Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Zbot infection on Windows 2003 terminal server.

  • Please log in to reply
5 replies to this topic

#1 ghacker


  • Members
  • 3 posts
  • Local time:01:29 PM

Posted 28 December 2010 - 11:55 AM

Hello all, I'm a long time lurker but first time poster. I used to consider myself fairly competent in exorcising malware demons from people's PCs (I certainly have enough people bringing them to me for that purpose) but my old tricks don't seem to be keeping pace with the new threats. Recently we had a Zbot outbreak on our network that pointed out glaring security holes in our defenses that existed due to lack of administrative manpower and an ill-advised managerial directive to favor data accessibility and application communication over proper security practices. After three of us losing an entire weekend to isolation, cleanup, and reimaging of servers where necessary we are changing our ways and have all servers running the latest McAfee Virusscan Enterprise with maximum protection, have closed down shares of system volumes, and have a renewed focus on proper security practices.

That being said, we are still not completely rid of the Zbot infection. The terminal server upon which we conduct our day to day activities (not online banking for now for obvious reasons) is still attempting to infect the executables of other servers on the network (one in particular seems to be its primary target). The McAfee on-access scanner on that server seems to be detecting and cleaning the infections, but some evil is definitely still at work - in TCPview I can see connections being established with unknown IPs (one of them in Russia) which are definitely not legitimate traffic. Not to mention the fraudulent charge that showed up on my corporate credit card. I have tried to watch for suspicious activity in Process Explorer but don't really know what to look for.

The odd thing (not odd for a virus I guess but perplexing and annoying) is that nothing we've tried can find a problem on the terminal server in question. We have done in-depth scanning with McAfee and the command line scanner and various other tools (GetSusp, autoruns, GMER) under the direction of McAfee support and cannot find the source of the unauthorized activity. I for my own part have tried a number of tools that have been helpful with PCs (SuperAntiSpyware, MBAM, and Spybot) and while the first scan with SAS cleaned up the usual web surfing crap subsequent scans with MBAM and Spybot came back clean. I don't think it would be advisable to run ComboFix on a terminal server, as its use even on a PC is recommended only under the guidance of a trained security professional. I have looked in the most obvious places for rogue programs starting with Windows but I just cannot find it. McAfee will not escalate the case until we can provide a malicious sample which is a huge catch 22 since neither the software, the first-level tech nor we can determine which is the malicious file.

I just don't know what else to try at this point, so I am humbly submitting this request for assistance. It seems that our Zbot variant is completely evading detection on the terminal server - I have read that even with a fully patched OS and up to date antivirus the detection rate for this virus is less than 50% and likely closer to 25%. I would appreciate any input that might help us in isolating and removing the infection, whether it be another program to try, another place to look, or a procedure to follow. I will be somewhat limited in what I can do immediately by this being a production server but will attempt to perform any suggested procedures remotely after hours. Thanks in advance for your help - I know someone out there must have the knowledge, skills, and tools to find this thing and kill it. Bonus points and a beer to anyone who can ship me the head of the bastard who coded the Zbot construction kit in a box with a pretty Christmas bow on it. I want the last three weeks of my life back!

BC AdBot (Login to Remove)


#2 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:02:29 PM

Posted 28 December 2010 - 04:26 PM

Hello,I would like to run 2 tools and see if there is improvement.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller. will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

Please perform a scan with Eset Online Antiivirus Scanner.
This scan requires Internet Explorer to work. Vista/Windows 7 users need to run Internet Explorer as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Posted Image > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 ghacker

  • Topic Starter

  • Members
  • 3 posts
  • Local time:01:29 PM

Posted 29 December 2010 - 06:22 PM

:thumbup2: Well TDSSKiller found nothing but the ESET online scanner did find some threats that were overlooked by previous scans and things seem to be looking up - there have been no on-access detections on the server where we had been receiving them before moving the files ESET found. This is kind of ironic really, because we have a VPN and domain trust with one of our clients and they too fell prey to this outbreak. The ironic part is that I had most of their PCs and servers running ESET NOD32 Antivirus v4 and had just recently renewed their license for three years. When the systems were still heavily infected and many, many critical .exe's were compromised we deemed ESET unusable for cleanup because it did not offer an option to clean the files - only delete. We removed ESET and put McAfee on everything since it seemed to be doing a better job of cleaning the .exe's. Now that the .exe's are cleaned up for the most part and McAfee can't find the dropper that keeps trying to reinfect them, ESET is back to save the day by finding the droppers. McAfee support also came back to us with a couple of files deemed suspicious not by any of their scanning tools but by human analysis of some logs we sent them and these were not detected by ESET either. I guess it just goes to show that the modern threats require the right mix of tools, knowledge, and a little bit of luck. Thank you so much for pointing me in the right direction!

