Windows XP explorer virus opening IE Script error windows


This topic is locked
15 replies to this topic

#1 kurth

  • Members
  • 9 posts

Posted 13 April 2011 - 05:27 PM

This started out manifesting itself like the Windows Restore malware. I disabled that before looking around for a 'fix', by removing the aberrant application, and unhiding all the files it had hidden. Ever since then, however, as soon as explorer starts up, I can see in a network trace that it starts going off to random sites, and doing god knows what. Eventually it devolves into opening IE script error dialogs, and pegging the CPU. Interestingly, IE isn't installed, SecureIE from WinFerno is, and the virus showed up while using Firefox, which has also since been de-installed.

Hope you can help. Here is the DDS file, and the attach.zip and ark.txt files are attached.

Thanks!

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by kurth at 15:04:18.90 on Wed 04/13/2011
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.587 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
C:\windows\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
C:\windows\system32\brsvc01a.exe
C:\windows\system32\spoolsv.exe
C:\windows\system32\brss01a.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
svchost.exe
C:\windows\ehome\ehSched.exe
C:\PROGRA~1\GFI\GFIBAC~1\GFIHInst.exe
C:\PROGRA~1\GFI\GFIBAC~1\GFIHSC~1.EXE
C:\Program Files\HP\HPLaserJetService\HPLaserJetService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\windows\system32\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\Explorer.EXE
C:\windows\system32\nvsvc32.exe
C:\windows\system32\rundll32.exe
C:\windows\System32\svchost.exe -k HPZ12
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
C:\windows\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Winferno\WSS\WSS.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\AGRSMMSG.exe
C:\Program Files\HP\ToolboxFX\bin\HPTLBXFX.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\PROGRA~1\Eraser\Eraser.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\Anti-Theft\McPvTray.exe
D:\Winferno\Secure IE\SIEPulse.exe
C:\windows\system32\RUNDLL32.EXE
C:\windows\system32\CTHELPER.EXE
C:\PROGRA~1\GFI\GFIBAC~1\GFIAgent.exe
C:\Program Files\Squeezebox\SqueezeTray.exe
C:\Program Files\Password Safe\pwsafe.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\windows\System32\vssvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\System32\dllhost.exe
C:\Documents and Settings\kurth\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.nytimes.com/
mDefault_Page_URL = hxxp://www.sony.com/vaiopeople
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PCCBHO.CPCCBHO: {22fc6ce8-7d47-479f-b74a-bfbb04adb9af} - d:\winferno\pc confidential\PCCBHO.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110407162818.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [GFI Backup 2009 - Home Edition] "c:\progra~1\gfi\gfibac~1\GFIAgent.exe"
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ToolboxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [Eraser] "c:\progra~1\eraser\Eraser.exe" --atRestart
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McPvTray] c:\program files\mcafee\anti-theft\McPvTray.exe
mRun: [SIE2007] "d:\winferno\secure ie\SIEPulse.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [CTHelper] CTHELPER.EXE
StartupFolder: c:\docume~1\kurth\startm~1\programs\startup\passwo~1.lnk - c:\program files\password safe\pwsafe.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\squeez~1.lnk - c:\program files\squeezebox\SqueezeTray.exe
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - d:\winferno\pc confidential\PCConfidential.exe
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA} - d:\winferno\pc confidential\PCConfidential.exe
Trusted Zone: 3pardata.com\bugs
Trusted Zone: creative.com
Trusted Zone: dell.com\accessories.us
Trusted Zone: imagebam.com\www
Trusted Zone: intuit.com\ttlc
Trusted Zone: live.com\oncare
Trusted Zone: live.com\onecare
Trusted Zone: microsoft.com
Trusted Zone: sony.com\esupport
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/A/D/FADB11F1-A66C-43C0-AFCA-1106CF4BA374/wmsp9dmo.CAB
DPF: {00000035-9593-4264-8B29-930B3E4EDCCD} - hxxps://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall35.cab
DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} - hxxp://esupport.sony.com/VaioInfo.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} - hxxp://gis.cityofmadison.com/ACGM_7146/Acgm.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15116/CTPID.cab
TCP: {635C05CE-B111-48A8-9099-45C273F2706C} = 151.164.8.201,68.73.20.40
Handler: AutorunsDisabled\x-owacid - {0215258f-f0a8-49de-bf1b-0ff02eda8807} - c:\program files\microsoft\outlook web access smime client\mimectl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
LSA: Notification Packages = scecli scecli scecli
Hosts: 10.0.32.111 intranet intranet.3pardata.com
.
============= SERVICES / DRIVERS ===============
.
R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2009-11-17 63080]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-13 386840]
R0 SonyLSM;LED State Service;c:\windows\system32\drivers\SonyLSM.sys [2003-9-16 4736]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-4-7 84072]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2011-4-7 54776]
R2 GFIBckHAtt;GFI Backup 2009 - Home Edition Attendant Service;c:\progra~1\gfi\gfibac~1\GFIHInst.exe [2011-3-3 858480]
R2 GFIBckHSched;GFI Backup 2009 - Home Edition Scheduler Service;c:\progra~1\gfi\gfibac~1\GFIHSC~1.EXE [2011-3-3 2324848]
R2 HP LaserJet Service;HP LaserJet Service;c:\program files\hp\hplaserjetservice\HPLaserJetService.exe [2010-4-12 142336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-4-7 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-4-7 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-4-7 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-4-7 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-4-7 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-4-7 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-4-7 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-4-13 229688]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\docume~1\alluse~1\applic~1\squeez~1\cache\my.cnf squeezemysql --> c:\progra~1\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\docume~1\alluse~1\applic~1\squeez~1\cache\my.cnf SqueezeMySQL [?]
R2 Winferno Subscription Service;Winferno Subscription Service;c:\program files\common files\winferno\wss\WSS.exe [2011-4-7 139264]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-4-7 55840]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-4-7 152960]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-4-7 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-4-7 88544]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\roxio\digital home 10\RoxioUpnpService10.exe [2007-8-24 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2007-8-24 309744]
S2 squeezesvc;Squeezebox Server; [x]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2011-4-11 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\ICDUSB2.sys [2002-11-28 39048]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\47.tmp --> c:\windows\system32\47.tmp [?]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-4-7 52104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-4-7 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-4-7 84264]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\roxio\digital home 10\RoxioUPnPRenderer10.exe [2007-8-24 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2007-8-24 1083888]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2009-4-1 11520]
S4 RoxWatch10;RoxWatch10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2007-8-24 166384]
S4 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-8-5 93872]
S4 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-5-5 202928]
S4 SessionLauncher;SessionLauncher; [x]
.
=============== Created Last 30 ================
.
2011-04-13 18:28:54 -------- d-----w- c:\program files\Argente - Registry Cleaner
2011-04-13 17:37:30 -------- d-----w- c:\docume~1\kurth\locals~1\applic~1\WMTools Downloaded Files
2011-04-12 15:36:57 -------- d-----w- c:\docume~1\kurth\applic~1\Wireshark
2011-04-12 15:11:46 -------- d-----w- c:\program files\WinPcap
2011-04-12 14:58:26 -------- d-----w- c:\program files\NirSoft
2011-04-11 22:50:26 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
2011-04-11 19:08:59 -------- d-----w- c:\program files\common files\Creative Labs Shared
2011-04-11 17:31:57 7062 ----a-w- c:\windows\system32\audiopid.vxd
2011-04-11 17:30:15 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2011-04-11 17:27:16 -------- d-----w- c:\program files\Creative
2011-04-11 17:09:59 53248 ----a-r- c:\windows\system32\CSVer.dll
2011-04-11 17:09:21 -------- d-----w- C:\Intel
2011-04-11 16:34:41 -------- d-----w- c:\windows\system32\WinFast
2011-04-11 16:21:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\Driver Boost
2011-04-07 21:55:35 -------- d-----w- c:\docume~1\kurth\applic~1\Winferno
2011-04-07 21:51:22 -------- d-----w- c:\program files\common files\Winferno
2011-04-07 21:46:32 835584 ----a-w- c:\windows\system32\WINCTL4.ocx
2011-04-07 21:46:32 495616 ----a-w- c:\windows\system32\WINUTIL5.DLL
2011-04-07 21:46:32 393216 ----a-w- c:\windows\system32\WINLCTL5.dll
2011-04-07 21:46:31 585728 ----a-w- c:\windows\system32\RDSHELL2004.BZT
2011-04-07 21:46:31 492768 ----a-w- c:\windows\system32\IGToolBars50.ocx
2011-04-07 21:46:30 381712 ----a-w- c:\windows\system32\mswless.ocx
2011-04-07 21:40:02 -------- d-----w- c:\docume~1\kurth\locals~1\applic~1\McAfee Anti-Theft
2011-04-07 21:34:39 -------- d-----w- c:\docume~1\alluse~1\applic~1\McAfee Anti-Theft
2011-04-07 21:33:05 -------- d-----w- c:\docume~1\kurth\applic~1\McAfee
2011-04-07 21:30:01 -------- d-----w- c:\program files\McAfeeMOBK
2011-04-07 21:29:39 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2011-04-07 21:29:28 -------- d-----w- c:\program files\McAfee Online Backup
2011-04-07 21:28:17 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-04-07 21:28:09 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-04-07 21:28:09 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-04-07 21:28:09 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-04-07 21:28:09 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-04-07 21:28:09 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-04-07 21:28:09 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-04-07 21:28:09 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-04-07 21:28:04 -------- d-----w- c:\program files\common files\Mcafee
2011-04-07 21:28:02 -------- d-----w- c:\program files\McAfee.com
2011-04-07 21:27:49 -------- d-----w- c:\program files\McAfee
2011-04-07 21:19:04 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-04-07 19:35:57 -------- d-sh--w- c:\documents and settings\kurth\IECompatCache
2011-04-07 19:29:14 -------- d-sh--w- c:\documents and settings\kurth\PrivacIE
2011-04-07 18:47:37 -------- d-sh--w- c:\documents and settings\kurth\IETldCache
2011-04-07 17:32:17 -------- d-----w- c:\program files\Winspector
2011-04-07 15:11:49 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-07 15:11:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-04-06 20:38:47 102400 ----a-w- c:\windows\RegBootClean.exe
2011-04-06 20:24:23 -------- d-----w- c:\docume~1\kurth\applic~1\Hewlett-Packard Company
2011-04-06 19:22:52 -------- d-----w- c:\docume~1\kurth\locals~1\applic~1\Eraser 6
2011-04-05 19:08:21 -------- d--h--w- c:\program files\Zero G Registry
2011-04-05 15:06:30 -------- d-----w- c:\documents and settings\kurth\InstallAnywhere
.
==================== Find3M ====================
.
2011-04-11 19:07:10 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2011-04-07 20:03:44 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-28 14:59:00 608 --sha-w- c:\windows\system32\winzvprt5.sys
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2005-07-14 19:31:20 27648 --sha-w- c:\windows\system32\AVSredirect.dll
.
============= FINISH: 15:05:21.93 ===============

Also forgot to mention that I also had the Google redirect problem, but removing the bogus application seems to have fixed that piece.

EDIT: Posts merged ~Budapest

Edited by Budapest, 14 April 2011 - 05:57 PM.
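As an added illustration (my own code, not part of kurth's post, of DDS, or of any BleepingComputer tool), here is a small triage script for the kind of DDS log quoted above. The heuristics are mine, not rules DDS applies: it flags services and drivers whose image path is missing ("[x]") or points at a .tmp file, browser add-ons whose file is gone ("No File"), Internet Explorer Trusted Zone entries (those domains run with relaxed security settings) and hosts-file overrides. These are exactly the lines a removal helper reads by hand first. The sample input is copied from the log above; a flag means "verify this entry", not "this is malware", and an entry that is not flagged is not thereby proven clean.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines in the format of the DDS "Pseudo HJT Report" and
# "SERVICES / DRIVERS" sections, copied from the log quoted in the post above.
SAMPLE_DDS = r"""
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
Trusted Zone: microsoft.com
Trusted Zone: imagebam.com\www
Hosts: 10.0.32.111 intranet intranet.3pardata.com
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-13 386840]
S2 squeezesvc;Squeezebox Server; [x]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\47.tmp --> c:\windows\system32\47.tmp [?]
S4 SessionLauncher;SessionLauncher; [x]
"""


@dataclass
class Finding:
    line: str    # the raw log line the finding refers to
    reason: str  # why it deserves a human look


# A service/driver entry: "<R|S><0-4> <name>;<display name>;<image path> [<date> <size>]"
SERVICE_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);(.*)$")
# Image path ending in ".tmp", optionally followed by DDS's "[?]" (could not verify) marker.
# A driver loaded from a .tmp file is a question to answer, not a verdict.
TMP_IMAGE_RE = re.compile(r"\.tmp\s*(?:\[\?\])?\s*$", re.IGNORECASE)


def triage_dds(text: str) -> list[Finding]:
    """Return the DDS log entries a malware-removal helper would check by hand first.
    Heuristics only (my own, not DDS's): every hit needs verification."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            _state, name, _display, image = m.groups()
            if image.strip() == "[x]":
                findings.append(Finding(line, f"service '{name}' has no image path (orphaned or hidden)"))
            elif TMP_IMAGE_RE.search(image):
                findings.append(Finding(line, f"service '{name}' loads from a .tmp file"))
            elif image.rstrip().endswith("[?]"):
                findings.append(Finding(line, f"service '{name}' image could not be verified by DDS"))
            continue
        if line.startswith(("BHO:", "TB:", "EB:")) and line.endswith("- No File"):
            findings.append(Finding(line, "browser add-on registered but its file is missing"))
        elif line.startswith("Trusted Zone:"):
            findings.append(Finding(line, "domain runs in IE's Trusted Zone (relaxed security settings)"))
        elif line.startswith("Hosts:"):
            findings.append(Finding(line, "hosts-file override (confirm it is intentional)"))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample, the two McAfee lines (a toolbar with a present DLL, a driver with a dated and sized image) pass through silently, while the two "[x]" services, the .tmp-backed driver, the two "No File" add-ons, the Trusted Zone entries and the hosts line are listed for review. The [x] and .tmp checks are ordered before the generic "[?]" check so that the more specific reason wins when several apply to one line.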



#2 m0le

Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 22 April 2011 - 07:06 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 kurth

  • Topic Starter
  • Members
  • 9 posts

Posted 25 April 2011 - 08:40 AM

Thanks M0le, Looking forward to working with you!

#4 m0le

Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 25 April 2011 - 05:31 PM

Please start by downloading and running Combofix and see what it finds

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#5 kurth

  • Topic Starter
  • Members
  • 9 posts

Posted 25 April 2011 - 06:43 PM

Thanks.

While running, it indicated that it had detected a rootkit in VolSnap.sys, removed it, and rebooted. After running again for some time, it rebooted again, and produced the following report.


Here is the ComboFix.txt file:
ComboFix 11-04-25.01 - kurth 04/25/2011 18:21:02.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.674 [GMT -5:00]
Running from: c:\documents and settings\kurth\Desktop\comfix.exe.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Reba Heberlein\WINDOWS
c:\windows\system\Color
c:\windows\system32\_004048_.tmp.dll
c:\windows\system32\_004049_.tmp.dll
c:\windows\system32\_004050_.tmp.dll
c:\windows\system32\_004051_.tmp.dll
c:\windows\system32\_004058_.tmp.dll
c:\windows\system32\_004059_.tmp.dll
c:\windows\system32\_004060_.tmp.dll
c:\windows\system32\_004062_.tmp.dll
c:\windows\system32\_004063_.tmp.dll
c:\windows\system32\_004066_.tmp.dll
c:\windows\system32\_004067_.tmp.dll
c:\windows\system32\_004069_.tmp.dll
c:\windows\system32\_004070_.tmp.dll
c:\windows\system32\_004071_.tmp.dll
c:\windows\system32\_004073_.tmp.dll
c:\windows\system32\_004076_.tmp.dll
c:\windows\system32\_004077_.tmp.dll
c:\windows\system32\_004081_.tmp.dll
c:\windows\system32\_004082_.tmp.dll
c:\windows\system32\_004084_.tmp.dll
c:\windows\system32\_004087_.tmp.dll
c:\windows\system32\_004089_.tmp.dll
c:\windows\system32\_004090_.tmp.dll
c:\windows\system32\_004091_.tmp.dll
c:\windows\system32\_004092_.tmp.dll
c:\windows\system32\_004095_.tmp.dll
c:\windows\system32\_004096_.tmp.dll
c:\windows\system32\_004097_.tmp.dll
c:\windows\system32\_004098_.tmp.dll
c:\windows\system32\_004099_.tmp.dll
c:\windows\system32\_004104_.tmp.dll
c:\windows\system32\_004106_.tmp.dll
c:\windows\system32\_004107_.tmp.dll
c:\windows\system32\_006744_.tmp.dll
c:\windows\system32\_006745_.tmp.dll
c:\windows\system32\_006746_.tmp.dll
c:\windows\system32\_006747_.tmp.dll
c:\windows\system32\_006754_.tmp.dll
c:\windows\system32\_006755_.tmp.dll
c:\windows\system32\_006756_.tmp.dll
c:\windows\system32\_006757_.tmp.dll
c:\windows\system32\_006759_.tmp.dll
c:\windows\system32\_006760_.tmp.dll
c:\windows\system32\_006763_.tmp.dll
c:\windows\system32\_006764_.tmp.dll
c:\windows\system32\_006766_.tmp.dll
c:\windows\system32\_006767_.tmp.dll
c:\windows\system32\_006768_.tmp.dll
c:\windows\system32\_006770_.tmp.dll
c:\windows\system32\_006773_.tmp.dll
c:\windows\system32\_006774_.tmp.dll
c:\windows\system32\_006778_.tmp.dll
c:\windows\system32\_006779_.tmp.dll
c:\windows\system32\_006781_.tmp.dll
c:\windows\system32\_006784_.tmp.dll
c:\windows\system32\_006786_.tmp.dll
c:\windows\system32\_006787_.tmp.dll
c:\windows\system32\_006788_.tmp.dll
c:\windows\system32\_006789_.tmp.dll
c:\windows\system32\_006790_.tmp.dll
c:\windows\system32\_006793_.tmp.dll
c:\windows\system32\_006794_.tmp.dll
c:\windows\system32\_006795_.tmp.dll
c:\windows\system32\_006796_.tmp.dll
c:\windows\system32\_006797_.tmp.dll
c:\windows\system32\_006802_.tmp.dll
c:\windows\system32\_006804_.tmp.dll
c:\windows\system32\_006805_.tmp.dll
c:\windows\system32\regobj.dll
c:\windows\system32\SET166.tmp
c:\windows\system32\SET19A.tmp
c:\windows\system32\SET3CE.tmp
c:\windows\system32\SET4AE.tmp
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2011-03-25 to 2011-04-25 )))))))))))))))))))))))))))))))
.
.
2011-04-25 23:03 . 2009-06-05 16:04 495689 ----a-w- c:\windows\system32\WINUTIL6.DLL
2011-04-25 23:03 . 2009-06-05 16:04 393216 ----a-w- c:\windows\system32\WINLCTL6.DLL
2011-04-25 23:03 . 2009-06-05 16:04 831560 ----a-w- c:\windows\system32\WINCTL5.OCX
2011-04-13 18:28 . 2011-04-13 18:54 -------- d-----w- c:\program files\Argente - Registry Cleaner
2011-04-13 17:37 . 2011-04-13 17:37 -------- d-----w- c:\documents and settings\kurth\Local Settings\Application Data\WMTools Downloaded Files
2011-04-12 15:36 . 2011-04-12 15:36 -------- d-----w- c:\documents and settings\kurth\Application Data\Wireshark
2011-04-12 15:11 . 2011-04-12 15:11 -------- d-----w- c:\program files\WinPcap
2011-04-12 14:58 . 2011-04-12 14:58 -------- d-----w- c:\program files\NirSoft
2011-04-11 22:50 . 2005-06-03 08:52 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
2011-04-11 22:41 . 2011-04-11 22:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Eraser 6
2011-04-11 19:42 . 2011-04-11 19:44 -------- d-----w- c:\program files\Windows Live Safety Center
2011-04-11 19:08 . 2011-04-11 19:08 -------- d-----w- c:\program files\Common Files\Creative Labs Shared
2011-04-11 17:42 . 2011-04-11 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Creative
2011-04-11 17:31 . 2003-06-13 04:25 7062 ----a-w- c:\windows\system32\audiopid.vxd
2011-04-11 17:30 . 2011-04-11 19:07 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2011-04-11 17:30 . 2011-04-11 17:30 -------- d-----w- c:\documents and settings\kurth\Application Data\Creative
2011-04-11 17:27 . 2011-04-11 19:08 -------- d-----w- c:\program files\Creative
2011-04-11 17:09 . 2010-12-23 16:09 53248 ----a-r- c:\windows\system32\CSVer.dll
2011-04-11 17:09 . 2011-04-11 17:09 -------- d-----w- C:\Intel
2011-04-11 16:34 . 2011-04-11 16:59 -------- d-----w- c:\windows\system32\WinFast
2011-04-11 16:21 . 2011-04-11 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Boost
2011-04-07 21:55 . 2011-04-15 19:36 -------- d-----w- c:\documents and settings\kurth\Application Data\Winferno
2011-04-07 21:51 . 2011-04-07 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Winferno
2011-04-07 21:51 . 2011-04-07 21:51 -------- d-----w- c:\program files\Common Files\Winferno
2011-04-07 21:46 . 2009-04-13 15:18 495616 ----a-w- c:\windows\system32\WINUTIL5.DLL
2011-04-07 21:46 . 2006-05-30 03:55 835584 ----a-w- c:\windows\system32\WINCTL4.ocx
2011-04-07 21:46 . 2006-03-31 19:36 393216 ----a-w- c:\windows\system32\WINLCTL5.dll
2011-04-07 21:46 . 2004-07-27 14:46 585728 ----a-w- c:\windows\system32\RDSHELL2004.BZT
2011-04-07 21:46 . 2003-12-16 20:39 492768 ----a-w- c:\windows\system32\IGToolBars50.ocx
2011-04-07 21:46 . 2006-09-26 15:43 381712 ----a-w- c:\windows\system32\mswless.ocx
2011-04-07 21:40 . 2011-04-07 21:40 -------- d-----w- c:\documents and settings\kurth\Local Settings\Application Data\McAfee Anti-Theft
2011-04-07 21:34 . 2011-04-07 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Anti-Theft
2011-04-07 21:33 . 2011-04-07 21:33 -------- d-----w- c:\documents and settings\kurth\Application Data\McAfee
2011-04-07 21:29 . 2010-04-14 01:10 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2011-04-07 21:29 . 2011-04-07 21:29 -------- d-----w- c:\program files\McAfee Online Backup
2011-04-07 21:28 . 2010-10-14 03:28 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-04-07 21:28 . 2010-10-14 03:28 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-04-07 21:28 . 2010-10-14 03:28 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-04-07 21:28 . 2010-10-14 03:28 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-04-07 21:28 . 2010-10-14 03:28 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-04-07 21:28 . 2010-10-14 03:28 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-04-07 21:28 . 2010-10-14 03:28 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-04-07 21:28 . 2010-10-14 03:28 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-04-07 21:28 . 2011-04-07 21:28 -------- d-----w- c:\program files\Common Files\Mcafee
2011-04-07 21:27 . 2011-04-09 18:37 -------- d-----w- c:\program files\McAfee
2011-04-07 21:19 . 2010-10-14 03:28 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-04-07 20:16 . 2011-04-07 20:16 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-04-07 19:35 . 2011-04-07 19:35 -------- d-sh--w- c:\documents and settings\kurth\IECompatCache
2011-04-07 19:29 . 2011-04-07 19:29 -------- d-sh--w- c:\documents and settings\kurth\PrivacIE
2011-04-07 18:47 . 2011-04-07 18:47 -------- d-sh--w- c:\documents and settings\kurth\IETldCache
2011-04-07 17:32 . 2011-04-13 17:23 -------- d-----w- c:\program files\Winspector
2011-04-07 15:11 . 2011-04-13 16:33 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-07 15:11 . 2011-04-07 15:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-04-06 20:38 . 2011-04-06 20:39 102400 ----a-w- c:\windows\RegBootClean.exe
2011-04-06 20:24 . 2011-04-06 20:24 -------- d-----w- c:\documents and settings\kurth\Application Data\Hewlett-Packard Company
2011-04-06 19:22 . 2011-04-06 19:22 -------- d-----w- c:\documents and settings\kurth\Local Settings\Application Data\Eraser 6
2011-04-05 19:08 . 2011-04-05 19:08 -------- d--h--w- c:\program files\Zero G Registry
2011-04-05 15:06 . 2011-04-05 15:06 -------- d-----w- c:\documents and settings\kurth\InstallAnywhere
2011-03-29 04:54 . 2011-03-29 04:54 -------- d-----w- c:\program files\7-Zip
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-11 19:07 . 2003-09-16 17:30 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2011-04-07 20:03 . 2010-08-18 19:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-07 05:33 . 2004-03-02 18:18 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2003-09-16 17:29 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2009-04-01 18:16 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 13:51 . 2009-09-25 05:37 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 13:51 . 2006-06-23 17:33 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51 . 2003-09-16 17:29 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 13:18 . 2009-04-01 18:16 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2009-04-01 18:16 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:37 . 2004-08-04 05:59 369664 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32 . 2009-04-15 02:44 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2003-09-16 17:29 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2003-11-12 08:54 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2003-11-12 08:54 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2003-09-16 17:29 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2003-09-16 17:29 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2003-09-16 17:37 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2003-09-16 17:37 677888 ----a-w- c:\windows\system32\mstsc.exe
2005-07-14 19:31 27648 --sha-w- c:\windows\system32\AVSredirect.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]

@="{b4caf489-1eec-c617-49ad-8d7088598c06}"

[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]

2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GFI Backup 2009 - Home Edition"="c:\progra~1\GFI\GFIBAC~1\GFIAgent.exe" [2010-07-30 2195824]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]

"nwiz"="nwiz.exe" [2008-05-16 1630208]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

"ehTray"="c:\windows\ehome\ehtray.exe" [2008-04-14 50176]

"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 88363]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"ToolboxFX"="c:\program files\HP\ToolboxFX\bin\HPTLBXFX.exe" [2010-04-16 58936]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]

"Eraser"="c:\progra~1\Eraser\Eraser.exe" [2010-11-05 980368]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]

"McPvTray"="c:\program files\McAfee\Anti-Theft\McPvTray.exe" [2009-11-17 670312]

"SIE2007"="d:\winferno\Secure IE\SIEPulse.exe" [2007-06-12 71320]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]

"CTHelper"="CTHELPER.EXE" [2010-03-19 19456]

.

c:\documents and settings\kurth\Start Menu\Programs\Startup\

Password Safe.lnk - c:\program files\Password Safe\pwsafe.exe [2010-12-8 3501056]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Squeezebox Server Tray Tool.lnk - c:\program files\Squeezebox\SqueezeTray.exe [2010-12-30 2351191]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Sony\\click to dvd\\ctodvd-e.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Sony\\VAIO Media 4.0\\Vc.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9000:TCP"= 9000:TCP:Squeezebox Server 9000 tcp (UI)

"3483:UDP"= 3483:UDP:Squeezebox Server 3483 udp

"3483:TCP"= 3483:TCP:Squeezebox Server 3483 tcp

"9001:TCP"= 9001:TCP:Squeezebox Server 9001 tcp (UI)

"9002:TCP"= 9002:TCP:Squeezebox Server 9002 tcp (UI)

"9003:TCP"= 9003:TCP:Squeezebox Server 9003 tcp (UI)

"9004:TCP"= 9004:TCP:Squeezebox Server 9004 tcp (UI)

"9005:TCP"= 9005:TCP:Squeezebox Server 9005 tcp (UI)

"9006:TCP"= 9006:TCP:Squeezebox Server 9006 tcp (UI)

"9007:TCP"= 9007:TCP:Squeezebox Server 9007 tcp (UI)

"9008:TCP"= 9008:TCP:Squeezebox Server 9008 tcp (UI)

"9009:TCP"= 9009:TCP:Squeezebox Server 9009 tcp (UI)

"9010:TCP"= 9010:TCP:Squeezebox Server 9010 tcp (UI)

"9100:TCP"= 9100:TCP:Squeezebox Server 9100 tcp (UI)

"8000:TCP"= 8000:TCP:Squeezebox Server 8000 tcp (UI)

"10000:TCP"= 10000:TCP:Squeezebox Server 10000 tcp (UI)

"9090:TCP"= 9090:TCP:Squeezebox Server 9090 tcp (UI)

"5720:TCP"= 5720:TCP:Jumi Controller

"5720:UDP"= 5720:UDP:Jumi Controller

.

R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [11/17/2009 11:15 AM 63080]

R0 SonyLSM;LED State Service;c:\windows\system32\drivers\SonyLSM.sys [9/16/2003 12:30 PM 4736]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/7/2011 4:28 PM 84072]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/7/2011 4:28 PM 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [4/7/2011 4:28 PM 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [4/7/2011 4:19 PM 141792]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/7/2011 4:28 PM 313288]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/7/2011 4:28 PM 88544]

S1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [4/7/2011 4:29 PM 54776]

S2 GFIBckHAtt;GFI Backup 2009 - Home Edition Attendant Service;c:\progra~1\GFI\GFIBAC~1\GFIHInst.exe [3/3/2011 5:35 PM 858480]

S2 GFIBckHSched;GFI Backup 2009 - Home Edition Scheduler Service;c:\progra~1\GFI\GFIBAC~1\GFIHSC~1.EXE [3/3/2011 5:35 PM 2324848]

S2 HP LaserJet Service;HP LaserJet Service;c:\program files\HP\HPLaserJetService\HPLaserJetService.exe [4/12/2010 10:13 AM 142336]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/7/2011 4:28 PM 271480]

S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/7/2011 4:28 PM 271480]

S2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [4/13/2010 8:11 PM 229688]

S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 12:07 PM 35088]

S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [8/24/2007 3:53 PM 362992]

S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [8/24/2007 3:52 PM 309744]

S2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL --> c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL [?]

S2 squeezesvc;Squeezebox Server; [x]

S2 Winferno Subscription Service;Winferno Subscription Service;c:\program files\Common Files\Winferno\WSS\WSS.exe [4/7/2011 4:51 PM 139264]

S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/7/2011 4:28 PM 55840]

S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [3/18/2010 8:39 PM 99416]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [3/18/2010 8:39 PM 99416]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [4/11/2011 2:08 PM 79360]

S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [3/18/2010 8:39 PM 555096]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [3/18/2010 8:39 PM 555096]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [3/18/2010 8:39 PM 100952]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [3/18/2010 8:39 PM 100952]

S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [3/18/2010 8:39 PM 566360]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [3/18/2010 8:39 PM 566360]

S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\ICDUSB2.sys [11/28/2002 10:23 PM 39048]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\47.tmp --> c:\windows\system32\47.tmp [?]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/7/2011 4:28 PM 88544]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/7/2011 4:28 PM 84264]

S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [8/24/2007 3:53 PM 72176]

S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [8/24/2007 3:52 PM 1083888]

S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [4/1/2009 1:16 PM 11520]

S4 RoxWatch10;RoxWatch10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [8/24/2007 3:52 PM 166384]

S4 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [8/5/2009 4:58 PM 93872]

S4 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [5/5/2009 11:07 AM 202928]

S4 SessionLauncher;SessionLauncher; [x]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08

.

Contents of the 'Scheduled Tasks' folder

.

2011-04-13 c:\windows\Tasks\At1.job

- c:\program files\HP\HPLJUT\HPLJUTSCH.exe [2010-04-13 17:10]

.

2011-04-13 c:\windows\Tasks\At2.job

- c:\program files\HP\HPLJUT\HPLJUTSCH.exe [2010-04-13 17:10]

.

2011-04-13 c:\windows\Tasks\At3.job

- c:\program files\HP\HPLJUT\HPLJUTSCH.exe [2010-04-13 17:10]

.

2011-04-15 c:\windows\Tasks\At4.job

- c:\program files\HP\HPLJUT\HPLJUTSCH.exe [2010-04-13 17:10]

.

2011-04-25 c:\windows\Tasks\PCConfidential.job

- d:\winferno\PC Confidential\PCConfidential.exe [2011-04-07 15:59]

.

2011-04-25 c:\windows\Tasks\WSSHelper.job

- c:\program files\Common Files\Winferno\WSS\WSSHelper.exe [2011-04-07 22:16]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.nytimes.com/

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s%s

Trusted Zone: 3pardata.com\bugs

Trusted Zone: creative.com

Trusted Zone: dell.com\accessories.us

Trusted Zone: imagebam.com\www

Trusted Zone: intuit.com\ttlc

Trusted Zone: live.com\oncare

Trusted Zone: live.com\onecare

Trusted Zone: microsoft.com

Trusted Zone: sony.com\esupport

TCP: {635C05CE-B111-48A8-9099-45C273F2706C} = 151.164.8.201,68.73.20.40

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab

.

- - - - ORPHANS REMOVED - - - -

.

Notify-WgaLogon - (no file)

SafeBoot-SBAMSvc

AddRemove-Creative Driver - c:\windows\System32\ctdrvins

AddRemove-Windows Media Format Runtime - c:\program files\Windows Media Player\wmsetsdk.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-25 18:32

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\47.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(316)

c:\program files\McAfee Online Backup\MOBKshell.dll

.

------------------------ Other Running Processes ------------------------

.

c:\progra~1\mcafee.com\agent\mcagent.exe

.

**************************************************************************

.

Completion time: 2011-04-25 18:36:37 - machine was rebooted

ComboFix-quarantined-files.txt 2011-04-25 23:36

.

Pre-Run: 62,419,697,664 bytes free

Post-Run: 62,890,631,168 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\windows

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\windows="Windows XP Media Center Edition" /fastdetect /NoExecute=OptIn

.

- - End Of File - - 2DE0876B8A762306BB7A3707E1729DA4

#6 m0le

  • Malware Response Team

Posted 25 April 2011 - 06:54 PM

Now we need to rerun Combofix, as shown below

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

AtJob::

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)

Referring to the picture above, drag CFScript into ComboFix.exe

If the program asks you to update Combofix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE

#7 kurth

  • Topic Starter

Posted 25 April 2011 - 07:27 PM

Will do - it is running right now, but thought I should ask... When I dropped the CFScript.txt onto comfix.exe, I got a message that there was a newer version of ComboFix, did I want to upload. I clicked 'Yes', and it downloaded it and restarted. Is that ok, or did it ignore the CFScript.txt commands on the restart as a result?

#8 kurth

  • Topic Starter

Posted 25 April 2011 - 07:33 PM

comfix.exe finished, after rebooting the machine again. The CFScript.txt file is gone. Let me know if my allowing it to update means I have to rerun this step. Here is the ComboFix.txt file:
ComboFix 11-04-25.02 - kurth 04/25/2011 19:11:19.2.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.772 [GMT -5:00]

Running from: c:\documents and settings\kurth\Desktop\comfix.exe.exe

Command switches used :: c:\documents and settings\kurth\Desktop\CFScript.txt

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\Tasks\At1.job

c:\windows\Tasks\At2.job

c:\windows\Tasks\At3.job

c:\windows\Tasks\At4.job

.

.

((((((((((((((((((((((((( Files Created from 2011-03-26 to 2011-04-26 )))))))))))))))))))))))))))))))

.

.

2011-04-25 23:03 . 2009-06-05 16:04 495689 ----a-w- c:\windows\system32\WINUTIL6.DLL

2011-04-25 23:03 . 2009-06-05 16:04 393216 ----a-w- c:\windows\system32\WINLCTL6.DLL

2011-04-25 23:03 . 2009-06-05 16:04 831560 ----a-w- c:\windows\system32\WINCTL5.OCX

2011-04-13 18:28 . 2011-04-13 18:54 -------- d-----w- c:\program files\Argente - Registry Cleaner

2011-04-13 17:37 . 2011-04-13 17:37 -------- d-----w- c:\documents and settings\kurth\Local Settings\Application Data\WMTools Downloaded Files

2011-04-12 15:36 . 2011-04-12 15:36 -------- d-----w- c:\documents and settings\kurth\Application Data\Wireshark

2011-04-12 15:11 . 2011-04-12 15:11 -------- d-----w- c:\program files\WinPcap

2011-04-12 14:58 . 2011-04-12 14:58 -------- d-----w- c:\program files\NirSoft

2011-04-11 22:50 . 2005-06-03 08:52 49265 ----a-w- c:\windows\system32\jpicpl32.cpl

2011-04-11 22:41 . 2011-04-11 22:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Eraser 6

2011-04-11 19:42 . 2011-04-11 19:44 -------- d-----w- c:\program files\Windows Live Safety Center

2011-04-11 19:08 . 2011-04-11 19:08 -------- d-----w- c:\program files\Common Files\Creative Labs Shared

2011-04-11 17:42 . 2011-04-11 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Creative

2011-04-11 17:31 . 2003-06-13 04:25 7062 ----a-w- c:\windows\system32\audiopid.vxd

2011-04-11 17:30 . 2011-04-11 19:07 445016 ----a-w- c:\windows\system32\wrap_oal.dll

2011-04-11 17:30 . 2011-04-11 17:30 -------- d-----w- c:\documents and settings\kurth\Application Data\Creative

2011-04-11 17:27 . 2011-04-11 19:08 -------- d-----w- c:\program files\Creative

2011-04-11 17:09 . 2010-12-23 16:09 53248 ----a-r- c:\windows\system32\CSVer.dll

2011-04-11 17:09 . 2011-04-11 17:09 -------- d-----w- C:\Intel

2011-04-11 16:34 . 2011-04-11 16:59 -------- d-----w- c:\windows\system32\WinFast

2011-04-11 16:21 . 2011-04-11 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Boost

2011-04-07 21:55 . 2011-04-15 19:36 -------- d-----w- c:\documents and settings\kurth\Application Data\Winferno

2011-04-07 21:51 . 2011-04-07 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Winferno

2011-04-07 21:51 . 2011-04-07 21:51 -------- d-----w- c:\program files\Common Files\Winferno

2011-04-07 21:46 . 2009-04-13 15:18 495616 ----a-w- c:\windows\system32\WINUTIL5.DLL

2011-04-07 21:46 . 2006-05-30 03:55 835584 ----a-w- c:\windows\system32\WINCTL4.ocx

2011-04-07 21:46 . 2006-03-31 19:36 393216 ----a-w- c:\windows\system32\WINLCTL5.dll

2011-04-07 21:46 . 2004-07-27 14:46 585728 ----a-w- c:\windows\system32\RDSHELL2004.BZT

2011-04-07 21:46 . 2003-12-16 20:39 492768 ----a-w- c:\windows\system32\IGToolBars50.ocx

2011-04-07 21:46 . 2006-09-26 15:43 381712 ----a-w- c:\windows\system32\mswless.ocx

2011-04-07 21:40 . 2011-04-07 21:40 -------- d-----w- c:\documents and settings\kurth\Local Settings\Application Data\McAfee Anti-Theft

2011-04-07 21:34 . 2011-04-07 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Anti-Theft

2011-04-07 21:33 . 2011-04-07 21:33 -------- d-----w- c:\documents and settings\kurth\Application Data\McAfee

2011-04-07 21:29 . 2010-04-14 01:10 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys

2011-04-07 21:29 . 2011-04-07 21:29 -------- d-----w- c:\program files\McAfee Online Backup

2011-04-07 21:28 . 2010-10-14 03:28 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2011-04-07 21:28 . 2010-10-14 03:28 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2011-04-07 21:28 . 2010-10-14 03:28 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2011-04-07 21:28 . 2010-10-14 03:28 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2011-04-07 21:28 . 2010-10-14 03:28 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys

2011-04-07 21:28 . 2010-10-14 03:28 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2011-04-07 21:28 . 2010-10-14 03:28 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2011-04-07 21:28 . 2010-10-14 03:28 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2011-04-07 21:28 . 2011-04-07 21:28 -------- d-----w- c:\program files\Common Files\Mcafee

2011-04-07 21:27 . 2011-04-09 18:37 -------- d-----w- c:\program files\McAfee

2011-04-07 21:19 . 2010-10-14 03:28 141792 ----a-w- c:\windows\system32\mfevtps.exe

2011-04-07 20:16 . 2011-04-07 20:16 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2011-04-07 19:35 . 2011-04-07 19:35 -------- d-sh--w- c:\documents and settings\kurth\IECompatCache

2011-04-07 19:29 . 2011-04-07 19:29 -------- d-sh--w- c:\documents and settings\kurth\PrivacIE

2011-04-07 18:47 . 2011-04-07 18:47 -------- d-sh--w- c:\documents and settings\kurth\IETldCache

2011-04-07 17:32 . 2011-04-13 17:23 -------- d-----w- c:\program files\Winspector

2011-04-07 15:11 . 2011-04-13 16:33 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-04-07 15:11 . 2011-04-07 15:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2011-04-06 20:38 . 2011-04-06 20:39 102400 ----a-w- c:\windows\RegBootClean.exe

2011-04-06 20:24 . 2011-04-06 20:24 -------- d-----w- c:\documents and settings\kurth\Application Data\Hewlett-Packard Company

2011-04-06 19:22 . 2011-04-06 19:22 -------- d-----w- c:\documents and settings\kurth\Local Settings\Application Data\Eraser 6

2011-04-05 19:08 . 2011-04-05 19:08 -------- d--h--w- c:\program files\Zero G Registry

2011-04-05 15:06 . 2011-04-05 15:06 -------- d-----w- c:\documents and settings\kurth\InstallAnywhere

2011-03-29 04:54 . 2011-03-29 04:54 -------- d-----w- c:\program files\7-Zip

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-04-11 19:07 . 2003-09-16 17:30 109144 ----a-w- c:\windows\system32\OpenAL32.dll

2011-04-07 20:03 . 2010-08-18 19:59 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-03-07 05:33 . 2004-03-02 18:18 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45 . 2003-09-16 17:29 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21 . 2009-04-01 18:16 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-17 13:51 . 2009-09-25 05:37 81920 ----a-w- c:\windows\system32\ieencode.dll

2011-02-17 13:51 . 2006-06-23 17:33 667136 ----a-w- c:\windows\system32\wininet.dll

2011-02-17 13:51 . 2003-09-16 17:29 61952 ----a-w- c:\windows\system32\tdc.ocx

2011-02-17 13:18 . 2009-04-01 18:16 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-02-17 13:18 . 2009-04-01 18:16 357888 ----a-w- c:\windows\system32\drivers\srv.sys

2011-02-17 12:37 . 2004-08-04 05:59 369664 ----a-w- c:\windows\system32\html.iec

2011-02-17 12:32 . 2009-04-15 02:44 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-15 12:56 . 2003-09-16 17:29 290432 ----a-w- c:\windows\system32\atmfd.dll

2011-02-09 13:53 . 2003-11-12 08:54 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2003-11-12 08:54 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-08 13:33 . 2003-09-16 17:29 978944 ----a-w- c:\windows\system32\mfc42.dll

2011-02-08 13:33 . 2003-09-16 17:29 974848 ----a-w- c:\windows\system32\mfc42u.dll

2011-02-02 07:58 . 2003-09-16 17:37 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2003-09-16 17:37 677888 ----a-w- c:\windows\system32\mstsc.exe

2005-07-14 19:31 27648 --sha-w- c:\windows\system32\AVSredirect.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]

@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"

[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]

2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]

@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"

[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]

2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]

@="{b4caf489-1eec-c617-49ad-8d7088598c06}"

[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]

2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GFI Backup 2009 - Home Edition"="c:\progra~1\GFI\GFIBAC~1\GFIAgent.exe" [2010-07-30 2195824]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]

"nwiz"="nwiz.exe" [2008-05-16 1630208]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

"ehTray"="c:\windows\ehome\ehtray.exe" [2008-04-14 50176]

"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 88363]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"ToolboxFX"="c:\program files\HP\ToolboxFX\bin\HPTLBXFX.exe" [2010-04-16 58936]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]

"Eraser"="c:\progra~1\Eraser\Eraser.exe" [2010-11-05 980368]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]

"McPvTray"="c:\program files\McAfee\Anti-Theft\McPvTray.exe" [2009-11-17 670312]

"SIE2007"="d:\winferno\Secure IE\SIEPulse.exe" [2007-06-12 71320]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]

"CTHelper"="CTHELPER.EXE" [2010-03-19 19456]

.

c:\documents and settings\kurth\Start Menu\Programs\Startup\

Password Safe.lnk - c:\program files\Password Safe\pwsafe.exe [2010-12-8 3501056]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Squeezebox Server Tray Tool.lnk - c:\program files\Squeezebox\SqueezeTray.exe [2010-12-30 2351191]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Sony\\click to dvd\\ctodvd-e.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Sony\\VAIO Media 4.0\\Vc.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9000:TCP"= 9000:TCP:Squeezebox Server 9000 tcp (UI)

"3483:UDP"= 3483:UDP:Squeezebox Server 3483 udp

"3483:TCP"= 3483:TCP:Squeezebox Server 3483 tcp

"9001:TCP"= 9001:TCP:Squeezebox Server 9001 tcp (UI)

"9002:TCP"= 9002:TCP:Squeezebox Server 9002 tcp (UI)

"9003:TCP"= 9003:TCP:Squeezebox Server 9003 tcp (UI)

"9004:TCP"= 9004:TCP:Squeezebox Server 9004 tcp (UI)

"9005:TCP"= 9005:TCP:Squeezebox Server 9005 tcp (UI)

"9006:TCP"= 9006:TCP:Squeezebox Server 9006 tcp (UI)

"9007:TCP"= 9007:TCP:Squeezebox Server 9007 tcp (UI)

"9008:TCP"= 9008:TCP:Squeezebox Server 9008 tcp (UI)

"9009:TCP"= 9009:TCP:Squeezebox Server 9009 tcp (UI)

"9010:TCP"= 9010:TCP:Squeezebox Server 9010 tcp (UI)

"9100:TCP"= 9100:TCP:Squeezebox Server 9100 tcp (UI)

"8000:TCP"= 8000:TCP:Squeezebox Server 8000 tcp (UI)

"10000:TCP"= 10000:TCP:Squeezebox Server 10000 tcp (UI)

"9090:TCP"= 9090:TCP:Squeezebox Server 9090 tcp (UI)

"5720:TCP"= 5720:TCP:Jumi Controller

"5720:UDP"= 5720:UDP:Jumi Controller

.

R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [11/17/2009 11:15 AM 63080]

R0 SonyLSM;LED State Service;c:\windows\system32\drivers\SonyLSM.sys [9/16/2003 12:30 PM 4736]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/7/2011 4:28 PM 84072]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/7/2011 4:28 PM 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [4/7/2011 4:28 PM 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [4/7/2011 4:19 PM 141792]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/7/2011 4:28 PM 313288]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/7/2011 4:28 PM 88544]

S1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [4/7/2011 4:29 PM 54776]

S2 GFIBckHAtt;GFI Backup 2009 - Home Edition Attendant Service;c:\progra~1\GFI\GFIBAC~1\GFIHInst.exe [3/3/2011 5:35 PM 858480]

S2 GFIBckHSched;GFI Backup 2009 - Home Edition Scheduler Service;c:\progra~1\GFI\GFIBAC~1\GFIHSC~1.EXE [3/3/2011 5:35 PM 2324848]

S2 HP LaserJet Service;HP LaserJet Service;c:\program files\HP\HPLaserJetService\HPLaserJetService.exe [4/12/2010 10:13 AM 142336]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/7/2011 4:28 PM 271480]

S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/7/2011 4:28 PM 271480]

S2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [4/13/2010 8:11 PM 229688]

S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 12:07 PM 35088]

S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [8/24/2007 3:53 PM 362992]

S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [8/24/2007 3:52 PM 309744]

S2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL --> c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL [?]

S2 squeezesvc;Squeezebox Server; [x]

S2 Winferno Subscription Service;Winferno Subscription Service;c:\program files\Common Files\Winferno\WSS\WSS.exe [4/7/2011 4:51 PM 139264]

S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/7/2011 4:28 PM 55840]

S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [3/18/2010 8:39 PM 99416]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [3/18/2010 8:39 PM 99416]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [4/11/2011 2:08 PM 79360]

S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [3/18/2010 8:39 PM 555096]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [3/18/2010 8:39 PM 555096]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [3/18/2010 8:39 PM 100952]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [3/18/2010 8:39 PM 100952]

S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [3/18/2010 8:39 PM 566360]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [3/18/2010 8:39 PM 566360]

S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\ICDUSB2.sys [11/28/2002 10:23 PM 39048]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\47.tmp --> c:\windows\system32\47.tmp [?]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/7/2011 4:28 PM 88544]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/7/2011 4:28 PM 84264]

S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [8/24/2007 3:53 PM 72176]

S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [8/24/2007 3:52 PM 1083888]

S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [4/1/2009 1:16 PM 11520]

S4 RoxWatch10;RoxWatch10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [8/24/2007 3:52 PM 166384]

S4 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [8/5/2009 4:58 PM 93872]

S4 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [5/5/2009 11:07 AM 202928]

S4 SessionLauncher;SessionLauncher; [x]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08

.

Contents of the 'Scheduled Tasks' folder

.

2011-04-25 c:\windows\Tasks\PCConfidential.job

- d:\winferno\PC Confidential\PCConfidential.exe [2011-04-07 15:59]

.

2011-04-25 c:\windows\Tasks\WSSHelper.job

- c:\program files\Common Files\Winferno\WSS\WSSHelper.exe [2011-04-07 22:16]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.nytimes.com/

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s%s

Trusted Zone: 3pardata.com\bugs

Trusted Zone: creative.com

Trusted Zone: dell.com\accessories.us

Trusted Zone: imagebam.com\www

Trusted Zone: intuit.com\ttlc

Trusted Zone: live.com\oncare

Trusted Zone: live.com\onecare

Trusted Zone: microsoft.com

Trusted Zone: sony.com\esupport

TCP: {635C05CE-B111-48A8-9099-45C273F2706C} = 151.164.8.201,68.73.20.40

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-25 19:24

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\47.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(508)

c:\program files\McAfee Online Backup\MOBKshell.dll

.

------------------------ Other Running Processes ------------------------

.

c:\progra~1\mcafee.com\agent\mcagent.exe

.

**************************************************************************

.

Completion time: 2011-04-25 19:28:35 - machine was rebooted

ComboFix-quarantined-files.txt 2011-04-26 00:28

ComboFix2.txt 2011-04-25 23:36

.

Pre-Run: 62,912,397,312 bytes free

Post-Run: 62,878,547,968 bytes free

.

- - End Of File - - C202F27DC85D19DF1563D4AE1CDFD1CC

#9 m0le



  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:02:39 PM

Posted 26 April 2011 - 04:44 PM

Nope, that's worked fine, kurth :)

Please next run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
m0le is a proud member of UNITE

#10 kurth

  • Topic Starter

  • Members
  • 9 posts
  • Local time:08:39 AM

Posted 27 April 2011 - 08:30 AM

Hi M0le,
That ran fine, but did find a rootkit indication in the restore point. As an aside, since the first run of ComboFix, I have not seen the script error windows again, although I haven't been using the machine very much during this process. I'll keep a closer eye on it today. Here is the MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6454

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

4/27/2011 8:21:08 AM
mbam-log-2011-04-27 (08-21-08).txt

Scan type: Full scan (C:\|D:\|G:\|)
Objects scanned: 301648
Time elapsed: 50 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{1227e41c-9b8d-4405-99ce-e3332de7ea59}\RP17\A0006047.sys (Rootkit.Patch) -> Quarantined and deleted successfully.

#11 m0le



  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:02:39 PM

Posted 27 April 2011 - 06:57 PM

Don't worry too much about the system restore folder; that would only be a problem if you tried to restore the system, and it would reinfect you. We won't be doing that!

Now scan with ESET's online system

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
If no log is generated that means nothing was found. Please let me know if this happens.
m0le is a proud member of UNITE

#12 kurth

  • Topic Starter

  • Members
  • 9 posts
  • Local time:08:39 AM

Posted 28 April 2011 - 07:45 AM

Hey M0le,
Here is the scan result from ESET:
C:\Documents and Settings\All Users\Documents\TEMP\registrybooster.exe Win32/RegistryBooster application deleted - quarantined
C:\Documents and Settings\All Users\Documents\TEMP\unlocker1.9.0.exe Win32/Adware.ADON application deleted - quarantined
C:\System Volume Information\_restore{1227E41C-9B8D-4405-99CE-E3332DE7EA59}\RP14\A0005250.rbf Win32/RegistryBooster application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1227E41C-9B8D-4405-99CE-E3332DE7EA59}\RP14\A0005251.rbf Win32/RegistryBooster application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1227E41C-9B8D-4405-99CE-E3332DE7EA59}\RP14\A0005252.rbf Win32/RegistryBooster application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1227E41C-9B8D-4405-99CE-E3332DE7EA59}\RP14\A0005253.rbf Win32/RegistryBooster application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1227E41C-9B8D-4405-99CE-E3332DE7EA59}\RP14\A0005254.rbf Win32/RegistryBooster application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1227E41C-9B8D-4405-99CE-E3332DE7EA59}\RP14\A0005255.rbf Win32/RegistryBooster application cleaned by deleting - quarantined

I think those were probably red herrings. They are both applications I installed when I first noticed the infection to help me get rid of the redirect.

Still no return of the IE script windows.

Thanks

#13 m0le



  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:02:39 PM

Posted 28 April 2011 - 06:21 PM

Yes, ESET (like most security companies) likes to remove registry cleaners if they are found. Here's why...

Bleeping Computer DOES NOT recommend the use of registry cleaners/optimizers for several reasons:

• Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.

• Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.

• Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.

• Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.

• The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".

Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.
The good news is that we are at the end of the fix. Please follow these last steps to complete...

You're clean. Good stuff! :thumbup2:

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


We Need to Clean Up our Mess
Download and Run OTC

We will now remove the tools we used during this fix using OTC.

  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

Use this next program to check for updates for programs already on your system. Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically, make sure that updates on any that are flagged are carried out as soon as possible

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15-day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it kurth, happy surfing!

Cheers.

m0le
m0le is a proud member of UNITE

#14 kurth

  • Topic Starter

  • Members
  • 9 posts
  • Local time:08:39 AM

Posted 28 April 2011 - 11:33 PM

m0le,
Thanks so much, you guys all rock! Can't thank you enough!

#15 m0le



  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:02:39 PM

Posted 29 April 2011 - 04:21 AM

You are welcome, kurth. :)
m0le is a proud member of UNITE
