03-09 11:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-04 09:33 . 2010-03-09 11:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-04 09:33 . 2010-03-09 11:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-04 09:33 . 2010-03-09 11:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-04 09:33 . 2010-03-09 11:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-04 09:33 . 2010-03-09 11:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-04 09:33 . 2010-03-09 11:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-04 09:31 . 2010-03-09 11:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-04 09:31 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-04 09:25 . 2010-03-04 09:25 -------- d-----w- c:\documents and settings\HelpAssistant\.bh_gui
2010-03-04 09:11 . 2010-03-04 09:14 -------- d-----w- c:\documents and settings\Administrator\.bh_gui
2010-03-04 09:09 . 2010-03-04 09:09 -------- d-----w- c:\documents and settings\All Users\Application Data\SRI
2010-03-04 07:05 . 2010-03-04 07:05 -------- d-----w- c:\windows\system32\wbem\Repository
2010-03-02 20:42 . 2010-03-02 20:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\TuneUp Software
2010-03-02 20:41 . 2010-03-02 20:42 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2010-02-28 19:22 . 2010-03-04 09:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-28 19:22 . 2010-02-28 19:22 -------- d-----w- c:\program files\Alwil Software
2010-02-28 18:34 . 2010-01-06 01:04 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-02-28 18:33 . 2010-01-06 01:04 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-02-28 18:33 . 2010-01-06 01:04 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-02-28 18:33 . 2010-01-06 01:04 312584 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-02-28 18:33 . 2010-01-06 01:04 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-02-28 18:33 . 2010-02-28 18:33 -------- d-----w- c:\program files\Common Files\Mcafee
2010-02-25 03:37 . 2010-02-25 03:43 -------- d-----w- c:\program files\MSECACHE
2010-02-25 03:15 . 2010-02-25 03:15 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-02-24 00:18 . 2007-08-31 19:52 56496 ----a-w- c:\windows\system32\wbhelp2.dll
2010-02-24 00:17 . 2007-08-31 19:52 33968 ----a-w- c:\windows\system32\anim.dll
2010-02-24 00:17 . 2001-08-24 15:25 1706800 ----a-w- c:\windows\system32\gdiplus.dll
2010-02-24 00:17 . 1999-11-22 22:50 4608 ----a-w- c:\windows\system32\W95INF32.DLL
2010-02-24 00:17 . 1999-11-22 22:50 2272 ----a-w- c:\windows\system32\W95INF16.DLL
2010-02-23 21:25 . 2010-02-23 21:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-23 21:25 . 2010-02-23 21:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-23 20:45 . 2010-02-23 21:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-23 12:32 . 2010-02-23 12:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2010-02-23 07:38 . 2010-02-23 07:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\McAfee
2010-02-21 23:35 . 2010-02-21 23:37 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar
2010-02-10 08:34 . 2010-01-06 01:04 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-02-10 06:41 . 2010-02-10 06:41 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-02-10 06:40 . 2010-02-23 12:32 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-07 02:45 . 2009-10-06 07:44 -------- d-----w- c:\program files\APGW
2010-03-04 07:01 . 2010-02-03 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2010-03-04 04:05 . 2010-02-03 18:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\iolo
2010-02-28 18:33 . 2009-01-12 00:06 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-04 00:13 . 2010-02-04 00:13 0 ----a-w- c:\windows\nsreg.dat
2010-02-03 22:09 . 2009-01-12 02:37 22728 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-03 18:57 . 2010-02-03 18:57 -------- d-----w- c:\documents and settings\LocalService\Application Data\iolo
2010-02-03 18:25 . 2010-02-03 18:25 74703 ----a-w- c:\windows\system32\mfc45.dll
2010-01-20 21:08 . 2009-01-12 00:27 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-01-06 01:04 . 2010-01-06 01:04 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-01-06 01:04 . 2010-01-06 01:04 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-01-05 10:00 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-08-06 02:19 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 10:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2009-01-11 23:13 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-01-06 01:04 . 2010-02-28 18:34 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-22 126976]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"7739:TCP"= 7739:TCP:Services
"7989:TCP"= 7989:TCP:Services
"7379:TCP"= 7379:TCP:Services
"9972:TCP"= 9972:TCP:Services
"7332:TCP"= 7332:TCP:Services
"9441:TCP"= 9441:TCP:Services
"8881:TCP"= 8881:TCP:Services

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/4/2010 2:33 AM 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/4/2010 2:33 AM 19024]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [2/28/2010 11:34 AM 141792]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2/24/2010 8:15 PM 30104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2/28/2010 11:33 AM 312584]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2/10/2010 1:34 AM 88480]
S1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys --> c:\windows\system32\drivers\mfetdi2k.sys [?]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
S2 AGWinService;AG Windows Service;c:\program files\AGI\common\win32\pythonservice.exe [1/11/2009 6:43 PM 10240]
S2 AVGIDSAgent;AVG9IDSAgent;"c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe" AVGIDSAgent --> c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [?]
S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2/24/2010 8:15 PM 30104]
S3 AVGIDSDriverxpx;AVG9IDSDriver;\??\c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys --> c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [?]
S3 AVGIDSFilterxpx;AVG9IDSFilter;\??\c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys --> c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [?]
S3 AVGIDSShimxpx;AVG9IDSShim;\??\c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys --> c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2/10/2010 1:34 AM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2/28/2010 11:33 AM 83496]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = yahoo.com
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\iavlsp.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4rsdwrwn.default\
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4rsdwrwn.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4rsdwrwn.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{0BC6E3FA-78EF-4886-842C-5A1258C4455A} - (no file)
BHO-{01E98BDA-2EC6-4E61-BA57-ECE6783951F8} - (no file)
Notify-avgrsstarter - avgrsstx.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-11 17:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82163178]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7754f28
\Driver\ACPI -> ACPI.sys @ 0xf76c7cb8
\Driver\atapi -> 0x82163178
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> 0x81d5d330
PacketIndicateHandler -> NDIS.sys @ 0xf74e8a21
SendHandler -> NDIS.sys @ 0xf74c687b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"="System32\Drivers\atapi.svs"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-839522115-920026266-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5b,be,3b,e2,4f,64,18,48,a4,f3,d8,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5b,be,3b,e2,4f,64,18,48,a4,f3,d8,\

[HKEY_USERS\S-1-5-21-839522115-920026266-682003330-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-839522115-920026266-682003330-500\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (Administrator)
@Allowed: (Read) (Administrator)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1792)
c:\windows\system32\iavlsp.dll

- - - - - - - > 'explorer.exe'(1276)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\wscntfy.exe
c:\windows\BCMSMMSG.exe
.
**************************************************************************
.
Completion time: 2010-03-11 17:15:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-12 00:15

Pre-Run: 27,648,946,176 bytes free
Post-Run: 27,602,481,152 bytes free

- - End Of File - - C39C303CF1395698E457F028C2093632


#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:13 AM

Posted 12 March 2010 - 03:01 PM

That looks like you have a TDL3 infection there.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy the content of the following codebox into the main text field:
    CODE
    :filefind
    atapi.*
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan, Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt



#9 ericmpoyner

ericmpoyner
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:13 PM

Posted 12 March 2010 - 04:15 PM

OK here is that log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 14:00 on 12/03/2010 by Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [05:59 04/08/2004] [05:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.svs.vir --a--- 96512 bytes [23:42 11/03/2010] [23:42 11/03/2010] 9F3A2F5AA6875C72BF062C712CFA2674
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.svs.vir_ --a--- 96512 bytes [10:00 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir --a--- 96512 bytes [10:00 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [01:05 12/01/2009] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [00:13 12/03/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys -----c 96512 bytes [18:40 13/04/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.svs --a--- 96512 bytes [10:00 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [10:00 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys --a--c 95360 bytes [23:30 11/01/2009] [10:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-
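The SystemLook result above is what the helper needs to decide whether a clean atapi.sys exists to copy back: it lists every copy of the driver, its size, timestamps and MD5. As an added example (not part of this thread, and not a tool by SystemLook's author), here is a Python script that parses that filefind format and runs the two checks that matter in this log: is there a file with a look-alike name sitting in the drivers directory next to the real one, and does the service's ImagePath (the `System32\Drivers\atapi.svs` value ComboFix printed earlier) actually name the real driver. The sample lines are a verbatim subset of the log above; the function and variable names are my own. One caveat worth noticing: every atapi copy in this log, including atapi.svs, carries the same MD5 as the ServicePackFiles original, and on a machine where the rootkit scan reported hooks on `\Driver\atapi` and `\Driver\Disk`, a hash read through the running system is not independent evidence of what is on disk. The odd filename and the redirected ImagePath are the reliable signals here, which is why the script reports them separately from hash mismatches.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "filefind" lines from the SystemLook log
# posted above, copied verbatim. The quarantine line is included to show that
# such copies are deliberately left out of the comparison.
SAMPLE_LOG = r"""
Searching for "atapi.*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [05:59 04/08/2004] [05:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.svs.vir --a--- 96512 bytes [23:42 11/03/2010] [23:42 11/03/2010] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [01:05 12/01/2009] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys -----c 96512 bytes [18:40 13/04/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.svs --a--- 96512 bytes [10:00 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [10:00 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
"""

# One SystemLook filefind result: path, attribute flags, size, created, modified, MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# Where the driver that loaded at boot lives; everything else is a backup,
# install source or quarantine copy and is not what the kernel ran.
DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"


def parse_filefind(text):
    """Parse SystemLook filefind output into dicts; lines that are not results are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def distinct_hashes(entries):
    """Group paths by MD5 so the operator sees how many distinct file versions exist."""
    groups = defaultdict(list)
    for entry in entries:
        groups[entry["md5"]].append(entry["path"])
    return dict(groups)


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def audit_driver(entries, driver_name, image_path):
    """Cross-check the live copy of a boot driver against the ServicePackFiles copy
    and against the service's ImagePath. Returns a list of human-readable findings."""
    findings = []
    name = driver_name.lower()
    reference = [e for e in entries
                 if "\\servicepackfiles\\" in e["path"].lower() and _basename(e["path"]) == name]
    ref_md5 = reference[0]["md5"] if reference else None
    if ref_md5 is None:
        findings.append(f"no ServicePackFiles copy of {driver_name} to compare against")
    for e in entries:
        if not e["path"].lower().startswith(DRIVERS_DIR):
            continue
        if _basename(e["path"]) != name:
            # A look-alike name in the drivers directory (atapi.svs beside atapi.sys).
            findings.append(f"unexpected file in drivers directory: {e['path']}")
        elif ref_md5 and e["md5"] != ref_md5:
            findings.append(f"{e['path']} hash {e['md5']} differs from ServicePackFiles copy {ref_md5}")
    if _basename(image_path) != name:
        # The registry tells the loader which file is the driver; it should be the real name.
        findings.append(f"service ImagePath '{image_path}' does not load {driver_name}")
    return findings


if __name__ == "__main__":
    found = parse_filefind(SAMPLE_LOG)
    for md5, paths in distinct_hashes(found).items():
        print(md5, "->", len(paths), "file(s)")
    # ImagePath value is the one ComboFix printed for the atapi service earlier in the thread.
    for finding in audit_driver(found, "atapi.sys", r"System32\Drivers\atapi.svs"):
        print("FINDING:", finding)
```

Run against the sample, it reports three distinct versions of the driver (the SP2 build, the SP3 build and the compressed cmdcons copy) and two findings: the stray atapi.svs in the drivers directory and the ImagePath that points at it. The atapi.sys hash check passes, which is exactly why the helper's next step copies the ServicePackFiles file over it rather than trusting the hash.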

#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:13 AM

Posted 12 March 2010 - 07:51 PM

Hi ericmpoyner,
  • Go to Start >> Run, and type Notepad into the run box, then click Ok.
  • Copy and paste the following code into Notepad. (Do not include the word "CODE")
CODE
net user HelpAssistant /active:no
net localgroup Administrators HelpAssistant /delete
net user HelpAssistant>log.txt&START log.txt
  • Click on the File tab, and select Save.
  • In the box that opens type help.bat for the File name.
  • Change the Save as type to All Files, then save it to your Desktop. (It should look like this)
  • Double-click help.bat; a box will pop up briefly on your screen and disappear. This is normal.
  • It will produce a file on your desktop called log.txt, please copy and paste this in your next reply.



1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=-
"52344:TCP"=-
"3246:TCP"=-
"2479:TCP"=-
"3389:TCP"=-
"7739:TCP"=-
"7989:TCP"=-
"7379:TCP"=-
"9972:TCP"=-
"7332:TCP"=-
"9441:TCP"=-
"8881:TCP"=-
RegLock::
[HKEY_USERS\S-1-5-21-839522115-920026266-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
Regnull::
[HKEY_USERS\S-1-5-21-839522115-920026266-682003330-500\Software\Microsoft\SystemCertificates\AddressBook*]
[HKEY_USERS\S-1-5-21-839522115-920026266-682003330-500\Software\Policies\Microsoft\SystemCertificates\AddressBook*]


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Then please post back here with the following logs:
  • log.txt
  • combofix.txt

Thanks

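The Registry:: section of the CFScript above deletes twelve GloballyOpenPorts entries one at a time, using the `"name"=-` form. As an added example (not part of this thread and not from ComboFix's author), the Python script below parses the firewall-policy block exactly as ComboFix prints it in the log posted earlier, stays inside the GloballyOpenPorts key, groups the entries by description so that eleven high ports all labelled "Services" stand out from the one labelled "Remote Desktop", and renders the matching Registry:: removal lines. The `allow` parameter is my addition: the helper removed the Remote Desktop entry together with the rest, and this lets an operator keep a port that is known to be wanted. The output is text for a human to review; nothing here touches the registry.

```python
import re

# Constructed sample: the firewall-policy block as it appears in the ComboFix log
# posted earlier in the thread (copied verbatim). The AuthorizedApplications key is
# kept to show the parser ignoring everything outside the GloballyOpenPorts key.
SAMPLE_DUMP = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"7739:TCP"= 7739:TCP:Services
"7989:TCP"= 7989:TCP:Services
"7379:TCP"= 7379:TCP:Services
"9972:TCP"= 9972:TCP:Services
"7332:TCP"= 7332:TCP:Services
"9441:TCP"= 9441:TCP:Services
"8881:TCP"= 8881:TCP:Services
"""

OPEN_PORTS_KEY = (r"HKLM\~\services\sharedaccess\parameters\firewallpolicy"
                  r"\standardprofile\GloballyOpenPorts\List")

SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
# ComboFix prints each entry as  "port:proto"= port:proto:description
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*(?P<value>.*)$')


def parse_open_ports(text):
    """Return (port, proto, description) tuples from the GloballyOpenPorts section only."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            in_section = section.group("key").lower() == OPEN_PORTS_KEY.lower()
            continue
        if not in_section:
            continue
        m = PORT_RE.match(line)
        if m:
            parts = m.group("value").split(":", 2)
            description = parts[2] if len(parts) == 3 else ""
            entries.append((int(m.group("port")), m.group("proto"), description))
    return entries


def review_open_ports(entries, allow=frozenset()):
    """Split entries into keep/remove. Only explicitly allow-listed (port, proto)
    pairs are kept; the rest are grouped by description so a run of identically
    labelled high ports is obvious at a glance."""
    keep = [e for e in entries if (e[0], e[1]) in allow]
    remove = [e for e in entries if (e[0], e[1]) not in allow]
    by_description = {}
    for port, proto, description in remove:
        by_description.setdefault(description, []).append(f"{port}:{proto}")
    return keep, remove, by_description


def cfscript_registry_section(remove):
    """Render the Registry:: section that deletes each flagged entry, in the
    "name"=- form used in the CFScript above."""
    lines = ["Registry::", f"[{OPEN_PORTS_KEY}]"]
    lines.extend(f'"{port}:{proto}"=-' for port, proto, _ in remove)
    return "\n".join(lines)


if __name__ == "__main__":
    ports = parse_open_ports(SAMPLE_DUMP)
    keep, remove, by_description = review_open_ports(ports)
    for description, names in by_description.items():
        print(f"{len(names):2d} entries labelled {description!r}: {', '.join(names)}")
    print(cfscript_registry_section(remove))
```

With the default empty allow-list the generated section is line-for-line the one the helper wrote above; passing `allow={(3389, "TCP")}` keeps the Remote Desktop entry and removes the other eleven.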


#11 ericmpoyner

ericmpoyner
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:13 PM

Posted 12 March 2010 - 09:00 PM

Heya,
Had to run ComboFix in safe mode again because I got that BAD_POOL_CALLER error, but here are the logs you requested:

ComboFix 10-03-12.02 - Administrator 03/12/2010 18:25:50.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.178 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Drivers\atapi.svs . . . is infected!!

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-02-13 to 2010-03-13 )))))))))))))))))))))))))))))))
.

2010-03-10 12:38 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-08 05:30 . 2010-03-08 05:30 -------- d-----w- c:\documents and settings\HelpAssistant\Application DataComodoGroup
2010-03-08 05:20 . 2010-03-08 05:20 -------- d-----w- c:\documents and settings\Administrator\Application DataComodoGroup
2010-03-08 05:16 . 2010-03-08 05:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\ComodoGroup
2010-03-08 05:14 . 2010-03-08 05:14 -------- d-----w- c:\program files\COMODO
2010-03-07 07:47 . 2010-03-07 07:52 -------- d-----w- C:\Hjt
2010-03-07 05:18 . 2010-03-07 05:18 -------- d-----w- c:\program files\Trend Micro
2010-03-07 01:19 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-07 01:19 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-07 01:19 . 2010-03-07 01:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-06 23:56 . 2010-03-06 23:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\SuperAdBlocker.com
2010-03-06 23:56 . 2010-03-06 23:56 -------- d-----w- c:\windows\system32\URTTemp
2010-03-06 20:16 . 2010-03-06 20:16 -------- d-----w- C:\System Volume Data
2010-03-06 18:48 . 2010-03-06 18:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2010-03-05 04:48 . 2010-03-12 19:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\QuickScan
2010-03-04 21:11 . 2010-03-04 21:11 -------- d-----w- c:\program files\VS Revo Group
2010-03-04 09:33 . 2010-03-09 11:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-04 09:33 . 2010-03-09 11:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-04 09:33 . 2010-03-09 11:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-04 09:33 . 2010-03-09 11:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-04 09:33 . 2010-03-09 11:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-04 09:33 . 2010-03-09 11:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-04 09:33 . 2010-03-09 11:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-04 09:31 . 2010-03-09 11:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-04 09:31 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-04 09:25 . 2010-03-04 09:25 -------- d-----w- c:\documents and settings\HelpAssistant\.bh_gui
2010-03-04 09:11 . 2010-03-04 09:14 -------- d-----w- c:\documents and settings\Administrator\.bh_gui
2010-03-04 09:09 . 2010-03-04 09:09 -------- d-----w- c:\documents and settings\All Users\Application Data\SRI
2010-03-04 07:05 . 2010-03-04 07:05 -------- d-----w- c:\windows\system32\wbem\Repository
2010-03-02 20:42 . 2010-03-02 20:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\TuneUp Software
2010-03-02 20:41 . 2010-03-02 20:42 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2010-02-28 19:22 . 2010-03-04 09:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-28 19:22 . 2010-02-28 19:22 -------- d-----w- c:\program files\Alwil Software
2010-02-28 18:34 . 2010-01-06 01:04 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-02-28 18:33 . 2010-01-06 01:04 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-02-28 18:33 . 2010-01-06 01:04 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-02-28 18:33 . 2010-01-06 01:04 312584 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-02-28 18:33 . 2010-01-06 01:04 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-02-28 18:33 . 2010-02-28 18:33 -------- d-----w- c:\program files\Common Files\Mcafee
2010-02-25 03:37 . 2010-02-25 03:43 -------- d-----w- c:\program files\MSECACHE
2010-02-25 03:15 . 2010-02-25 03:15 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-02-24 00:18 . 2007-08-31 19:52 56496 ----a-w- c:\windows\system32\wbhelp2.dll
2010-02-24 00:17 . 2007-08-31 19:52 33968 ----a-w- c:\windows\system32\anim.dll
2010-02-24 00:17 . 2001-08-24 15:25 1706800 ----a-w- c:\windows\system32\gdiplus.dll
2010-02-24 00:17 . 1999-11-22 22:50 4608 ----a-w- c:\windows\system32\W95INF32.DLL
2010-02-24 00:17 . 1999-11-22 22:50 2272 ----a-w- c:\windows\system32\W95INF16.DLL
2010-02-23 21:25 . 2010-02-23 21:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-23 21:25 . 2010-02-23 21:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-23 20:45 . 2010-02-23 21:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-23 12:32 . 2010-02-23 12:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2010-02-23 07:38 . 2010-02-23 07:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\McAfee
2010-02-21 23:35 . 2010-02-21 23:37 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-07 02:45 . 2009-10-06 07:44 -------- d-----w- c:\program files\APGW
2010-03-04 07:01 . 2010-02-03 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2010-03-04 04:05 . 2010-02-03 18:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\iolo
2010-02-28 18:33 . 2009-01-12 00:06 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-23 12:32 . 2010-02-10 06:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-10 06:41 . 2010-02-10 06:41 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-02-04 00:13 . 2010-02-04 00:13 0 ----a-w- c:\windows\nsreg.dat
2010-02-03 22:09 . 2009-01-12 02:37 22728 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-03 18:57 . 2010-02-03 18:57 -------- d-----w- c:\documents and settings\LocalService\Application Data\iolo
2010-02-03 18:25 . 2010-02-03 18:25 74703 ----a-w- c:\windows\system32\mfc45.dll
2010-01-20 21:08 . 2009-01-12 00:27 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-01-06 01:04 . 2010-02-10 08:34 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-01-06 01:04 . 2010-01-06 01:04 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-01-06 01:04 . 2010-01-06 01:04 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-01-05 10:00 . 2006-03-04 03:33 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-08-06 02:19 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 10:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2009-01-11 23:13 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-01-06 01:04 . 2010-02-28 18:34 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-22 126976]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6100:TCP"= 6100:TCP:Services
"5133:TCP"= 5133:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/4/2010 2:33 AM 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/4/2010 2:33 AM 19024]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [2/28/2010 11:34 AM 141792]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2/24/2010 8:15 PM 30104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2/28/2010 11:33 AM 312584]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2/10/2010 1:34 AM 88480]
S1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys --> c:\windows\system32\drivers\mfetdi2k.sys [?]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
S2 AGWinService;AG Windows Service;c:\program files\AGI\common\win32\pythonservice.exe [1/11/2009 6:43 PM 10240]
S2 AVGIDSAgent;AVG9IDSAgent;"c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe" AVGIDSAgent --> c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [?]
S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2/24/2010 8:15 PM 30104]
S3 AVGIDSDriverxpx;AVG9IDSDriver;\??\c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys --> c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [?]
S3 AVGIDSFilterxpx;AVG9IDSFilter;\??\c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys --> c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [?]
S3 AVGIDSShimxpx;AVG9IDSShim;\??\c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys --> c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2/10/2010 1:34 AM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2/28/2010 11:33 AM 83496]
.
.
------- Supplementary Scan -------
.
uStart Page = yahoo.com
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\iavlsp.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4rsdwrwn.default\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-12 18:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82119AE8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7754f28
\Driver\ACPI -> ACPI.sys @ 0xf76c7cb8
\Driver\atapi -> 0x82119ae8
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> 0x81dc3330
PacketIndicateHandler -> NDIS.sys @ 0xf74e8a21
SendHandler -> NDIS.sys @ 0xf74c687b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"="System32\Drivers\atapi.svs"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-839522115-920026266-682003330-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-839522115-920026266-682003330-500\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (Administrator)
@Allowed: (Read) (Administrator)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1816)
c:\windows\system32\iavlsp.dll

- - - - - - - > 'explorer.exe'(1560)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\BCMSMMSG.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-03-12 18:53:47 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-13 01:53
ComboFix2.txt 2010-03-12 00:15

Pre-Run: 27,449,655,296 bytes free
Post-Run: 27,320,283,136 bytes free

- - End Of File - - 84AD3EBEAC6351B0F986EDEA3A164A95

User name HelpAssistant
Full Name Remote Desktop Help Assistant Account
Comment Account for Providing Remote Assistance
User's comment
Country code 000 (System Default)
Account active No
Account expires Never

Password last set 3/12/2010 4:01 PM
Password expires Never
Password changeable 3/12/2010 4:01 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 3/12/2010 4:01 PM

Logon hours allowed All

Local Group Memberships
Global Group memberships *None
The command completed successfully.

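The ComboFix output above carries the three things the helper acts on in the next post: globally open firewall ports, the Gmer MBR detector pointing \Driver\atapi at an unknown module, and an atapi ImagePath that names atapi.svs rather than atapi.sys. The following Python is an added example, not part of the thread and not code from ComboFix, Gmer or the helper: it pulls those three indicators out of log lines of that shape and emits a CFScript fragment in the same form the helper posts later. The function names, the regexes, the embedded sample lines and the assumption that the legitimate driver is the same name with a .sys extension are all constructed here.

```python
"""Triage helpers for ComboFix-style log lines.

Added example for this thread, not code from ComboFix, Gmer or the helper;
the function names, the regexes and the built-in sample are assumptions made
here. The sample lines are constructed to match the shape of the log posted
above (open firewall ports, the Gmer MBR hook lines and the atapi ImagePath).
"""
import re

# Constructed sample in the shape of the posted ComboFix output (not a real capture).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6100:TCP"= 6100:TCP:Services
"5133:TCP"= 5133:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82119AE8]<<
\Driver\atapi -> 0x82119ae8
Warning: possible MBR rootkit infection !

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"="System32\Drivers\atapi.svs"
"""

PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=')
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(?P<path>[^"]+)"')
SERVICE_KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\System\\(?:ControlSet\d+|CurrentControlSet)\\Services\\(?P<svc>[^\]]+)\]',
    re.IGNORECASE)
KNOWN_DRIVER_EXTS = ('.sys', '.exe')   # what a service ImagePath normally ends in


def split_lines(text):
    """Strip whitespace and drop empty lines so the matchers see clean records."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def find_open_ports(lines):
    """Ports listed under the firewall GloballyOpenPorts key, as (port, proto)."""
    ports, in_section = [], False
    for ln in lines:
        if ln.startswith('['):
            in_section = 'GloballyOpenPorts' in ln
            continue
        m = PORT_RE.match(ln) if in_section else None
        if m:
            ports.append((int(m.group('port')), m.group('proto')))
    return ports


def find_bad_driver_images(lines):
    """Services whose ImagePath does not end in a normal driver/executable extension.

    In the thread the atapi service pointed at atapi.svs instead of atapi.sys.
    """
    findings, current = [], None
    for ln in lines:
        m = SERVICE_KEY_RE.match(ln)
        if m:
            current = m.group('svc')
            continue
        if ln.startswith('['):
            current = None          # any other key ends the service block
            continue
        m = IMAGEPATH_RE.match(ln)
        if m and current and not m.group('path').lower().endswith(KNOWN_DRIVER_EXTS):
            findings.append((current, m.group('path')))
    return findings


def find_rootkit_indicators(lines):
    """Gmer MBR-detector lines that point at an unknown module or raise its warning."""
    return [ln for ln in lines if '>>UNKNOWN' in ln or 'possible MBR rootkit' in ln]


def build_cfscript(bad_drivers, ports, windir='C:\\WINDOWS'):
    """Emit a CFScript in the shape of the one the helper posted: File:: names the
    bogus driver file, Registry:: restores ImagePath to the .sys sibling and
    deletes each open-port value ("=-" removes a value).

    Assumption: the legitimate driver is the same name with a .sys extension.
    """
    files, regs = [], []
    for svc, path in bad_drivers:
        full = path if ':' in path else windir + '\\' + path   # log paths are relative
        files.append(full)
        regs.append('[HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\' + svc + ']')
        regs.append('"ImagePath"="' + full.rsplit('.', 1)[0] + '.sys"')
    if ports:
        regs.append('[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy'
                    '\\standardprofile\\GloballyOpenPorts\\List]')
        regs.extend('"%d:%s"=-' % (port, proto) for port, proto in ports)
    out = []
    if files:
        out += ['File::'] + files
    if regs:
        out += ['Registry::'] + regs
    return '\n'.join(out) + '\n'


def triage(text):
    """Run all three checks over a log and return the findings in one dict."""
    lines = split_lines(text)
    return {
        'open_ports': find_open_ports(lines),
        'bad_driver_images': find_bad_driver_images(lines),
        'rootkit_indicators': find_rootkit_indicators(lines),
    }


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    for key, value in result.items():
        print(key, value)
    print(build_cfscript(result['bad_driver_images'], result['open_ports']))
```

Run it as a script to print the findings and the generated CFScript. One caveat before applying a script of this shape: atapi is a boot-start storage driver on Windows XP, and the STOP 0x0000007B reported later in this thread is INACCESSIBLE_BOOT_DEVICE, the error XP raises when the boot volume's storage driver does not load. Confirm that a clean atapi.sys is actually present in system32\drivers before repointing the ImagePath at it.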
#12 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 13 March 2010 - 04:22 PM

Hello,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
File::
C:\WINDOWS\system32\drivers\atapi.svs
Registry::
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\atapi]
"ImagePath"="C:\Windows\System32\Drivers\atapi.sys"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6100:TCP"=-
"5133:TCP"=-
"3389:TCP"=-


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



#13 ericmpoyner

  • Topic Starter
  • Members
  • 11 posts

Posted 13 March 2010 - 05:54 PM

Ok, had to run in safe mode again. Got ComboFix run. Computer rebooted and blue screen at start up, even in safe mode. Having to reply thru my cell phone lol. How do I get the computer to boot back up? I installed the recovery console, just have no idea what command to type to run it.

#14 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 14 March 2010 - 12:10 PM

On the black screen with the startup menu select Microsoft Windows Recovery Console.

When the recovery console has started there is a menu where you're asked to select which Windows installation you want to log in to; usually there is only one:

1. C:\WINDOWS

select the number and press Enter

If it asks you to type the administrator password, do so, then press Enter.

It should then come up with C:\WINDOWS>

Now type in the following bolded text, then press Enter.

cd erdnt\subs

At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

The ERUNT backups will begin copying; wait for it to finish.

Then type EXIT and press Enter to reboot the machine.


Your machine should now load again; let me know if it does.


#15 ericmpoyner

  • Topic Starter
  • Members
  • 11 posts

Posted 14 March 2010 - 02:26 PM

Still blue screen in normal and safe mode. Says tech info:
STOP 0x0000007b