TDSSKiller log:

2010/12/29 01:04:17.0188 TDSS rootkit removing tool Dec 16 2010 09:46:46
2010/12/29 01:04:17.0188 ================================================================================
2010/12/29 01:04:17.0188 SystemInfo:
2010/12/29 01:04:17.0188
2010/12/29 01:04:17.0188 OS Version: 5.2.3790 ServicePack: 2.0
2010/12/29 01:04:17.0204 Product type: Server
2010/12/29 01:04:17.0204 ComputerName: EPTS1
2010/12/29 01:04:17.0204 UserName: administrator
2010/12/29 01:04:17.0204 Windows directory: C:\Documents and Settings\administrator.EFCPART\WINDOWS
2010/12/29 01:04:17.0204 System windows directory: C:\WINDOWS
2010/12/29 01:04:17.0204 Processor architecture: Intel x86
2010/12/29 01:04:17.0204 Number of processors: 4
2010/12/29 01:04:17.0204 Page size: 0x1000
2010/12/29 01:04:17.0204 Boot type: Normal boot
2010/12/29 01:04:17.0204 ================================================================================
2010/12/29 01:04:17.0501 Initialize success
2010/12/29 01:06:13.0751 ================================================================================
2010/12/29 01:06:13.0751 Scan started
2010/12/29 01:06:13.0751 Mode: Manual;
2010/12/29 01:06:13.0751 ================================================================================
2010/12/29 01:06:14.0189 ACPI (a0a850bac6f8a88ad0fc964c6bea170d) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/29 01:06:14.0330 ACPIEC (043c89cc533ff546d835cb998b95b198) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/12/29 01:06:14.0517 adpu160m (bbe35985c5e9e5ed87b8c1dad5b7d725) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2010/12/29 01:06:14.0642 adpu320 (5a23754571bbfa93564c04e7a20b1762) C:\WINDOWS\system32\DRIVERS\adpu320.sys
2010/12/29 01:06:14.0783 afcnt (2dad567d6c05b12db4567860a6256ac2) C:\WINDOWS\system32\DRIVERS\afcnt.sys
2010/12/29 01:06:14.0970 AFD (3b144724ac4540a367e6dc134bacd6aa) C:\WINDOWS\System32\drivers\afd.sys
2010/12/29 01:06:15.0173 agp440 (b9985042687a43685fc64b282b627653) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/12/29 01:06:15.0298 agpCPQ (4139c312858d6050489ade2984ceb648) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2010/12/29 01:06:15.0439 aic78u2 (b06e2a2a7ceb0ef894520cafc2f1feaf) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2010/12/29 01:06:15.0564 aic78xx (ec7d7f96e97bad83a0b8a96969d19f2d) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2010/12/29 01:06:15.0705 AliIde (4790a743b00358c186e19f6b49791d6a) C:\WINDOWS\system32\DRIVERS\aliide.sys
2010/12/29 01:06:15.0830 alim1541 (91b0a16ef9fc504865a94bbdb4623a1f) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2010/12/29 01:06:15.0970 AlKernel (06112696a1b06692939cf087d1f1c84e) C:\WINDOWS\system32\Drivers\AlKernel.sys
2010/12/29 01:06:16.0111 amdagp (557eaea1343554571456dc363feed2ee) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2010/12/29 01:06:16.0236 AmdIde (d175d3c400a412b9cb2095e452afbbb0) C:\WINDOWS\system32\DRIVERS\amdide.sys
2010/12/29 01:06:16.0376 arc (a9c7273645a06a01ac2ca070d7d7ec87) C:\WINDOWS\system32\DRIVERS\arc.sys
2010/12/29 01:06:16.0533 AsyncMac (a35b971f631d4dfdeb68d71e770d2ce9) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/29 01:06:16.0673 atapi (ff953a8f08ca3f822127654375786bbe) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/29 01:06:16.0955 ati2mpad (8032016269422141c762552d5836d7ad) C:\WINDOWS\system32\DRIVERS\ati2mpad.sys
2010/12/29 01:06:17.0111 ati2mtag (dcd26b36ce305b718e2f1c56c19df668) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/12/29 01:06:17.0236 Atmarpc (d12dad5032285343ce3aa4906f661181) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/29 01:06:17.0377 audstub (5bfd980c2107d88101d1dc14055526fc) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/29 01:06:17.0502 awecho (7305e36433ae7ce4a878ccc900bcf2a8) C:\WINDOWS\system32\drivers\awechomd.sys
2010/12/29 01:06:17.0642 awlegacy (1464f3daf223e7a204baf1b556ee7769) C:\WINDOWS\System32\Drivers\awlegacy.sys
2010/12/29 01:06:17.0845 AW_HOST (71c32536b50136e9e439306a2e9296e2) C:\WINDOWS\system32\drivers\aw_host5.sys
