
Gmer Scan Error


This topic is locked
24 replies to this topic

#1 solarfog


Posted 09 June 2011 - 10:28 PM

While trying to perform the prep work for asking for help I keep getting quick blue screen errors and restarts. Only once have I seen the blue screen error last long enough to read it (I unplugged the power to restart), but I did not copy the information down, nor do I remember it. The blue screen error appeared at least once during the scanning of a folder called quarantine (5 hours in) and at least once during what appeared to be a temporary internet file for flash websites (half an hour in).

I'm currently having problems with Google search links redirecting, no sound for flash, and audio from various commercials that I cannot see and do not appear to have opened. (Only mentioning these as it might help with solving the problem of this topic.)

Here is the DDS:

.
DDS (Ver_2011-06-02.03) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by Freeter Otaku at 10:38:15 on 2011-06-09
.
============== Running Processes ===============
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Desktop\PC Toolbox\dds.scr
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com/?o=0&l=dir
uInternet Connection Wizard,ShellNext = hxxp://peregrine.fsc.edu/
mSearchAssistant = hxxp://www.google.com/ie
BHO: Yahoo! Companion BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_5_7_0.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\Scriptcl.dll
TB: Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_5_7_0.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [POINTER] point32.exe
mRun: [NGClient] c:\program files\symantec\ghost\ngctw32.exe
mRun: [TaskMon] c:\windows\system32\taskmon.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://207.188.7.150/1410e38890b84fa06020/netzip/RdxIE601.cab
DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} - hxxp://www.office.microsoft.com/productupdates/content/opuc.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1287095499203
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX28.cab
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.67.0.cab
DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - hxxp://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37762.4222800926
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/plugins/activex/YoYo.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 207.217.126.81 207.217.77.82
TCP: Interfaces\{5DBEAF5B-DAF4-4748-9C53-49951606E773} : DhcpNameServer = 207.217.126.81 207.217.77.82
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
.
============= SERVICES / DRIVERS ===============
.
R? GhPostConfig;GhostPostConfig - Boot Phase Driver
R? GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver
R? MBAMSwissArmy;MBAMSwissArmy
R? OracleOraHome81ClientCache;OracleOraHome81ClientCache
S? ActionAgent;ActionAgent
S? AE1000;Linksys AE1000 Driver
S? DLT;DLT
S? McShield;McAfee McShield
S? McTaskManager;McAfee Task Manager
S? mfeavfk;McAfee Inc.
S? mfebopk;McAfee Inc.
S? mfehidk;McAfee Inc.
S? NGClient;Symantec Ghost Client Agent
.
=============== Created Last 30 ================
.
2011-05-31 18:54:33 -------- d-----w- c:\program files\GMATPrep
2011-05-29 23:59:45 -------- d-----w- C:\LemmingballZ
2011-05-25 23:50:16 -------- d-----w- c:\program files\Bonjour
2011-05-22 04:00:33 -------- d-----w- c:\program files\ESET
2011-05-20 04:12:13 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2011-05-20 04:11:56 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-20 04:11:54 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-05-20 04:11:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20:16 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 20:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
============= FINISH: 10:42:17.31 ===============

attach.txt is attached.

Edited by solarfog, 09 June 2011 - 10:29 PM.




#2 CatByte

Malware Response Team

Posted 10 June 2011 - 02:19 PM

Hi

Please run the following:

Scan With RootKitUnHooker

  • Please Download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers and Stealth
  • Uncheck the rest. then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished and then click File > Save Report.
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of the report and paste it in your next reply.

Note: you may get the following warning; just click OK and continue.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 solarfog


Posted 12 June 2011 - 08:34 AM

LOL. Love that this program asks "Hmm, are you sure? :)" when you go to close it! Anyway, here's the report (should I just post this along with dds results and attach.txt?):

