
torpig virus rootkit activity


  • This topic is locked
21 replies to this topic

#1 Honzer

  • Members
  • 8 posts

Posted 07 July 2010 - 12:52 PM

My computer freezes and will not allow me to run multiple applications. Please help
DDS (Ver_10-03-17.01) - NTFSx86
Run by Tatum at 10:16:42.10 on Wed 07/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.510 [GMT -6:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\ecsxpv_5902_012208\wdm\STacSV.exe
C:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Update\Download\{35F8369A-3856-4EB8-82B9-9EA190083EFC}\chrome_updater.exe
C:\WINDOWS\temp\CR_12.tmp\setup.exe
C:\Documents and Settings\Tatum\Desktop\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {2A541AE1-5BF6-4665-A8A3-CFA9672E4291} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SysTrayApp] "%ProgramFiles%\IDT\WDM\sttray.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel
IE: Google Sidewiki...
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tatum\applic~1\mozilla\firefox\profiles\i16elojt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://home.alot.com/?src_id=11009&client_id=a4f8a4e8046c6f7df8d27562&camp_id=861&install_time=2010-03-02T14:31:21Z&tb_version=2.4.2000%28F%29
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=11009&client_id=a4f8a4e8046c6f7df8d27562&camp_id=861&install_time=2010-03-02T14:31:21Z&tb_version=2.4.2000%28F%29&pr=auto&q=
FF - component: c:\documents and settings\tatum\application data\mozilla\firefox\profiles\i16elojt.default\extensions\toolbar@alot.com\components\AlotXpcom.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\mozilla firefox\components\Scriptff.dll
FF - component: c:\program files\mozilla firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-6-22 385536]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-6-22 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-22 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-22 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-22 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-22 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-6-22 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-6-22 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-6-22 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-6-22 55456]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-6-22 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-6-22 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-6-22 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-6-22 88480]
S2 gupdate1c9e65ed1002332;Google Update Service (gupdate1c9e65ed1002332);c:\program files\google\update\GoogleUpdate.exe [2009-6-5 133104]
S2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;"c:\program files\webroot\webrootsecurity\spysweeper.exe" --> c:\program files\webroot\webrootsecurity\SpySweeper.exe [?]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-6-1 30192]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-6-22 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-6-22 83496]
S3 Normandy;Normandy SR2; [x]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys --> c:\windows\system32\drivers\wg111v2.sys [?]

=============== Created Last 30 ================

2010-11-09 05:22:26 3127 ----a-w- c:\windows\system32\presetup.cmd
2010-11-09 05:22:26 28672 ----a-w- c:\windows\system32\setupold.exe
2010-11-09 05:22:26 23040 ----a-w- c:\windows\system32\setup.exe
2010-11-09 05:12:46 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-11-09 05:12:46 218624 ----a-w- c:\windows\system32\uxtheme.dll
2010-11-09 05:12:46 144128 ----a-w- c:\windows\system32\drivers\usbport.sys
2010-11-09 05:12:45 990208 ----a-w- c:\windows\system32\syssetup.dll
2010-11-09 05:12:45 140288 ----a-w- c:\windows\system32\sfc_os.dll
2010-07-07 15:33:49 0 ----a-w- c:\documents and settings\tatum\defogger_reenable
2010-07-07 05:53:16 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2010-06-24 15:45:00 0 d-----w- c:\program files\Trend Micro
2010-06-22 17:15:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Citrix
2010-06-22 16:37:45 0 d-----w- c:\program files\Citrix
2010-06-22 14:43:54 140288 ----a-w- c:\windows\system32\zfcxx.tmp
2010-06-22 14:43:54 140288 ----a-w- c:\windows\system32\dllcache\zfcxx.tmp
2010-06-22 12:43:18 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-06-22 12:43:13 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-06-22 12:43:13 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-06-22 12:43:13 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-06-22 12:43:13 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-06-22 12:43:13 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-06-22 12:43:13 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-06-22 12:43:13 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-06-22 12:43:13 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-06-22 12:43:13 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-06-22 12:43:09 0 d-----w- c:\program files\common files\Mcafee
2010-06-22 12:43:08 0 d-----w- c:\program files\McAfee.com
2010-06-22 12:42:54 0 d-----w- c:\program files\McAfee
2010-06-17 19:12:38 0 d-----w- c:\docume~1\tatum\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

==================== Find3M ====================

2010-06-03 02:41:44 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-04-26 21:58:12 256512 ----a-w- c:\windows\PEV.exe
2009-02-17 02:32:43 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009021620090217\index.dat

============= FINISH: 10:18:47.52 ===============

Attached Files
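Two things a responder checks first in a DDS log like the one above are "Created Last 30" entries whose timestamp is later than the moment the log was generated (the 2010-11-09 entries in a log run on 07/07/2010 cannot be genuine creation times) and service or driver entries whose binary DDS could not locate, marked [x] or [?]. The script below is an added example written for this thread, not a DDS or BleepingComputer tool. It parses lines in the DDS format shown above; the sample lines embedded in it are copied from that log. It applies the header's GMT offset before comparing, because DDS prints the run time in local time but file timestamps in UTC (the log's own entries show this: mfehidk.sys is 12:43 in the DDS log and 6:43 AM local in the ComboFix log later in the thread).

```python
"""Added triage example for DDS-style logs (not a DDS or BleepingComputer tool).

Flags two things worth a closer look in a log like the one above:
  * 'Created Last 30' entries whose timestamp is later than the moment the
    log was generated: a creation time in the future cannot be genuine;
  * service/driver entries whose binary DDS could not locate ([x] or [?]).
DDS prints the run time in local time but file timestamps in UTC, so the
header's [GMT -6:00] offset is applied before the comparison.
"""
import re
from datetime import datetime, timedelta

RUN_LINE = re.compile(r"Run by \S+ at (\d{2}:\d{2}:\d{2})\.\d+ on \w{3} (\d{2}/\d{2}/\d{4})")
GMT_LINE = re.compile(r"\[GMT ([+-])(\d{1,2}):(\d{2})\]")
# "<timestamp> <size> <attributes> <path>" as printed under 'Created Last 30' / 'Find3M'
CREATED_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+)$")
# "R0 name;description;image [x]" or "... [?]"; entries with a real "[date size]" do not match
SERVICE_LINE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[(x|\?)\]\s*$")

# Sample input: lines copied from the DDS log in post #1 of this thread.
SAMPLE_LOG = [
    "Run by Tatum at 10:16:42.10 on Wed 07/07/2010",
    "Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.510 [GMT -6:00]",
    r"R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-6-22 385536]",
    "S3 Normandy;Normandy SR2; [x]",
    r"S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys --> c:\windows\system32\drivers\wg111v2.sys [?]",
    r"2010-11-09 05:22:26 3127 ----a-w- c:\windows\system32\presetup.cmd",
    r"2010-11-09 05:22:26 28672 ----a-w- c:\windows\system32\setupold.exe",
    r"2010-11-09 05:22:26 23040 ----a-w- c:\windows\system32\setup.exe",
    r"2010-11-09 05:12:46 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys",
    r"2010-11-09 05:12:46 218624 ----a-w- c:\windows\system32\uxtheme.dll",
    r"2010-11-09 05:12:46 144128 ----a-w- c:\windows\system32\drivers\usbport.sys",
    r"2010-11-09 05:12:45 990208 ----a-w- c:\windows\system32\syssetup.dll",
    r"2010-11-09 05:12:45 140288 ----a-w- c:\windows\system32\sfc_os.dll",
    r"2010-07-07 15:33:49 0 ----a-w- c:\documents and settings\tatum\defogger_reenable",
    r"2010-06-24 15:45:00 0 d-----w- c:\program files\Trend Micro",
]


def run_time_utc(lines):
    """Log generation time converted to UTC using the header's GMT offset."""
    run = offset = None
    for line in lines:
        m = RUN_LINE.search(line)
        if m:
            run = datetime.strptime(f"{m.group(2)} {m.group(1)}", "%m/%d/%Y %H:%M:%S")
        g = GMT_LINE.search(line)
        if g:
            sign = 1 if g.group(1) == "+" else -1
            offset = sign * timedelta(hours=int(g.group(2)), minutes=int(g.group(3)))
    if run is None or offset is None:
        raise ValueError("DDS header lines ('Run by ...' and '[GMT ...]') not found")
    return run - offset  # local = UTC + offset, therefore UTC = local - offset


def future_dated_files(lines):
    """Return (path, timestamp) for files whose creation time post-dates the log."""
    cutoff = run_time_utc(lines)
    hits = []
    for line in lines:
        m = CREATED_LINE.match(line.strip())
        if not m:
            continue
        created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if created > cutoff:
            hits.append((m.group(4), created))
    return hits


def missing_binary_services(lines):
    """Return (service name, marker) for entries DDS tagged [x] or [?]."""
    return [(m.group(2), m.group(5))
            for m in (SERVICE_LINE.match(line.strip()) for line in lines) if m]


if __name__ == "__main__":
    print("log generated (UTC):", run_time_utc(SAMPLE_LOG))
    for path, ts in future_dated_files(SAMPLE_LOG):
        print(f"FUTURE-DATED   {ts}  {path}")
    for name, mark in missing_binary_services(SAMPLE_LOG):
        print(f"MISSING BINARY [{mark}]  {name}")
```

Run against the sample, it reports the eight 2010-11-09 entries (including tcpip.sys and sfc_os.dll) and the two services whose image could not be found, while the defogger_reenable entry at 15:33:49 UTC, which is before the 16:16:42 UTC run time, is correctly left alone; without the offset correction it would have been a false positive.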





#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts

Posted 10 July 2010 - 06:19 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  1. Do not run any other tool until instructed to do so!
  2. Do not attach logs unless I ask you to.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.
  6. Do not run any other tool until instructed to do so!


In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Note** If you are having problems posting the complete log into this thread upload them here http://www.rapidshare.com/ and post the links in this thread

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


:run combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log From Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts

Posted 13 July 2010 - 02:41 AM

Hello

three day bump

It has been Three days since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo



#4 Honzer

  • Topic Starter
  • Members
  • 8 posts

Posted 14 July 2010 - 08:53 PM

I am away from the computer...I will run the combofix tool on Friday and post the results. Thank you for the help

#5 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts

Posted 14 July 2010 - 08:57 PM

See you on the 7/16


busy.gif



Gringo

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts

Posted 17 July 2010 - 04:31 AM

busy.gif

#7 Honzer

  • Topic Starter
  • Members
  • 8 posts

Posted 18 July 2010 - 08:39 PM

I will upload the file tomorrow.

#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts

Posted 18 July 2010 - 10:09 PM

thumbup2.gif

#9 Honzer

  • Topic Starter
  • Members
  • 8 posts

Posted 20 July 2010 - 12:13 AM

Attached is the combofix text file

ComboFix 10-07-19.02 - Tatum 07/19/2010 22:55:02.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.555 [GMT -6:00]
Running from: c:\documents and settings\Tatum\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\Temp\scsE.tmp

.
((((((((((((((((((((((((( Files Created from 2010-06-20 to 2010-07-20 )))))))))))))))))))))))))))))))
.

2010-11-09 05:22 . 2010-11-09 05:22 3127 ----a-w- c:\windows\system32\presetup.cmd
2010-11-09 05:22 . 2010-11-09 05:22 28672 ----a-w- c:\windows\system32\setupold.exe
2010-11-09 05:22 . 2008-04-13 22:42 23040 ----a-w- c:\windows\system32\setup.exe
2010-11-09 05:12 . 2010-11-09 12:12 144128 ----a-w- c:\windows\system32\drivers\usbport.sys
2010-11-09 05:12 . 2010-11-09 05:12 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-11-09 05:12 . 2010-11-09 05:12 218624 ----a-w- c:\windows\system32\uxtheme.dll
2010-11-09 05:12 . 2010-11-09 05:12 140288 ----a-w- c:\windows\system32\sfc_os.dll
2010-11-09 05:12 . 2010-11-09 05:12 990208 ----a-w- c:\windows\system32\syssetup.dll
2010-07-20 04:13 . 2010-07-20 04:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-07-07 17:44 . 2010-07-07 17:44 2944904 ----a-w- c:\documents and settings\Tatum\Application Data\Mozilla\Firefox\Profiles\i16elojt.default\extensions\toolbar@ask.com\chrome\temp\askToolbar.exe
2010-07-07 05:53 . 2010-07-07 05:53 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2010-06-24 15:45 . 2010-06-24 15:45 -------- d-----w- c:\program files\Trend Micro
2010-06-22 17:15 . 2010-06-22 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2010-06-22 16:37 . 2010-06-22 16:37 -------- d-----w- c:\program files\Citrix
2010-06-22 16:37 . 2010-06-22 16:37 -------- d-----w- c:\documents and settings\Tatum\Local Settings\Application Data\Citrix
2010-06-22 12:43 . 2010-04-14 18:50 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-06-22 12:43 . 2010-04-14 18:50 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-06-22 12:43 . 2010-04-14 18:50 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-06-22 12:43 . 2010-04-14 18:50 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-06-22 12:43 . 2010-04-14 18:50 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-06-22 12:43 . 2010-04-14 18:50 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-06-22 12:43 . 2010-04-14 18:50 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-06-22 12:43 . 2010-04-14 18:50 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-06-22 12:43 . 2010-04-14 18:50 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-06-22 12:43 . 2010-04-14 18:50 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-06-22 12:43 . 2010-06-22 13:07 -------- d-----w- c:\program files\Common Files\Mcafee
2010-06-22 12:43 . 2010-06-22 12:43 -------- d-----w- c:\program files\McAfee.com
2010-06-22 12:42 . 2010-06-22 13:08 -------- d-----w- c:\program files\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-09 05:12 . 2010-06-22 14:43 140288 ----a-w- c:\windows\system32\zfcxx.tmp
2010-07-19 23:38 . 2009-06-01 15:16 28801 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2010-07-08 17:01 . 2009-07-01 03:41 -------- d-----w- c:\program files\Ask.com
2010-07-01 19:12 . 2009-08-26 18:05 856880 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\dblgen11.dll
2010-07-01 19:12 . 2009-08-26 18:05 791856 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblgen10.dll
2010-07-01 19:12 . 2009-08-26 18:05 763184 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblib10.dll
2010-07-01 19:12 . 2009-08-26 18:05 570672 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlhttps10.dll
2010-07-01 19:12 . 2009-08-26 18:05 496944 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlrsa10.dll
2010-07-01 19:12 . 2009-08-26 18:05 423216 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbmlsync.exe
2010-07-01 19:12 . 2009-08-26 18:05 398640 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbcon10.dll
2010-07-01 19:12 . 2009-08-26 18:05 296240 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlsock10.dll
2010-07-01 19:12 . 2009-08-26 18:05 267568 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlcrsa10.dll
2010-07-01 19:12 . 2009-08-26 18:05 2184496 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\iAnywhere.Data.SQLAnywhere.dll
2010-07-01 19:12 . 2009-08-26 18:05 1152304 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbtool10.dll
2010-07-01 19:12 . 2009-06-01 19:13 1372424 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
2010-06-23 15:55 . 2009-08-06 12:55 -------- d-----w- c:\program files\Coupons
2010-06-22 16:13 . 2009-10-15 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-18 00:08 . 2010-06-18 00:08 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\U3
2010-06-18 00:08 . 2010-06-18 00:08 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Skype
2010-05-28 05:13 . 2010-05-28 05:13 503808 ----a-w- c:\documents and settings\Tatum\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6124eda1-n\msvcp71.dll
2010-05-28 05:13 . 2010-05-28 05:13 499712 ----a-w- c:\documents and settings\Tatum\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6124eda1-n\jmc.dll
2010-05-28 05:13 . 2010-05-28 05:13 348160 ----a-w- c:\documents and settings\Tatum\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6124eda1-n\msvcr71.dll
2010-06-19 19:08 . 2009-06-01 15:13 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2010-04-14 18:50 . 2010-06-22 12:43 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

------- Sigcheck -------

[-] 2010-11-09 . 5AE1C2695F6523AD98B948F2887D8C5E . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot_2010-07-07_04.29.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-20 04:53 . 2010-07-20 04:53 16384 c:\windows\temp\Perflib_Perfdata_25c.dat
- 2009-02-17 02:32 . 2010-07-05 22:25 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-17 02:32 . 2010-07-20 04:16 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-17 02:32 . 2010-07-20 04:16 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-17 02:32 . 2010-07-05 22:25 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-07-08 16:06 . 2010-07-20 04:16 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-02-20 07:01 . 2010-02-20 07:01 102400 c:\windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\ARPPRODUCTICON.exe
+ 2010-07-08 17:01 . 2010-07-08 17:01 102400 c:\windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\ARPPRODUCTICON.exe
+ 2010-07-07 15:01 . 2010-07-07 15:01 315392 c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2009-11-17 04:00 . 2009-11-17 04:00 315392 c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2009-11-17 03:52 . 2008-08-07 22:27 163328 c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2010-07-07 05:51 . 2008-08-07 21:27 163328 c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2010-07-08 17:01 . 2010-07-08 17:01 1904640 c:\windows\Installer\3774ff.msi
+ 2010-07-07 15:01 . 2010-07-07 15:01 6111232 c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-26 21:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-02-17 442433]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-12-22 1092872]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-27 198160]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-21 1193336]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2010-06-25 126976]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-2-2 984352]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"5546:TCP"= 5546:TCP:Services
"9592:TCP"= 9592:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"4211:TCP"= 4211:TCP:Services
"6922:TCP"= 6922:TCP:Services
"6039:TCP"= 6039:TCP:Services
"6040:TCP"= 6040:TCP:Services
"5561:TCP"= 5561:TCP:Services
"9622:TCP"= 9622:TCP:Services
"9246:TCP"= 9246:TCP:Services
"9247:TCP"= 9247:TCP:Services
"5368:TCP"= 5368:TCP:Services
"9236:TCP"= 9236:TCP:Services

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [6/22/2010 6:43 AM 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [6/22/2010 6:43 AM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [6/22/2010 6:43 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [6/22/2010 6:43 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [6/22/2010 7:07 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [6/22/2010 6:43 AM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [6/22/2010 6:43 AM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [6/22/2010 6:43 AM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [6/22/2010 6:43 AM 88480]
S2 gupdate1c9e65ed1002332;Google Update Service (gupdate1c9e65ed1002332);c:\program files\Google\Update\GoogleUpdate.exe [6/5/2009 10:25 PM 133104]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [6/1/2009 9:13 AM 30192]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [6/22/2010 6:43 AM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [6/22/2010 6:43 AM 83496]
S3 Normandy;Normandy SR2; [x]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys --> c:\windows\system32\DRIVERS\wg111v2.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-24 00:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-07-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-06 04:23]

2010-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-06 04:25]

2010-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-06 04:25]

2010-07-19 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 21:23]
.
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel
IE: Google Sidewiki...
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\documents and settings\Tatum\Application Data\Mozilla\Firefox\Profiles\i16elojt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://home.alot.com/?src_id=11009&client_id=a4f8a4e8046c6f7df8d27562&camp_id=861&install_time=2010-03-02T14:31Z&tb_version=2.4.2000%28F%29
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=11009&client_id=a4f8a4e8046c6f7df8d27562&camp_id=861&install_time=2010-03-02T14:31Z&tb_version=2.4.2000%28F%29&pr=auto&q=
FF - component: c:\documents and settings\Tatum\Application Data\Mozilla\Firefox\Profiles\i16elojt.default\extensions\toolbar@alot.com\components\AlotXpcom.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-19 23:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8556878A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf761bf28
\Driver\ACPI -> ACPI.sys @ 0xf758ecb8
\Driver\atapi -> ntoskrnl.exe @ 0x805bdfb5
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e66b2
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e66b2
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> 0x855ceb60
PacketIndicateHandler -> NDIS.sys @ 0xf73ddb21
SendHandler -> NDIS.sys @ 0xf73bb87b
copy of MBR has been found in sector 0x03A384C41
malicious code @ sector 0x03A384C44 !
PE file found in sector at 0x03A384C5A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
Completion time: 2010-07-19 23:06:17
ComboFix-quarantined-files.txt 2010-07-20 05:06
ComboFix2.txt 2010-07-07 14:51
ComboFix3.txt 2010-07-07 05:48
ComboFix4.txt 2010-07-07 04:32
ComboFix5.txt 2010-07-20 03:54

Pre-Run: 471,840,980,992 bytes free
Post-Run: 471,890,370,560 bytes free

- - End Of File - - C2BE3AF0A06B6970616B96ADA405E252

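The mbr.exe section of the ComboFix log above reports three things worth understanding: the MBR read from user mode differs from what the kernel sees in sector 0, an unknown module sits in the disk driver call chain, and a copy of the original MBR plus a PE image were found in sectors far down the disk. The block below is an added example, not gmer's code and not anything posted in this thread, that shows the cross-view comparison and the sector scan in principle. It runs against a tiny in-memory disk image constructed in the block; the partition entry, the boot-code bytes and the choice of sectors 60 and 62 are made up for illustration, and on a real machine the two views would come from a normal user-mode read of \\.\PhysicalDrive0 and a raw read that bypasses the storage-stack hooks.

```python
"""Cross-view MBR check, in the spirit of the mbr.exe output in the thread.

Added example, not gmer's code. Everything here operates on an in-memory
disk image constructed in build_sample_disk(), so it runs offline.
"""
import struct

SECTOR = 512
PT_OFFSET = 0x1BE          # start of the 4 x 16-byte partition table
BOOT_SIG = b"\x55\xAA"     # last two bytes of a valid MBR


def parse_partitions(sector: bytes) -> list:
    """Return the populated partition entries of an MBR as dicts."""
    assert len(sector) == SECTOR
    parts = []
    for i in range(4):
        entry = sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, count
        boot, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype:
            parts.append({"bootable": boot == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return parts


def compare_views(user_view: bytes, kernel_view: bytes) -> dict:
    """Compare sector 0 as seen through the normal I/O path with a raw read.

    A stealth MBR rootkit hooks the disk driver so that reads of sector 0
    return the original, clean MBR while the sector really holds the
    rootkit loader. The partition table is usually left intact so the
    machine still boots, hence it is compared separately from the code.
    """
    boot_user, boot_kernel = user_view[:PT_OFFSET], kernel_view[:PT_OFFSET]
    pt_user, pt_kernel = user_view[PT_OFFSET:-2], kernel_view[PT_OFFSET:-2]
    return {
        "signature_ok": user_view[-2:] == BOOT_SIG and kernel_view[-2:] == BOOT_SIG,
        "boot_code_differs": boot_user != boot_kernel,
        "partition_table_differs": pt_user != pt_kernel,
        "hidden_modification": boot_user != boot_kernel or pt_user != pt_kernel,
    }


def find_mbr_copy(disk: list, kernel_view: bytes) -> list:
    """Sectors that look like a stashed copy of the original MBR.

    Heuristic (an assumption of this example): same partition table and
    boot signature as the live MBR but different boot code. Sector 0 is skipped.
    """
    live_tail = kernel_view[PT_OFFSET:]
    return [n for n, sec in enumerate(disk)
            if n != 0 and sec[PT_OFFSET:] == live_tail
            and sec[:PT_OFFSET] != kernel_view[:PT_OFFSET]]


def find_pe_sectors(disk: list) -> list:
    """Sectors beginning with an MZ header, i.e. a PE file written raw to disk."""
    return [n for n, sec in enumerate(disk) if sec[:2] == b"MZ"]


def build_sample_disk() -> tuple:
    """Constructed 64-sector image: loader in sector 0, original MBR stashed
    in sector 60, a PE image in sector 62. Returns (user_view, kernel_view, disk).
    All bytes are made up for illustration."""
    pt = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 2048)  # one bootable NTFS partition
    pt += b"\x00" * 48                                    # three empty entries
    clean_boot = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (PT_OFFSET - 8)
    clean_mbr = clean_boot + pt + BOOT_SIG
    rootkit_boot = b"\xEB\x3C" + b"\xCC" * (PT_OFFSET - 2)  # different code, same table
    infected_mbr = rootkit_boot + pt + BOOT_SIG
    disk = [b"\x00" * SECTOR for _ in range(64)]
    disk[0] = infected_mbr
    disk[60] = clean_mbr
    disk[62] = b"MZ" + b"\x00" * (SECTOR - 2)
    # The hooked driver lies to user-mode readers: they get the clean MBR back.
    return clean_mbr, infected_mbr, disk


def audit(user_view: bytes, kernel_view: bytes, disk: list) -> dict:
    """Full report: view comparison, stashed-copy scan, PE scan, partitions."""
    report = compare_views(user_view, kernel_view)
    report["mbr_copy_sectors"] = find_mbr_copy(disk, kernel_view)
    report["pe_sectors"] = find_pe_sectors(disk)
    report["partitions"] = parse_partitions(kernel_view)
    return report


if __name__ == "__main__":
    u, k, d = build_sample_disk()
    for key, val in audit(u, k, d).items():
        print(f"{key}: {val}")
```

The point the comparison makes is the one the log makes: when `hidden_modification` is true something in the I/O path is rewriting what callers see in sector 0, and the only reliable way to confirm or repair that is from outside the running system or through a raw path that bypasses the hook, which is what the later `mbr -f` step does.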

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:05 PM

Posted 20 July 2010 - 01:14 AM

Greetings

HelpAsst_mebroot_fix
  • Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
  • Close out all other open programs and windows.
  • Double click the file to run it and follow any prompts.
  • If the tool detects an mbr infection, please allow it to run mbr -f and shut down your computer.
  • Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.
    • helpasst -mbrt
  • Make sure you leave a space between helpasst and -mbrt !
  • When it completes, a log will open.
  • Please post the contents of that log.

*Note*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.
  • mbr -f
  • Now, please do the Start>Run>mbr -f command a second time.
  • Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
  • Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.
    • helpasst -mbrt
  • Make sure you leave a space between helpasst and -mbrt !
  • When it completes, a log will open.
  • Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#11 Honzer

Honzer
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:05 AM

Posted 21 July 2010 - 01:54 PM

C:\Documents and Settings\Tatum\Local Settings\Temporary Internet Files\Content.IE5\8CPIMATP\HelpAsst_mebroot_fix[1].exe
Wed 07/21/2010 at 11:43:37.35

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"5546:TCP"=-
"9592:TCP"=-
"3389:TCP"=-
"4211:TCP"=-
"6922:TCP"=-
"6039:TCP"=-
"6040:TCP"=-
"5561:TCP"=-
"9622:TCP"=-
"9246:TCP"=-
"9247:TCP"=-
"5368:TCP"=-
"9236:TCP"=-
"9963:TCP"=-
"9964:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"5546:TCP"=-
"9592:TCP"=-
"3389:TCP"=-
"4211:TCP"=-
"6922:TCP"=-
"6039:TCP"=-
"6040:TCP"=-
"5561:TCP"=-
"9622:TCP"=-
"9246:TCP"=-
"9247:TCP"=-
"5368:TCP"=-
"9236:TCP"=-
"9963:TCP"=-
"9964:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-583907252-1454471165-1417001333-1000
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

mbr infection detected! ~ running mbr -f

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x03A384C41
malicious code @ sector 0x03A384C44 !
PE file found in sector at 0x03A384C5A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x03A384C41
malicious code @ sector 0x03A384C44 !
PE file found in sector at 0x03A384C5A !

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Wed 07/21/2010 at 12:44:01.37

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x03A384C41
malicious code @ sector 0x03A384C44 !
PE file found in sector at 0x03A384C5A !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

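The HelpAsst_mebroot_fix log above bundles the indicators that go with this infection: the built-in HelpAssistant account enabled and placed in Administrators, a rogue termsrv32.dll, a batch of firewall exceptions all carrying the generic label "Services" on high ports, 3389 opened for Remote Desktop, and the mbr.exe findings. The block below is an added example, not part of that tool and not either poster's output, that pulls those indicators out of log text of this shape and ranks them. The SAMPLE_LOG string is constructed from lines in the same format as the posted logs (the port numbers, sector numbers and module address are copied from the thread), and the severity labels are this example's own choice, not the tool's.

```python
"""Triage of HelpAsst_mebroot_fix / mbr.exe style log text.

Added example, not part of either tool. SAMPLE_LOG is constructed to match
the format of the logs posted in the thread so the block runs offline.
"""
import re

# Port labels that are expected for a given port; anything else on a high
# port with the generic label "Services" is treated as a rogue exception.
KNOWN_PORT_NAMES = {3389: "Remote Desktop"}

PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.+)$')
UNKNOWN_MODULE_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
SECTOR_RE = re.compile(
    r"(copy of MBR has been found|malicious code|PE file found)\D*(0x[0-9A-Fa-f]+)")

SAMPLE_LOG = r"""
HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List
"65533:TCP"= 65533:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"9236:TCP"= 9236:TCP:Services

called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8556878A]<<
copy of MBR has been found in sector 0x03A384C41
malicious code @ sector 0x03A384C44 !
PE file found in sector at 0x03A384C5A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""


def parse_open_ports(log: str) -> list:
    """Return (port, proto, label) tuples from GloballyOpenPorts entries.

    Lines of the form "65533:TCP"=- are removals, not exceptions, and are skipped.
    """
    out = []
    for line in log.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            out.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return out


def triage(log: str) -> list:
    """Return findings as (severity, indicator, evidence) tuples."""
    findings = []
    if ("HelpAssistant account is Active" in log
            or re.search(r"^Account active\s+Yes", log, re.M)):
        findings.append(("high", "HelpAssistant account enabled",
                         "built-in Remote Assistance account should be disabled"))
    if re.search(r"Local Group Memberships\s+\*Administrators", log):
        findings.append(("high", "HelpAssistant in Administrators",
                         "remote-access account holds local admin rights"))
    if "termsrv32.dll present" in log:
        findings.append(("high", "rogue termsrv32.dll",
                         "Terminal Services DLL replaced to allow remote logons"))
    for port, proto, label in parse_open_ports(log):
        expected = KNOWN_PORT_NAMES.get(port)
        if label == "Services" and port >= 1024:
            findings.append(("medium", f"firewall exception {port}/{proto}",
                             f'generic label "{label}" on high port'))
        elif expected and label == expected:
            findings.append(("low", f"firewall exception {port}/{proto}",
                             f"{label} exposed; verify it is intended"))
    for m in UNKNOWN_MODULE_RE.finditer(log):
        findings.append(("critical", "unknown module in disk I/O chain", m.group(1)))
    if "MBR rootkit infection detected" in log:
        findings.append(("critical", "MBR rootkit",
                         "user/kernel MBR mismatch reported by mbr.exe"))
    for m in SECTOR_RE.finditer(log):
        findings.append(("info", m.group(1), f"sector {m.group(2)}"))
    return findings


if __name__ == "__main__":
    for sev, what, why in triage(SAMPLE_LOG):
        print(f"[{sev:8}] {what}: {why}")
```

Running `triage` over the second half of the posted log, the status check taken after the fix, yields only the three `info` sector findings, which matches the thread: once the MBR has been restored the stashed copy and the PE image remain on disk as inert leftovers in sectors nothing chains to any more, while "user & kernel MBR OK" is the line that shows the hook is gone.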

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:05 PM

Posted 21 July 2010 - 04:20 PM

Hello

please rerun combofix


update combofix

I would like you to download an updated version of combofix.
    Delete the version of combofix you have now on your desktop and download a new one from here

    **Note: It is important that it is saved directly to your desktop**

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.

    Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.



gringo

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:05 PM

Posted 25 July 2010 - 11:57 PM

Hello

three day bump

It has been Three days since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo



#14 Honzer

Honzer
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:05 AM

Posted 26 July 2010 - 04:32 PM

I will be away from the computer until next weekend. I appreciate your help. I will post the result of the last instructions when I get back.

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:05 PM

Posted 26 July 2010 - 04:54 PM

busy.gif 8/1