2010/12/29 01:06:17.0986 Beep (99572503e15a3d10239b7b9887cbaf89) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/29 01:06:18.0236 cbidf (1342877de604a5a6bff986e288e3a8a7) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2010/12/29 01:06:18.0377 cbidf2k (1342877de604a5a6bff986e288e3a8a7) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/29 01:06:18.0517 cd20xrnt (431d1b3dc3de617da27055c87b424a21) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2010/12/29 01:06:18.0658 Cdfs (e6d72780c957b69c48bfc66bc3ecdad4) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/29 01:06:18.0877 Cdrom (825aa877a852ecc731fa0c39c8c37744) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/29 01:06:19.0158 ClusDisk (54308cdf97622fae1620bb1ec39ef014) C:\WINDOWS\system32\DRIVERS\ClusDisk.sys
2010/12/29 01:06:19.0298 CmdIde (c40fb2610969b282cb0873ca8030a884) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2010/12/29 01:06:19.0439 Cpqarray (126d049a6e6b6cb8df1c69d3e2a8c0c4) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2010/12/29 01:06:19.0580 cpqarry2 (d31cb94a4acad58abb6cf74b7ef1ce1f) C:\WINDOWS\system32\DRIVERS\cpqarry2.sys
2010/12/29 01:06:19.0705 cpqcissm (0c5dcc2df112b7352b9427d943cf56bc) C:\WINDOWS\system32\DRIVERS\cpqcissm.sys
2010/12/29 01:06:19.0845 cpqfcalm (fed86c9f250fc641b37c933e4c214a8a) C:\WINDOWS\system32\DRIVERS\cpqfcalm.sys
2010/12/29 01:06:20.0048 crcdisk (0ee27d9dbb208c13314f3c60f66aed26) C:\WINDOWS\system32\DRIVERS\crcdisk.sys
2010/12/29 01:06:20.0189 dac2w2k (8ce90c5c311592273ab0fb39a2d23896) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2010/12/29 01:06:20.0314 dac960nt (19b8202934b660c4ec2e64354437a854) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2010/12/29 01:06:20.0470 dellcerc (264e592a99801b682c98984588a7d7b5) C:\WINDOWS\system32\DRIVERS\dellcerc.sys
2010/12/29 01:06:20.0611 DfsDriver (444726b01c31d29c70e60f7c35de43e5) C:\WINDOWS\system32\drivers\Dfs.sys
2010/12/29 01:06:20.0752 Disk (98433302c02f1168efb7364f8111a179) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/29 01:06:20.0908 dmboot (89fa376d83042f6f1aed505106a5719d) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/29 01:06:21.0033 dmio (15081421ee62dc1c95abb387d9081571) C:\WINDOWS\system32\drivers\dmio.sys
2010/12/29 01:06:21.0173 dmload (3d9bfa13b6f1cd2d91c50c52b32e91a2) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/29 01:06:21.0314 dpti2o (110406bc22a72e2dcbb0a86e0542ab1c) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2010/12/29 01:06:21.0455 E1000 (73c0eef62ad50c7ff7a4b1ec9321af9f) C:\WINDOWS\system32\DRIVERS\e1000325.sys
2010/12/29 01:06:21.0736 Fastfat (e792a18abdc32286212dce8e75baa124) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/29 01:06:21.0955 Fdc (5090cd3f6ab1d71ad507953cff556ea9) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/12/29 01:06:22.0080 Fips (b485ac2edc466c538bdff32bc3f2e506) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/29 01:06:22.0330 Flpydisk (c621a51f415419a3145a5939abde39fa) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/12/29 01:06:22.0470 FltMgr (f978277ef786532195cdd9f88e908632) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/12/29 01:06:22.0611 Fs_Rec (aebff3d810b74971b91b2b77b289a98b) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/29 01:06:22.0892 Ftdisk (4c533b70afa917416aec57fcbeecb57d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/29 01:06:23.0017 Gernuwa (fd25177ced6751c14de170d8282ced90) C:\WINDOWS\system32\drivers\Gernuwa.sys
2010/12/29 01:06:23.0205 Gpc (30b1653a955f548352024a5fee203cc3) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/29 01:06:23.0361 HidUsb (90a325e14f9b95f17712707b1a7181b5) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/12/29 01:06:23.0502 hpcisss (8a445379d6e73731a6a37318dbb0c880) C:\WINDOWS\system32\DRIVERS\hpcisss.sys
2010/12/29 01:06:23.0627 hpn (cf54b5f4192fa5f669d13ee700fc9dce) C:\WINDOWS\system32\DRIVERS\hpn.sys
2010/12/29 01:06:23.0767 hpt3xx (d3704da43183412dfa0dc1f31051d447) C:\WINDOWS\system32\DRIVERS\hpt3xx.sys
