Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Unknown Dev Brings LibreOffice to Windows 10 via the Microsoft Store

Featured Deal: Get 98% off the Ultimate Cisco Certification Bundle: Lifetime Access Deal

Rootkit Infection?

Started by lchop , Oct 17 2010 12:02 AM

This topic is locked

2 replies to this topic

#1 lchop

Members
2 posts
OFFLINE

Local time:07:21 PM

Posted 17 October 2010 - 12:02 AM

I'm the family member that gets called with all the pc problems. Lately alot of these calls have been about rouge AV infections. I've found that even when MBAM doesn't clear them out, combofix has. So b4 reading all your instructions I had already run combofix on a friends machine after super anti-spyware and mbam did not fully remove antivirus 8. It said it detected rootkit activity even though nothing obvious is showing in red with a GMER scan. After combofix finished I rebooted and it seems like it did the job. However,I ran combofix again and it is still saying detecting rootkit activity. So I came here for some help in reading the logs. I'm including all the logs your instructions ask for plus the combofix log. Is my friends machine still infected? Any help is appreciated!!

DDS (Ver_10-10-10.03) - NTFSx86
Run by nancy at 23:48:34.32 on Sat 10/16/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2999.2077 [GMT -4:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_41f81f5ce017c35c\STacSV.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\vcsFPService.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\DigitalPersona\Bin\DpHostW.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_41f81f5ce017c35c\aestsrv.exe
c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\STMicroelectronics\Accelerometer\InstallFilterService.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Verizon\VSP\ServicepointService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\dell\DBRM\Reminder\DbrmTrayicon.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wbem\wmiprvse.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Verizon\VSP\VerizonServicepointComHandler.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\nancy\Desktop\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: DigitalPersona Fingerprint Software Extension: {395610ae-c624-4f58-b89e-23733ea00f9a} - c:\program files\digitalpersona\bin\DpOtsPluginIe8.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell2.exe" /mode2
mRun: [DpAgent] c:\program files\digitalpersona\bin\dpagent.exe
mRun: [DBRMTray] c:\dell\dbrm\reminder\DbrmTrayIcon.exe
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRunOnce: [DBRMTray] c:\dell\dbrm\reminder\TrayApp.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
LSA: Notification Packages = scecli DPPWDFLT

============= SERVICES / DRIVERS ===============

R0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\drivers\stdflt.sys [2010-4-6 16176]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-7-20 214664]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_41f81f5ce017c35c\AEstSrv.exe [2010-2-3 81920]
R2 InstallFilterService;FF Install Filter Service;c:\program files\stmicroelectronics\accelerometer\InstallFilterService.exe [2010-4-6 60928]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2010-10-12 88176]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-7-20 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-7-20 144704]
R2 ServicepointService;ServicepointService;c:\program files\verizon\vsp\ServicepointService.exe [2010-7-20 689392]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-4-16 173352]
R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2009-7-12 1656112]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Acceler.sys [2010-2-3 41648]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-4-6 29472]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\ctclsflt.sys [2010-4-6 143968]
R3 Impcd;Impcd;c:\windows\system32\drivers\impcd.sys [2010-2-3 125696]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-7-20 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-7-20 35272]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-2-3 66592]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-2-3 230912]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 BrSerIb;Brother MFC Serial Interface Driver(WDM);c:\windows\system32\drivers\brserib.sys [2009-7-13 265088]
S3 BrUsbSIb;Brother MFC Serial USB Driver(WDM);c:\windows\system32\drivers\brusbsib.sys [2009-7-13 11904]
S3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\ctauddrv.sys [2010-4-6 134144]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-7-20 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-7-20 40552]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\rtsustor.sys [2010-2-3 171520]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-20 1343400]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-7-20 606736]

=============== Created Last 30 ================

2010-10-17 03:16:36 -------- d-sh--w- C:\$RECYCLE.BIN
2010-10-17 03:16:35 -------- d-----w- c:\users\nancy\appdata\local\temp
2010-10-17 02:53:28 -------- d-----w- C:\ComboFix
2010-10-16 21:47:37 -------- d-----w- c:\program files\Sophos
2010-10-15 17:11:11 -------- d-----w- c:\program files\CCleaner
2010-10-15 16:19:16 98816 ----a-w- c:\windows\sed.exe
2010-10-15 16:19:16 77312 ----a-w- c:\windows\MBR.exe
2010-10-15 16:19:16 256512 ----a-w- c:\windows\PEV.exe
2010-10-15 16:19:16 161792 ----a-w- c:\windows\SWREG.exe
2010-10-15 16:01:01 -------- d-----w- c:\windows\pss
2010-10-15 15:47:53 350720 ----a-w- c:\windows\system32\tpns.exe
2010-10-15 15:47:47 -------- d-----w- c:\progra~2\Update
2010-10-15 15:41:27 -------- d-----w- c:\users\nancy\appdata\roaming\Malwarebytes
2010-10-15 15:41:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-15 15:41:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-15 15:41:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-15 15:41:22 -------- d-----w- c:\progra~2\Malwarebytes
2010-10-15 15:11:59 -------- d-----w- c:\users\nancy\appdata\roaming\SUPERAntiSpyware.com
2010-10-15 15:11:59 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2010-09-29 14:42:30 2048 ----a-w- c:\windows\system32\tzres.dll

==================== Find3M ====================

2010-09-08 04:30:04 978432 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 04:28:15 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 03:22:31 386048 ----a-w- c:\windows\system32\html.iec
2010-09-08 02:48:16 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-01 04:23:49 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-01 02:34:52 2327552 ----a-w- c:\windows\system32\win32k.sys
2010-08-31 04:32:30 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 04:32:30 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-27 05:46:48 168448 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 04:39:58 109056 ----a-w- c:\windows\system32\t2embed.dll
2010-08-21 05:36:33 738816 ----a-w- c:\windows\system32\wmpmde.dll
2010-08-21 05:36:24 224256 ----a-w- c:\windows\system32\schannel.dll
2010-08-21 05:33:24 530432 ----a-w- c:\windows\system32\comctl32.dll
2010-08-21 05:32:37 316928 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-29 06:30:49 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30:34 82944 ----a-w- c:\windows\system32\iccvid.dll

============= FINISH: 23:49:17.98 ===============

Here's the combofix log...

