Unknown malware, possible MBR rootkit


  • This topic is locked
26 replies to this topic

#1 Infect_Ed

Posted 23 August 2010 - 09:27 PM

Good evening. I have a Windows XP SP3 machine that's been giving me grief. Not too long ago I was unable to connect to Windows Update. The Event Viewer also indicated that crypt32 "Failed auto update retrieval of third-party root list sequence number". I discovered I had the TDSS rootkit, and TDSSkiller removed it, restoring my ability to connect to it. Last week (August 17) the problem returned, only this time TDSSkiller didn't report any problems. On my own I installed ComboFix and ran it in Safe Mode. (I was actually trying to uninstall it with the /u parameter but it began executing, so I didn't want to kill it in the middle of its task.) I believe it reported Stealth/MBR rootkit hooks, but I'm not sure if it successfully cleaned it. Malwarebytes didn't report anything in Safe Mode, and Trend Micro Internet Security didn't either.

Symptoms noticed today:

1) Still cannot connect to Windows Update
2) Google searches for Windows Update (without a space) fail
3) I was getting dialog boxes stating unable to connect to some URL with non-displayable characters in it. Clicking OK or pressing the Escape key causes the home page (google) to open in a new window.
4) I could not post a message to this forum because the DDS log contained the words windows update (without a space)

I have not experienced any BSOD or other major failures.

I was able to run GMER and DDS successfully. The DDS log is pasted below, and the attach.txt and ark.txt files should be attached to this post.

Thanks in advance for your help!

One question: Is it safe to plug an external USB HD into the machine to back up data (mostly image files and emails), or could it be infected, too?

The following DDS log has entries that read "windows update" and "microsoft update". I had to insert the spaces to get them to post successfully. Please remove them for your own analysis.

DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Ed at 18:19:45.06 on Mon 08/23/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.465 [GMT -5:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\PROGRA~1\Belkin\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Ed\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE
mRun: [LogitechGalleryRepair] c:\program files\logitech\imagestudio\ISStart.exe
mRun: [LogitechImageStudioTray] c:\program files\logitech\imagestudio\LogiTray.exe
mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"
mRun: [Client Access Help Update] "c:\program files\ibm\client access\cwbinhlp.exe"
mRun: [Client Access Check Version] "c:\program files\ibm\client access\cwbckver.exe" LOGIN
mRun: [Client Access Express Welcome] "c:\program files\ibm\client access\cwbwlwiz.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [BCWipeTM Startup] "c:\program files\jetico\bcwipe\BCWipeTM.exe" startup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [DellTouch] c:\windows\MMKeybd.exe
mRun: [OrderReminder] c:\program files\hewlett-packard\orderreminder\OrderReminder.exe
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\belkin\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mups.lnk - c:\program files\belkin bulldog plus\MUPS.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{871df2be-41d2-4334-ac33-839af16fc8fe}\Icon3E5562ED7.ico
mPolicies-explorer: <NO NAME> =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\belkin\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\belkin\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: musicmatch.com\online
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windows update/v6/V5Controls/en/x86/client/wuweb_site.cab?1258821659765
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoft update/v6/V5Controls/en/x86/client/muweb_site.cab?1258821964984
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://attwm.webex.com/client/T25L10NSP41EP15-attwm/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://vpnsecure.hampdencorp.com/dana-cached/sc/JuniperSetupClient.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: {9D3053D8-2E7A-4521-A3F9-E92B215085F1} = 68.94.156.1,68.94.157.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ed\applic~1\mozilla\firefox\profiles\sbeerqs9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\ed\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2006-6-23 28672]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-5-10 50256]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-5-10 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-5-10 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-5-10 677128]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2006-6-23 6656]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-5-10 335376]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\BCSwap.sys [2002-8-16 88080]

=============== Created Last 30 ================

2010-08-18 03:34:50 0 d-sha-r- C:\cmdcons
2010-08-18 03:26:49 98816 ----a-w- c:\windows\sed.exe
2010-08-18 03:26:49 77312 ----a-w- c:\windows\MBR.exe
2010-08-18 03:26:49 256512 ----a-w- c:\windows\PEV.exe
2010-08-18 03:26:49 161792 ----a-w- c:\windows\SWREG.exe
2010-08-08 05:15:11 0 d-----w- c:\docume~1\ed\applic~1\Malwarebytes
2010-08-08 05:14:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-08 05:14:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-08 05:14:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-08 05:14:19 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-02 23:03:05 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-02 23:03:00 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-25 20:48:22 3245 ----a-w- c:\windows\system32\wbem\Outlook_01cb2c3ab82c8ca6.mof

==================== Find3M ====================

2010-08-07 02:59:06 80400 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2010-07-05 15:20:02 50256 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2010-07-05 15:19:56 50256 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2010-07-05 15:19:50 154192 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-20 04:08:06 411368 ----a-w- c:\windows\system32\deployJava1.dll
2009-03-15 07:15:02 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009031520090316\index.dat

============= FINISH: 18:21:05.71 ===============
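As an added example (not from this thread, the DDS tool, or the helper), here is a small Python parser for the dated file-list sections of a DDS log such as the one above. The sample lines are constructed in the same format as the log, and the function and class names are my own. It groups file creations by day and by burst, which is how the four tools that appeared in c:\windows on 2010-08-18 show up as a single event rather than four unrelated files.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the DDS "Created Last 30" / "Find3M" line format:
# <date> <time> <size> <attributes> <path>
SAMPLE_DDS = r"""
=============== Created Last 30 ================

2010-08-18 03:34:50 0 d-sha-r- C:\cmdcons
2010-08-18 03:26:49 98816 ----a-w- c:\windows\sed.exe
2010-08-18 03:26:49 77312 ----a-w- c:\windows\MBR.exe
2010-08-18 03:26:49 256512 ----a-w- c:\windows\PEV.exe
2010-08-18 03:26:49 161792 ----a-w- c:\windows\SWREG.exe
2010-08-08 05:14:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-02 23:03:05 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-08-07 02:59:06 80400 ----a-w- c:\windows\system32\drivers\tmtdi.sys
"""

# One DDS file entry: timestamp, size in bytes, 8-char attribute field, path.
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")
EXEC_EXT = (".exe", ".sys", ".dll", ".scr")


@dataclass
class Entry:
    when: datetime
    size: int
    attrs: str
    path: str


def parse_dds_section(text, section_name):
    """Return Entry records from the DDS section whose '===' header contains section_name."""
    entries, inside = [], False
    for line in text.splitlines():
        if line.startswith("==="):          # every DDS section header is framed with '='
            inside = section_name in line
            continue
        if not inside:
            continue
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                                 int(m.group(2)), m.group(3), m.group(4)))
    return entries


def count_by_day(entries):
    """Map ISO date -> number of files created that day (for timeline correlation)."""
    counts = defaultdict(int)
    for e in entries:
        counts[e.when.date().isoformat()] += 1
    return dict(counts)


def executables_in(entries, directory):
    """File names with an executable extension created directly in `directory`."""
    wanted = directory.lower().rstrip("\\")
    names = []
    for e in entries:
        parent, _, name = e.path.lower().rpartition("\\")
        if parent == wanted and name.endswith(EXEC_EXT):
            names.append(e.path.rpartition("\\")[2])   # keep original case
    return names


def creation_bursts(entries, window_seconds=60):
    """Group entries whose creation times are within window_seconds of the previous one."""
    bursts, current = [], []
    for e in sorted(entries, key=lambda x: x.when):
        if current and (e.when - current[-1].when).total_seconds() > window_seconds:
            bursts.append(current)
            current = []
        current.append(e)
    if current:
        bursts.append(current)
    return bursts


if __name__ == "__main__":
    created = parse_dds_section(SAMPLE_DDS, "Created Last 30")
    print(count_by_day(created))
    print(executables_in(created, "c:\\windows"))
    for burst in creation_bursts(created):
        print(burst[0].when, [e.path for e in burst])
```

The burst view is what a log reviewer actually wants here: four executables written to c:\windows in the same second on the night the user ran ComboFix is one action to account for, not four separate findings.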

#2 m0le

  • Malware Response Team

Posted 30 August 2010 - 05:42 AM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

m0le is a proud member of UNITE

#3 Infect_Ed
  • Topic Starter

Posted 30 August 2010 - 08:33 AM

m0le,

Good morning! Yes, I'm here, and I'm still definitely looking for help. I am subscribed to the topic, and I know that works because I got the message about your post.

Just a general note: I will only be able to run scans and post logs during evening hours when I'm at home, but I'll try to get to them ASAP when requested.

Thanks,

Ed

#4 m0le

  • Malware Response Team

Posted 30 August 2010 - 08:38 AM

Can you run Combofix in normal mode?


#5 Infect_Ed
  • Topic Starter

Posted 30 August 2010 - 08:44 AM

QUOTE (m0le @ Aug 30 2010, 08:38 AM): Can you run Combofix in normal mode?


By normal mode, I assume you mean not safe mode, correct? I can try at home tonight, but when all this started and I tried to run it before posting here, it started but then just stopped without any messages before it got to any of the stages. I don't recall if I had disabled my TrendMicro at the time.

Do you want me to try to run ComboFix in normal mode?

Ed

#6 m0le

  • Malware Response Team

Posted 30 August 2010 - 09:12 AM

Yes please, run it as below in normal mode.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


If this fails then run MBRCheck

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

#7 Infect_Ed
  • Topic Starter

Posted 30 August 2010 - 09:57 PM

m0le,

Ok, I was able to download and run ComboFix (as comfix) in normal mode. Before I post the log, let me give you a few details:

Attempt #1. Starting from a fresh reboot, I turned off Trend Micro's "Protection Against Viruses & Spyware". I double-clicked the comfix.exe icon on the desktop. It created a system restore point, then started gathering information on any infections. At this point, Trend Micro's "Suspicious Program Activity" window popped up, announcing a program was updating the hosts file. I assumed it was ComboFix, so I clicked "Allow". ComboFix continued to gather information for a while, then closed before it even showed having completed Stage 1. I waited a few minutes to make sure it wasn't going to try anything else, then I rebooted.

Attempt #2. Starting from this new reboot, I made sure TM's protection was off, then I took the additional step of ending it completely (Right-click the system tray icon and selected Exit), under the assumption TM's Suspicious Program Activity check was interfering with it. I double-clicked the comfix.exe icon again. I received no TM warnings, but ComboFix warned it detected rootkit activity and that a reboot was required. (I was expecting this.) The PC rebooted normally. When I logged back in, ComboFix immediately started up and began gathering/scanning. All was proceeding normally until Stage 30-something when another TM suspicious program activity warning pop-up showed up. Mbr.cfxxe wanted to create a new service, and I allowed it. Other popups appeared for CF23942.cfxxe duplicating a system file, grep.cfxxe modifying a system file, REGT.cfxxe modifying a security policy, REGT.cfxxe creating a new service. After all the popups went away, ComboFix ran for several more minutes and claimed to have finished successfully.

I looked at the security activities in Trend Micro, and of the above actions, it shows DENY for REGT.cfxxe modifying the hosts file and security policy, as well as grep.cfxxe modifying a system file. It would appear that Trend Micro's "Prevent Unauthorized Changes" was causing ComboFix not to do something. So, I rebooted.

Attempt #3. Starting from this new reboot, I made sure TM's virus and spyware protection was off, and also turned off "Prevent Unauthorized Changes", which I thought would've been turned off when I turned off the other protections. The firewall remained active. I double-clicked the comfix.exe icon again. I received no TM warnings, and again ComboFix warned it detected rootkit activity and that a reboot was required. The PC rebooted normally. When I logged back in, ComboFix immediately started up and began gathering/scanning. All stages completed without any TrendMicro pop-up windows and it finished successfully. It produced a 13K log file, seen at the end of this post.

I have, for the moment, reactivated my TrendMicro virus and spyware protection.

FYI, I may know the source of my woes. In my Internet Explorer browsing history and address bar history, there are references to a specific website that I am 99% sure I have never intentionally visited. That website is w w w 4 . r e d e n t i n e . c o m (spaces inserted by me).

Ed

ComboFix log
------------

ComboFix 10-08-30.02 - Ed 08/30/2010 21:14:21.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.657 [GMT -5:00]
Running from: c:\documents and settings\Ed\Desktop\comfix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-31 )))))))))))))))))))))))))))))))
.

2010-08-22 16:47 . 2010-08-22 16:47 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-08-08 05:15 . 2010-08-08 05:15 -------- d-----w- c:\documents and settings\Ed\Application Data\Malwarebytes
2010-08-08 05:14 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-08 05:14 . 2010-08-08 05:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-08 05:14 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-08 05:14 . 2010-08-08 05:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-02 23:03 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-02 23:03 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-22 18:22 . 2006-07-16 06:10 -------- d-----w- c:\documents and settings\Ed\Application Data\WeatherBug
2010-08-07 02:59 . 2009-05-11 01:33 80400 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2010-08-02 23:35 . 2008-08-12 02:11 -------- d-----w- c:\program files\Microsoft Silverlight
2010-07-20 03:32 . 2010-07-01 03:49 -------- d-----w- c:\program files\U-Verse Realtime
2010-07-14 11:51 . 2009-08-07 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-05 15:20 . 2009-05-11 01:35 50256 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2010-07-05 15:19 . 2009-05-11 01:35 50256 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2010-07-05 15:19 . 2009-05-11 01:35 154192 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-20 04:08 . 2010-06-20 04:08 503808 ----a-w- c:\documents and settings\Ed\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-16518595-n\msvcp71.dll
2010-06-20 04:08 . 2010-06-20 04:08 499712 ----a-w- c:\documents and settings\Ed\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-16518595-n\jmc.dll
2010-06-20 04:08 . 2010-06-20 04:08 348160 ----a-w- c:\documents and settings\Ed\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-16518595-n\msvcr71.dll
2010-06-20 04:08 . 2010-06-20 04:08 61440 ----a-w- c:\documents and settings\Ed\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2451abc0-n\decora-sse.dll
2010-06-20 04:08 . 2010-06-20 04:08 12800 ----a-w- c:\documents and settings\Ed\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2451abc0-n\decora-d3d.dll
2010-06-20 04:08 . 2010-06-20 04:08 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-15 00:23 . 2010-06-30 03:22 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUPDATER\yupdater.exe
2010-06-14 14:31 . 2006-06-24 01:55 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-08-22_16.43.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-09-03 16:51 . 2010-08-31 02:16 68156 c:\windows\system32\perfc009.dat
- 2002-09-03 16:51 . 2010-08-22 16:35 68156 c:\windows\system32\perfc009.dat
+ 2002-09-03 16:52 . 2010-08-31 02:16 435260 c:\windows\system32\perfh009.dat
- 2002-09-03 16:52 . 2010-08-22 16:35 435260 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2006-04-07 1343488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-09 7561216]
"nwiz"="nwiz.exe" [2006-03-09 1519616]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"LogitechGalleryRepair"="c:\program files\Logitech\ImageStudio\ISStart.exe" [2002-12-10 155648]
"LogitechImageStudioTray"="c:\program files\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 61440]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2002-08-12 20530]
"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2002-08-12 24626]
"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2002-08-12 45056]
"Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2002-08-12 20480]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-07-03 282624]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]
"BCWipeTM Startup"="c:\program files\Jetico\BCWipe\BCWipeTM.exe" [2005-07-04 311296]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-03-09 86016]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"DellTouch"="c:\windows\MMKeybd.exe" [2002-01-17 163840]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-01-30 98304]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-10-21 995528]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\Belkin\Bluetooth Software\BTTray.exe [2006-6-7 553021]
MUPS.lnk - c:\program files\Belkin Bulldog Plus\MUPS.exe [2006-7-12 49152]
VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2009-8-24 6144]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellTouch]
2002-01-17 04:49 163840 ----a-w- c:\windows\MMKeybd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2006-01-19 16:06 11776 ----a-w- c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [6/23/2006 9:49 PM 28672]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [5/10/2009 8:35 PM 50256]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [5/10/2009 8:36 PM 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [5/10/2009 8:33 PM 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [5/10/2009 8:36 PM 677128]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [6/23/2006 9:49 PM 6656]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [5/10/2009 8:33 PM 335376]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 1:19 PM 50704]
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\BCSwap.sys [8/16/2002 12:09 AM 88080]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: musicmatch.com\online
TCP: {9D3053D8-2E7A-4521-A3F9-E92B215085F1} = 68.94.156.1,68.94.157.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://vpnsecure.hampdencorp.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\sbeerqs9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Ed\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-30 21:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86B39ACE]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7525f28
\Driver\ACPI -> ACPI.sys @ 0xf7498cb8
\Driver\atapi -> atapi.sys @ 0xf7450852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1715567821-1482476501-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1952)
c:\windows\system32\WININET.dll
c:\windows\system32\l3codecx.acm

- - - - - - - > 'lsass.exe'(2012)
c:\windows\system32\WININET.dll
.
Completion time: 2010-08-30 21:31:53
ComboFix-quarantined-files.txt 2010-08-31 02:31
ComboFix2.txt 2010-08-31 01:27
ComboFix3.txt 2010-08-23 02:59
ComboFix4.txt 2010-08-22 16:49

Pre-Run: 68,033,966,080 bytes free
Post-Run: 68,023,214,080 bytes free

- - End Of File - - 242A2A69905843275E66DBB82706558D
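
The "Reg Loading Points" section of the ComboFix log above is what a responder reads first: every Run-key entry with its date and size, plus the Security Center and firewall switches. The script below is an added example, not ComboFix's code and not from this thread: it parses that layout and applies a few triage rules an analyst would otherwise apply by eye. Its sample text is constructed; three Run entries copy lines from the log, the "Updater" entry is invented to exercise the user-profile rule and is not in the thread's log, and the rules themselves are this example's assumptions.

```python
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<rest>.+)$')
PATH_RE = re.compile(r'^"(?P<path>[^"]*)"'
                     r'(?:\s*\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\])?')
USER_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")

# Constructed sample in the layout of the "Reg Loading Points" section.
# The first three Run entries mirror lines from the log; the "Updater"
# entry is invented for this example and is NOT in the thread's log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"nwiz"="nwiz.exe" [2006-03-09 1519616]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-10-21 995528]
"Updater"="c:\documents and settings\user\Application Data\Updater\upd.exe" [2010-08-20 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


def parse_loading_points(text):
    """Return (key, name, value) records. `value` holds a 'path' with
    optional 'date'/'size' for quoted entries, or an integer 'data' for
    dword and bare-number entries."""
    key, records = None, []
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        rest = m.group("rest")
        if rest.startswith('"'):
            p = PATH_RE.match(rest)
            value = {"path": p.group("path")}
            if p.group("size"):
                value.update(date=p.group("date"), size=int(p.group("size")))
        elif rest.startswith("dword:"):
            value = {"data": int(rest[6:], 16)}
        else:
            num = re.match(r"\d+", rest)
            value = {"data": int(num.group())} if num else {"raw": rest}
        records.append((key, m.group("name"), value))
    return records


def is_absolute(path):
    """Drive-letter or UNC-rooted path; anything else goes through the search order."""
    return path.startswith("\\") or (len(path) > 1 and path[1] == ":")


def triage(records):
    """Apply a few analyst rules; return (severity, message) findings."""
    findings = []
    for key, name, value in records:
        k = key.lower()
        if k.endswith("\\run") and "path" in value:
            path = value["path"]
            if not is_absolute(path):
                findings.append(("review", "%s: relative path %r is resolved "
                                 "through the search order" % (name, path)))
            if any(d in path.lower() for d in USER_DIRS):
                findings.append(("suspect", "%s: autostart from a user-writable "
                                 "profile directory: %s" % (name, path)))
        elif "\\security center\\monitoring\\" in k and value.get("data") == 1:
            findings.append(("info", "Security Center monitoring of %s disabled "
                             "(expected once a third-party suite registers)"
                             % key.rsplit("\\", 1)[-1]))
        elif k.endswith("firewallpolicy\\standardprofile") \
                and name.lower() == "enablefirewall" and value.get("data") == 0:
            findings.append(("info", "Windows Firewall standard profile is off; "
                             "confirm another firewall service is running"))
    return findings


if __name__ == "__main__":
    for sev, msg in triage(parse_loading_points(SAMPLE_LOG)):
        print("[%s] %s" % (sev, msg))
```

Applied to the log as posted, the rules only turn up what a reader can confirm by hand: nwiz.exe is the one Run entry without a full path, and DisableMonitoring=1 plus EnableFirewall=0 are consistent with the Trend Micro suite replacing the built-in monitoring and firewall, which the TmPfw and TM_CFW services further down corroborate. None of it points at a boot-sector problem, which is why the rootkit detector output at the bottom of the log, not the autostart list, drives the next step.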


#8 m0le
  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 31 August 2010 - 05:43 PM

I would like to see an MBRCheck log too actually.

Instructions are above under the Combofix instructions
m0le is a proud member of UNITE

#9 Infect_Ed
  • Topic Starter
  • Members
  • 15 posts

Posted 31 August 2010 - 08:21 PM

m0le,

Sorry about that. I thought you only wanted the MBRCheck log if ComboFix failed.

I ran MBRCheck. It reported a non-standard or infected MBR, then asked me to press "Y" for more options or "N" to exit. I assume you wanted me to press "N", so I did.

Ed

The log:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000d

Kernel Drivers (total 153):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0x86862000 \WINDOWS\system32\KDCOM.DLL
0xF78F5000 \WINDOWS\system32\BOOTVID.dll
0xF7492000 ACPI.sys
0xF79E1000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xF7481000 pci.sys
0xF74E1000 isapnp.sys
0xF78F9000 compbatt.sys
0xF78FD000 \WINDOWS\System32\DRIVERS\BATTC.SYS
0xF79E3000 intelide.sys
0xF7761000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xF74F1000 MountMgr.sys
0xF7462000 ftdisk.sys
0xF7769000 PartMgr.sys
0xF7501000 VolSnap.sys
0xF744A000 atapi.sys
0xF7511000 disk.sys
0xF7521000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xF742A000 fltmgr.sys
0xF7418000 sr.sys
0xF7771000 PxHelp20.sys
0xF7401000 KSecDD.sys
0xF7374000 Ntfs.sys
0xF7347000 NDIS.sys
0xF732D000 Mup.sys
0xF7531000 agp440.sys
0xF75D1000 \SystemRoot\System32\DRIVERS\intelppm.sys
0xF65C8000 \SystemRoot\System32\DRIVERS\nv4_mini.sys
0xF65B4000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
0xF7841000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xF6590000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xF7849000 \SystemRoot\System32\DRIVERS\usbehci.sys
0xF656A000 \SystemRoot\System32\DRIVERS\HSFHWBS2.sys
0xF645F000 \SystemRoot\System32\DRIVERS\HSF_DP.sys
0xF63D5000 \SystemRoot\System32\DRIVERS\HSF_CNXT.sys
0xF7851000 \SystemRoot\System32\Drivers\Modem.SYS
0xF6299000 \SystemRoot\system32\drivers\P16X.sys
0xF6276000 \SystemRoot\system32\drivers\ks.sys
0xF6252000 \SystemRoot\system32\drivers\portcls.sys
0xF7631000 \SystemRoot\system32\drivers\drmk.sys
0xF72DC000 \SystemRoot\System32\DRIVERS\gameenum.sys
0xF622F000 \SystemRoot\System32\DRIVERS\e100b325.sys
0xF7859000 \SystemRoot\System32\DRIVERS\fdc.sys
0xF7641000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xF7A2F000 \SystemRoot\System32\DRIVERS\msikbd2k.sys
0xF7861000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF7651000 \SystemRoot\System32\DRIVERS\serial.sys
0xF72D8000 \SystemRoot\System32\DRIVERS\serenum.sys
0xF621B000 \SystemRoot\System32\DRIVERS\parport.sys
0xF7661000 \SystemRoot\System32\DRIVERS\imapi.sys
0xF7671000 \SystemRoot\System32\Drivers\Cdr4_xp.SYS
0xF7681000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xF7691000 \SystemRoot\System32\DRIVERS\redbook.sys
0xF6202000 \SystemRoot\System32\Drivers\pwd_2k.SYS
0xF7869000 \SystemRoot\System32\Drivers\Cdralw2k.SYS
0xF6135000 \SystemRoot\system32\DRIVERS\btkrnl.sys
0xF6117000 \SystemRoot\system32\DRIVERS\dne2000.sys
0xF76A1000 \SystemRoot\system32\DRIVERS\dsNcAdpt.sys
0xF7B50000 \SystemRoot\System32\DRIVERS\audstub.sys
0xF76B1000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xF6964000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xF6100000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xF76C1000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xF76D1000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xF7871000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xF60EF000 \SystemRoot\System32\DRIVERS\psched.sys
0xF76E1000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xF7879000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF7881000 \SystemRoot\System32\DRIVERS\raspti.sys
0xF76F1000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF7889000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF7A35000 \SystemRoot\System32\DRIVERS\swenum.sys
0xF6091000 \SystemRoot\System32\DRIVERS\update.sys
0xF695C000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xF5EDA000 \SystemRoot\system32\DRIVERS\TM_CFW.sys
0xF78D9000 \SystemRoot\System32\Drivers\mmc_2K.SYS
0xF4D8B000 \SystemRoot\system32\drivers\btaudio.sys
0xF7701000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7711000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xF7A3B000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xF79A9000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xF78E9000 \SystemRoot\System32\DRIVERS\flpydisk.sys
0xF7A65000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7B6D000 \SystemRoot\System32\Drivers\Null.SYS
0xF7A67000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7791000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7799000 \SystemRoot\System32\drivers\vga.sys
0xF7A69000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7A6B000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF4CC1000 \SystemRoot\System32\Drivers\cdudf_xp.SYS
0xF77A1000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF77A9000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF4C7C000 \SystemRoot\System32\Drivers\UdfReadr_xp.SYS
0xF72E4000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xF4C57000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xF4BFE000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xF4BD6000 \SystemRoot\System32\DRIVERS\netbt.sys
0xF4BB4000 \SystemRoot\System32\drivers\afd.sys
0xF6BB1000 \SystemRoot\System32\DRIVERS\netbios.sys
0xF4BA2000 \SystemRoot\system32\DRIVERS\tmtdi.sys
0xF4B77000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xF4D77000 \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS
0xF4ADF000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xF6B81000 \SystemRoot\System32\Drivers\Fips.SYS
0xF4AB9000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xF6B71000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xF4D3F000 \SystemRoot\System32\DRIVERS\hidusb.sys
0xF6B51000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
0xF77B9000 \SystemRoot\system32\DRIVERS\HidBatt.sys
0xF6B41000 \SystemRoot\System32\Drivers\btwusb.sys
0xF77E9000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xF4D37000 \SystemRoot\System32\DRIVERS\mouhid.sys
0xF7809000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF49B8000 \SystemRoot\system32\DRIVERS\CamDrL21.sys
0xF6B31000 \SystemRoot\system32\DRIVERS\STREAM.SYS
0xF7811000 \SystemRoot\system32\DRIVERS\USBCAMD.SYS
0xF4987000 \SystemRoot\system32\DRIVERS\lvsvf.dll
0xF6B21000 \SystemRoot\system32\drivers\usbaudio.sys
0xF7839000 \SystemRoot\system32\DRIVERS\btport.sys
0xF4969000 \SystemRoot\system32\DRIVERS\btwdndis.sys
0xF7571000 \SystemRoot\system32\DRIVERS\btwhid.sys
0xF7891000 \SystemRoot\system32\DRIVERS\btwmodem.sys
0xF4951000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7A9F000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF4AA9000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7899000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7AD0000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xF75A1000 \SystemRoot\system32\DRIVERS\tmpreflt.sys
0xBA37E000 \SystemRoot\system32\DRIVERS\vsapint.sys
0xBA335000 \SystemRoot\system32\DRIVERS\tmxpflt.sys
0xBA4C0000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xBA150000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xF7A79000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xBA0FD000 \??\C:\WINDOWS\system32\drivers\tmcomm.sys
0xBA285000 \??\C:\WINDOWS\system32\drivers\tmevtmgr.sys
0xBA04A000 \??\C:\WINDOWS\system32\drivers\tmactmon.sys
0xB9F42000 \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
0xB9E11000 \SystemRoot\System32\Drivers\HTTP.sys
0xB9FF6000 \SystemRoot\System32\DRIVERS\mdmxsdk.sys
0xB9D92000 \SystemRoot\System32\DRIVERS\srv.sys
0xF7A89000 \??\C:\WINDOWS\System32\PfModNT.sys
0xB9CF6000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xB9D22000 \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
0xB8DB1000 \SystemRoot\system32\drivers\wdmaud.sys
0xB997E000 \SystemRoot\system32\drivers\sysaudio.sys
0xB898F000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB7D1B000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 49):
0 System Idle Process
4 System
1416 C:\WINDOWS\system32\smss.exe
1664 csrss.exe
1952 C:\WINDOWS\system32\winlogon.exe
2000 C:\WINDOWS\system32\services.exe
2012 C:\WINDOWS\system32\lsass.exe
332 C:\WINDOWS\system32\svchost.exe
392 svchost.exe
880 C:\WINDOWS\system32\svchost.exe
964 svchost.exe
1304 svchost.exe
1496 C:\WINDOWS\system32\spoolsv.exe
1588 svchost.exe
1620 C:\WINDOWS\Nhksrv.exe
1680 C:\Program Files\Trend Micro\BM\TMBMSRV.exe
1696 C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
1768 C:\WINDOWS\system32\CTsvcCDA.EXE
1796 C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
1824 C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
268 C:\WINDOWS\system32\nvsvc32.exe
492 C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
676 C:\WINDOWS\system32\svchost.exe
852 C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
1364 C:\PROGRA~1\TRENDM~1\INTERN~1\TmProxy.exe
1856 C:\Program Files\UPHClean\uphclean.exe
772 C:\Program Files\Belkin Bulldog Plus\upsd.exe
2144 C:\WINDOWS\system32\MsPMSPSv.exe
2276 C:\Program Files\Canon\CAL\CALMAIN.exe
3084 alg.exe
3056 C:\WINDOWS\explorer.exe
3216 C:\Program Files\Common Files\Logitech\QCDriver3\LVComS.exe
3404 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
3512 C:\WINDOWS\system32\rundll32.exe
3536 C:\Program Files\Microsoft IntelliType Pro\itype.exe
3548 C:\WINDOWS\MMKeybd.exe
3560 C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
3568 C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
3692 C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
3968 C:\Program Files\AWS\WeatherBug\Weather.exe
3976 C:\WINDOWS\system32\ctfmon.exe
4008 C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
4092 C:\Program Files\Netropa\OSD.exe
972 C:\Program Files\Belkin Bulldog Plus\MUPS.exe
2772 C:\Program Files\Belkin\Bluetooth Software\BTStackServer.exe
2916 C:\Program Files\Internet Explorer\iexplore.exe
3844 C:\Program Files\Internet Explorer\iexplore.exe
3260 C:\WINDOWS\system32\wscntfy.exe
2292 C:\Documents and Settings\Ed\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD1200JB-00REA0, Rev: 20.00K20

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 3DD27C7EE9B2D8B2CB511843C79460E5DB3CA995


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

#10 m0le
  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 01 September 2010 - 05:40 PM

QUOTE
Sorry about that. I thought you only wanted the MBRCheck log if ComboFix failed.

No, that's right. The Combofix log meant I needed the MBRCheck log too.

The MBR has been rewritten.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Important Note: While fixing the Master Boot Record (MBR) is generally safe, there is a small risk of damaging the operating system so that it will not boot up or the partitions may become corrupted. I recommend you have your Windows CD available, which will allow recovering the boot code via the Windows Recovery Console in case of any problems, or install the XP Recovery Console before proceeding with the above fix. Then if any problems occur, the links below explain how to use and repair the MBR:

If you do not have a recovery disk then please burn one as shown here


Run MBRCheck.exe
  • Run MBRCheck.exe
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please push the 'Y' key and then press Enter
  • When the program asks you, enter 2 and press the Enter key
  • Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  • Enter 0 and press the Enter key.
  • The program will show Available MBR codes:, followed by a list of operating systems. Please enter the correct number for your operating system, and then press Enter.
  • When asked "Do you want to fix the MBR code?", type in YES and press Enter
  • Restart your PC.
After you restart the PC
  • Double click MBRCheck.exe to run (Vista and Win 7: right-click and select Run as Administrator)
  • It will show a Black screen with some data on it
  • A report called MBRCheck will be on your desktop
  • open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • now please copy that report to this thread

m0le is a proud member of UNITE

#11 Infect_Ed
  • Topic Starter
  • Members
  • 15 posts

Posted 01 September 2010 - 07:23 PM

I ran MBRCheck and selected Option 0 (Default) for Windows XP when it showed the list of MBR codes. I rebooted successfully and reran MBRCheck, and it still says the MBR is non-standard or faked.

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000d

Kernel Drivers (total 153):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0x86841000 \WINDOWS\system32\KDCOM.DLL
0xF78F5000 \WINDOWS\system32\BOOTVID.dll
0xF7492000 ACPI.sys
0xF79E1000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xF7481000 pci.sys
0xF74E1000 isapnp.sys
0xF78F9000 compbatt.sys
0xF78FD000 \WINDOWS\System32\DRIVERS\BATTC.SYS
0xF79E3000 intelide.sys
0xF7761000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xF74F1000 MountMgr.sys
0xF7462000 ftdisk.sys
0xF7769000 PartMgr.sys
0xF7501000 VolSnap.sys
0xF744A000 atapi.sys
0xF7511000 disk.sys
0xF7521000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xF742A000 fltmgr.sys
0xF7418000 sr.sys
0xF7771000 PxHelp20.sys
0xF7401000 KSecDD.sys
0xF7374000 Ntfs.sys
0xF7347000 NDIS.sys
0xF732D000 Mup.sys
0xF7531000 agp440.sys
0xF7571000 \SystemRoot\System32\DRIVERS\intelppm.sys
0xF6634000 \SystemRoot\System32\DRIVERS\nv4_mini.sys
0xF6620000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
0xF7851000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xF65FC000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xF7859000 \SystemRoot\System32\DRIVERS\usbehci.sys
0xF65D6000 \SystemRoot\System32\DRIVERS\HSFHWBS2.sys
0xF64CB000 \SystemRoot\System32\DRIVERS\HSF_DP.sys
0xF6441000 \SystemRoot\System32\DRIVERS\HSF_CNXT.sys
0xF7861000 \SystemRoot\System32\Drivers\Modem.SYS
0xF6305000 \SystemRoot\system32\drivers\P16X.sys
0xF62E2000 \SystemRoot\system32\drivers\ks.sys
0xF62BE000 \SystemRoot\system32\drivers\portcls.sys
0xF7581000 \SystemRoot\system32\drivers\drmk.sys
0xF79D9000 \SystemRoot\System32\DRIVERS\gameenum.sys
0xF629B000 \SystemRoot\System32\DRIVERS\e100b325.sys
0xF7869000 \SystemRoot\System32\DRIVERS\fdc.sys
0xF7591000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xF7A1B000 \SystemRoot\System32\DRIVERS\msikbd2k.sys
0xF7871000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF75A1000 \SystemRoot\System32\DRIVERS\serial.sys
0xF79DD000 \SystemRoot\System32\DRIVERS\serenum.sys
0xF6287000 \SystemRoot\System32\DRIVERS\parport.sys
0xF75B1000 \SystemRoot\System32\DRIVERS\imapi.sys
0xF75C1000 \SystemRoot\System32\Drivers\Cdr4_xp.SYS
0xF75D1000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xF75E1000 \SystemRoot\System32\DRIVERS\redbook.sys
0xF626E000 \SystemRoot\System32\Drivers\pwd_2k.SYS
0xF7879000 \SystemRoot\System32\Drivers\Cdralw2k.SYS
0xF61A1000 \SystemRoot\system32\DRIVERS\btkrnl.sys
0xF6183000 \SystemRoot\system32\DRIVERS\dne2000.sys
0xF75F1000 \SystemRoot\system32\DRIVERS\dsNcAdpt.sys
0xF7B3A000 \SystemRoot\System32\DRIVERS\audstub.sys
0xF7601000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xF72F0000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xF616C000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xF7611000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xF7621000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xF7881000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xF615B000 \SystemRoot\System32\DRIVERS\psched.sys
0xF7631000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xF7889000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF7891000 \SystemRoot\System32\DRIVERS\raspti.sys
0xF7641000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF7899000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF7A21000 \SystemRoot\System32\DRIVERS\swenum.sys
0xF60FD000 \SystemRoot\System32\DRIVERS\update.sys
0xF72E8000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xF5F46000 \SystemRoot\system32\DRIVERS\TM_CFW.sys
0xF78E9000 \SystemRoot\System32\Drivers\mmc_2K.SYS
0xF4DF7000 \SystemRoot\system32\drivers\btaudio.sys
0xF7661000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7671000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xF7A2B000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xF797D000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xF7789000 \SystemRoot\System32\DRIVERS\flpydisk.sys
0xF7A2F000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7B07000 \SystemRoot\System32\Drivers\Null.SYS
0xF7A31000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7799000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF77A1000 \SystemRoot\System32\drivers\vga.sys
0xF7A33000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7A35000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF4D2D000 \SystemRoot\System32\Drivers\cdudf_xp.SYS
0xF77A9000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF77B1000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF4CE8000 \SystemRoot\System32\Drivers\UdfReadr_xp.SYS
0xF79A9000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xF4CC3000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xF4C6A000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xF4C42000 \SystemRoot\System32\DRIVERS\netbt.sys
0xF4C20000 \SystemRoot\System32\drivers\afd.sys
0xF76A1000 \SystemRoot\System32\DRIVERS\netbios.sys
0xF4C0E000 \SystemRoot\system32\DRIVERS\tmtdi.sys
0xF4BE3000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xF79C5000 \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS
0xF4B4B000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xF76D1000 \SystemRoot\System32\Drivers\Fips.SYS
0xF4B25000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xF76E1000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xF4DE3000 \SystemRoot\System32\DRIVERS\hidusb.sys
0xF7711000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
0xF77B9000 \SystemRoot\system32\DRIVERS\HidBatt.sys
0xF7721000 \SystemRoot\System32\Drivers\btwusb.sys
0xF77D1000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xF4DDB000 \SystemRoot\System32\DRIVERS\mouhid.sys
0xF77D9000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF4A24000 \SystemRoot\system32\DRIVERS\CamDrL21.sys
0xF7741000 \SystemRoot\system32\DRIVERS\STREAM.SYS
0xF77E1000 \SystemRoot\system32\DRIVERS\USBCAMD.SYS
0xF49F3000 \SystemRoot\system32\DRIVERS\lvsvf.dll
0xF7751000 \SystemRoot\system32\drivers\usbaudio.sys
0xF77E9000 \SystemRoot\system32\DRIVERS\btport.sys
0xF49D5000 \SystemRoot\system32\DRIVERS\btwdndis.sys
0xF6BBA000 \SystemRoot\system32\DRIVERS\btwhid.sys
0xF77F1000 \SystemRoot\system32\DRIVERS\btwmodem.sys
0xF49BD000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7A59000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF4D8F000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7801000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7BDC000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xF7551000 \SystemRoot\system32\DRIVERS\tmpreflt.sys
0xBA37E000 \SystemRoot\system32\DRIVERS\vsapint.sys
0xBA335000 \SystemRoot\system32\DRIVERS\tmxpflt.sys
0xBA4C4000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xBA150000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xF79F7000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xBA0FD000 \??\C:\WINDOWS\system32\drivers\tmcomm.sys
0xBA5B8000 \??\C:\WINDOWS\system32\drivers\tmevtmgr.sys
0xBA04A000 \??\C:\WINDOWS\system32\drivers\tmactmon.sys
0xB9F42000 \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
0xB9E11000 \SystemRoot\System32\Drivers\HTTP.sys
0xB9FF2000 \SystemRoot\System32\DRIVERS\mdmxsdk.sys
0xB9D92000 \SystemRoot\System32\DRIVERS\srv.sys
0xF7A0B000 \??\C:\WINDOWS\System32\PfModNT.sys
0xB9CF6000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xB9D3A000 \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
0xB9081000 \SystemRoot\system32\drivers\wdmaud.sys
0xB99EE000 \SystemRoot\system32\drivers\sysaudio.sys
0xB8C47000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB7C01000
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 50):
0 System Idle Process
4 System
1416 C:\WINDOWS\system32\smss.exe
1664 csrss.exe
1952 C:\WINDOWS\system32\winlogon.exe
2000 C:\WINDOWS\system32\services.exe
2012 C:\WINDOWS\system32\lsass.exe
332 C:\WINDOWS\system32\svchost.exe
392 svchost.exe
876 C:\WINDOWS\system32\svchost.exe
960 svchost.exe
1188 svchost.exe
1492 C:\WINDOWS\system32\spoolsv.exe
1588 svchost.exe
1620 C:\WINDOWS\Nhksrv.exe
1680 C:\Program Files\Trend Micro\BM\TMBMSRV.exe
1696 C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
1768 C:\WINDOWS\system32\CTsvcCDA.EXE
1796 C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
1824 C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
344 C:\WINDOWS\system32\nvsvc32.exe
484 C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
676 C:\WINDOWS\system32\svchost.exe
852 C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
1320 C:\PROGRA~1\TRENDM~1\INTERN~1\TmProxy.exe
464 C:\Program Files\UPHClean\uphclean.exe
668 C:\Program Files\Belkin Bulldog Plus\upsd.exe
2148 C:\WINDOWS\system32\MsPMSPSv.exe
2292 C:\Program Files\Canon\CAL\CALMAIN.exe
2360 C:\WINDOWS\system32\wuauclt.exe
2808 C:\WINDOWS\explorer.exe
3224 C:\Program Files\Common Files\Logitech\QCDriver3\LVComS.exe
3288 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
3340 C:\WINDOWS\system32\rundll32.exe
3348 C:\Program Files\Microsoft IntelliType Pro\itype.exe
3356 C:\WINDOWS\MMKeybd.exe
3364 C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
3372 C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
3380 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
3388 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3396 C:\Program Files\AWS\WeatherBug\Weather.exe
3604 C:\WINDOWS\system32\ctfmon.exe
3932 C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
3948 C:\Program Files\Belkin Bulldog Plus\MUPS.exe
4016 alg.exe
1264 C:\Program Files\Belkin\Bluetooth Software\BTStackServer.exe
2228 C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
2784 C:\Program Files\Netropa\OSD.exe
592 wmiprvse.exe
1340 C:\Documents and Settings\Ed\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD1200JB-00REA0, Rev: 20.00K20

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 3DD27C7EE9B2D8B2CB511843C79460E5DB3CA995


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

#12 m0le
  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 01 September 2010 - 07:38 PM

MBRCheck isn't always able to fix the problem that it has found. We need to use a more manual way.

Locate your XP disk. If you can't find it then follow the instructions to burn one below.

Please download the Recovery Console Bootable CD iso
Unzip the file and use your favourite burning application to burn the iso to a CD. Note, this is not the same as just burning the iso file on a CD.
  • Insert the CD-ROM into the CD-ROM drive, and then restart the computer.

When you have the disk do the following:
  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-Rom drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
  • Your PC should now boot from your CD.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

  • When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

  • A command prompt will open
Once in Recovery Console, please type fixmbr and hit enter.

Type exit to exit and restart your PC.

Now please run MBRCheck and post the log.

Edited by m0le, 01 September 2010 - 07:39 PM.

m0le is a proud member of UNITE

#13 Infect_Ed

Infect_Ed
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:04:26 AM

Posted 01 September 2010 - 11:27 PM

m0le,

Ah, much better! MBRCheck detected a Windows XP MBR.

I have a Windows XP SP1 disc, but I read that using the SP1 disc on SP3 either won't work or just isn't a good idea. So, I downloaded the ISO image and burned it to CD. Thanks for that. I rebooted to CD and started Recovery Console. The prompts weren't exactly as you described, but it wasn't a problem to figure out. The big warning about ruining my MBR with fixmbr, though, did give me a momentary pause, but I went ahead and answered "Y" to the "Are you sure..." question.

Just for kicks, I've rerun MBRCheck three times since rebooting, and each time it came back as a good MBR. In other good news, Windows Automatic Updates appears to be functioning again. I'll hold off on installing the updates until we're done here.

Ed

Here's the most recent MBRCheck log:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000d

Kernel Drivers (total 152):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF79E1000 \WINDOWS\system32\KDCOM.DLL
0xF78F1000 \WINDOWS\system32\BOOTVID.dll
0xF7492000 ACPI.sys
0xF79E3000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xF7481000 pci.sys
0xF74E1000 isapnp.sys
0xF78F5000 compbatt.sys
0xF78F9000 \WINDOWS\System32\DRIVERS\BATTC.SYS
0xF79E5000 intelide.sys
0xF7761000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xF74F1000 MountMgr.sys
0xF7462000 ftdisk.sys
0xF7769000 PartMgr.sys
0xF7501000 VolSnap.sys
0xF744A000 atapi.sys
0xF7511000 disk.sys
0xF7521000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xF742A000 fltmgr.sys
0xF7418000 sr.sys
0xF7771000 PxHelp20.sys
0xF7401000 KSecDD.sys
0xF7374000 Ntfs.sys
0xF7347000 NDIS.sys
0xF732D000 Mup.sys
0xF7531000 agp440.sys
0xF7591000 \SystemRoot\System32\DRIVERS\intelppm.sys
0xF664C000 \SystemRoot\System32\DRIVERS\nv4_mini.sys
0xF6638000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
0xF7821000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xF6614000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xF7829000 \SystemRoot\System32\DRIVERS\usbehci.sys
0xF65EE000 \SystemRoot\System32\DRIVERS\HSFHWBS2.sys
0xF64E3000 \SystemRoot\System32\DRIVERS\HSF_DP.sys
0xF6459000 \SystemRoot\System32\DRIVERS\HSF_CNXT.sys
0xF7831000 \SystemRoot\System32\Drivers\Modem.SYS
0xF631D000 \SystemRoot\system32\drivers\P16X.sys
0xF62FA000 \SystemRoot\system32\drivers\ks.sys
0xF62D6000 \SystemRoot\system32\drivers\portcls.sys
0xF75A1000 \SystemRoot\system32\drivers\drmk.sys
0xF72F8000 \SystemRoot\System32\DRIVERS\gameenum.sys
0xF62B3000 \SystemRoot\System32\DRIVERS\e100b325.sys
0xF7839000 \SystemRoot\System32\DRIVERS\fdc.sys
0xF75B1000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xF7A0F000 \SystemRoot\System32\DRIVERS\msikbd2k.sys
0xF7841000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF75C1000 \SystemRoot\System32\DRIVERS\serial.sys
0xF72F4000 \SystemRoot\System32\DRIVERS\serenum.sys
0xF629F000 \SystemRoot\System32\DRIVERS\parport.sys
0xF75D1000 \SystemRoot\System32\DRIVERS\imapi.sys
0xF75E1000 \SystemRoot\System32\Drivers\Cdr4_xp.SYS
0xF75F1000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xF7601000 \SystemRoot\System32\DRIVERS\redbook.sys
0xF624A000 \SystemRoot\System32\Drivers\pwd_2k.SYS
0xF7849000 \SystemRoot\System32\Drivers\Cdralw2k.SYS
0xF617D000 \SystemRoot\system32\DRIVERS\btkrnl.sys
0xF615F000 \SystemRoot\system32\DRIVERS\dne2000.sys
0xF7611000 \SystemRoot\system32\DRIVERS\dsNcAdpt.sys
0xF7AD7000 \SystemRoot\System32\DRIVERS\audstub.sys
0xF7621000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xF72E8000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xF6148000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xF7631000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xF7641000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xF7851000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xF6137000 \SystemRoot\System32\DRIVERS\psched.sys
0xF7651000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xF7859000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF7861000 \SystemRoot\System32\DRIVERS\raspti.sys
0xF7661000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF7869000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF7A15000 \SystemRoot\System32\DRIVERS\swenum.sys
0xF60D9000 \SystemRoot\System32\DRIVERS\update.sys
0xF69EC000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xF5F22000 \SystemRoot\system32\DRIVERS\TM_CFW.sys
0xF7871000 \SystemRoot\System32\Drivers\mmc_2K.SYS
0xF4DD3000 \SystemRoot\system32\drivers\btaudio.sys
0xF7671000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7681000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xF7A17000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xF7979000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xF7879000 \SystemRoot\System32\DRIVERS\flpydisk.sys
0xF7A1B000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C33000 \SystemRoot\System32\Drivers\Null.SYS
0xF7A1D000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7889000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7891000 \SystemRoot\System32\drivers\vga.sys
0xF7A1F000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7A21000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF4D09000 \SystemRoot\System32\Drivers\cdudf_xp.SYS
0xF7899000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF78A1000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF4CC4000 \SystemRoot\System32\Drivers\UdfReadr_xp.SYS
0xF79A5000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xF4C9F000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xF4C46000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xF4C1E000 \SystemRoot\System32\DRIVERS\netbt.sys
0xF4BFC000 \SystemRoot\System32\drivers\afd.sys
0xF76B1000 \SystemRoot\System32\DRIVERS\netbios.sys
0xF4BEA000 \SystemRoot\system32\DRIVERS\tmtdi.sys
0xF4BBF000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xF79C1000 \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS
0xF4B27000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xF76E1000 \SystemRoot\System32\Drivers\Fips.SYS
0xF4B01000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xF76F1000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xF4DCB000 \SystemRoot\System32\DRIVERS\hidusb.sys
0xF7711000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
0xF78A9000 \SystemRoot\system32\DRIVERS\HidBatt.sys
0xF7721000 \SystemRoot\System32\Drivers\btwusb.sys
0xF7731000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF78C1000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xF4DBF000 \SystemRoot\System32\DRIVERS\mouhid.sys
0xF78C9000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF4A00000 \SystemRoot\system32\DRIVERS\CamDrL21.sys
0xF7741000 \SystemRoot\system32\DRIVERS\STREAM.SYS
0xF78D1000 \SystemRoot\system32\DRIVERS\USBCAMD.SYS
0xF49CF000 \SystemRoot\system32\DRIVERS\lvsvf.dll
0xF7751000 \SystemRoot\system32\drivers\usbaudio.sys
0xF78D9000 \SystemRoot\system32\DRIVERS\btport.sys
0xF49B1000 \SystemRoot\system32\DRIVERS\btwdndis.sys
0xF6BBA000 \SystemRoot\system32\DRIVERS\btwhid.sys
0xF78E1000 \SystemRoot\system32\DRIVERS\btwmodem.sys
0xF4999000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7A39000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF4D83000 \SystemRoot\System32\drivers\Dxapi.sys
0xF78E9000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7AE7000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xF4AB9000 \SystemRoot\system32\DRIVERS\tmpreflt.sys
0xBA3A6000 \SystemRoot\system32\DRIVERS\vsapint.sys
0xBA335000 \SystemRoot\system32\DRIVERS\tmxpflt.sys
0xF4AED000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xBA178000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xF7A8B000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xBA125000 \??\C:\WINDOWS\system32\drivers\tmcomm.sys
0xBA2AD000 \??\C:\WINDOWS\system32\drivers\tmevtmgr.sys
0xBA072000 \??\C:\WINDOWS\system32\drivers\tmactmon.sys
0xB9F6A000 \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
0xB9E61000 \SystemRoot\System32\Drivers\HTTP.sys
0xBA02E000 \SystemRoot\System32\DRIVERS\mdmxsdk.sys
0xF7A95000 \??\C:\WINDOWS\System32\PfModNT.sys
0xB9DBA000 \SystemRoot\System32\DRIVERS\srv.sys
0xB9CA6000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xB9D92000 \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
0xB9009000 \SystemRoot\system32\drivers\wdmaud.sys
0xB98BE000 \SystemRoot\system32\drivers\sysaudio.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 50):
0 System Idle Process
4 System
1416 C:\WINDOWS\system32\smss.exe
1664 csrss.exe
1692 C:\WINDOWS\system32\winlogon.exe
1996 C:\WINDOWS\system32\services.exe
2008 C:\WINDOWS\system32\lsass.exe
324 C:\WINDOWS\system32\svchost.exe
380 svchost.exe
860 C:\WINDOWS\system32\svchost.exe
928 svchost.exe
1264 svchost.exe
1452 C:\WINDOWS\system32\spoolsv.exe
1548 svchost.exe
1580 C:\WINDOWS\Nhksrv.exe
1648 C:\Program Files\Trend Micro\BM\TMBMSRV.exe
1660 C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
1704 C:\WINDOWS\system32\CTsvcCDA.EXE
1756 C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
1788 C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
1936 C:\WINDOWS\system32\nvsvc32.exe
264 C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
556 C:\WINDOWS\system32\svchost.exe
668 C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
1516 C:\PROGRA~1\TRENDM~1\INTERN~1\TmProxy.exe
192 C:\Program Files\UPHClean\uphclean.exe
548 C:\Program Files\Belkin Bulldog Plus\upsd.exe
1188 C:\WINDOWS\system32\MsPMSPSv.exe
1500 C:\Program Files\Canon\CAL\CALMAIN.exe
2808 alg.exe
3912 C:\WINDOWS\explorer.exe
788 C:\Program Files\Common Files\Logitech\QCDriver3\LVComS.exe
1312 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
1348 C:\WINDOWS\system32\rundll32.exe
1380 C:\Program Files\Microsoft IntelliType Pro\itype.exe
1168 C:\WINDOWS\MMKeybd.exe
1800 C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
1816 C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
2180 C:\Program Files\AWS\WeatherBug\Weather.exe
732 C:\WINDOWS\system32\ctfmon.exe
2252 C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
2260 C:\Program Files\Belkin Bulldog Plus\MUPS.exe
2984 C:\Program Files\Belkin\Bluetooth Software\BTStackServer.exe
3120 C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
3244 C:\Program Files\Netropa\OSD.exe
3784 C:\Program Files\Internet Explorer\iexplore.exe
2284 C:\Program Files\Internet Explorer\iexplore.exe
3568 wmiprvse.exe
2624 C:\WINDOWS\system32\wuauclt.exe
3860 C:\Documents and Settings\Ed\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD1200JB-00REA0, Rev: 20.00K20

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
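Both MBRCheck logs in this thread classify the sector by hashing it (the "MBR Code Faked!" result and the "Windows XP MBR code detected" result each carry a SHA1), and fixmbr repairs it by rewriting only the boot-code portion of sector 0, leaving the partition table alone. The script below is an added example, not MBRCheck's code and not anything posted in the thread: it reads a 512-byte MBR, checks the 0x55AA boot signature, hashes the 440-byte boot-code region, decodes the partition table (so the C: offset 0x7e00 reported above can be cross-checked against the first partition's LBA 63), and compares the boot-code hash against an allowlist the operator supplies. The sample sectors, the disk signature and the stub bytes are constructed for the demonstration, and because the page does not state which byte range MBRCheck hashes, its SHA1 values should not be expected to match this script's output.

```python
"""Added example: parse a 512-byte MBR, hash the boot code and decode the
partition table.  Not MBRCheck's code; the allowlist is supplied by the caller."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # x86 boot code occupies bytes 0..439
DISK_SIG_OFF = 0x1B8     # 4-byte Windows disk signature
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE     # must hold 0x55 0xAA
PART_FMT = "<B3xB3xII"   # status, CHS start, type, CHS end, LBA start, sector count


def parse_partitions(sector):
    """Decode the four primary partition entries; empty slots (type 0) are skipped."""
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "byte_offset": lba * SECTOR,  # the volume offset MBRCheck prints for \\.\C:
        })
    return parts


def inspect_mbr(sector, known_good_sha1):
    """Classify one sector: invalid signature, known boot code, or unknown boot code."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    info = {
        "boot_sig_ok": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa",
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "sector_sha1": hashlib.sha1(sector).hexdigest().upper(),
        "partitions": parse_partitions(sector),
    }
    if not info["boot_sig_ok"]:
        info["status"] = "invalid: missing 0x55AA boot signature"
    elif info["boot_code_sha1"] in known_good_sha1:
        info["status"] = "known boot code"
    else:
        info["status"] = "unknown boot code: compare with a clean MBR or rewrite it"
    return info


def read_mbr(device_path):
    """Read sector 0 of a raw device.  Needs administrator/root rights."""
    # Windows: r"\\.\PhysicalDrive0" (the device name in the log); Linux: "/dev/sda".
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR)


def build_sample_mbr(boot_code, lba_start=63, sectors=232_783_872, disk_sig=0x1A2B3C4D):
    """Constructed sample sector: one bootable NTFS (0x07) partition starting at LBA 63."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    struct.pack_into(PART_FMT, sector, PART_TABLE_OFF, 0x80, 0x07, lba_start, sectors)
    sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    # Stand-in stub bytes (constructed; not a real MBR image).
    clean = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
    # The allowlist comes from a sector you trust, e.g. one read from clean boot media.
    allowlist = {inspect_mbr(clean, set())["boot_code_sha1"]}
    # Bootkit-style patch: boot code replaced, partition table left intact.
    tampered = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 8)
    for name, sec in (("clean", clean), ("tampered", tampered)):
        r = inspect_mbr(sec, allowlist)
        print(f"{name}: {r['status']} (boot code SHA1 {r['boot_code_sha1']})")
        for p in r["partitions"]:
            print(f"  partition {p['index']}: type 0x{p['type']:02X}, LBA {p['lba_start']}, "
                  f"offset 0x{p['byte_offset']:X}, bootable={p['bootable']}")
```

Two caveats when using this for real. A bootkit that hooks the disk driver can hand back a clean-looking sector to anything reading the drive from inside the infected Windows, so a hash taken there proves little; read sector 0 from clean boot media (the Recovery Console CD used in this thread, or a live Linux) before trusting it. And the allowlist must be built from the same byte range the comparison uses: a tool that hashes the whole 512 bytes will report a different value from one that hashes only the 440-byte boot code, even for an identical disk.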

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:26 AM

Posted 02 September 2010 - 01:33 PM

That's better. You can go ahead and install the updates when I give the all-clear.

Please run ESET's online scan for a final sweep
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#15 Infect_Ed

Infect_Ed
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:04:26 AM

Posted 02 September 2010 - 02:12 PM

Thanks, m0le. I'll run this tonight from home.

It's not stated, so I figured I should ask. Do I need to disable any portion of my Trend Micro Internet Security for this to work?

Ed