2010/12/29 01:06:23.0923 HTTP (3bd2fe8101ba82f09ef3a35655ae52db) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/29 01:06:24.0064 i2omgmt (f198c5ba41cd0f3983ddad09eaf77300) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/12/29 01:06:24.0814 i2omp (615395fc46eeea7e7e822d4be8006862) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2010/12/29 01:06:24.0939 i8042prt (68e8ff9eeaf8b37a66cac2c57835ffbd) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/29 01:06:25.0080 iirsp (aa9ab3b793401463bb938adef5fa8266) C:\WINDOWS\system32\DRIVERS\iirsp.sys
2010/12/29 01:06:25.0220 imapi (44c132b35921b54b4a9ac64369d86d83) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/29 01:06:25.0377 IntelIde (1690a4be249ba6195ba7258943cada58) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/12/29 01:06:25.0502 intelppm (7d7575b971b3a0fe26fac6f5d58f5180) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/12/29 01:06:25.0642 Ip6Fw (d7e7e7898a05c53dd862b49828747c1e) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/12/29 01:06:25.0783 IpFilterDriver (5a41f207b7c39ee4918f7496a4f19b14) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/29 01:06:26.0064 IpNat (890e7a14a63aec2ea9257a79a88be784) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/29 01:06:26.0189 IPSec (1a9aeac49683b32df55b7fb1516f3028) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/29 01:06:26.0330 ipsraidn (c8594550880b16a31c99ec42b106e14f) C:\WINDOWS\system32\DRIVERS\ipsraidn.sys
2010/12/29 01:06:26.0455 IRENUM (11407ee682a2d5b0248de8af0f1a6996) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/29 01:06:26.0595 isapnp (b71ba04a3b5d4404225ccdbf1969078f) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/29 01:06:26.0814 Kbdclass (e5097a07e14f36abc21fa18d88f93655) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/29 01:06:26.0955 KSecDD (9a99005e1a41ab360de231fb8e2f6184) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/29 01:06:27.0189 lp6nds35 (fdd8ba3317e07f2e5af608468821a093) C:\WINDOWS\system32\DRIVERS\lp6nds35.sys
2010/12/29 01:06:27.0377 mfeapfk (a8d2c54c2f71f5cba7ca2734341e57e6) C:\WINDOWS\system32\drivers\mfeapfk.sys
2010/12/29 01:06:27.0517 mfeavfk (28bb783d85df19e9e007e81daf40adcc) C:\WINDOWS\system32\drivers\mfeavfk.sys
2010/12/29 01:06:27.0642 mfebopk (8e43e242073e9db5aa165ebe273ffd09) C:\WINDOWS\system32\drivers\mfebopk.sys
2010/12/29 01:06:27.0798 mfehidk (e94d35a2a9b175b34b995ab37216c73e) C:\WINDOWS\system32\drivers\mfehidk.sys
2010/12/29 01:06:27.0923 mferkdet (f68c9cda15114b360727fe622e4aec6f) C:\WINDOWS\system32\drivers\mferkdet.sys
2010/12/29 01:06:28.0048 mfetdik (78efa6fd2a486c476045eaa1d2f218b7) C:\WINDOWS\system32\drivers\mfetdik.sys
2010/12/29 01:06:28.0205 mnmdd (c35bb38904d843c0465858195b30dab7) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/29 01:06:28.0392 Modem (81ec1c6d3798b36a92a6d7a355ba2c62) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/29 01:06:28.0580 Mouclass (aa50da5ab638ce0bab5f7d5d633110c2) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/29 01:06:28.0720 MountMgr (fc43a7a34309c750b9daeadf2f6ec9b9) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/29 01:06:28.0908 mraid35x (4fa93ba7ae719fb6c0a2be09ac357863) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2010/12/29 01:06:29.0048 MRxDAV (ab6db63a1791f8e86b085291686464fd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/29 01:06:29.0205 MRxSmb (da38b4528a78a1adab76e28669f2a6e7) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/29 01:06:29.0361 Msfs (8f50b87361585763841c6b603d23260c) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/29 01:06:29.0548 mssmbios (92afab2f216ce8ffbad3bc510fcf4a33) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/29 01:06:29.0673 Mup (e0c7b0d27376d7341fc0a0797476adec) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/29 01:06:29.0877 NDIS (33739ab31d36184772af1ee132d5c2e2) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/29 01:06:30.0127 NdisTapi (bbab8ce7a8d2b1302da0b03825d9cae4) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/29 01:06:30.0267 Ndisuio (8b8e682b03483092e17ab9dfe70fedff) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/29 01:06:30.0408 NdisWan (1b397eef4614419be5679e0209f7848b) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/29 01:06:30.0533 NDProxy (d3ced37468b3303ef0c8b24b0585390f) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/29 01:06:30.0736 NetBIOS (a0d5d6ae530ca78a062fc0471f1e6f78) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/29 01:06:30.0877 NetBT (5cd7cca08498ec8753b22e92d367ca11) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/29 01:06:31.0064 nfrd960 (802ab2e85621288fe716a8c91df733fb) C:\WINDOWS\system32\DRIVERS\nfrd960.sys