ComboFix 10-10-14.04 - nancy 10/16/2010 23:10:16.6.4 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2999.2176 [GMT -4:00]
Running from: c:\users\nancy\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
.

((((((((((((((((((((((((( Files Created from 2010-09-17 to 2010-10-17 )))))))))))))))))))))))))))))))
.

2010-10-17 03:14 . 2010-10-17 03:14 -------- d-----w- c:\users\nancy\AppData\Local\temp
2010-10-17 03:14 . 2010-10-17 03:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-10-17 02:53 . 2010-10-17 02:53 -------- d-----w- C:\32788R22FWJFW
2010-10-16 21:47 . 2010-10-16 21:47 -------- d-----w- c:\program files\Sophos
2010-10-15 17:11 . 2010-10-15 17:11 -------- d-----w- c:\program files\CCleaner
2010-10-15 15:47 . 2010-10-15 15:48 350720 ----a-w- c:\windows\system32\tpns.exe
2010-10-15 15:47 . 2010-10-15 16:36 -------- d-----w- c:\programdata\Update
2010-10-15 15:41 . 2010-10-15 15:41 -------- d-----w- c:\users\nancy\AppData\Roaming\Malwarebytes
2010-10-15 15:41 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-15 15:41 . 2010-10-15 15:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-15 15:41 . 2010-10-15 15:41 -------- d-----w- c:\programdata\Malwarebytes
2010-10-15 15:41 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-15 15:11 . 2010-10-15 15:11 -------- d-----w- c:\users\nancy\AppData\Roaming\SUPERAntiSpyware.com
2010-10-15 15:11 . 2010-10-15 15:11 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-09-29 14:42 . 2010-06-19 06:15 2048 ----a-w- c:\windows\system32\tzres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-04-06 26102056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-12-10 1594664]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-01-05 495708]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-12-12 13838952]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2009-12-12 92776]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-25 140520]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2009-05-12 842816]
"DBRMTray"="c:\dell\DBRM\Reminder\DbrmTrayIcon.exe" [2009-11-12 203776]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-05-26 1159168]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2010-01-11 4281584]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-12-02 649448]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-11-16 1176808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DBRMTray"="c:\dell\DBRM\Reminder\TrayApp.exe" [2009-10-17 7168]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-10-20 795936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeFallProtection]
2009-07-22 12:52 2384896 ----a-w- c:\program files\STMicroelectronics\Accelerometer\FF_Protection.exe

R1 SASDIFSV;SASDIFSV;c:\users\nancy\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\nancy\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
R2 InstallFilterService;FF Install Filter Service;c:\program files\STMicroelectronics\Accelerometer\InstallFilterService.exe [2009-11-30 60928]
R3 BrSerIb;Brother MFC Serial Interface Driver(WDM);c:\windows\system32\DRIVERS\BrSerIb.sys [2009-07-14 265088]
R3 BrUsbSIb;Brother MFC Serial USB Driver(WDM);c:\windows\system32\DRIVERS\BrUsbSIb.sys [2009-07-13 11904]
R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\Drivers\CtAudDrv.sys [2009-05-28 134144]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\383E.tmp [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-08-10 171520]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-20 1343400]
S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdflt.sys [2009-11-27 16176]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_41f81f5ce017c35c\aestsrv.exe [2009-03-02 81920]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [2010-05-20 88176]
S2 ServicepointService;ServicepointService;c:\program files\Verizon\VSP\ServicepointService.exe [2010-01-11 689392]
S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-04-16 173352]
S2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2009-07-13 1656112]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Acceler.sys [2009-12-02 41648]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 29472]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 143968]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 125696]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-08-21 66592]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-11-05 230912]

.
Contents of the 'Scheduled Tasks' folder

2010-07-20 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-07-20 07:35]

2010-07-20 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-07-20 07:35]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys stdflt.sys >>UNKNOWN [0x87F5B566]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\383E.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(584)
c:\windows\system32\DPPWDFLT.DLL
.
Completion time: 2010-10-16 23:16:32
ComboFix-quarantined-files.txt 2010-10-17 03:16
ComboFix2.txt 2010-10-17 02:28
ComboFix3.txt 2010-10-15 17:27

Pre-Run: 273,118,044,160 bytes free
Post-Run: 273,057,173,504 bytes free

- - End Of File - - D8CBD4CFEF3F631F2E3B7FDAE292817D

Attached Files

ark.txt 96.54KB 1 downloads
Attach.txt 21.29KB 1 downloads

Edited by lchop, 17 October 2010 - 11:59 AM.

Back to top

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 lchop

Topic Starter

Members
2 posts
OFFLINE

Local time:07:21 PM

Posted 18 October 2010 - 02:36 PM

after some searching I suspected infection with TDSS root kit so I scanned with TDSSKiller, which did find the infection in the MBR and tried to cure it. But after the reboot Windows would not start and startup repair could not fix the problem. So now I am doing a factory restore. So I guess no more need to provide any assistance here.

Back to top

#3 Budapest

Bleepin' Cynic

Moderator
23,579 posts
OFFLINE

Gender:Male
Local time:09:21 AM

Posted 18 October 2010 - 04:19 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.

_{The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw}