Completely puzzled...


13 replies to this topic

#1 Incapable

Posted 06 January 2011 - 07:20 PM

I've been working in the IT field going on 6 years now, and I'm completely confused by what has happened to my home network. I'm turning to the great minds on BleepingComputers for help!

So, here's what I've done as of this last week:

Reformatted a single laptop and a single desktop. I used DBAN for the wipe (DoD standard wipe). I installed Windows XP Professional SP2 on the laptop and used a OEM Dell Windows XP SP3 disk on the Desktop. I used an external hard drive from the office to install the LAN drivers for both. I also installed MSE and Firefox on both prior to booting Internet Explorer (both were on the external as well). On the laptop, I used a network installation of SP3 for XP, and it went through just fine. I've been running Combofix and GMER every 1-2 hours to check for an updated infection.

Here's where they get different:

I've noticed the last few times I've reinstalled Windows and got this rootkit again, it's been after I installed updates via the "Windows Update" (%SystemRoot%\system32\wupdmgr.exe is the path it's directed at). I've installed the updates on my desktop to verify that it's the root of the issue, and it is. The desktop (as of my last scan) has the unlabeled rootkit again. The reason I say it's unlabeled is because, normally at the office when I'm running Combofix it gives me some indication of what/where the rootkit is located, this time it doesn't.

Is this something new or am I just now experiencing this? I've never dealt with anything of this caliber and if you guys can help me get this resolved, I can use my new knowledge to help in the same predicament.

Thanks a ton in advance!
~Incapable

#2 teacup61

  • Malware Response Team
Posted 06 January 2011 - 07:55 PM

Hello Incapable ,

Could I please see the ComboFix report? :) Also, please have a run with this, and then I'll be able to tell you more. :)

Download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Thanks,
tea

** Could a Mod please move this thread to malware removal? :wub:
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 Incapable

Posted 06 January 2011 - 11:35 PM

Moving topic to log forum. ~ OB

Hi Tea! I'm from Texas as well. :) Such a great state we live in! Now, onto business.

Combofix report:

ComboFix 11-01-06.03 - Cameron 01/06/2011 22:27:45.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1788 [GMT -6:00]
Running from: c:\documents and settings\Cameron\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-12-07 to 2011-01-07 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-06 00:26 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2008-04-14 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-05 05:05 . 2010-11-05 05:05 81920 ------w- c:\windows\system32\ieencode.dll
2010-11-03 12:25 . 2008-04-14 12:00 385024 ------w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2008-04-14 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2008-04-14 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((( SnapShot_2011-01-06_23.37.19 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Spooler"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

S0 cerc6;cerc6; [x]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Cameron\Application Data\Mozilla\Firefox\Profiles\575sm913.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-06 22:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2011-01-06 22:30:16
ComboFix-quarantined-files.txt 2011-01-07 04:30
ComboFix2.txt 2011-01-07 04:22
ComboFix3.txt 2011-01-07 04:19
ComboFix4.txt 2011-01-06 23:55
ComboFix5.txt 2011-01-07 04:24

Pre-Run: 495,059,943,424 bytes free
Post-Run: 495,058,206,720 bytes free

- - End Of File - - 62F5887D2B3D1764F83FB5133E1365BC



TDSSKiller:

2011/01/06 22:31:57.0718 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2011/01/06 22:31:57.0718 ================================================================================
2011/01/06 22:31:57.0718 SystemInfo:
2011/01/06 22:31:57.0718
2011/01/06 22:31:57.0718 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/06 22:31:57.0718 Product type: Workstation
2011/01/06 22:31:57.0718 ComputerName: DESKTOP-1
2011/01/06 22:31:57.0718 UserName: Cameron
2011/01/06 22:31:57.0718 Windows directory: C:\WINDOWS
2011/01/06 22:31:57.0718 System windows directory: C:\WINDOWS
2011/01/06 22:31:57.0718 Processor architecture: Intel x86
2011/01/06 22:31:57.0718 Number of processors: 2
2011/01/06 22:31:57.0718 Page size: 0x1000
2011/01/06 22:31:57.0718 Boot type: Normal boot
2011/01/06 22:31:57.0718 ================================================================================
2011/01/06 22:31:57.0921 Initialize success
2011/01/06 22:31:59.0733 ================================================================================
2011/01/06 22:31:59.0733 Scan started
2011/01/06 22:31:59.0733 Mode: Manual;
2011/01/06 22:31:59.0733 ================================================================================
2011/01/06 22:32:08.0218 ================================================================================
2011/01/06 22:32:08.0218 Scan finished
2011/01/06 22:32:08.0218 ================================================================================
2011/01/06 22:32:11.0827 Deinitialize success



I'd also like to point out something about the Combofix scans. As you know, when it warns you about the rootkit, it tells you it needs to restart and such. Mine will warn of it and never shut the machine down; I have to hold the button in for it to go off.


Thanks again,
~Incapable

Edited by Orange Blossom, 09 January 2011 - 09:30 PM.


#4 teacup61

  • Malware Response Team
Posted 07 January 2011 - 10:27 AM

Hello there,

Planet Texas.....no other place like it anywhere. :thumbup2:

I'd like one more scan, please. These aren't doing/showing anything, so if this one doesn't either......how do you feel about digging really deep outside of the Windows environment? You up to it? :)

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Thanks,
tea

#5 Incapable

Posted 07 January 2011 - 07:41 PM

Heya Tea!

I'm more than willing to experiment outside of Windows. Here's my Malwarebytes' scan:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5481

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/7/2011 6:36:59 PM
mbam-log-2011-01-07 (18-36-59).txt

Scan type: Quick scan
Objects scanned: 120948
Time elapsed: 1 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



On a side note, I ran the Windows Updates on a fresh install of Windows in the shop and it ended up with the same rootkit. You think it's an exploit in a Windows update?

#6 teacup61

  • Malware Response Team
Posted 08 January 2011 - 12:19 AM

I should have asked long before now, and I apologize. Could I please see a gmer report? I'd like to see what you're seeing before doing anything more intricate. :)

Thanks,
tea

#7 Incapable

Posted 08 January 2011 - 12:36 AM

I've started the scan with GMER again. I noticed that the one that I had originally run didn't seem like it was complete. I'm new to using GMER so I don't know if it's completed or not, but here it is:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-06 21:28:09
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3500630AS rev.3.ADG
Running: 0rdhtgwm.exe; Driver: C:\DOCUME~1\Cameron\LOCALS~1\Temp\fxdirpoc.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1

---- EOF - GMER 1.0.15 ----


I'll have the new one posted as soon as it gets done.

Thank you again,
~Incapable

#8 teacup61

  • Malware Response Team
Posted 08 January 2011 - 12:48 AM

Hi there,

Hmmm.....what is it telling you you have a rootkit then?

#9 Incapable

Posted 08 January 2011 - 03:30 PM

It pops up after I've done Windows Updates via the website. I wouldn't think it was a fake positive, considering my machine/net runs much slower afterwards. Perhaps it's something new? Something undetectable? I'm not really sure anymore. The only thing I've been able to learn about it is, it's a networked rootkit and it comes after Windows Updates have been installed.

Let me know if there's any other scans I can do/test in order to remedy this.

~Incapable

*EDIT*

So, I ran Combofix after leaving this machine hooked up to the internet for roughly 15 hours with no user interaction, and this is my updated Combofix log:

ComboFix 11-01-08.01 - Cameron 01/08/2011 14:37:52.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1656 [GMT -6:00]
Running from: c:\documents and settings\Cameron\My Documents\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.

((((((((((((((((((((((((( Files Created from 2010-12-08 to 2011-01-08 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-06 00:26 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2008-04-14 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-05 05:05 . 2010-11-05 05:05 81920 ------w- c:\windows\system32\ieencode.dll
2010-11-03 12:25 . 2008-04-14 12:00 385024 ------w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2008-04-14 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2008-04-14 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-25 03:25 . 2010-10-25 03:25 165264 ----a-w- c:\windows\system32\drivers\MpFilter.sys
.

((((((((((((((((((((((((((((( SnapShot_2011-01-06_23.37.19 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-14 12:00 . 2008-04-14 12:00 75776 c:\windows\system32\strmfilt.dll
+ 2008-04-14 12:00 . 2009-10-21 05:38 75776 c:\windows\system32\strmfilt.dll
+ 2008-04-14 12:00 . 2010-08-27 05:57 99840 c:\windows\system32\srvsvc.dll
- 2008-04-14 12:00 . 2011-01-06 23:18 40196 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2011-01-08 04:25 40196 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2009-10-21 05:38 25088 c:\windows\system32\httpapi.dll
+ 2011-01-08 00:33 . 2010-12-21 00:09 38224 c:\windows\system32\drivers\mbamswissarmy.sys
+ 2011-01-08 00:33 . 2010-12-21 00:08 20952 c:\windows\system32\drivers\mbam.sys
- 2008-04-14 12:00 . 2008-04-14 12:00 75776 c:\windows\system32\dllcache\strmfilt.dll
+ 2008-04-14 12:00 . 2009-10-21 05:38 75776 c:\windows\system32\dllcache\strmfilt.dll
+ 2008-04-14 12:00 . 2010-08-27 05:57 99840 c:\windows\system32\dllcache\srvsvc.dll
+ 2008-04-14 12:00 . 2009-10-21 05:38 25088 c:\windows\system32\dllcache\httpapi.dll
+ 2011-01-06 22:22 . 2010-08-26 12:52 5120 c:\windows\system32\xpsp4res.dll
- 2011-01-06 22:22 . 2010-08-13 12:53 5120 c:\windows\system32\xpsp4res.dll
+ 2005-09-23 04:48 . 2005-09-23 04:48 626688 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll
+ 2005-09-23 04:48 . 2005-09-23 04:48 548864 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcp80.dll
+ 2005-09-23 04:48 . 2005-09-23 04:48 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcm80.dll
+ 2008-04-14 12:00 . 2009-08-25 09:17 354816 c:\windows\system32\winhttp.dll
+ 2008-04-14 12:00 . 2010-03-10 06:15 420352 c:\windows\system32\vbscript.dll
- 2008-04-14 12:00 . 2009-03-08 10:33 420352 c:\windows\system32\vbscript.dll
- 2008-04-14 12:00 . 2011-01-06 23:18 311934 c:\windows\system32\perfh009.dat
+ 2008-04-14 12:00 . 2011-01-08 04:25 311934 c:\windows\system32\perfh009.dat
+ 2011-01-08 00:32 . 2009-08-07 01:23 215920 c:\windows\system32\muweb.dll
+ 2011-01-08 00:32 . 2009-08-07 01:23 274288 c:\windows\system32\mucltui.dll
+ 2011-01-07 06:44 . 2010-10-19 20:51 222080 c:\windows\system32\MpSigStub.exe
- 2008-04-14 12:00 . 2009-03-08 10:33 726528 c:\windows\system32\jscript.dll
+ 2008-04-14 12:00 . 2009-12-09 05:53 726528 c:\windows\system32\jscript.dll
+ 2011-01-04 23:14 . 2010-06-09 07:43 692736 c:\windows\system32\inetcomm.dll
+ 2008-04-14 12:00 . 2010-08-26 13:39 357248 c:\windows\system32\drivers\srv.sys
+ 2008-04-14 12:00 . 2009-10-20 16:20 265728 c:\windows\system32\drivers\http.sys
+ 2008-04-14 12:00 . 2009-08-25 09:17 354816 c:\windows\system32\dllcache\winhttp.dll
+ 2008-04-14 12:00 . 2010-03-10 06:15 420352 c:\windows\system32\dllcache\vbscript.dll
- 2008-04-14 12:00 . 2009-03-08 10:33 420352 c:\windows\system32\dllcache\vbscript.dll
+ 2008-04-14 12:00 . 2010-08-26 13:39 357248 c:\windows\system32\dllcache\srv.sys
- 2008-04-14 12:00 . 2009-03-08 10:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2008-04-14 12:00 . 2009-12-09 05:53 726528 c:\windows\system32\dllcache\jscript.dll
+ 2011-01-04 23:14 . 2010-06-09 07:43 692736 c:\windows\system32\dllcache\inetcomm.dll
+ 2009-10-20 16:20 . 2009-10-20 16:20 265728 c:\windows\system32\dllcache\http.sys
+ 2011-01-07 06:43 . 2011-01-07 06:43 786432 c:\windows\Installer\7c8466.msi
+ 2011-01-07 06:43 . 2011-01-07 06:43 479744 c:\windows\Installer\7c8460.msi
+ 2011-01-07 06:43 . 2011-01-07 06:43 301056 c:\windows\Installer\7c845b.msi

+ 2011-01-08 04:18 . 2009-03-08 10:33 420352 c:\windows\ie8updates\KB981332-IE8\vbscript.dll
+ 2011-01-08 04:18 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB981332-IE8\spuninst\updspapi.dll
+ 2011-01-08 04:18 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB981332-IE8\spuninst\spuninst.exe
+ 2011-01-08 04:18 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976662-IE8\spuninst\updspapi.dll
+ 2011-01-08 04:18 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976662-IE8\spuninst\spuninst.exe
+ 2011-01-08 04:18 . 2009-06-22 06:44 726528 c:\windows\ie8updates\KB976662-IE8\jscript.dll
+ 2011-01-08 04:18 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2011-01-08 04:18 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2011-01-08 04:18 . 2009-03-08 10:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
+ 2009-10-20 16:20 . 2009-10-20 16:20 265728 c:\windows\Driver Cache\i386\http.sys
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Spooler"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

S0 cerc6;cerc6; [x]
.
Contents of the 'Scheduled Tasks' folder

2011-01-08 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 18:26]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Cameron\Application Data\Mozilla\Firefox\Profiles\575sm913.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-08 14:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2011-01-08 14:40:37
ComboFix-quarantined-files.txt 2011-01-08 20:40
ComboFix2.txt 2011-01-07 04:30
ComboFix3.txt 2011-01-07 04:22
ComboFix4.txt 2011-01-07 04:19
ComboFix5.txt 2011-01-08 20:33

Pre-Run: 494,557,306,880 bytes free
Post-Run: 494,563,139,584 bytes free

- - End Of File - - 0774A92ED235C39DAD45897BB82F4EB9


It's much more different than the original, two days ago. I haven't installed anything, used this machine for any more than updating logs on here, or even browsed the web. I highlighted some files in an off red due to their entirety. Perhaps this is something new since all other scanners have missed it, or is it something that's normally there?

Edited by Incapable, 08 January 2011 - 04:01 PM.
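One way to read the snapshot section of a ComboFix log like the one above: every `+`/`-` pair that shares a path is a file that was replaced between the two snapshots, and the lines differ only in the second timestamp, as they do for `vbscript.dll` and `jscript.dll` in the post. The script below is an added example written for this thread; it is not part of ComboFix or of the original post. It parses lines in the snapshot's shape, groups them by path into replaced / added / removed, and matches each removed version against an added copy of the same name, size and timestamp under an `ie8updates\` folder (the uninstall backups the log shows). The order of the two timestamp columns (created vs. modified) is an assumption; the code only relies on the second one being the version-distinguishing value. The sample lines are a constructed subset of the log above.

```python
import re
from collections import defaultdict

# Constructed sample in the ComboFix snapshot-diff line shape seen in the thread:
# "<+|-> <timestamp A> . <timestamp B> <size> <path>"
SAMPLE = r"""
+ 2008-04-14 12:00 . 2010-03-10 06:15 420352 c:\windows\system32\vbscript.dll
- 2008-04-14 12:00 . 2009-03-08 10:33 420352 c:\windows\system32\vbscript.dll
- 2008-04-14 12:00 . 2009-03-08 10:33 726528 c:\windows\system32\jscript.dll
+ 2008-04-14 12:00 . 2009-12-09 05:53 726528 c:\windows\system32\jscript.dll
+ 2011-01-08 00:32 . 2009-08-07 01:23 215920 c:\windows\system32\muweb.dll
+ 2011-01-08 04:18 . 2009-03-08 10:33 420352 c:\windows\ie8updates\KB981332-IE8\vbscript.dll
"""

LINE_RE = re.compile(
    r"^([+-])\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+(.+?)\s*$"
)


def parse_snapshot(text):
    """Return one dict per +/- line; lines in any other shape are skipped.
    Which timestamp is 'created' and which is 'modified' is assumed, not
    confirmed by the log; the second column is the one that changes
    between a -/+ pair, so that is the version key used below."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sign, ts_a, ts_b, size, path = m.groups()
        entries.append({"sign": sign, "ts_a": ts_a, "ts_b": ts_b,
                        "size": int(size), "path": path.lower()})
    return entries


def classify(entries):
    """Group by path: 'replaced' when a path has both - and + (old -> new
    timestamp), 'added' when only +, 'removed' when only -."""
    by_path = defaultdict(lambda: {"-": None, "+": None})
    for e in entries:
        by_path[e["path"]][e["sign"]] = e
    result = {"replaced": [], "added": [], "removed": []}
    for path, pair in by_path.items():
        old, new = pair["-"], pair["+"]
        if old and new:
            result["replaced"].append((path, old["ts_b"], new["ts_b"]))
        elif new:
            result["added"].append((path, new["ts_b"]))
        else:
            result["removed"].append((path, old["ts_b"]))
    for key in result:
        result[key].sort()
    return result


def find_update_backups(entries):
    """Pair each removed file with an added copy of the same basename, size
    and timestamp stored under an ie8updates\\ folder.  A match means the
    superseded binary was kept as a patch uninstall backup, which accounts
    for the -/+ pair without anything being hidden."""
    removed = [e for e in entries if e["sign"] == "-"]
    backups = [e for e in entries
               if e["sign"] == "+" and "\\ie8updates\\" in e["path"]]
    pairs = []
    for old in removed:
        base = old["path"].rsplit("\\", 1)[-1]
        for new in backups:
            if (new["path"].endswith("\\" + base)
                    and new["size"] == old["size"]
                    and new["ts_b"] == old["ts_b"]):
                pairs.append((old["path"], new["path"]))
    return sorted(pairs)


if __name__ == "__main__":
    parsed = parse_snapshot(SAMPLE)
    groups = classify(parsed)
    for kind in ("replaced", "added", "removed"):
        print(kind)
        for row in groups[kind]:
            print("   ", *row)
    print("uninstall backups")
    for old_path, backup_path in find_update_backups(parsed):
        print("   ", old_path, "->", backup_path)
```

Run against a full log, the `replaced` list is where attention belongs: a system DLL whose new version has no matching KB folder or Windows Update entry deserves a closer look, while a pair whose old version reappears under `ie8updates\` is the ordinary footprint of a patch.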


#10 Incapable (Topic Starter)

Posted 08 January 2011 - 06:52 PM

Update: I'm on the phone with Microsoft about this. He has me running Windows Live OneCare safety scanner and VIPER rescue. I'll keep this thread updated with what's going on.

*EDIT*
Nothing worked. I feel like just formatting to Vista and seeing if it's happening there as well.

Edited by Incapable, 08 January 2011 - 08:34 PM.


#11 teacup61 (Bleepin' Texan!, Malware Response Team)

Posted 09 January 2011 - 07:29 AM

Hi there,

If you're going to reformat please let me know so I don't waste my time with anything further.

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#12 Incapable (Topic Starter)

Posted 09 January 2011 - 11:49 AM

Well, I'm going to format it back to XP and install each update individually. When I talked to Microsoft technicians last night, they informed me that nothing like this is out, at least not that they know of. So, bear with me and I'll keep you posted on what I find out.

#13 teacup61 (Bleepin' Texan!, Malware Response Team)

Posted 09 January 2011 - 05:36 PM

Thanks for letting me know. :thumbup2:

tea

#14 Incapable (Topic Starter)

Posted 10 January 2011 - 02:29 AM

I ran the laptop with the infection on the network for a few seconds and realized this computer was still on the network, so I turned off the laptop quickly and did a scan on this computer. This is what my Combofix showed:

ComboFix 11-01-08.05 - user 01/10/2011 1:11.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1453 [GMT -6:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\user\LOCALS~1\Temp\swt-win32-3349.dll
c:\documents and settings\user\Local Settings\Temp\swt-win32-3349.dll

.
((((((((((((((((((((((((( Files Created from 2010-12-10 to 2011-01-10 )))))))))))))))))))))))))))))))
.

2011-01-09 22:04 . 2011-01-09 22:04 -------- d-----w- C:\Intel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( SnapShot_2011-01-10_06.25.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-10 03:23 . 2008-04-14 12:00 23552 c:\windows\LastGood.Tmp\system32\wdmaud.drv
+ 2011-01-10 03:23 . 2008-04-14 12:00 49408 c:\windows\LastGood.Tmp\system32\drivers\stream.sys
+ 2011-01-10 03:23 . 2008-04-14 12:00 141056 c:\windows\LastGood.Tmp\system32\drivers\ks.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-17 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-17 138008]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-02 16851456]
"SkyTel"="SkyTel.EXE" [2007-11-21 1826816]
"SoundMan"="SOUNDMAN.EXE" [2008-08-19 77824]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58565:TCP"= 58565:TCP:Pando Media Booster
"58565:UDP"= 58565:UDP:Pando Media Booster

S0 cerc6;cerc6; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PARPORT
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\df9pjfjz.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-10 01:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2011-01-10 01:18:29 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-10 07:18
ComboFix2.txt 2011-01-10 06:26
ComboFix3.txt 2011-01-09 21:58

Pre-Run: 495,163,412,480 bytes free
Post-Run: 495,163,961,344 bytes free

- - End Of File - - 3C0C4110A6FD1E9FA843901A37FFF22D


Very interesting deletion. Must follow up on this detection tomorrow. For now, another reformat. :(