2010/12/29 01:06:31.0205 nm (bda076e263a1c2bf190a3dddd504b3ea) C:\WINDOWS\system32\DRIVERS\NMnt.sys
2010/12/29 01:06:31.0345 Npfs (d5bb605f6dcbdfe0129670c8de57913e) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/29 01:06:31.0564 Ntfs (482ea51aadb8763a0f67588c394ec693) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/29 01:06:31.0783 Null (5db0ede7aaf3a7bc9110d18c12524be0) C:\WINDOWS\system32\drivers\Null.sys
2010/12/29 01:06:31.0986 nv_agp (238114d2b9da5a26cd4f6aa7c7687b29) C:\WINDOWS\system32\DRIVERS\nv_agp.sys
2010/12/29 01:06:32.0142 Parport (ee3333b36deb86a0d472f037172da10a) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/12/29 01:06:32.0283 PartMgr (4eb6f7418959444a06d3c51eb81bff04) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/29 01:06:32.0455 Parvdm (a9d29f3d7ae71b7ea721b53a0c436c66) C:\WINDOWS\system32\DRIVERS\parvdm.sys
2010/12/29 01:06:32.0595 PCI (8217000e5c53ce823b3111f339e47c41) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/29 01:06:32.0736 PCIIde (7e3fb50aa22d4ed883c6abdd40e9c60b) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/12/29 01:06:32.0877 Pcmcia (fc9f4c9c73e9698357c836be4628a299) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/12/29 01:06:33.0595 perc2 (3472492c0f61f4c5e5e79ee5617acf31) C:\WINDOWS\system32\DRIVERS\perc2.sys
2010/12/29 01:06:33.0736 perc2hib (f7a93284fd163f337c931863c95bdd23) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2010/12/29 01:06:33.0955 PptpMiniport (4454f2639bcca93be86a45137e427277) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/29 01:06:34.0111 Ptilink (0320fd91fb5ed4298355977cecfc0eb4) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/12/29 01:06:34.0236 ql1080 (8485bd4c7a781fd1754ff42b1dc36a9a) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2010/12/29 01:06:34.0377 Ql10wnt (fe6256e7714e96df9e8df44a9f3db791) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2010/12/29 01:06:34.0502 ql12160 (ca811eaeb772d19a8d37db71564368f9) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2010/12/29 01:06:34.0642 ql1240 (7e88fd1baa8b3e6510e83a62040582d6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2010/12/29 01:06:34.0798 ql1280 (d78e91dace023a05faaf5ee6ce7f289c) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2010/12/29 01:06:34.0939 ql2100 (e6bdb78d0f8108487709ead87ac848da) C:\WINDOWS\system32\DRIVERS\ql2100.sys
2010/12/29 01:06:35.0080 ql2200 (c6587711b694feb0521ae2639307cf59) C:\WINDOWS\system32\DRIVERS\ql2200.sys
2010/12/29 01:06:35.0220 ql2300 (5d60b4db95d1a85fe102217f815696a3) C:\WINDOWS\system32\DRIVERS\ql2300.sys
2010/12/29 01:06:35.0361 RasAcd (48ee7b6802c0306f9a66f34db7e9ef75) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/12/29 01:06:35.0502 Rasl2tp (3633175613e052ecb41776dee2777a89) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/12/29 01:06:35.0642 RasPppoe (59842f0a22216a71cade6f89fe84c973) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/12/29 01:06:35.0798 Raspti (5b11871de804d3ed28bbdcc65fe14ede) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/12/29 01:06:35.0939 Rdbss (4496b15c44ccb703fbc54f2cf5b67f15) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/12/29 01:06:36.0080 RDPCDD (ac5bb528ecd2bea4ff4bff9df9baf749) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/12/29 01:06:36.0220 rdpdr (ff678596b761e1ccba79f49981ef51bc) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/12/29 01:06:36.0361 RDPWD (477d7af3c3583eb85e23375225650b1c) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/12/29 01:06:36.0627 redbook (c6f8751f3263603935866e71629cfae4) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/12/29 01:06:36.0814 sacdrv (34d79729d6e4d1289e08322405045085) C:\WINDOWS\system32\drivers\sacdrv.sys
