
Rootkit Virus


  • This topic is locked
45 replies to this topic

#1 BetterServer

BetterServer

  • Members
  • 28 posts
  • OFFLINE
  • Gender:Male
  • Location:South Florida
  • Local time:05:49 AM

Posted 16 April 2011 - 05:14 PM

Hi, I had recently purchased and built a new barebone computer from Tiger Direct, installed Windows XP Pro and transferred my old files. Within a week it was getting slow, so I ran some different AV and spyware programs and they couldn't find anything wrong. I then tried ComboFix and it said I had a rootkit virus and it would need to reboot. I let it do its thing, and even though it found it, it wasn't able to remove it (in safe mode it doesn't even see it).

After a week of trying different ideas I decided to restart from scratch and not copy my old files, so I did a complete (raw NTFS) format, reinstalled Windows XP Pro and decided to test it with ComboFix. Well, needless to say, it is still there and I'm getting frustrated. Could it possibly be in the main board drivers DVD?

It's getting slower by the minute. Please help!
Note: Someone told me that it could be in my CMOS, so I reset that as well and no luck. I am attaching the last log from the last scan.

Thanx in advance!

Eric
I will check back every 30 minutes to an hour.

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

Attached Files





#2 BetterServer

BetterServer
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Gender:Male
  • Location:South Florida
  • Local time:05:49 AM

Posted 16 April 2011 - 05:29 PM

First, I would like you to know that this isn't a bump, and second, I want to apologize for not reading the rules before running the ComboFix program. Setting that aside, I won't do anything else without hearing from you first, and I will gladly donate for your time.

Thanx again,

Eric

#3 BetterServer

BetterServer
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Gender:Male
  • Location:South Florida
  • Local time:05:49 AM

Posted 16 April 2011 - 10:56 PM

Sorry for the delay (personal challenges). Also, one thing I didn't mention above was that I also used Stopzilla earlier (before contacting you) and I think this did more damage. I have removed it, but I am running even slower since.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Andre at 23:19:37.31 on Sat 04/16/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3439.2907 [GMT -4:00]
.
AV: McAfee® Security-as-a-Service Anti-virus *Disabled/Updated* {8C354827-2F54-4E28-90DC-AD391E77808C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\csasvc.exe
C:\WINDOWS\csifcsvc.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Andre.BURTONCPA\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No File
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\csconn~1.lnk - f:\wincsi\tools\ConnectBGDL.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R1 AppleCharger;AppleCharger;c:\windows\system32\drivers\AppleCharger.sys [2011-3-26 19496]
R2 CSAPrintService;Creative Solutions Accounting Print Service;c:\windows\csasvc.exe [2011-3-26 118784]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-8 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-3-26 47640]
R3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2011-3-26 41088]
S2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;"c:\program files\mcafee\siteadvisor enterprise\mcsacore.exe" --> c:\program files\mcafee\siteadvisor enterprise\McSACore.exe [?]
S2 myAgtSvc;McAfee Virus and Spyware Protection Service;"c:\program files\mcafee\managed virusscan\agent\myagtsvc.exe" /servicestart --> c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [?]
S2 RumorServer;McAfee Peer Distribution Service;"c:\program files\mcafee\managed virusscan\agent\myagtsvc.exe" /rundll=rumorserver.dll;servicehost --> c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-3-26 1691480]
S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
S3 etdrv;etdrv;c:\windows\etdrv.sys [2011-3-26 17488]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 Smart TimeLock;Smart TimeLock Service;c:\program files\gigabyte\smart6\timelock\TimeMgmtDaemon.exe [2011-3-26 114688]
S4 UNS;Intel® Management and Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2011-3-26 2655768]
.
=============== Created Last 30 ================
.
2011-04-16 20:06:28 89088 ----a-w- c:\windows\MBR.exe
2011-04-16 20:06:28 256512 ----a-w- c:\windows\PEV.exe
2011-04-16 20:06:28 161792 ----a-w- c:\windows\SWREG.exe
2011-04-16 19:55:57 -------- d-----w- c:\windows\system32\appmgmt
2011-04-16 17:03:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2011-04-15 18:56:05 56400 ----a-w- c:\windows\system32\drivers\tmrkb.sys
2011-04-15 18:56:05 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-04-15 17:38:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-04-15 15:37:05 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2011-04-15 15:37:05 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-04-07 13:40:15 -------- d-----w- c:\docume~1\andre~1.bur\locals~1\applic~1\Ilivid Player
2011-04-07 01:29:32 98816 ----a-w- c:\windows\sed.exe
2011-04-04 02:37:01 -------- d-----w- c:\docume~1\andre~1.bur\applic~1\Windows Search
2011-04-03 16:07:13 -------- d-----w- c:\docume~1\andre~1.bur\applic~1\searchquband
2011-04-03 16:05:46 -------- d-----w- c:\program files\ilivid
2011-04-03 16:05:42 -------- d-----w- c:\docume~1\andre~1.bur\applic~1\searchqutoolbar
2011-04-03 16:05:30 -------- d-----w- c:\program files\Windows ilivid Toolbar
2011-04-03 16:05:23 -------- d-----w- c:\docume~1\andre~1.bur\locals~1\applic~1\PackageAware
2011-04-01 01:16:43 -------- d-sha-r- C:\cmdcons
2011-03-30 14:52:17 -------- d-----w- c:\docume~1\andre~1.bur\locals~1\applic~1\Identities
2011-03-30 14:52:13 -------- d-----w- c:\docume~1\andre~1.bur\applic~1\Windows Desktop Search
2011-03-30 14:51:21 -------- d-----w- c:\windows\system32\GroupPolicy
2011-03-30 14:51:21 -------- d-----w- c:\program files\Windows Desktop Search
2011-03-27 21:05:30 -------- d--h--w- c:\windows\PIF
2011-03-27 20:54:35 -------- d-----w- C:\ALPHA4
2011-03-27 16:03:24 -------- d-----w- c:\windows\APW_DATA
2011-03-27 00:19:54 -------- d-----w- C:\Backup & Restore Files
2011-03-27 00:06:11 -------- d-----w- C:\WINCSI.NET
2011-03-26 23:56:11 -------- d-----w- c:\docume~1\andre~1.bur\locals~1\applic~1\Temp
2011-03-26 22:23:35 18368 ----a-w- c:\windows\system\SHWIND20.DLL
2011-03-26 21:58:43 430080 ----a-r- c:\windows\system32\HP2030SM.EXE
2011-03-26 21:58:42 81920 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\zimfprnt.dll
2011-03-26 21:58:42 65536 ----a-w- c:\windows\system32\zjbig.dll
2011-03-26 21:58:42 155648 ----a-w- c:\windows\system32\hpsfs.dll
2011-03-26 21:58:42 114688 ----a-w- c:\windows\system32\HPMCoSetup.dll
2011-03-26 21:58:41 143360 ----a-w- c:\windows\system32\HP2030LM.DLL
2011-03-26 21:54:30 -------- d-----w- c:\program files\HP
2011-03-26 21:48:57 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-03-26 21:48:57 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-03-26 21:37:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alpha Software
2011-03-26 21:37:55 -------- d-----w- c:\docume~1\andre~1.bur\applic~1\Alpha Software
2011-03-26 21:37:34 4194304 ----a-w- c:\windows\system32\cdintf400.dll
2011-03-26 21:36:22 -------- d-----w- c:\program files\a5V10
2011-03-26 21:26:45 -------- d-----w- c:\docume~1\andre~1.bur\locals~1\applic~1\Adobe
2011-03-26 21:04:10 306688 ----a-w- c:\windows\IsUninst.exe
2011-03-26 21:03:34 118784 ----a-w- c:\windows\csasvc.exe
2011-03-26 21:03:30 115712 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\csantprt.dll
2011-03-26 21:03:30 11264 ----a-w- c:\windows\espurge.exe
2011-03-26 21:03:04 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2011-03-26 21:03:02 29696 ----a-w- c:\windows\system32\xmlinst.exe
2011-03-26 21:03:02 295696 ----a-w- c:\program files\common files\system\ole db\MSJTOR35.DLL
2011-03-26 21:03:02 24576 ----a-w- c:\windows\system32\msxml3a.dll
2011-03-26 21:03:01 1234704 ----a-w- c:\windows\system32\MSJT4JLT.DLL
2011-03-26 21:02:27 499712 ----a-w- c:\windows\system32\Msvcp71.dll
2011-03-26 21:02:27 348160 ----a-w- c:\windows\system32\Msvcr71.dll
2011-03-26 21:02:27 1060864 ----a-w- c:\windows\system32\Mfc71.dll
2011-03-26 21:02:25 415504 ----a-w- c:\windows\system32\msrepl35.dll
2011-03-26 21:02:25 368912 ----a-w- c:\windows\system32\vbar332.dll
2011-03-26 21:02:25 24848 ----a-w- c:\windows\system32\msjter35.dll
2011-03-26 21:02:25 123664 ----a-w- c:\windows\system32\msjint35.dll
2011-03-26 21:02:24 252176 ----a-w- c:\windows\system32\msrd2x35.dll
2011-03-26 21:02:24 1050896 ----a-w- c:\windows\system32\msjet35.dll
2011-03-26 21:02:23 570128 ----a-w- c:\program files\common files\microsoft shared\dao\dao350.dll
2011-03-26 21:02:21 -------- d-----w- c:\program files\common files\Creative Solutions
2011-03-26 21:01:53 136192 ----a-w- c:\windows\csifcsvc.exe
2011-03-26 21:01:51 12800 ----a-w- c:\windows\fcpurge.exe
2011-03-26 21:01:50 116736 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\csintprt.dll
2011-03-26 20:45:52 339968 ------w- c:\windows\Setup1.exe
2011-03-26 20:45:49 73216 ----a-w- c:\windows\ST6UNST.EXE
2011-03-26 20:43:30 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-03-26 20:43:30 215920 ----a-w- c:\windows\system32\muweb.dll
2011-03-26 20:43:30 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-03-26 20:34:50 -------- d-----w- C:\Outlook
2011-03-26 20:34:21 68 ----a-w- C:\asbper.bat
2011-03-26 20:34:21 51308 ----a-w- C:\PKZIP.EXE
2011-03-26 20:34:21 352 ----a-w- C:\ASBPERRE.BAT
2011-03-26 20:34:21 34335 ----a-w- C:\PKUNZIP.EXE
2011-03-26 20:34:21 331 ----a-w- C:\ASBPERBE.BAT
2011-03-26 20:34:21 281 ----a-w- C:\ASBCLIRE.BAT
2011-03-26 20:34:21 128 ----a-w- C:\asbdbase.bat
2011-03-26 20:33:47 -------- d-----w- C:\Outlook Archives
2011-03-26 20:33:08 -------- d---a-w- C:\TC
2011-03-26 20:32:56 -------- d-----w- c:\documents and settings\all users\Microsoft
2011-03-26 20:31:29 -------- d-----w- c:\program files\Microsoft Analysis Services
2011-03-26 20:31:23 -------- d-----w- c:\windows\SHELLNEW
2011-03-26 20:31:06 -------- d-----w- c:\docume~1\andre~1.bur\locals~1\applic~1\Microsoft Help
2011-03-26 20:28:41 -------- d-----w- c:\docume~1\andre~1.bur\locals~1\applic~1\LogMeIn
2011-03-26 20:28:38 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2011-03-26 20:28:38 29568 ----a-w- c:\windows\system32\LMIport.dll
2011-03-26 20:28:37 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-03-26 20:28:37 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
2011-03-26 20:28:32 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-03-26 20:28:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\LogMeIn
2011-03-26 20:28:05 -------- d-----w- c:\program files\LogMeIn
2011-03-26 20:25:51 -------- d-----w- c:\docume~1\andre~1.bur\locals~1\applic~1\Deployment
2011-03-26 20:24:27 -------- d-sh--w- c:\documents and settings\andre.burtoncpa\IECompatCache
2011-03-26 20:24:10 -------- d-sh--w- c:\documents and settings\andre.burtoncpa\PrivacIE
2011-03-26 20:01:43 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2011-03-26 20:01:41 -------- d-sh--w- c:\documents and settings\andre.burtoncpa\IETldCache
.
==================== Find3M ====================
.
2011-04-04 03:36:38 17488 ----a-w- c:\windows\gdrv.sys
2011-03-26 22:26:36 696 ----a-w- c:\windows\WPSH20.REG
2011-03-26 22:26:36 1482 ----a-w- c:\windows\prcfg30.reg
2011-03-26 22:26:36 1272 ----a-w- c:\windows\ENVOY.REG
2011-03-26 22:26:35 650 ----a-w- c:\windows\QPW.REG
2011-03-26 22:26:35 4404 ----a-w- c:\windows\prwin30.reg
2011-03-26 22:26:34 7394 ----a-w- c:\windows\wpwin61.reg
2011-03-26 22:26:34 60 ----a-w- c:\windows\wpdraw30.reg
2011-03-26 22:26:34 2375 ----a-w- c:\windows\wpcfg61.reg
2011-03-26 20:45:59 32768 ----a-w- c:\windows\system32\CPASIN32.DLL
2011-03-26 18:15:36 17488 ----a-w- c:\windows\etdrv.sys
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ------w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ------w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ------w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-19 15:18:20 145936 ----a-w- c:\windows\system32\mfevtps.exe
.
============= FINISH: 23:19:44.65 ===============

Attached Files
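As an added example that is not part of this thread or of the DDS tool, here is a small Python triage script for the DDS log format posted above: it parses the SERVICES / DRIVERS and Created Last 30 sections and lists the entries a responder would check first (kernel drivers loading from outside system32\drivers, services whose image line ends in [?] or [x], and new binaries dropped straight into the Windows root). The sample input is a constructed subset of the log above; reading [?]/[x] as "image not verified" and the flagging rules themselves are this example's own assumptions, not documented DDS behaviour.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Line shapes seen in the DDS log (a constructed subset is embedded below).
SERVICE_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.*)$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+) (\S+) (.+)$")

DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
WIN_ROOT = "c:\\windows\\"
BINARY_EXT = (".exe", ".sys", ".dll", ".scr")


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reason: str


def image_path(rest: str) -> str:
    """Extract the image path from the tail of a SERVICES / DRIVERS line.

    Tail forms in the log: 'path [date size]', '"cmd" args --> path [?]'
    and ' [x]' when no usable image path was recorded.
    """
    body = rest.rsplit(" [", 1)[0] if " [" in rest else rest
    if " --> " in body:
        body = body.split(" --> ", 1)[1]
    return body.strip().strip('"')


def section_of(header: str) -> Optional[str]:
    """Map a '==== Name ====' header line to the sections this triage uses."""
    name = header.strip("= ").lower()
    if "services" in name:
        return "services"
    if "created" in name:
        return "created"
    return None


def triage(log: str) -> List[Finding]:
    """Return review-worthy entries; a hit is a prompt to look, not a verdict."""
    findings: List[Finding] = []
    section = None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("===="):
            section = section_of(line)
            continue
        if section == "services":
            m = SERVICE_RE.match(line)
            if not m:
                continue
            _state, _start, name, _display, rest = m.groups()
            path = image_path(rest)
            # Assumption: a trailing [?] or [x] means DDS could not verify the image file.
            if rest.rstrip().endswith(("[?]", "[x]")):
                findings.append(Finding("services", name, path, "image file not verified by DDS"))
            elif path.lower().endswith(".sys") and not path.lower().startswith(DRIVER_DIR):
                findings.append(Finding("services", name, path, "kernel driver outside system32\\drivers"))
        elif section == "created":
            m = CREATED_RE.match(line)
            if not m:
                continue
            _date, _time, _size, attrs, path = m.groups()
            low = path.lower()
            if attrs.startswith("d"):
                continue  # directory entry
            # Binaries dropped straight into c:\windows (no subfolder) deserve a look; cleanup
            # tools such as ComboFix place helpers there too, so this is a review list only.
            if low.startswith(WIN_ROOT) and "\\" not in low[len(WIN_ROOT):] and low.endswith(BINARY_EXT):
                findings.append(Finding("created", path.rsplit("\\", 1)[-1], path, "new binary in the Windows root"))
    return findings


# Constructed subset of the DDS log posted above, used as sample input.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============
.
R1 AppleCharger;AppleCharger;c:\windows\system32\drivers\AppleCharger.sys [2011-3-26 19496]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856]
S2 myAgtSvc;McAfee Virus and Spyware Protection Service;"c:\program files\mcafee\managed virusscan\agent\myagtsvc.exe" /servicestart --> c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [?]
S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
S3 etdrv;etdrv;c:\windows\etdrv.sys [2011-3-26 17488]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-04-16 20:06:28 89088 ----a-w- c:\windows\MBR.exe
2011-04-16 19:55:57 -------- d-----w- c:\windows\system32\appmgmt
2011-04-15 18:56:05 56400 ----a-w- c:\windows\system32\drivers\tmrkb.sys
2011-04-07 01:29:32 98816 ----a-w- c:\windows\sed.exe
2011-03-26 21:03:34 118784 ----a-w- c:\windows\csasvc.exe
2011-03-26 20:34:21 51308 ----a-w- C:\PKZIP.EXE
.
==================== Find3M ====================
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:8} {f.name:18} {f.reason:40} {f.path}")
```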



#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:49 AM

Posted 26 April 2011 - 06:32 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#5 BetterServer

BetterServer
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Gender:Male
  • Location:South Florida
  • Local time:05:49 AM

Posted 26 April 2011 - 07:11 PM

Hi m0le,

I'm here and I'm ready, willing and able.

Thanx!

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:49 AM

Posted 26 April 2011 - 07:25 PM

Did Combofix explain which rootkit it had found? The Combofix and Gmer logs show nothing.

Please run TDSSKiller

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If malicious objects are found, ensure Cure is selected, then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

m0le is a proud member of UNITE

#7 BetterServer

BetterServer
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Gender:Male
  • Location:South Florida
  • Local time:05:49 AM

Posted 26 April 2011 - 07:34 PM

No threats were found...

2011/04/26 20:32:12.0656 2584 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/26 20:32:13.0078 2584 ================================================================================
2011/04/26 20:32:13.0078 2584 SystemInfo:
2011/04/26 20:32:13.0078 2584
2011/04/26 20:32:13.0078 2584 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/26 20:32:13.0078 2584 Product type: Workstation
2011/04/26 20:32:13.0078 2584 ComputerName: BURTON-XP
2011/04/26 20:32:13.0078 2584 UserName: Andre
2011/04/26 20:32:13.0078 2584 Windows directory: C:\WINDOWS
2011/04/26 20:32:13.0078 2584 System windows directory: C:\WINDOWS
2011/04/26 20:32:13.0078 2584 Processor architecture: Intel x86
2011/04/26 20:32:13.0078 2584 Number of processors: 4
2011/04/26 20:32:13.0078 2584 Page size: 0x1000
2011/04/26 20:32:13.0078 2584 Boot type: Normal boot
2011/04/26 20:32:13.0078 2584 ================================================================================
2011/04/26 20:32:13.0218 2584 Initialize success
2011/04/26 20:32:19.0921 3620 ================================================================================
2011/04/26 20:32:19.0921 3620 Scan started
2011/04/26 20:32:19.0921 3620 Mode: Manual;
2011/04/26 20:32:19.0921 3620 ================================================================================
2011/04/26 20:32:20.0515 3620 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/26 20:32:20.0546 3620 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/04/26 20:32:20.0593 3620 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/04/26 20:32:20.0640 3620 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/04/26 20:32:20.0734 3620 Ambfilt (267fc636801edc5ab28e14036349e3be) C:\WINDOWS\system32\drivers\Ambfilt.sys
2011/04/26 20:32:20.0765 3620 AppleCharger (75a8b998eb259dd512f01ea25bec7f3b) C:\WINDOWS\system32\DRIVERS\AppleCharger.sys
2011/04/26 20:32:20.0812 3620 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/26 20:32:20.0828 3620 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/26 20:32:20.0843 3620 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/26 20:32:20.0890 3620 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/26 20:32:21.0000 3620 BeatTrojanHelperOne (9171f7cf89beaf73a430cfa97554cd13) C:\Documents and Settings\Andre.BURTONCPA\Desktop\MosoForceDelete\ForceDelete\BeatTrojanHelperOne.sys
2011/04/26 20:32:21.0046 3620 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/04/26 20:32:21.0140 3620 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/26 20:32:21.0171 3620 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/26 20:32:21.0187 3620 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/26 20:32:21.0187 3620 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/26 20:32:21.0250 3620 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/26 20:32:21.0281 3620 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/04/26 20:32:21.0312 3620 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/04/26 20:32:21.0328 3620 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/04/26 20:32:21.0343 3620 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/04/26 20:32:21.0359 3620 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/26 20:32:21.0390 3620 etdrv (3af0ae042afe486b22644cd3fbebf2e2) C:\WINDOWS\etdrv.sys
2011/04/26 20:32:21.0421 3620 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/26 20:32:21.0437 3620 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/04/26 20:32:21.0437 3620 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/04/26 20:32:21.0453 3620 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/04/26 20:32:21.0468 3620 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/04/26 20:32:21.0484 3620 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/26 20:32:21.0484 3620 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/26 20:32:21.0515 3620 gdrv (d556cb79967e92b5cc69686d16c1d846) C:\WINDOWS\gdrv.sys
2011/04/26 20:32:21.0515 3620 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/26 20:32:21.0546 3620 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/04/26 20:32:21.0562 3620 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/04/26 20:32:21.0625 3620 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/26 20:32:21.0671 3620 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/26 20:32:21.0765 3620 ialm (9715ccce3b45fef831e7d4655f7f2cb9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/04/26 20:32:21.0781 3620 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/04/26 20:32:21.0890 3620 IntcAzAudAddService (5707cec38db61b96079e6a14b4702446) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/04/26 20:32:21.0953 3620 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/04/26 20:32:21.0968 3620 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/04/26 20:32:22.0000 3620 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/04/26 20:32:22.0000 3620 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/26 20:32:22.0015 3620 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/26 20:32:22.0015 3620 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/26 20:32:22.0031 3620 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/26 20:32:22.0046 3620 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/26 20:32:22.0046 3620 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/26 20:32:22.0062 3620 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/04/26 20:32:22.0093 3620 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/04/26 20:32:22.0125 3620 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/26 20:32:22.0156 3620 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
2011/04/26 20:32:22.0187 3620 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
2011/04/26 20:32:22.0203 3620 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2011/04/26 20:32:22.0234 3620 MEI (cfcb18986426a2d8e66f1992636221d0) C:\WINDOWS\system32\DRIVERS\HECI.sys
2011/04/26 20:32:22.0250 3620 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/26 20:32:22.0265 3620 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/04/26 20:32:22.0312 3620 Monfilt (c7d9f9717916b34c1b00dd4834af485c) C:\WINDOWS\system32\drivers\Monfilt.sys
2011/04/26 20:32:22.0328 3620 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/26 20:32:22.0343 3620 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/04/26 20:32:22.0359 3620 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/26 20:32:22.0375 3620 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/26 20:32:22.0421 3620 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/26 20:32:22.0437 3620 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/04/26 20:32:22.0468 3620 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/26 20:32:22.0468 3620 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/26 20:32:22.0484 3620 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/26 20:32:22.0500 3620 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/26 20:32:22.0515 3620 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/04/26 20:32:22.0531 3620 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/04/26 20:32:22.0546 3620 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/04/26 20:32:22.0578 3620 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/04/26 20:32:22.0593 3620 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/04/26 20:32:22.0609 3620 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/04/26 20:32:23.0843 3620 ================================================================================
2011/04/26 20:32:23.0843 3620 Scan finished
2011/04/26 20:32:23.0843 3620 ================================================================================

#8 m0le (Malware Response Team)

Posted 26 April 2011 - 07:35 PM

Okay, please find the Combofix quarantine log

Please go to Start > Run, copy/paste the following, then press Enter:

C:\QooBox\ComboFix-quarantined-files.txt

A log file should open. Please post that in your next reply.
m0le is a proud member of UNITE

#9 BetterServer (Topic Starter)

Posted 26 April 2011 - 07:44 PM

I found a quarantine folder at C:\Qoobox\Quarantine but not a quarantined-files.txt file.

#10 BetterServer (Topic Starter)

Posted 26 April 2011 - 07:48 PM

My bad, I found it.


#11 m0le (Malware Response Team)

Posted 27 April 2011 - 06:38 PM

Please run MBAM next

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
m0le is a proud member of UNITE

#12 BetterServer (Topic Starter)

Posted 27 April 2011 - 07:22 PM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6460

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/27/2011 8:01:38 PM
mbam-log-2011-04-27 (20-01-38).txt

Scan type: Full scan (C:\|)
Objects scanned: 208579
Time elapsed: 8 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 m0le (Malware Response Team)

Posted 27 April 2011 - 07:25 PM

Well, that's a nice log. :)

Please run the ESET scanner next

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
If no log is generated that means nothing was found. Please let me know if this happens.
m0le is a proud member of UNITE

#14 BetterServer (Topic Starter)

Posted 27 April 2011 - 07:27 PM

Hey m0le, I have to say again this is all very strange. In the beginning there were infections and most everything was removed, but now everything is claiming there are no infections, the system barely has anything on it and the scans go rather fast too; however, the computer itself, which is an extremely fast computer, is still running slow and the rootkit files are still there. I haven't run Combofix since you have been helping me, but I guarantee if I do it will say that there is a rootkit and it needs to reboot.

Have you seen this before?

#15 m0le (Malware Response Team)

Posted 27 April 2011 - 07:33 PM

Yes, I have. I need to make sure that there is no other malware on the machine before we rerun Combofix. After ESET please rerun Combofix and let's see what it does.
m0le is a proud member of UNITE