Help I'm infected with Trojan.Dropper B.exe


This topic is locked
23 replies to this topic

#1 parleycross (Members, 13 posts)

Posted 09 April 2010 - 08:35 PM


Hello,
I would be very grateful if you could help me remove this trojan.
Every time I restart, after a while Malwarebytes Anti-Malware identifies trojan.dropper b.exe, which I then quarantine.

I have done a full scan with Malwarebytes and SUPERAntiSpyware and bought a registry cleaner, Registry Mechanic, but none of them has removed this trojan.
It keeps coming back every time I restart the system.

Thank you for your help....





GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-09 10:29:28
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Richard\AppData\Local\Temp\ufldqfow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwAlpcConnectPort [0x93F4F08C]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwAlpcCreatePort [0x93F4F95C]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0x93F4EAE2]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0x93F480C2]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0x93F66A90]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0x93F4F5EC]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0x93F62F54]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0x93F6337C]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0x93F6B354]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0x93F4F74A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0x93F48F84]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0x93F684A6]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0x93F67D9C]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0x93F61D92]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadDriver [0x93F41386]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0x93F68E70]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0x93F690AE]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKeyEx [0x93F69560]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwMapViewOfSection [0x93F6B710]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0x93F48A76]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0x93F64FAC]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwProtectVirtualMemory [0x93F781F4]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0x93F6A2F6]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0x93F6982A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0x93F4E67A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0x93F69F36]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0x93F4EDAE]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0x93F4938E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationObject [0x93F780B8]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0x93F6A87E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSystemInformation [0x93F40A40]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0x93F674C0]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0x93F64078]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ZwTerminateProcess [0x93FB2320]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwUnloadDriver [0x93F417D8]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateUserProcess [0x93F637F0]

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001f3adffcf2
Reg HKLM\SYSTEM\ControlSet015\Services\BTHPORT\Parameters\Keys\001f3adffcf2 (not active ControlSet)

---- EOF - GMER 1.0.15 ----


#2 thewall (Malware Response Team, 6,425 posts, Florida)

Posted 10 April 2010 - 02:35 PM

Hello parleycross. Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.

I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

Please keep in mind that we have a large backlog of users just like yourself waiting to be helped, so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

While you attached the Attach.txt log DDS generated, I will still need the DDS.txt which it produced. If you can't find it, rerun DDS and only post that log.

Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.

Thanks,
thewall

If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#3 parleycross (Topic Starter)

Posted 10 April 2010 - 06:48 PM

Hello,
Thank you very much for your help with this issue.

Here is the DDS log...


DDS (Ver_10-03-17.01) - NTFSx86
Run by Richard at 9:41:30.82 on Sun 11/04/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.61.1033.18.3581.2049 [GMT 10:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Fingerprint Reader Suite\upeksvr.exe
C:\Windows\system32\WLANExt.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\FOXTEL\Download Player\Download Control\DCBin\DCService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Citrix\Secure Access Client\nsverctl.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\PSIService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Registry Mechanic\RMTray.exe
C:\Program Files\FOXTEL\Download Player\FOXTELDownloadPlayer.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Citrix\Secure Access Client\nsload.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Fingerprint Reader Suite\psqltray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Richard\Downloads\dds (1).scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Internet Explorer provided by Dell
uStart Page = www.bigpond.com
uDefault_Page_URL = hxxp://www.google.com.au/ig/dell?hl=en&client=dell-row&channel=au&ibd=6080317
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1008.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1008.0\msneshellx.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\rmtray.exe /H
uRun: [Google Update] "c:\users\richard\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [FOXTEL Download Player] c:\program files\foxtel\download player\FOXTELDownloadPlayer.exe -minimized
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~3.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729)" -"http://www.miniclip.com/games/last-christmas-2/en/"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [VolPanel] "c:\program files\creative\sbaudigy\volume panel\VolPanlu.exe" /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SSDMonitor] c:\program files\common files\pc tools\smonitor\SSDMonitor.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PSQLLauncher] "c:\program files\fingerprint reader suite\launcher.exe" /startup
mRun: [pdfFactory Pro Dispatcher v3] "c:\windows\system32\spool\drivers\w32x86\3\fppdis3a.exe" /source=HKLM
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [DelayShred] c:\progra~1\mcafee\mshr\shrcl.exe /p10 /q c:\users\richard\appdata\local\temp\vbe.sh! c:\users\richard\appdata\local\temp\vbe\msforms.sh! c:\users\richard\appdata\local\temp\hsperf~1.sh! c:\users\richard\appdata\local\temp\e4j3d7~1.sh! c:\users\richard\appdata\local\micros~1\windows\tempor~1\content.ie5\7imk0fw9\thirdp~1.sh! c:\users\richard\appdata\local\micros~1\windows\tempor~1\content.ie5\n57n8p6x\browse~1.sh! c:\users\richard\appdata\local\micros~1\windows\tempor~1\content.ie5\gpfny4mh\web_1_~1.sh! c:\users\richard\appdata\local\micros~1\windows\tempor~1\content.ie5\hm6vhgbq\time_1~1.sh! c:\users\richard\appdata\local\micros~1\windows\tempor~1\content.ie5\hm6vhgbq\SUMMAR~1.SH!
StartupFolder: c:\users\richard\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\citrix~1.lnk - c:\program files\citrix\secure access client\nsload.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: afl.com.au\www
Trusted Zone: bankwest.com.au
Trusted Zone: bigpond.com
Trusted Zone: bigpondmovies.com
Trusted Zone: bigpondmovies.com\downloads
Trusted Zone: bigpondmusic.com
Trusted Zone: bigpondtv.com
Trusted Zone: bigpondvideo.com
Trusted Zone: custhelp.com\bigpond
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: mytalk.com.au
Trusted Zone: nab.com.au
Trusted Zone: telstra.com
Trusted Zone: testra.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli psqlpwd
mASetup: {7070D8E0-650A-46b3-B03C-9497582E6A74} - %SystemRoot%\system32\soundschemes.exe /AddRegistration
mASetup: {B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24} - %SystemRoot%\system32\soundschemes2.exe /AddRegistration

============= SERVICES / DRIVERS ===============

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2009-12-14 40560]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-3-17 214024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-3-17 73728]
R2 Foxtel;Foxtel Download Manager;c:\program files\foxtel\download player\download control\dcbin\DCService.exe [2009-9-24 70144]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 476528]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-6-29 303952]
R2 nsverctl;Citrix Secure Access Client Service;c:\program files\citrix\secure access client\nsverctl.exe [2008-8-31 135168]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-4-6 632792]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-9-25 20824]
R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [2008-8-31 48280]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-4-12 21504]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-10-10 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-3-17 79880]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-3-17 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-3-17 34216]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-3-17 40552]
S4 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2008-3-17 209408]

=============== Created Last 30 ================

2010-04-08 09:06:30 0 d-s---w- C:\ComboFix
2010-04-08 08:45:23 602087183 ----a-w- c:\windows\MEMORY.DMP
2010-04-08 08:37:55 98816 ----a-w- c:\windows\sed.exe
2010-04-08 08:37:55 77312 ----a-w- c:\windows\MBR.exe
2010-04-08 08:37:55 261632 ----a-w- c:\windows\PEV.exe
2010-04-08 08:37:55 161792 ----a-w- c:\windows\SWREG.exe
2010-04-06 04:57:55 65536 --sha-w- c:\users\richard\ntuser.dat{61dc5113-4136-11df-8de3-001d093ec31b}.TM.blf
2010-04-06 04:57:55 524288 --sha-w- c:\users\richard\ntuser.dat{61dc5113-4136-11df-8de3-001d093ec31b}.TMContainer00000000000000000002.regtrans-ms
2010-04-06 04:57:55 524288 --sha-w- c:\users\richard\ntuser.dat{61dc5113-4136-11df-8de3-001d093ec31b}.TMContainer00000000000000000001.regtrans-ms
2010-04-06 04:53:36 0 d-----w- c:\users\richard\appdata\roaming\Registry Mechanic
2010-04-06 04:53:32 262144 ---ha-w- c:\users\richard\S-1-5-21-187987470-1669704743-4050635547-1000.rrr.LOG1
2010-04-06 04:53:32 0 ---ha-w- c:\users\richard\S-1-5-21-187987470-1669704743-4050635547-1000.rrr.LOG2
2010-04-06 04:42:57 0 d-----w- C:\My Music
2010-04-06 01:29:47 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2010-04-06 01:29:47 506368 ----a-w- c:\windows\system32\msxml.dll
2010-04-06 01:29:47 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2010-04-06 01:29:47 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2010-04-06 01:29:46 0 d-----w- c:\program files\common files\PC Tools
2010-04-05 23:42:11 0 d-sh--w- C:\found.001
2010-04-05 05:19:09 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-04-04 12:54:06 0 d-----w- c:\windows\pss
2010-04-04 05:28:44 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-04 05:28:28 0 d-----w- c:\users\richard\appdata\roaming\SUPERAntiSpyware.com
2010-04-04 05:28:28 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-04 05:27:01 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-03 05:45:25 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-04-03 05:45:22 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-04-03 05:19:52 65536 --sha-w- c:\users\richard\ntuser.dat{782c6cc4-3eb5-11df-a4c5-001d093ec31b}.TM.blf
2010-04-03 05:19:52 524288 --sha-w- c:\users\richard\ntuser.dat{782c6cc4-3eb5-11df-a4c5-001d093ec31b}.TMContainer00000000000000000002.regtrans-ms
2010-04-03 05:19:52 524288 --sha-w- c:\users\richard\ntuser.dat{782c6cc4-3eb5-11df-a4c5-001d093ec31b}.TMContainer00000000000000000001.regtrans-ms
2010-04-03 00:01:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-04-03 00:01:30 30720 ----a-w- c:\windows\system32\httpapi(234).dll
2010-04-02 09:54:27 1985536 ----a-w- c:\windows\system32\iertutil(240).dll
2010-04-02 09:54:26 916480 ----a-w- c:\windows\system32\wininet.dll
2010-04-02 09:54:26 916480 ----a-w- c:\windows\system32\wininet(263).dll
2010-04-02 09:54:26 1209344 ----a-w- c:\windows\system32\urlmon(262).dll

==================== Find3M ====================

2010-04-08 02:41:14 246550 ----a-w- c:\programdata\nvModes.dat
2010-04-05 04:54:54 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-05 04:54:54 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-05 04:54:54 143360 ----a-w- c:\windows\inf\infstor.dat
2010-04-04 09:11:01 3870 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-29 13:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 13:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-12 22:36:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-25 12:00:35 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00:35 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00:35 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00:22 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58:52 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21:20 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21:20 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21:18 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21:18 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-28 11:19:09 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-04-11 23:28:02 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-03-17 04:26:54 74 --sha-r- c:\windows\CT4CET.bin
2009-09-05 22:09:05 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-10-14 10:51:34 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-04-15 08:16:40 88 --sh--r- c:\windows\system32\0010A7F072.sys
2008-04-08 09:47:23 56 --sh--r- c:\windows\system32\72F0A71000.sys
2008-04-08 10:00:19 8 --sh--r- c:\windows\system32\BAE38D44DA.sys
2008-03-17 12:04:03 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 9:43:50.99 ===============

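The file listing above is the tail of a DDS-style log, and the attribute column is what a helper scans first for hidden, system-flagged files in Windows directories. Added here as an example (not code from the thread or from any of the tools it mentions), this parser reads lines in that format and returns the entries that are both hidden and system-flagged under the Windows directory; it assumes the attribute letters mean s = system, h = hidden, a = archive, w = writable, r = read-only, and the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass

# One listing line: date, time, size in bytes, 8-char attribute field, path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)


@dataclass
class Entry:
    date: str
    size: int
    attrs: str
    path: str

    @property
    def hidden_system(self) -> bool:
        # Assumed meaning of the attribute letters: s = system, h = hidden.
        return "s" in self.attrs and "h" in self.attrs


def parse_listing(text: str) -> list[Entry]:
    """Parse every well-formed listing line; ignore headers and blank lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["date"], int(m["size"]), m["attrs"], m["path"].lower()))
    return entries


def flag_hidden_system(entries: list[Entry], root: str = "c:\\windows\\") -> list[str]:
    """Paths of hidden+system files under root, for a human to review."""
    return [e.path for e in entries if e.hidden_system and e.path.startswith(root)]


# Sample lines taken from the log in this thread (not a full listing).
SAMPLE = r"""
2010-04-04 09:11:01 3870 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-29 13:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2008-04-11 23:28:02 174 --sha-w- c:\program files\desktop.ini
2008-03-17 04:26:54 74 --sha-r- c:\windows\CT4CET.bin
2008-04-15 08:16:40 88 --sh--r- c:\windows\system32\0010A7F072.sys
"""

if __name__ == "__main__":
    for path in flag_hidden_system(parse_listing(SAMPLE)):
        print("review:", path)
```

A hidden+system flag alone is not a verdict; several such files belong to licensing or system components, so the output is a review list, not a detection.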

#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 10 April 2010 - 10:59 PM

You're welcome.


Your log shows you have run ComboFix. I will need the log it generated. You can find it at C:/ComboFix.txt.



If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 parleycross

parleycross
  • Topic Starter

  • Members
  • 13 posts

Posted 11 April 2010 - 07:19 PM

I have been trying to run Combofix but have not been able to get it to complete successfully.
My computer has been crashing during Combofix with Blue Screen of Death and rebooting.

This morning my computer would not start so I think ComboFix has corrupted something badly.

I'm trying to recover my PC at the moment.

Is Combofix destructive? It seems to have corrupted my system so it won't boot.
Are you able to suggest a process to remove my original trojan that doesn't involve Combofix?

Thanks.

#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 11 April 2010 - 08:42 PM

I didn't ask you to run CF again. I said it appeared from your log you had already run it and I needed the log it generated. ComboFix is not destructive, but whatever is already on your machine can be. That is what is causing all the issues you are having.

ComboFix would have generated a log if you ran it before making your post. It will be located at C:/ComboFix.txt

#7 parleycross

parleycross
  • Topic Starter

  • Members
  • 13 posts

Posted 12 April 2010 - 12:25 AM

I don't have that file created on my computer as Combofix had not completed successfully.
It seemed to hang at some point and then crash and restart my computer.

#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida

Posted 12 April 2010 - 11:16 AM

Try running the following:
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


#9 parleycross

parleycross
  • Topic Starter

  • Members
  • 13 posts

Posted 12 April 2010 - 04:04 PM

Hi,
Here is the result of the log. I don't think it found the problem.

06:58:26:429 3252 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
06:58:26:429 3252 ================================================================================
06:58:26:430 3252 SystemInfo:

06:58:26:430 3252 OS Version: 6.0.6002 ServicePack: 2.0
06:58:26:430 3252 Product type: Workstation
06:58:26:430 3252 ComputerName: RICHARD-PC
06:58:26:430 3252 UserName: Richard
06:58:26:430 3252 Windows directory: C:\Windows
06:58:26:430 3252 Processor architecture: Intel x86
06:58:26:430 3252 Number of processors: 2
06:58:26:430 3252 Page size: 0x1000
06:58:26:437 3252 Boot type: Normal boot
06:58:26:437 3252 ================================================================================
06:58:30:206 3252 UnloadDriverW: NtUnloadDriver error 2
06:58:30:206 3252 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
06:58:30:480 3252 wfopen_ex: Trying to open file C:\Windows\system32\config\system
06:58:30:480 3252 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
06:58:30:481 3252 wfopen_ex: Trying to KLMD file open
06:58:30:481 3252 wfopen_ex: File opened ok (Flags 2)
06:58:30:503 3252 wfopen_ex: Trying to open file C:\Windows\system32\config\software
06:58:30:503 3252 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
06:58:30:503 3252 wfopen_ex: Trying to KLMD file open
06:58:30:503 3252 wfopen_ex: File opened ok (Flags 2)
06:58:30:503 3252 Initialize success
06:58:30:503 3252
06:58:30:504 3252 Scanning Services ...
06:58:31:819 3252 Raw services enum returned 485 services
06:58:31:844 3252
06:58:31:844 3252 Scanning Kernel memory ...
06:58:31:845 3252 Devices to scan: 1
06:58:31:845 3252
06:58:31:845 3252 Driver Name: iaStor
06:58:31:845 3252 IRP_MJ_CREATE : 832E9818
06:58:31:845 3252 IRP_MJ_CREATE_NAMED_PIPE : 82C44A22
06:58:31:845 3252 IRP_MJ_CLOSE : 832E9818
06:58:31:845 3252 IRP_MJ_READ : 82C44A22
06:58:31:845 3252 IRP_MJ_WRITE : 82C44A22
06:58:31:845 3252 IRP_MJ_QUERY_INFORMATION : 82C44A22
06:58:31:845 3252 IRP_MJ_SET_INFORMATION : 82C44A22
06:58:31:845 3252 IRP_MJ_QUERY_EA : 82C44A22
06:58:31:845 3252 IRP_MJ_SET_EA : 82C44A22
06:58:31:845 3252 IRP_MJ_FLUSH_BUFFERS : 82C44A22
06:58:31:845 3252 IRP_MJ_QUERY_VOLUME_INFORMATION : 82C44A22
06:58:31:845 3252 IRP_MJ_SET_VOLUME_INFORMATION : 82C44A22
06:58:31:845 3252 IRP_MJ_DIRECTORY_CONTROL : 82C44A22
06:58:31:845 3252 IRP_MJ_FILE_SYSTEM_CONTROL : 82C44A22
06:58:31:845 3252 IRP_MJ_DEVICE_CONTROL : 832E7132
06:58:31:845 3252 IRP_MJ_INTERNAL_DEVICE_CONTROL : 832E4918
06:58:31:845 3252 IRP_MJ_SHUTDOWN : 82C44A22
06:58:31:845 3252 IRP_MJ_LOCK_CONTROL : 82C44A22
06:58:31:845 3252 IRP_MJ_CLEANUP : 82C44A22
06:58:31:846 3252 IRP_MJ_CREATE_MAILSLOT : 82C44A22
06:58:31:846 3252 IRP_MJ_QUERY_SECURITY : 82C44A22
06:58:31:846 3252 IRP_MJ_SET_SECURITY : 82C44A22
06:58:31:846 3252 IRP_MJ_POWER : 832E0AB4
06:58:31:846 3252 IRP_MJ_SYSTEM_CONTROL : 832E007C
06:58:31:846 3252 IRP_MJ_DEVICE_CHANGE : 82C44A22
06:58:31:846 3252 IRP_MJ_QUERY_QUOTA : 82C44A22
06:58:31:846 3252 IRP_MJ_SET_QUOTA : 82C44A22
06:58:31:872 3252 C:\Windows\system32\drivers\iastor.sys - Verdict: 1
06:58:31:872 3252
06:58:31:872 3252 Completed
06:58:31:873 3252
06:58:31:873 3252 Results:
06:58:31:874 3252 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
06:58:31:874 3252 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
06:58:31:875 3252 File objects infected / cured / cured on reboot: 0 / 0 / 0
06:58:31:875 3252
06:58:31:875 3252 fclose_ex: Trying to close file C:\Windows\system32\config\system
06:58:31:876 3252 fclose_ex: Trying to close file C:\Windows\system32\config\software
06:58:31:880 3252 KLMD(ARK) unloaded successfully




I had to restore my system from an earlier backup due to issues I had after ComboFix. Let me know if you want me to try ComboFix again?
Malwarebytes did just find the b.exe trojan again so I still have it trying to start.




#10 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 12 April 2010 - 04:23 PM

No, that didn't show anything. Let's delete the version of ComboFix you have on your machine, then download it again from the link below. Make sure your antivirus and any other program such as Windows Defender or TeaTimer is disabled before doing so. Also download and run RKill first.



RKill by Grinler
Link #1
Link #2
Link #3
Link #4
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.






Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.






#11 parleycross

parleycross
  • Topic Starter

  • Members
  • 13 posts

Posted 13 April 2010 - 10:20 PM

Hi,
I did run RKILL successfully, I'll post the log later when I get a chance (I'm at work now).

I cannot get Combofix to run successfully.
It gets to the point where it displays the screen saying it should take around 10 minutes to complete, but then it hangs on that screen indefinitely.
I cancelled it after about an hour and a half still on that screen.

I'm sure it was just looping or stuck for some reason.
I have never been able to get it to finish and produce a log. It always stops at the screen saying it should take about 10 minutes.

Any other ideas....

#12 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 13 April 2010 - 10:48 PM

Try the following:

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push


#13 parleycross

parleycross
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:18 AM

Posted 14 April 2010 - 05:32 PM

I tried the ESET OnlineScan.
It ran successfully but did not find any viruses.

#14 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 14 April 2010 - 05:51 PM

Give ComboFix a try in Safe Mode. See if it will run from there.

#15 parleycross

parleycross
  • Topic Starter

  • Members
  • 13 posts

Posted 17 April 2010 - 08:59 PM

Tried Combofix in safe mode.
Again it hangs and won't complete.
I cancelled after a few hours.