2010/12/29 01:06:37.0095 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/12/29 01:06:37.0252 serenum (b261d4597bf9a2723b7020207260c72a) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/12/29 01:06:37.0392 Serial (95768fde08dd34089aa90dccb5537704) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/12/29 01:06:37.0549 Sfloppy (831826dc54fa225f0b654ef2f1e13af9) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/29 01:06:37.0955 sisagp (e7a36be30c0bd75eeefc4099ca5429aa) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2010/12/29 01:06:38.0127 Srv (63331085641446f423738d87e495deb6) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/29 01:06:38.0267 swenum (93965919785102ba847545ab460ce2df) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/29 01:06:38.0424 symc810 (3d05bfdaef2d2d7eed998ba126fb3466) C:\WINDOWS\system32\DRIVERS\symc810.sys
2010/12/29 01:06:38.0549 symc8xx (57f992062e8ff2d37572ec5823f956e7) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2010/12/29 01:06:38.0595 SymEvent (7e3a39f208d93f7d443794db9aefbe44) C:\Program Files\Symantec\SYMEVENT.SYS
2010/12/29 01:06:38.0736 symmpi (432979129e0499b0df8d1bbaa5d72225) C:\WINDOWS\system32\DRIVERS\symmpi.sys
2010/12/29 01:06:38.0877 sym_hi (1fbddf0dc4583922c904195823ebd795) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2010/12/29 01:06:39.0033 sym_u3 (ebd31469527afa05814b3d1a140c24e2) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/12/29 01:06:39.0861 Tcpip (238dc2b879d1b37b91f8d5d44f3815d3) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/29 01:06:39.0986 TDPIPE (45d49fb800463de84d1cc2e231319ad5) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/29 01:06:40.0236 TDTCP (d7c31008de209b8b11ced207580e9c91) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/29 01:06:40.0470 TermDD (a01e46fff445a38d35db188c5458582c) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/29 01:06:40.0642 TosIde (d5a95a19ca6e79633afde86fb8d039fd) C:\WINDOWS\system32\DRIVERS\toside.sys
2010/12/29 01:06:40.0861 Udfs (c26024265a7523312a5d06fc33aa57aa) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/29 01:06:41.0111 uliagpkx (cba54e96b4f5ba978b325ae4cc58d392) C:\WINDOWS\system32\DRIVERS\uliagpkx.sys
2010/12/29 01:06:41.0236 ultra (b4bfee4ae295853065f1695a196d9790) C:\WINDOWS\system32\DRIVERS\ultra.sys
2010/12/29 01:06:41.0392 Update (b0e133858e63940755b496761834f334) C:\WINDOWS\system32\DRIVERS\update.sys
2010/12/29 01:06:41.0533 usbccgp (185959a7fccfd38aa71a274ae6252b88) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/12/29 01:06:41.0674 usbehci (9dd4aba9462938734bcbf51d8669c884) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/29 01:06:41.0814 usbhub (17859937740bc0d422fe71a588d6ddf7) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/29 01:06:41.0955 usbohci (910b3b46da0fb5520988f351d0719342) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/12/29 01:06:42.0095 USBSTOR (d0740ff9f7e819486e88096826b4dc37) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/29 01:06:42.0236 usbuhci (cbd3053337bb475f442a892edf671312) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/12/29 01:06:42.0377 VgaSave (062fbc10147fd837d819f94aa394e661) C:\WINDOWS\System32\drivers\vga.sys
2010/12/29 01:06:42.0517 viaagp (8f411df1fc53e2f8581f125b40674ee1) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2010/12/29 01:06:42.0642 ViaIde (19a9a290823d0fdf7316440922da175e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/12/29 01:06:42.0861 VolSnap (45ae67c387a640ec6e228f30d421f088) C:\WINDOWS\system32\DRIVERS\volsnap.sys
2010/12/29 01:06:43.0017 Wanarp (ce030b1d05a01fa012d32f2d25676b1c) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/29 01:06:43.0517 WLBS (d346e2f289f23e557ddfb9132d1dab35) C:\WINDOWS\system32\DRIVERS\wlbs.sys
2010/12/29 01:06:43.0720 ================================================================================
2010/12/29 01:06:43.0720 Scan finished
2010/12/29 01:06:43.0720 ================================================================================
2010/12/29 01:13:55.0629 Deinitialize success

