
Trojan Generic & Vundo Removal Help


  • This topic is locked
28 replies to this topic

#16 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 14 April 2010 - 12:36 PM

That's no problem, it was just messing up the format of the logs a bit. Don't worry about the multiple processes for the
moment; it is malware that is causing it, and it will stop once you are clean.


We need to replace a file using the recovery console.
  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.
CMD /K COPY C:\WINDOWS\ServicePackFiles\i386\kbdclass.sys C:\kbdclass.sys
  • The command prompt should pop up and say 1 file(s) copied, if it doesn't please let me know before continuing.
Reboot your computer.

On the black screen with the startup menu select Microsoft Windows Recovery Console.

When the recovery console has started there is a menu where you're asked to select which Windows installation you want to log in to; usually there is only one:

1. C:\WINDOWS

Select the number and press Enter.

If it asks you to type the administrator password, do so, then press Enter.

It should then come up with C:\WINDOWS>

Now type in the following line, then press Enter.

COPY C:\kbdclass.sys C:\windows\system32\drivers\kbdclass.sys

It will then ask if you want to overwrite kbdclass.sys; press Y, then Enter.

If successful, it should say "1 file(s) copied".

Then type EXIT and press Enter to reboot the machine.
  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.
cmd /c mbr -t& start mbr.log
  • A file called mbr.log will pop up please post the contents in your reply.

Edited by syler, 16 April 2010 - 07:21 AM.




#17 WildBill4

WildBill4
  • Topic Starter

  • Members
  • 14 posts

Posted 15 April 2010 - 01:51 PM

It asked me if I wanted to overwrite kbdclass.sys instead of iastor.sys, but I assume you meant kbdclass.sys, right? Here's the log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
kernel: MBR read successfully
user & kernel MBR OK


#18 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 16 April 2010 - 07:24 AM

Yep, that was just a silly mistake by me. It looks like everything went well; can you tell me how the computer is running now
and if you are still having any problems?

Please run combofix again and post the new log, thanks.



#19 WildBill4

WildBill4
  • Topic Starter

  • Members
  • 14 posts

Posted 16 April 2010 - 12:48 PM

The computer still runs pretty slow for a few minutes after startup, and the fake XP Security Center virus scanning program is still alive. I still sometimes get pop-ups, and Firefox has even started creating a new tab at random that loads an advertisement page. Also, after the computer has been on for a while I sometimes get a pop-up balloon in the bottom right corner of the screen saying "Windows Delayed Write Failed." However, I've had this issue a few times in the past and it may just be a hardware problem and not a virus-related thing, though I thought I fixed it once already... anyway, here is the new ComboFix log:

ComboFix 10-04-15.04 - Billy 04/16/2010 9:27.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1560 [GMT -4:00]
Running from: c:\documents and settings\Billy\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Local Settings\Application Data\ave.exe
c:\program files\McAfee\Common Framework\udaterui.exe
c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

.
((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 )))))))))))))))))))))))))))))))
.

2010-04-15 18:31 . 2008-04-13 18:39 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-04-15 18:31 . 2008-04-13 18:39 24576 ----a-w- C:\kbdclass.sys
2010-04-13 03:12 . 2010-04-13 03:12 -------- d-----w- c:\documents and settings\Billy\.realobjects
2010-04-12 21:53 . 2010-04-12 21:53 71170 ----a-w- c:\documents and settings\All Users\Application Data\bxBM50yb.exe
2010-04-12 15:36 . 2010-04-12 15:36 -------- d-----w- c:\program files\ESET
2010-04-12 15:25 . 2010-04-12 15:37 185856 --sha-w- c:\documents and settings\Billy\Local Settings\Application Data\1154381033.dll
2010-04-12 15:25 . 2010-04-12 15:25 -------- d-----w- c:\program files\Common Files\Java
2010-04-12 15:25 . 2010-04-12 15:25 61440 ----a-w- c:\documents and settings\Billy\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6dd4e21b-n\decora-sse.dll
2010-04-12 15:25 . 2010-04-12 15:25 503808 ----a-w- c:\documents and settings\Billy\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7fa3d79a-n\msvcp71.dll
2010-04-12 15:25 . 2010-04-12 15:25 499712 ----a-w- c:\documents and settings\Billy\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7fa3d79a-n\jmc.dll
2010-04-12 15:25 . 2010-04-12 15:25 348160 ----a-w- c:\documents and settings\Billy\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7fa3d79a-n\msvcr71.dll
2010-04-12 15:25 . 2010-04-12 15:25 12800 ----a-w- c:\documents and settings\Billy\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6dd4e21b-n\decora-d3d.dll
2010-04-11 01:38 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-04-10 18:51 . 2010-04-10 18:51 -------- d-----w- c:\program files\Malwarebytes-Anti-Malware
2010-04-10 18:41 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-10 18:41 . 2010-04-10 18:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-10 18:41 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-10 06:14 . 2010-04-10 06:14 -------- d-----w- c:\documents and settings\Billy\Application Data\Malwarebytes
2010-04-10 06:10 . 2010-04-10 06:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-10 06:08 . 2010-04-10 06:08 5115824 ----a-w- c:\program files\mbam-setup.exe
2010-04-10 05:48 . 2010-04-10 05:48 -------- d-----w- C:\_OTL
2010-04-05 22:41 . 2010-04-05 22:41 -------- d-----w- C:\spoolerlogs
2010-04-03 18:11 . 2010-04-03 18:11 525824 ----a-w- c:\program files\dds.scr
2010-04-03 01:24 . 2010-04-16 05:01 -------- d-----w- c:\program files\Aspyr
2010-04-03 01:16 . 2010-04-16 05:03 21116611 ----a-w- c:\program files\GH3_PC_1.3_Patch.exe
2010-04-03 00:30 . 2010-04-03 00:30 -------- d-----w- c:\documents and settings\Billy\Local Settings\Application Data\Aspyr
2010-04-03 00:29 . 2010-04-03 00:29 -------- d--h--r- c:\documents and settings\Billy\Application Data\SecuROM
2010-04-03 00:29 . 2010-04-03 00:29 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-03-30 16:17 . 2010-03-30 16:17 -------- d-----w- C:\VundoFix Backups
2010-03-29 15:25 . 2010-04-07 02:23 -------- d-----w- C:\QUARANTINE
2010-03-29 15:15 . 2008-09-29 12:07 64432 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-03-29 15:15 . 2008-09-29 12:07 90360 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-03-29 15:15 . 2008-09-29 12:07 74648 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-03-29 15:15 . 2008-09-29 12:07 42424 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-03-29 15:15 . 2008-09-29 12:07 62704 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2010-03-29 15:15 . 2008-09-29 12:07 340592 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-03-29 15:15 . 2008-09-29 12:07 67904 ----a-w- c:\windows\system32\mfevtps.exe
2010-03-29 15:15 . 2010-03-29 15:15 -------- d-----w- c:\program files\Common Files\Cisco Systems
2010-03-29 15:15 . 2010-03-29 15:15 -------- d-----w- c:\program files\McAfee
2010-03-26 18:32 . 2010-03-26 18:32 2808907 ----a-w- c:\program files\FeedBack0.97b.zip
2010-03-26 18:29 . 2010-03-26 18:38 -------- d-----w- c:\program files\FeedBack0.97b
2010-03-22 01:41 . 2010-03-22 01:41 -------- d-----w- c:\program files\SopCast
2010-03-22 01:40 . 2010-03-22 01:40 5277219 ----a-w- c:\program files\SopCast-328.zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-16 13:22 . 2010-04-12 21:53 112 ----a-w- c:\documents and settings\All Users\Application Data\oxQn0y7.dat
2010-04-16 04:52 . 2010-04-13 00:00 77832 ----a-w- c:\windows\Fonts\7IMIPX2.com_
2010-04-14 23:03 . 2009-12-19 02:23 -------- d-----w- c:\program files\QuickTime
2010-04-14 05:38 . 2009-12-21 03:34 -------- d-----w- c:\documents and settings\Billy\Application Data\vlc
2010-04-12 21:51 . 2009-12-19 02:23 -------- d-----w- c:\program files\iTunes
2010-04-12 15:25 . 2009-12-19 17:07 -------- d-----w- c:\program files\Java
2010-04-05 04:26 . 2010-04-05 04:26 14549 ----a-w- c:\program files\Attach.txt
2010-04-05 04:26 . 2010-04-05 04:26 16145 ----a-w- c:\program files\DDS.txt
2010-04-03 00:24 . 2009-12-20 02:54 -------- d-----w- c:\program files\BitComet
2010-03-30 18:43 . 2009-12-19 02:24 -------- d-----w- c:\program files\iPod
2010-03-29 15:15 . 2010-02-12 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-29 15:15 . 2010-02-12 19:20 -------- d-----w- c:\program files\Common Files\McAfee
2010-03-29 05:06 . 2010-02-25 06:01 -------- d-----w- c:\documents and settings\Billy\Application Data\Skype
2010-03-29 03:37 . 2010-02-25 06:14 -------- d-----w- c:\documents and settings\Billy\Application Data\skypePM
2010-02-25 06:14 . 2010-02-25 06:14 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-02-25 06:01 . 2010-02-25 06:00 -------- d-----w- c:\program files\Google
2010-02-25 06:00 . 2010-02-25 06:00 -------- d-----r- c:\program files\Skype
2010-02-25 06:00 . 2010-02-25 06:00 -------- d-----w- c:\program files\Common Files\Skype
2010-02-25 06:00 . 2010-02-25 06:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-02-25 05:59 . 2010-02-25 05:59 2020136 ----a-w- c:\program files\SkypeSetup.exe
2010-02-24 13:11 . 2005-01-19 04:26 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2005-03-02 00:57 2146304 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2005-03-02 00:34 2024448 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-15 19:08 . 2009-12-17 03:55 -------- d-----w- c:\documents and settings\Billy\Application Data\Apple Computer
2010-02-15 18:47 . 2010-02-15 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-15 18:14 . 2010-02-15 18:14 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-15 18:14 . 2010-02-15 18:14 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-15 18:14 . 2010-02-15 18:14 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-15 18:14 . 2010-02-15 18:14 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-15 18:14 . 2010-02-15 18:14 -------- d-----w- c:\program files\Symantec
2010-02-15 18:14 . 2010-02-15 18:14 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-15 18:14 . 2010-02-15 18:14 36272 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-02-15 18:13 . 2010-02-15 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-01 03:23 . 2010-02-01 03:23 14892016 ----a-w- c:\program files\ManyCam.exe
2010-01-26 02:18 . 2009-12-21 05:19 69616 ----a-w- c:\documents and settings\Billy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-23 01:42 . 2009-12-23 01:42 1839496 ----a-w- c:\program files\HousecallLauncher.exe
2009-12-21 03:30 . 2009-12-21 03:28 18030130 ----a-w- c:\program files\vlc-1.0.3-win32.exe
.
CODE
<pre>
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\McAfee\Common Framework\udaterui .exe
c:\program files\McAfee\VirusScan Enterprise\SHSTAT .exe
c:\program files\Microsoft Office\Office12\GrooveMonitor .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2010-02-20 1217872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 16126464]
"SkyTel"="SkyTel.EXE" [2007-04-04 1822720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-12 41476]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [N/A]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [N/A]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [N/A]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-04-12 41476]

c:\documents and settings\Billy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 08:06 40048 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\billydakid014\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Autodesk\\backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\backburner\\server.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Microsoft Games\\Midtown Madness 2\\Midtown2.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13727:TCP"= 13727:TCP:BitComet 13727 TCP
"13727:UDP"= 13727:UDP:BitComet 13727 UDP
"3838:TCP"= 3838:TCP:kjggb

R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [12/16/2009 10:56 PM 13696]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [9/29/2008 8:07 AM 19456]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [3/29/2010 11:15 AM 67904]
S2 gupdate1cab5dfdcb64e30;Google Update Service (gupdate1cab5dfdcb64e30);c:\program files\Google\Update\GoogleUpdate.exe [2/25/2010 2:00 AM 133104]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 6:06 AM 21632]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/29/2010 11:15 AM 64432]
.
Contents of the 'Scheduled Tasks' folder

2010-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 06:00]

2010-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 06:00]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
FF - ProfilePath - c:\documents and settings\Billy\Application Data\Mozilla\Firefox\Profiles\3m0z23rm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-16 09:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-04-16 09:37:23
ComboFix-quarantined-files.txt 2010-04-16 13:37
ComboFix2.txt 2010-04-11 22:17
ComboFix3.txt 2010-04-11 01:43

Pre-Run: 109,854,859,264 bytes free
Post-Run: 109,860,089,856 bytes free

- - End Of File - - 4FD2AC9C5E7BD6AA2665B564CD85EBC4

#20 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 16 April 2010 - 02:04 PM

You still have a bit of malware there; let's clean it out, and you should notice some improvement.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
http://www.bleepingcomputer.com/forums/t/307260/trojan-generic-vundo-removal-help/

RenV::
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\McAfee\Common Framework\udaterui .exe
c:\program files\McAfee\VirusScan Enterprise\SHSTAT .exe
c:\program files\Microsoft Office\Office12\GrooveMonitor .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask .exe
Collect::
c:\documents and settings\All Users\Application Data\bxBM50yb.exe
c:\documents and settings\All Users\Application Data\oxQn0y7.dat
c:\windows\Fonts\7IMIPX2.com_
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3838:TCP"=-


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Please do a scan with ESET OnlineScan

Note: If you run this in a browser other than IE you will be asked to download and install esetsmartinstaller_enu.exe
  • Click the button.
  • Check
  • Click the button.
  • Accept any security warnings from your browser and allow it to install the ActiveX control.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push


Then please post back here with the following logs:
  • Combofix.txt
  • ESET report

Thanks

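The indicators syler's CFScript targets (the files with a space wedged in before .exe listed under RenV::, the Security Center override and firewall values reset under Registry::, and the 3838:TCP open-port entry) can be picked out of a ComboFix log automatically. The Python below is an added example, not code from the thread or from ComboFix; SAMPLE_LOG is a constructed excerpt modelled on the log posted above, and the allow-list of port labels passed to scan_log is an assumption supplied by whoever is reading the log.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed excerpt modelled on the ComboFix log posted above (not the full log).
SAMPLE_LOG = r"""
<pre>
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\QuickTime\qttask      .exe
</pre>

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 16126464]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-12 41476]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13727:TCP"= 13727:TCP:BitComet 13727 TCP
"3838:TCP"= 3838:TCP:kjggb
"""


@dataclass(frozen=True)
class Finding:
    kind: str     # short category tag
    section: str  # registry key the line sat under ("" for the <pre> block)
    line: str     # the offending log line, verbatim


SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# Whitespace wedged between a file name and its .exe extension ("qttask .exe").
SPACED_EXT_RE = re.compile(r'[^\s"]\s+\.exe\b', re.IGNORECASE)
OVERRIDE_NAMES = ("AntiVirusOverride", "FirewallOverride")


def _as_int(value: str) -> int:
    """Parse the two value spellings ComboFix uses: 'dword:00000001' and '0 (0x0)'."""
    value = value.strip()
    if value.lower().startswith("dword:"):
        return int(value.split(":", 1)[1], 16)
    return int(value.split()[0])


def scan_log(text: str, allowed_port_labels: Set[str]) -> List[Finding]:
    """Walk the log line by line, tracking the current [registry key] section."""
    findings: List[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        if SPACED_EXT_RE.search(line):
            findings.append(Finding("spaced-extension", section, line))
        val = VALUE_RE.match(line)
        if not val:
            continue
        name, value = val.group(1), val.group(2)
        key = section.lower()
        if key.endswith(r"\currentversion\run") and value.endswith("[X]"):
            # ComboFix marks an autostart whose target file is missing with [X].
            findings.append(Finding("autostart-missing-target", section, line))
        elif key.endswith(r"\security center") and name in OVERRIDE_NAMES:
            if _as_int(value) == 1:  # AV/firewall monitoring silenced
                findings.append(Finding("security-center-override", section, line))
        elif key.endswith(r"\standardprofile"):
            if name == "EnableFirewall" and _as_int(value) == 0:
                findings.append(Finding("firewall-disabled", section, line))
            elif name == "DisableNotifications" and _as_int(value) == 1:
                findings.append(Finding("firewall-notifications-off", section, line))
        elif key.endswith(r"\globallyopenports\list"):
            # Value reads 'port:proto:label'; the label is what gets vetted.
            label = value.split(":", 2)[2].strip() if value.count(":") >= 2 else value.strip()
            if not any(label.lower().startswith(ok.lower()) for ok in allowed_port_labels):
                findings.append(Finding("unrecognised-open-port", section, line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category, e.g. for a quick triage line."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    # Allow-list is an assumption: port labels the reader recognises as legitimate.
    for f in scan_log(SAMPLE_LOG, {"BitComet"}):
        print(f"{f.kind:28} {f.line}")
    print(summarize(scan_log(SAMPLE_LOG, {"BitComet"})))
```

Run against the full log posted above, the same checks flag the same lines syler put into the RenV:: and Registry:: blocks.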


#21 WildBill4

WildBill4
  • Topic Starter

  • Members
  • 14 posts

Posted 17 April 2010 - 03:32 PM

Hey! Sorry for kind of a late reply, but here is the latest ComboFix log:

ComboFix 10-04-15.05 - Billy 04/17/2010 12:12:09.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1575 [GMT -4:00]
Running from: c:\documents and settings\Billy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Billy\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

file zipped: c:\documents and settings\All Users\Application Data\bxBM50yb.exe
file zipped: c:\documents and settings\All Users\Application Data\oxQn0y7.dat
file zipped: c:\windows\Fonts\7IMIPX2.com_
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\bxBM50yb.exe
c:\documents and settings\All Users\Application Data\oxQn0y7.dat
c:\windows\Fonts\7IMIPX2.com_

.
((((((((((((((((((((((((( Files Created from 2010-03-17 to 2010-04-17 )))))))))))))))))))))))))))))))
.

2010-04-15 18:31 . 2008-04-13 18:39 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-04-15 18:31 . 2008-04-13 18:39 24576 ----a-w- C:\kbdclass.sys
2010-04-13 03:12 . 2010-04-13 03:12 -------- d-----w- c:\documents and settings\Billy\.realobjects
2010-04-12 15:36 . 2010-04-12 15:36 -------- d-----w- c:\program files\ESET
2010-04-12 15:25 . 2010-04-12 15:37 185856 --sha-w- c:\documents and settings\Billy\Local Settings\Application Data\1154381033.dll
2010-04-12 15:25 . 2010-04-12 15:25 -------- d-----w- c:\program files\Common Files\Java
2010-04-12 15:25 . 2010-04-12 15:25 61440 ----a-w- c:\documents and settings\Billy\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6dd4e21b-n\decora-sse.dll
2010-04-12 15:25 . 2010-04-12 15:25 503808 ----a-w- c:\documents and settings\Billy\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7fa3d79a-n\msvcp71.dll
2010-04-12 15:25 . 2010-04-12 15:25 499712 ----a-w- c:\documents and settings\Billy\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7fa3d79a-n\jmc.dll
2010-04-12 15:25 . 2010-04-12 15:25 348160 ----a-w- c:\documents and settings\Billy\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7fa3d79a-n\msvcr71.dll
2010-04-12 15:25 . 2010-04-12 15:25 12800 ----a-w- c:\documents and settings\Billy\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6dd4e21b-n\decora-d3d.dll
2010-04-11 01:38 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-04-10 18:51 . 2010-04-10 18:51 -------- d-----w- c:\program files\Malwarebytes-Anti-Malware
2010-04-10 18:41 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-10 18:41 . 2010-04-10 18:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-10 18:41 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-10 06:14 . 2010-04-10 06:14 -------- d-----w- c:\documents and settings\Billy\Application Data\Malwarebytes
2010-04-10 06:10 . 2010-04-10 06:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-10 06:08 . 2010-04-10 06:08 5115824 ----a-w- c:\program files\mbam-setup.exe
2010-04-10 05:48 . 2010-04-10 05:48 -------- d-----w- C:\_OTL
2010-04-05 22:41 . 2010-04-05 22:41 -------- d-----w- C:\spoolerlogs
2010-04-03 18:11 . 2010-04-03 18:11 525824 ----a-w- c:\program files\dds.scr
2010-04-03 01:24 . 2010-04-16 05:01 -------- d-----w- c:\program files\Aspyr
2010-04-03 01:16 . 2010-04-16 05:03 21116611 ----a-w- c:\program files\GH3_PC_1.3_Patch.exe
2010-04-03 00:30 . 2010-04-03 00:30 -------- d-----w- c:\documents and settings\Billy\Local Settings\Application Data\Aspyr
2010-04-03 00:29 . 2010-04-03 00:29 -------- d--h--r- c:\documents and settings\Billy\Application Data\SecuROM
2010-04-03 00:29 . 2010-04-03 00:29 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-03-30 16:17 . 2010-03-30 16:17 -------- d-----w- C:\VundoFix Backups
2010-03-29 15:25 . 2010-04-07 02:23 -------- d-----w- C:\QUARANTINE
2010-03-29 15:15 . 2008-09-29 12:07 64432 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-03-29 15:15 . 2008-09-29 12:07 90360 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-03-29 15:15 . 2008-09-29 12:07 74648 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-03-29 15:15 . 2008-09-29 12:07 42424 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-03-29 15:15 . 2008-09-29 12:07 62704 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2010-03-29 15:15 . 2008-09-29 12:07 340592 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-03-29 15:15 . 2008-09-29 12:07 67904 ----a-w- c:\windows\system32\mfevtps.exe
2010-03-29 15:15 . 2010-03-29 15:15 -------- d-----w- c:\program files\Common Files\Cisco Systems
2010-03-29 15:15 . 2010-03-29 15:15 -------- d-----w- c:\program files\McAfee
2010-03-26 18:32 . 2010-03-26 18:32 2808907 ----a-w- c:\program files\FeedBack0.97b.zip
2010-03-26 18:29 . 2010-03-26 18:38 -------- d-----w- c:\program files\FeedBack0.97b
2010-03-22 01:41 . 2010-03-22 01:41 -------- d-----w- c:\program files\SopCast
2010-03-22 01:40 . 2010-03-22 01:40 5277219 ----a-w- c:\program files\SopCast-328.zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-17 16:12 . 2009-12-19 02:23 -------- d-----w- c:\program files\QuickTime
2010-04-17 16:12 . 2009-12-19 02:23 -------- d-----w- c:\program files\iTunes
2010-04-14 05:38 . 2009-12-21 03:34 -------- d-----w- c:\documents and settings\Billy\Application Data\vlc
2010-04-12 15:25 . 2009-12-19 17:07 -------- d-----w- c:\program files\Java
2010-04-05 04:26 . 2010-04-05 04:26 14549 ----a-w- c:\program files\Attach.txt
2010-04-05 04:26 . 2010-04-05 04:26 16145 ----a-w- c:\program files\DDS.txt
2010-04-03 00:24 . 2009-12-20 02:54 -------- d-----w- c:\program files\BitComet
2010-03-30 18:43 . 2009-12-19 02:24 -------- d-----w- c:\program files\iPod
2010-03-29 15:15 . 2010-02-12 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-29 15:15 . 2010-02-12 19:20 -------- d-----w- c:\program files\Common Files\McAfee
2010-03-29 05:06 . 2010-02-25 06:01 -------- d-----w- c:\documents and settings\Billy\Application Data\Skype
2010-03-29 03:37 . 2010-02-25 06:14 -------- d-----w- c:\documents and settings\Billy\Application Data\skypePM
2010-02-25 06:14 . 2010-02-25 06:14 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-02-25 06:01 . 2010-02-25 06:00 -------- d-----w- c:\program files\Google
2010-02-25 06:00 . 2010-02-25 06:00 -------- d-----r- c:\program files\Skype
2010-02-25 06:00 . 2010-02-25 06:00 -------- d-----w- c:\program files\Common Files\Skype
2010-02-25 06:00 . 2010-02-25 06:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-02-25 05:59 . 2010-02-25 05:59 2020136 ----a-w- c:\program files\SkypeSetup.exe
2010-02-24 13:11 . 2005-01-19 04:26 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2005-03-02 00:57 2146304 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2005-03-02 00:34 2024448 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-15 18:14 . 2010-02-15 18:14 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-15 18:14 . 2010-02-15 18:14 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-15 18:14 . 2010-02-15 18:14 36272 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-01 03:23 . 2010-02-01 03:23 14892016 ----a-w- c:\program files\ManyCam.exe
2010-01-26 02:18 . 2009-12-21 05:19 69616 ----a-w- c:\documents and settings\Billy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-23 01:42 . 2009-12-23 01:42 1839496 ----a-w- c:\program files\HousecallLauncher.exe
2009-12-21 03:30 . 2009-12-21 03:28 18030130 ----a-w- c:\program files\vlc-1.0.3-win32.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-04-16_13.36.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-17 16:00 . 2010-04-17 16:00 16384 c:\windows\Temp\Perflib_Perfdata_398.dat
+ 2010-04-16 21:32 . 2010-04-16 21:32 10134 c:\windows\Installer\{A638557B-1F13-40A0-9627-C892FBCA6960}\ARPPRODUCTICON.exe
- 2010-03-29 15:15 . 2010-03-29 15:15 10134 c:\windows\Installer\{A638557B-1F13-40A0-9627-C892FBCA6960}\ARPPRODUCTICON.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2010-02-20 1217872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 16126464]
"SkyTel"="SkyTel.EXE" [2007-04-04 1822720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

c:\documents and settings\Billy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 08:06 40048 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\billydakid014\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Autodesk\\backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\backburner\\server.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Microsoft Games\\Midtown Madness 2\\Midtown2.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13727:TCP"= 13727:TCP:BitComet 13727 TCP
"13727:UDP"= 13727:UDP:BitComet 13727 UDP

R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [12/16/2009 10:56 PM 13696]
S2 gupdate1cab5dfdcb64e30;Google Update Service (gupdate1cab5dfdcb64e30);c:\program files\Google\Update\GoogleUpdate.exe [2/25/2010 2:00 AM 133104]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [9/29/2008 8:07 AM 19456]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [3/29/2010 11:15 AM 67904]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 6:06 AM 21632]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/29/2010 11:15 AM 64432]
.
Contents of the 'Scheduled Tasks' folder

2010-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 06:00]

2010-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 06:00]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
FF - ProfilePath - c:\documents and settings\Billy\Application Data\Mozilla\Firefox\Profiles\3m0z23rm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-17 12:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-04-17 12:17:06
ComboFix-quarantined-files.txt 2010-04-17 16:17
ComboFix2.txt 2010-04-16 13:37
ComboFix3.txt 2010-04-11 22:17
ComboFix4.txt 2010-04-11 01:43

Pre-Run: 109,884,436,480 bytes free
Post-Run: 109,845,467,136 bytes free

- - End Of File - - 367C538A2E47A155E7E06513F9F4DBC6
Upload was successful

And here is the ESET log:

C:\Program Files\QuickTime\qttask.exe a variant of Win32/Kryptik.DPG trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\[4]-Submit_2010-04-17_12.12.04.zip a variant of Win32/Kryptik.DPG trojan deleted - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Local Settings\Application Data\ave.exe.vir a variant of Win32/Kryptik.DSA trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\McAfee\Common Framework\udaterui.exe.vir a variant of Win32/Kryptik.DPG trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\Microsoft Office\Office12\GrooveMonitor.exe.vir a variant of Win32/Kryptik.DPG trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\lamisefi.dll.vir a variant of Win32/Kryptik.DSI trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\lefopase.dll.vir a variant of Win32/Kryptik.DSI trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\sapahore.dll.vir a variant of Win32/Kryptik.DSI trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\wiwifezi.dll.vir a variant of Win32/Kryptik.DSI trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\yohabinu.dll.vir a variant of Win32/Kryptik.DSI trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{70C58AF5-D2F3-4C33-8C2A-89B8BFB15F0F}\RP76\A0031340.dll a variant of Win32/Kryptik.DSI trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{70C58AF5-D2F3-4C33-8C2A-89B8BFB15F0F}\RP76\A0031341.dll a variant of Win32/Kryptik.DSI trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{70C58AF5-D2F3-4C33-8C2A-89B8BFB15F0F}\RP76\A0031343.dll a variant of Win32/Kryptik.DSI trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{70C58AF5-D2F3-4C33-8C2A-89B8BFB15F0F}\RP76\A0031344.dll a variant of Win32/Kryptik.DSI trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{70C58AF5-D2F3-4C33-8C2A-89B8BFB15F0F}\RP76\A0031345.dll a variant of Win32/Kryptik.DSI trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{70C58AF5-D2F3-4C33-8C2A-89B8BFB15F0F}\RP79\A0033073.dll a variant of Win32/Kryptik.DNI trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{70C58AF5-D2F3-4C33-8C2A-89B8BFB15F0F}\RP79\A0033074.dll a variant of Win32/Kryptik.DNI trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{70C58AF5-D2F3-4C33-8C2A-89B8BFB15F0F}\RP79\A0033075.dll a variant of Win32/Kryptik.DNI trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{70C58AF5-D2F3-4C33-8C2A-89B8BFB15F0F}\RP79\A0033076.dll a variant of Win32/Kryptik.DNI trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{70C58AF5-D2F3-4C33-8C2A-89B8BFB15F0F}\RP79\A0033077.dll a variant of Win32/Kryptik.DNI trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{70C58AF5-D2F3-4C33-8C2A-89B8BFB15F0F}\RP79\A0033078.dll a variant of Win32/Kryptik.DNI trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{70C58AF5-D2F3-4C33-8C2A-89B8BFB15F0F}\RP79\A0033090.EXE a variant of Win32/Kryptik.DPG trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{70C58AF5-D2F3-4C33-8C2A-89B8BFB15F0F}\RP81\A0035160.exe a variant of Win32/Kryptik.DPG trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{70C58AF5-D2F3-4C33-8C2A-89B8BFB15F0F}\RP81\A0035161.exe a variant of Win32/Kryptik.DPG trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{70C58AF5-D2F3-4C33-8C2A-89B8BFB15F0F}\RP82\A0035176.exe a variant of Win32/Kryptik.DSA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{70C58AF5-D2F3-4C33-8C2A-89B8BFB15F0F}\RP85\A0035410.exe a variant of Win32/Kryptik.DSA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{70C58AF5-D2F3-4C33-8C2A-89B8BFB15F0F}\RP85\A0035411.exe a variant of Win32/Kryptik.DPG trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{70C58AF5-D2F3-4C33-8C2A-89B8BFB15F0F}\RP85\A0035412.exe a variant of Win32/Kryptik.DPG trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{70C58AF5-D2F3-4C33-8C2A-89B8BFB15F0F}\RP85\A0036281.exe a variant of Win32/Kryptik.DPG trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{70C58AF5-D2F3-4C33-8C2A-89B8BFB15F0F}\RP86\A0036525.exe a variant of Win32/Kryptik.DPG trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{70C58AF5-D2F3-4C33-8C2A-89B8BFB15F0F}\RP86\A0036526.exe a variant of Win32/Kryptik.DPG trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{70C58AF5-D2F3-4C33-8C2A-89B8BFB15F0F}\RP86\A0036531.exe a variant of Win32/Kryptik.DPG trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{70C58AF5-D2F3-4C33-8C2A-89B8BFB15F0F}\RP86\A0036532.exe a variant of Win32/Kryptik.DPG trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{70C58AF5-D2F3-4C33-8C2A-89B8BFB15F0F}\RP86\A0036669.exe a variant of Win32/Kryptik.DPG trojan cleaned by deleting - quarantined
C:\_OTL\MovedFiles\04102010_014809\C_WINDOWS\system32\reposoku.dll a variant of Win32/Kryptik.DSI trojan cleaned by deleting - quarantined

Thanks again!

#22 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:30 AM

Posted 18 April 2010 - 04:55 AM

Can you tell me how the computer is running now and if you are still having any problems?


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
"DisableNotifications"=dword:00000000


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Then in your next reply, please let me know if you are having any more problems and post back here with the following logs:
  • combofix.txt
  • mbam log

Thanks

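The CFScript in the post above reverses two things the earlier ComboFix log showed: the firewall policy values (EnableFirewall=0, DisableNotifications=1) and the orphaned "QuickTime Task" Run entry whose target ESET had already quarantined ([X] in the log). The following PowerShell audit is an added example, not code from the thread or from ComboFix, for checking that state after the run; it assumes PowerShell is installed (an add-on on Windows XP) and is run from an administrator prompt, and all function names are my own.

```powershell
# Added example: audit the registry state that the CFScript above corrects.
# Assumes an elevated PowerShell session; function names are hypothetical.

$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Test-FirewallPolicy {
    # Reports the two weak settings ComboFix listed before the fix:
    # firewall switched off and Security Center notifications suppressed.
    $findings = @()
    if (-not (Test-Path $fwKey)) { return ,"Firewall policy key missing: $fwKey" }
    $p = Get-ItemProperty -Path $fwKey
    if ($p.EnableFirewall -eq 0) {
        $findings += 'EnableFirewall is 0 (Windows Firewall disabled for the standard profile)'
    }
    if ($p.DisableNotifications -eq 1) {
        $findings += 'DisableNotifications is 1 (firewall alerts suppressed)'
    }
    return $findings
}

function Test-Image([string]$Candidate) {
    # A path with a directory part must exist as a file; a bare name is looked up
    # the way the loader does it: Windows dir, System32, then the PATH entries.
    if ($Candidate -match '[\\/]') { return (Test-Path -LiteralPath $Candidate -PathType Leaf) }
    $dirs = @($env:windir, "$env:windir\System32") + ($env:Path -split ';')
    foreach ($d in $dirs) {
        if ($d -and (Test-Path -LiteralPath (Join-Path $d $Candidate) -PathType Leaf)) { return $true }
    }
    return $false
}

function Resolve-RunTarget([string]$Command) {
    # Mimics how CreateProcess finds an unquoted image: try each space-delimited
    # prefix until one names an existing file. A quoted path is taken as-is.
    # Returns $null when nothing resolves, e.g. "...\qttask .exe -atboottime".
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        $candidate = if ($end -gt 0) { $cmd.Substring(1, $end - 1) } else { $cmd.TrimStart('"') }
        $candidate = [Environment]::ExpandEnvironmentVariables($candidate)
        if (Test-Image $candidate) { return $candidate }
        return $null
    }
    $parts = $cmd -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = [Environment]::ExpandEnvironmentVariables(($parts[0..($i - 1)] -join ' '))
        if (Test-Image $candidate) { return $candidate }
    }
    return $null
}

function Get-OrphanedRunEntries {
    # Lists Run values whose executable no longer exists, the condition ComboFix
    # marks with [X]; such leftovers are worth removing or investigating.
    $orphans = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $names = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Name }
        foreach ($name in $names) {
            $value = [string]$props.$name
            if (-not (Resolve-RunTarget $value)) {
                $orphans += New-Object PSObject -Property @{ Key = $key; Name = $name; Command = $value }
            }
        }
    }
    return $orphans
}

Test-FirewallPolicy
Get-OrphanedRunEntries | Format-Table -AutoSize
```

An empty result from both calls is the expected state after the CFScript has been applied.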


#23 WildBill4

WildBill4
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:03:30 AM

Posted 18 April 2010 - 01:07 PM

Hey there! MBAM finally works now haha, so here are the logs. ComboFix.txt:

ComboFix 10-04-17.07 - Billy 04/18/2010 13:21:20.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1337 [GMT -4:00]
Running from: c:\documents and settings\Billy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Billy\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((( Files Created from 2010-03-18 to 2010-04-18 )))))))))))))))))))))))))))))))
.

2010-04-15 18:31 . 2008-04-13 18:39 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-04-15 18:31 . 2008-04-13 18:39 24576 ----a-w- C:\kbdclass.sys
2010-04-13 03:12 . 2010-04-13 03:12 -------- d-----w- c:\documents and settings\Billy\.realobjects
2010-04-12 15:36 . 2010-04-12 15:36 -------- d-----w- c:\program files\ESET
2010-04-12 15:25 . 2010-04-12 15:37 185856 --sha-w- c:\documents and settings\Billy\Local Settings\Application Data\1154381033.dll
2010-04-12 15:25 . 2010-04-12 15:25 -------- d-----w- c:\program files\Common Files\Java
2010-04-12 15:25 . 2010-04-12 15:25 61440 ----a-w- c:\documents and settings\Billy\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6dd4e21b-n\decora-sse.dll
2010-04-12 15:25 . 2010-04-12 15:25 503808 ----a-w- c:\documents and settings\Billy\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7fa3d79a-n\msvcp71.dll
2010-04-12 15:25 . 2010-04-12 15:25 499712 ----a-w- c:\documents and settings\Billy\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7fa3d79a-n\jmc.dll
2010-04-12 15:25 . 2010-04-12 15:25 348160 ----a-w- c:\documents and settings\Billy\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7fa3d79a-n\msvcr71.dll
2010-04-12 15:25 . 2010-04-12 15:25 12800 ----a-w- c:\documents and settings\Billy\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6dd4e21b-n\decora-d3d.dll
2010-04-11 01:38 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-04-10 18:51 . 2010-04-10 18:51 -------- d-----w- c:\program files\Malwarebytes-Anti-Malware
2010-04-10 18:41 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-10 18:41 . 2010-04-10 18:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-10 18:41 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-10 06:14 . 2010-04-10 06:14 -------- d-----w- c:\documents and settings\Billy\Application Data\Malwarebytes
2010-04-10 06:10 . 2010-04-10 06:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-10 06:08 . 2010-04-10 06:08 5115824 ----a-w- c:\program files\mbam-setup.exe
2010-04-10 05:48 . 2010-04-10 05:48 -------- d-----w- C:\_OTL
2010-04-05 22:41 . 2010-04-05 22:41 -------- d-----w- C:\spoolerlogs
2010-04-03 18:11 . 2010-04-03 18:11 525824 ----a-w- c:\program files\dds.scr
2010-04-03 01:24 . 2010-04-16 05:01 -------- d-----w- c:\program files\Aspyr
2010-04-03 01:16 . 2010-04-16 05:03 21116611 ----a-w- c:\program files\GH3_PC_1.3_Patch.exe
2010-04-03 00:30 . 2010-04-03 00:30 -------- d-----w- c:\documents and settings\Billy\Local Settings\Application Data\Aspyr
2010-04-03 00:29 . 2010-04-03 00:29 -------- d--h--r- c:\documents and settings\Billy\Application Data\SecuROM
2010-04-03 00:29 . 2010-04-03 00:29 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-03-30 16:17 . 2010-03-30 16:17 -------- d-----w- C:\VundoFix Backups
2010-03-29 15:25 . 2010-04-07 02:23 -------- d-----w- C:\QUARANTINE
2010-03-29 15:15 . 2008-09-29 12:07 64432 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-03-29 15:15 . 2008-09-29 12:07 90360 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-03-29 15:15 . 2008-09-29 12:07 74648 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-03-29 15:15 . 2008-09-29 12:07 42424 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-03-29 15:15 . 2008-09-29 12:07 62704 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2010-03-29 15:15 . 2008-09-29 12:07 340592 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-03-29 15:15 . 2008-09-29 12:07 67904 ----a-w- c:\windows\system32\mfevtps.exe
2010-03-29 15:15 . 2010-03-29 15:15 -------- d-----w- c:\program files\Common Files\Cisco Systems
2010-03-29 15:15 . 2010-03-29 15:15 -------- d-----w- c:\program files\McAfee
2010-03-26 18:32 . 2010-03-26 18:32 2808907 ----a-w- c:\program files\FeedBack0.97b.zip
2010-03-26 18:29 . 2010-03-26 18:38 -------- d-----w- c:\program files\FeedBack0.97b
2010-03-22 01:41 . 2010-03-22 01:41 -------- d-----w- c:\program files\SopCast
2010-03-22 01:40 . 2010-03-22 01:40 5277219 ----a-w- c:\program files\SopCast-328.zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-18 07:29 . 2009-12-21 03:34 -------- d-----w- c:\documents and settings\Billy\Application Data\vlc
2010-04-17 18:14 . 2009-12-19 02:23 -------- d-----w- c:\program files\QuickTime
2010-04-17 16:12 . 2009-12-19 02:23 -------- d-----w- c:\program files\iTunes
2010-04-12 15:25 . 2009-12-19 17:07 -------- d-----w- c:\program files\Java
2010-04-05 04:26 . 2010-04-05 04:26 14549 ----a-w- c:\program files\Attach.txt
2010-04-05 04:26 . 2010-04-05 04:26 16145 ----a-w- c:\program files\DDS.txt
2010-04-04 01:20 . 2009-12-17 03:55 -------- d-----w- c:\documents and settings\Billy\Application Data\LimeWire
2010-04-04 01:10 . 2010-02-03 19:27 -------- d-----w- c:\program files\Incomplete
2010-04-04 01:10 . 2010-02-03 19:25 -------- d-----w- c:\program files\LimeWire
2010-04-03 00:24 . 2009-12-20 02:54 -------- d-----w- c:\program files\BitComet
2010-03-30 18:43 . 2009-12-19 02:24 -------- d-----w- c:\program files\iPod
2010-03-29 15:15 . 2010-02-12 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-29 15:15 . 2010-02-12 19:20 -------- d-----w- c:\program files\Common Files\McAfee
2010-03-29 05:06 . 2010-02-25 06:01 -------- d-----w- c:\documents and settings\Billy\Application Data\Skype
2010-03-29 03:37 . 2010-02-25 06:14 -------- d-----w- c:\documents and settings\Billy\Application Data\skypePM
2010-02-25 06:14 . 2010-02-25 06:14 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-02-25 06:01 . 2010-02-25 06:00 -------- d-----w- c:\program files\Google
2010-02-25 06:00 . 2010-02-25 06:00 -------- d-----r- c:\program files\Skype
2010-02-25 06:00 . 2010-02-25 06:00 -------- d-----w- c:\program files\Common Files\Skype
2010-02-25 06:00 . 2010-02-25 06:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-02-25 05:59 . 2010-02-25 05:59 2020136 ----a-w- c:\program files\SkypeSetup.exe
2010-02-24 13:11 . 2005-01-19 04:26 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2005-03-02 00:57 2146304 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2005-03-02 00:34 2024448 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-15 18:14 . 2010-02-15 18:14 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-15 18:14 . 2010-02-15 18:14 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-15 18:14 . 2010-02-15 18:14 36272 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-01 03:23 . 2010-02-01 03:23 14892016 ----a-w- c:\program files\ManyCam.exe
2010-01-26 02:18 . 2009-12-21 05:19 69616 ----a-w- c:\documents and settings\Billy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-23 01:42 . 2009-12-23 01:42 1839496 ----a-w- c:\program files\HousecallLauncher.exe
2009-12-21 03:30 . 2009-12-21 03:28 18030130 ----a-w- c:\program files\vlc-1.0.3-win32.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-04-16_13.36.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-18 17:07 . 2010-04-18 17:07 16384 c:\windows\Temp\Perflib_Perfdata_5e0.dat
+ 2010-04-16 21:32 . 2010-04-16 21:32 10134 c:\windows\Installer\{A638557B-1F13-40A0-9627-C892FBCA6960}\ARPPRODUCTICON.exe
- 2010-03-29 15:15 . 2010-03-29 15:15 10134 c:\windows\Installer\{A638557B-1F13-40A0-9627-C892FBCA6960}\ARPPRODUCTICON.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2010-02-20 1217872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 16126464]
"SkyTel"="SkyTel.EXE" [2007-04-04 1822720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

c:\documents and settings\Billy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 08:06 40048 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\billydakid014\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Autodesk\\backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\backburner\\server.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Microsoft Games\\Midtown Madness 2\\Midtown2.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13727:TCP"= 13727:TCP:BitComet 13727 TCP
"13727:UDP"= 13727:UDP:BitComet 13727 UDP

R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [12/16/2009 10:56 PM 13696]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [9/29/2008 8:07 AM 19456]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [3/29/2010 11:15 AM 67904]
S2 gupdate1cab5dfdcb64e30;Google Update Service (gupdate1cab5dfdcb64e30);c:\program files\Google\Update\GoogleUpdate.exe [2/25/2010 2:00 AM 133104]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 6:06 AM 21632]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/29/2010 11:15 AM 64432]
.
Contents of the 'Scheduled Tasks' folder

2010-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 06:00]

2010-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 06:00]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
FF - ProfilePath - c:\documents and settings\Billy\Application Data\Mozilla\Firefox\Profiles\3m0z23rm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(388)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-18 13:26:07
ComboFix-quarantined-files.txt 2010-04-18 17:26
ComboFix2.txt 2010-04-17 16:36
ComboFix3.txt 2010-04-16 13:37
ComboFix4.txt 2010-04-11 22:17
ComboFix5.txt 2010-04-18 17:20

Pre-Run: 109,617,913,856 bytes free
Post-Run: 110,164,926,464 bytes free

- - End Of File - - 3708065BE99FACC0EB94ED18DAFEEA9D

mbam-log-2010-04-18.txt:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4005

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/18/2010 2:03:33 PM
mbam-log-2010-04-18 (14-03-33).txt

Scan type: Quick scan
Objects scanned: 101495
Time elapsed: 2 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Billy\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Things seem to be running smoother already, too!
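The single hit in that MBAM log is worth a closer look than the "Quarantined and deleted" line suggests: the safe-mode launch command for Firefox under StartMenuInternet had been rewritten so that a dropper in a per-user writable directory (ave.exe) starts first and then passes the real firefox.exe along as an argument. The following check is an added example, not part of the thread and not MBAM's own logic: it takes a constructed set of registry command strings modelled on the log entry (on a live machine you would read them with winreg, which is left out so it runs anywhere) and flags the interposed-launcher pattern, a launcher living in a user-writable location, or any launcher that is not the client's own executable. The TRUSTED_DIRS and USER_WRITABLE_MARKERS values are assumptions for the example.

```python
"""Audit StartMenuInternet shell commands for the launcher hijack that MBAM
flagged above (Hijack.StartMenuInternet): a foreign executable is inserted in
front of the real browser and passes it along as an argument.

Added example, not from the thread. The commands below are a constructed sample
modelled on the MBAM log entry; on a live machine you would read the values
from the registry (winreg), which is left out so this runs anywhere.
"""
import ntpath
import re

SAFEMODE_KEY = r"HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command"
OPEN_KEY = r"HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command"

# Constructed sample: the hijacked value from the log plus a clean one.
SAMPLE_COMMANDS = {
    SAFEMODE_KEY: (r'"C:\Documents and Settings\Billy\Local Settings\Application Data\ave.exe"'
                   r' /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'),
    OPEN_KEY: r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
}

# Assumed install locations for the browser launcher (adjust per machine).
TRUSTED_DIRS = {
    r"c:\program files\mozilla firefox",
    r"c:\program files\internet explorer",
}
# Assumed per-user writable locations that droppers like ave.exe favour on XP.
USER_WRITABLE_MARKERS = (r"\local settings\application data", r"\local settings\temp")

# Quoted paths become one token; everything else splits on whitespace.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmd):
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]


def expected_browser(key):
    """The client's own exe name is the path component after StartMenuInternet."""
    parts = key.lower().split("\\")
    return parts[parts.index("startmenuinternet") + 1]


def classify(key, cmd):
    """Return (verdict, reason); verdict is clean, hijacked, suspicious or empty."""
    tokens = tokenize(cmd)
    if not tokens:
        return "empty", "no command"
    browser = expected_browser(key)
    exe = tokens[0].lower()
    exe_dir = ntpath.dirname(exe)
    # Bare "firefox.exe" (the Good value in the log) or a trusted full path is clean.
    if ntpath.basename(exe) == browser and (exe_dir == "" or exe_dir in TRUSTED_DIRS):
        return "clean", "browser launched directly"
    # Launcher interposition: the real browser still appears, but as an argument.
    if any(ntpath.basename(t.lower()) == browser for t in tokens[1:]):
        return "hijacked", "%s interposed before %s" % (ntpath.basename(exe), browser)
    if any(marker in exe for marker in USER_WRITABLE_MARKERS):
        return "suspicious", "launcher lives in a per-user writable directory"
    return "suspicious", "launcher is not the expected browser"


def audit(commands):
    """Classify every command; returns {key: (verdict, reason)}."""
    return {key: classify(key, cmd) for key, cmd in commands.items()}


if __name__ == "__main__":
    for key, (verdict, reason) in audit(SAMPLE_COMMANDS).items():
        print("%-10s %s\n           %s" % (verdict, key, reason))
```

The same pattern applies to the other shell\*\command values under StartMenuInternet and to IEXPLORE.EXE; only the key changes, since the expected executable is derived from the key itself.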

#24 syler (Malware Response Team, 8,150 posts, Warrington, UK)

Posted 19 April 2010 - 12:22 PM

Hello,

Just one last file to be removed then we should be done.


TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
http://www.bleepingcomputer.com/forums/t/307260/trojan-generic-vundo-removal-help/

Collect::
c:\documents and settings\Billy\Local Settings\Application Data\1154381033.dll


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



#25 WildBill4 (Topic Starter, Members, 14 posts)

Posted 19 April 2010 - 09:07 PM

Awesome! Well here's the latest ComboFix log:

ComboFix 10-04-18.04 - Billy 04/19/2010 21:38:29.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1561 [GMT -4:00]
Running from: c:\documents and settings\Billy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Billy\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

file zipped: c:\documents and settings\Billy\Local Settings\Application Data\1154381033.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Billy\Local Settings\Application Data\1154381033.dll

.
((((((((((((((((((((((((( Files Created from 2010-03-20 to 2010-04-20 )))))))))))))))))))))))))))))))
.

2010-04-15 18:31 . 2008-04-13 18:39 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-04-15 18:31 . 2008-04-13 18:39 24576 ----a-w- C:\kbdclass.sys
2010-04-13 03:12 . 2010-04-13 03:12 -------- d-----w- c:\documents and settings\Billy\.realobjects
2010-04-12 15:36 . 2010-04-12 15:36 -------- d-----w- c:\program files\ESET
2010-04-12 15:25 . 2010-04-12 15:25 -------- d-----w- c:\program files\Common Files\Java
2010-04-12 15:25 . 2010-04-12 15:25 61440 ----a-w- c:\documents and settings\Billy\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6dd4e21b-n\decora-sse.dll
2010-04-12 15:25 . 2010-04-12 15:25 503808 ----a-w- c:\documents and settings\Billy\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7fa3d79a-n\msvcp71.dll
2010-04-12 15:25 . 2010-04-12 15:25 499712 ----a-w- c:\documents and settings\Billy\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7fa3d79a-n\jmc.dll
2010-04-12 15:25 . 2010-04-12 15:25 348160 ----a-w- c:\documents and settings\Billy\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7fa3d79a-n\msvcr71.dll
2010-04-12 15:25 . 2010-04-12 15:25 12800 ----a-w- c:\documents and settings\Billy\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6dd4e21b-n\decora-d3d.dll
2010-04-11 01:38 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-04-10 18:51 . 2010-04-18 17:42 -------- d-----w- c:\program files\Malwarebytes-Anti-Malware
2010-04-10 18:41 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-10 18:41 . 2010-04-10 18:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-10 18:41 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-10 06:14 . 2010-04-10 06:14 -------- d-----w- c:\documents and settings\Billy\Application Data\Malwarebytes
2010-04-10 06:10 . 2010-04-10 06:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-10 06:08 . 2010-04-10 06:08 5115824 ----a-w- c:\program files\mbam-setup.exe
2010-04-10 05:48 . 2010-04-10 05:48 -------- d-----w- C:\_OTL
2010-04-05 22:41 . 2010-04-05 22:41 -------- d-----w- C:\spoolerlogs
2010-04-03 18:11 . 2010-04-03 18:11 525824 ----a-w- c:\program files\dds.scr
2010-04-03 01:24 . 2010-04-16 05:01 -------- d-----w- c:\program files\Aspyr
2010-04-03 01:16 . 2010-04-16 05:03 21116611 ----a-w- c:\program files\GH3_PC_1.3_Patch.exe
2010-04-03 00:30 . 2010-04-03 00:30 -------- d-----w- c:\documents and settings\Billy\Local Settings\Application Data\Aspyr
2010-04-03 00:29 . 2010-04-03 00:29 -------- d--h--r- c:\documents and settings\Billy\Application Data\SecuROM
2010-04-03 00:29 . 2010-04-03 00:29 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-03-30 16:17 . 2010-03-30 16:17 -------- d-----w- C:\VundoFix Backups
2010-03-29 15:25 . 2010-04-07 02:23 -------- d-----w- C:\QUARANTINE
2010-03-29 15:15 . 2008-09-29 12:07 64432 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-03-29 15:15 . 2008-09-29 12:07 90360 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-03-29 15:15 . 2008-09-29 12:07 74648 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-03-29 15:15 . 2008-09-29 12:07 42424 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-03-29 15:15 . 2008-09-29 12:07 62704 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2010-03-29 15:15 . 2008-09-29 12:07 340592 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-03-29 15:15 . 2008-09-29 12:07 67904 ----a-w- c:\windows\system32\mfevtps.exe
2010-03-29 15:15 . 2010-03-29 15:15 -------- d-----w- c:\program files\Common Files\Cisco Systems
2010-03-29 15:15 . 2010-03-29 15:15 -------- d-----w- c:\program files\McAfee
2010-03-26 18:32 . 2010-03-26 18:32 2808907 ----a-w- c:\program files\FeedBack0.97b.zip
2010-03-26 18:29 . 2010-03-26 18:38 -------- d-----w- c:\program files\FeedBack0.97b
2010-03-22 01:41 . 2010-03-22 01:41 -------- d-----w- c:\program files\SopCast
2010-03-22 01:40 . 2010-03-22 01:40 5277219 ----a-w- c:\program files\SopCast-328.zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-18 07:29 . 2009-12-21 03:34 -------- d-----w- c:\documents and settings\Billy\Application Data\vlc
2010-04-17 18:14 . 2009-12-19 02:23 -------- d-----w- c:\program files\QuickTime
2010-04-17 16:12 . 2009-12-19 02:23 -------- d-----w- c:\program files\iTunes
2010-04-12 15:25 . 2009-12-19 17:07 -------- d-----w- c:\program files\Java
2010-04-05 04:26 . 2010-04-05 04:26 14549 ----a-w- c:\program files\Attach.txt
2010-04-05 04:26 . 2010-04-05 04:26 16145 ----a-w- c:\program files\DDS.txt
2010-04-03 00:24 . 2009-12-20 02:54 -------- d-----w- c:\program files\BitComet
2010-03-30 18:43 . 2009-12-19 02:24 -------- d-----w- c:\program files\iPod
2010-03-29 15:15 . 2010-02-12 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-29 15:15 . 2010-02-12 19:20 -------- d-----w- c:\program files\Common Files\McAfee
2010-03-29 05:06 . 2010-02-25 06:01 -------- d-----w- c:\documents and settings\Billy\Application Data\Skype
2010-03-29 03:37 . 2010-02-25 06:14 -------- d-----w- c:\documents and settings\Billy\Application Data\skypePM
2010-02-25 06:14 . 2010-02-25 06:14 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-02-25 06:01 . 2010-02-25 06:00 -------- d-----w- c:\program files\Google
2010-02-25 06:00 . 2010-02-25 06:00 -------- d-----r- c:\program files\Skype
2010-02-25 06:00 . 2010-02-25 06:00 -------- d-----w- c:\program files\Common Files\Skype
2010-02-25 06:00 . 2010-02-25 06:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-02-25 05:59 . 2010-02-25 05:59 2020136 ----a-w- c:\program files\SkypeSetup.exe
2010-02-24 13:11 . 2005-01-19 04:26 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2005-03-02 00:57 2146304 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2005-03-02 00:34 2024448 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-15 18:14 . 2010-02-15 18:14 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-15 18:14 . 2010-02-15 18:14 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-15 18:14 . 2010-02-15 18:14 36272 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-01 03:23 . 2010-02-01 03:23 14892016 ----a-w- c:\program files\ManyCam.exe
2010-01-26 02:18 . 2009-12-21 05:19 69616 ----a-w- c:\documents and settings\Billy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-23 01:42 . 2009-12-23 01:42 1839496 ----a-w- c:\program files\HousecallLauncher.exe
2009-12-21 03:30 . 2009-12-21 03:28 18030130 ----a-w- c:\program files\vlc-1.0.3-win32.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-04-16_13.36.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-20 01:30 . 2010-04-20 01:30 16384 c:\windows\Temp\Perflib_Perfdata_658.dat
+ 2010-04-16 21:32 . 2010-04-16 21:32 10134 c:\windows\Installer\{A638557B-1F13-40A0-9627-C892FBCA6960}\ARPPRODUCTICON.exe
- 2010-03-29 15:15 . 2010-03-29 15:15 10134 c:\windows\Installer\{A638557B-1F13-40A0-9627-C892FBCA6960}\ARPPRODUCTICON.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2010-02-20 1217872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 16126464]
"SkyTel"="SkyTel.EXE" [2007-04-04 1822720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

c:\documents and settings\Billy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 08:06 40048 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\billydakid014\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Autodesk\\backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\backburner\\server.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Microsoft Games\\Midtown Madness 2\\Midtown2.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13727:TCP"= 13727:TCP:BitComet 13727 TCP
"13727:UDP"= 13727:UDP:BitComet 13727 UDP

R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [12/16/2009 10:56 PM 13696]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [9/29/2008 8:07 AM 19456]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [3/29/2010 11:15 AM 67904]
S2 gupdate1cab5dfdcb64e30;Google Update Service (gupdate1cab5dfdcb64e30);c:\program files\Google\Update\GoogleUpdate.exe [2/25/2010 2:00 AM 133104]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 6:06 AM 21632]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/29/2010 11:15 AM 64432]
.
Contents of the 'Scheduled Tasks' folder

2010-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 06:00]

2010-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 06:00]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
FF - ProfilePath - c:\documents and settings\Billy\Application Data\Mozilla\Firefox\Profiles\3m0z23rm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-19 21:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-04-19 21:58:04
ComboFix-quarantined-files.txt 2010-04-20 01:58
ComboFix2.txt 2010-04-18 17:26
ComboFix3.txt 2010-04-17 16:36
ComboFix4.txt 2010-04-16 13:37
ComboFix5.txt 2010-04-20 01:36

Pre-Run: 110,094,282,752 bytes free
Post-Run: 110,048,419,840 bytes free

- - End Of File - - 69B621F6D04DA5CB698373ABCBEF56C6
Upload was successful

It is worth noting though that while ComboFix was doing stuff about a dozen different error messages popped up saying "Windows Delayed Write Failed" for a couple of locations in the registry as well as other places on my E:\ drive, which I don't use anymore but still have plugged in. I'm not sure if that may have stopped it from fully removing the last of the bad stuff but I thought I'd mention it. So am I officially clean now?

Edited by WildBill4, 19 April 2010 - 09:08 PM.


#26 syler (Malware Response Team, 8,150 posts, Warrington, UK)

Posted 20 April 2010 - 12:48 PM

Everything appears to have gone ok and your logs look fine to me now.


Uninstall ComboFix
  • Click START then RUN
  • Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the /, it needs to be there.



Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.


Congratulations! You now appear clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Keeping Windows updated
It is extremely important to keep windows up to date with the latest service pack and patches. This will prevent you
from getting the malware which uses vulnerabilities found in windows to exploit your computer. The easiest way to
do this is by making sure that Automatic Updates are always enabled.

To do this Click on Start >> Control Panel >> Automatic updates and click Automatic (recommended) then Apply and Ok

Update your AntiVirus Software
It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not
update your antivirus software then it will not be able to catch any of the new variants that may come out. If you
use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your
subscription runs out, you may not be able to update the program's virus definitions.

Make sure all programs are updated
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you.
Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly
patched to fix vulnerabilities. You can check these by visiting Calendar of Updates or you can install Secunia PSI.

Install a Firewall
I cannot stress how important it is that you use a third party Firewall on your computer. Without a firewall your computer
is susceptible to being hacked and taken over. Windows firewall is good for blocking inbound connections but it does
not block outbound connections. So if Malware manages to get onto your computer it will be able to send data out when
it wants. Here are some free firewalls, you only need to install one of these.

Zone Alarm
Outpost
PC Tools

After you install the third party firewall disable your Windows firewall. Go to My Computer >> Control Panel >> Windows Firewall
and choose Off (not recommended) option. Then click Apply and Ok.

Install an AntiSpyware Program
It is recommended that you have an Anti Spyware program installed alongside your Anti Virus, to add an extra layer of
protection. You should update and scan with it as you would with your Anti Virus, Most Anti Spyware programs don't
have active protection, unless you have a paid version, so in that case you can have more than one installed for
scanning purposes but you also don't want to bloat your computer with these programs, so I would recommend having
no more than two installed.

SuperAntiSpyware
Spybot - Search & Destroy
Ad-aware

Install Sandboxie
Sandboxie is a great program to help protect you against malware. Working inside Sandboxie will basically mean that
what you are doing will not make permanent changes to your system, unless you allow it to. So you can be surfing
the web inside Sandboxie, and if you happen to stumble upon a bad site and get infected, you can simply delete the
Sandbox and all is gone. Having said that, it cannot be considered 100% secure, as no program can be, but it can be
a great help and is an excellent program. You can find a download link and more information about the program here.

Secure your browsing
Firefox is generally considered to be a lot safer than Internet Explorer. I would recommend that you install Firefox and
install some addons that will make the browser even safer. You can download the latest version of Firefox here; if
you already have Firefox, these are some good addons.

Recommended addons
NoScript
Adblock Plus
WOT

Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you
from running and downloading known malicious programs. You can find a tutorial and download link here.

Use MVPS hosts file
Using a custom hosts file like the MVPS HOSTS file can help to block ads, banners, 3rd party cookies,
3rd party page counters, web bugs, and even most hijackers. It doesn't use up any extra system resources
and may even speed up the loading of web pages. You can download it and find instructions here.


Follow this list and your potential for being infected again will reduce dramatically.

Happy surfing
Syler

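The hosts-file blocking recommended in the post above works by mapping a listed host name to a sinkhole address (0.0.0.0 or 127.0.0.1) so the browser never reaches the real server. The following Python script is an added example, not code from the post or from the MVPS project: it parses a small constructed hosts file laid out the way the MVPS list is, then reports which sample URLs would be blocked. Every host name in it is an invented placeholder. It also shows the one caveat a user of such a list should know: entries match host names exactly, so a subdomain that is not itself listed is not blocked.

```python
from urllib.parse import urlsplit

# Constructed sample in the MVPS HOSTS layout: comment lines, the standard
# localhost line, and 0.0.0.0 sinkhole entries (several names per line allowed).
# All host names below are invented placeholders, not entries from the real list.
SAMPLE_HOSTS = """\
# Sample hosts file (comment lines are ignored by the resolver)
127.0.0.1  localhost
0.0.0.0  ads.example-tracker.test        # an ad server
0.0.0.0  counter.example-stats.test hijack.example-bad.test
0.0.0.0  BANNERS.EXAMPLE-AD.TEST
"""


def parse_hosts(text):
    """Return the set of host names the file sends to a sinkhole address.

    Only 0.0.0.0 and 127.0.0.1 entries count as blocks, and 'localhost' is
    skipped so the loopback line every hosts file carries is not treated as one.
    Names are lower-cased because DNS names are case-insensitive.
    """
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing/inline comments
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        if addr not in ("0.0.0.0", "127.0.0.1"):
            continue
        for name in names:
            name = name.lower().rstrip(".")
            if name != "localhost":
                blocked.add(name)
    return blocked


def is_blocked(url, blocked):
    """True if the URL's host exactly matches a sinkholed name.

    A hosts file has no wildcard support: an entry for ads.example-tracker.test
    does not cover cdn.ads.example-tracker.test, which is why such lists are
    long and why they are only one layer, not a substitute for a firewall.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host in blocked


def check_urls(urls, hosts_text=SAMPLE_HOSTS):
    """Map each URL to whether the hosts file would block it."""
    blocked = parse_hosts(hosts_text)
    return {url: is_blocked(url, blocked) for url in urls}


if __name__ == "__main__":
    # Constructed sample URLs: two listed hosts, one unlisted subdomain,
    # one ordinary site, and the loopback name.
    sample = [
        "http://ads.example-tracker.test/banner.gif",
        "http://BANNERS.EXAMPLE-AD.TEST/img/1.png",
        "http://cdn.ads.example-tracker.test/x.js",
        "http://www.example.test/",
        "http://localhost/",
    ]
    for url, hit in check_urls(sample).items():
        print(f"{'BLOCKED' if hit else 'allowed'}  {url}")
```

Run it directly to see which of the sample URLs would be stopped; the unlisted subdomain and the ordinary site pass through, which is the behaviour to keep in mind when relying on a hosts file.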


#27 WildBill4

WildBill4
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:03:30 AM

Posted 21 April 2010 - 10:46 PM

Awesome! Thank you so much for all of your help, you have been fantastic! Cheers!

#28 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:30 AM

Posted 22 April 2010 - 02:46 PM

You're very welcome



#29 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:30 AM

Posted 25 April 2010 - 05:21 AM

Since this issue appears resolved, this topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