ESET Online Scan log:

C:\Documents and Settings\gah\Application Data\Sun\Java\Deployment\cache\6.0\10\334136ca-6e5eb13c a variant of Java/Exploit.Agent.NAL trojan
C:\Documents and Settings\gah\Application Data\Sun\Java\Deployment\cache\6.0\58\551652ba-44b514a0 multiple threats
C:\Documents and Settings\gah\Application Data\Sun\Java\Deployment\cache\6.0\59\4900bfbb-2dbafe40 multiple threats
C:\Documents and Settings\mdh\Application Data\Qoicm\epagt.exe a variant of Win32/Kryptik.IPS trojan
C:\Documents and Settings\shh\Application Data\Etyg\iwla.exe a variant of Win32/Kryptik.IPS trojan

#4 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:02:29 PM

Posted 29 December 2010 - 09:50 PM

Meant to say that you should not run Combofix with our assistance it could shut you down and I don't think we need it. How is it running now?

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 ghacker

  • Topic Starter

  • Members
  • 3 posts
  • Local time:01:29 PM

Posted 06 January 2011 - 09:54 AM

:thumbsup: Sorry it took so long to respond - holidays and all that. Things still look good - neither McAfee support nor MBAM or any other tool is detecting a problem at this point. I guess I'll have to add that ESET online scan to the antimalware toolkit - it was the only thing that was detecting the trojan dropper. Here's the MBAM log:

Malwarebytes' Anti-Malware

Database version: 5468

Windows 5.2.3790 Service Pack 2
Internet Explorer 8.0.6001.18702

1/6/2011 2:28:34 AM
mbam-log-2011-01-06 (02-28-34).txt

Scan type: Quick scan
Objects scanned: 306433
Time elapsed: 7 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:02:29 PM

Posted 06 January 2011 - 09:15 PM

Ok, looks good here. Yes it's good to have a few tools handy as no one tool can get it all. Good luck.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Posted Image > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Posted Image > Run... and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links:
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users