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2188928 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2188928 bytes
0x804D7000 RAW 2188928 bytes
0x804D7000 WMIxWDM 2188928 bytes
0xBF800000 Win32k 1847296 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1847296 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBFA43000 C:\WINDOWS\System32\ati3d1ag.dll 872448 bytes (ATI Technologies Inc. , ati3d1ag.dll)
0xECC53000 C:\WINDOWS\system32\DRIVERS\AE1000XP.sys 815104 bytes (Ralink Technology, Corp., Ralink 802.11 USB Wireless Adapter Driver)
0xF8048000 C:\WINDOWS\System32\DRIVERS\ati2mtag.sys 815104 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xF8623000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF7F4B000 C:\WINDOWS\system32\drivers\smwdm.sys 479232 bytes (Analog Devices, Inc., SoundMAX Integrated Digital Audio )
0xECD1A000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF6FAA000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xECE4D000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xBA5E2000 C:\WINDOWS\System32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
0xB9C83000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xECF10000 C:\WINDOWS\System32\Drivers\cdudf_xp.SYS 237568 bytes (Roxio, CD-UDF NT Filesystem Driver)
0xBFA0B000 C:\WINDOWS\System32\ati2cqag.dll 229376 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xBF9D5000 C:\WINDOWS\System32\ati2dvag.dll 221184 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xECECB000 C:\WINDOWS\System32\Drivers\UdfReadr_xp.SYS 208896 bytes (Roxio, CD-UDF NT Filesystem Reader Driver)
0xF7008000 C:\WINDOWS\System32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF8767000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xBA774000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF85F6000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB94FC000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xECDB2000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xBA452000 C:\WINDOWS\system32\drivers\mfehidk.sys 163840 bytes (McAfee, Inc., Host Intrusion Detection Link Driver)
0xECDFF000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF8711000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xECE27000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xF7F27000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF8010000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF7FD9000 C:\WINDOWS\System32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xBA06F000 C:\WINDOWS\System32\Drivers\RDPWD.SYS 143360 bytes (Microsoft Corporation, RDP Terminal Stack Driver (US/Canada Only, Not for Export))
0xECDDD000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806EE000 ACPI_HAL 131840 bytes
0x806EE000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF86D9000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF8737000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF85DC000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF7FC0000 C:\WINDOWS\System32\Drivers\pwd_2k.SYS 102400 bytes (Roxio, Win2000 Framework for Packet Write Driver)
0xF86F9000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xECC3B000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF86B0000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF7F10000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB9E02000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF7FFC000 C:\WINDOWS\System32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF8034000 C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xECEA6000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF9C3000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF86C7000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF8756000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF7EFF000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF76E1000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF8996000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xB9E57000 C:\WINDOWS\system32\drivers\mfeavfk.sys 65536 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0xF8976000 C:\WINDOWS\System32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF8986000 C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS 61440 bytes (Roxio, CDR4_XP CDR Helper)
0xF89C6000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xB99B8000 C:\WINDOWS\system32\drivers\mfeapfk.sys 61440 bytes (McAfee, Inc., Access Protection Filter Driver)
0xF89A6000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB9ED7000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF8946000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF87F6000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF8966000 C:\WINDOWS\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF89D6000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF87D6000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF7761000 C:\WINDOWS\system32\drivers\mfetdik.sys 49152 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
0xF8A06000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF8806000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)
0xF7721000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF89B6000 C:\WINDOWS\System32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF87C6000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF89E6000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF87B6000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF8926000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF88F6000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xB9804000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xF87E6000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF8956000 C:\WINDOWS\System32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF8A26000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF7751000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xF7711000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF8B36000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF8AD6000 C:\WINDOWS\System32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF8ADE000 C:\WINDOWS\System32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xBA8B9000 C:\WINDOWS\system32\drivers\mfebopk.sys 28672 bytes (McAfee, Inc., Buffer Overflow Protection Driver)
0xF8A36000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF8AF6000 C:\WINDOWS\System32\Drivers\Cdralw2k.SYS 24576 bytes (Roxio, CDRAL for Windows 2000 Kernel Driver)
0xF8AFE000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF8AE6000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF8B26000 C:\WINDOWS\System32\Drivers\mmc_2K.SYS 24576 bytes (Roxio, CD-R/RW AddOn MMC Driver (W2K))
0xF8AEE000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF8A96000 C:\WINDOWS\System32\Drivers\TDTCP.SYS 24576 bytes (Microsoft Corporation, TCP Transport Driver)
0xF8ACE000 C:\WINDOWS\System32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF8B2E000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF8B1E000 C:\WINDOWS\System32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF8B0E000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF8A3E000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF8AC6000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF8B16000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF8B06000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF8B4E000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF811B000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF812B000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF8113000 C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS 16384 bytes (Dell Computer Corporation, OMCI Device Driver)
0xF8C62000 C:\WINDOWS\System32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF8BC6000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF7A7C000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF8C5E000 C:\WINDOWS\System32\DRIVERS\IPFilter.sys 12288 bytes (Microsoft Corporation, Microsoft IntelliPoint)
0xF8C66000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF8117000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF8D1E000 C:\WINDOWS\system32\drivers\aeaudio.sys 8192 bytes (Andrea Electronics Corporation, Andrea Audio Stub Driver)
0xF8CE8000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF8CBC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF8D04000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF8CE6000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF8CBA000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF8CB6000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF8CEA000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF8CE2000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF8CEC000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF8CD8000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF8CDA000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF8CB8000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF8E07000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF8E14000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF8E88000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF8D7E000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xF8E06000 C:\WINDOWS\system32\drivers\SENSUPGD.SYS 4096 bytes (Sensaura Ltd, Sensaura Upgrade)
==============================================
>Stealth
==============================================
0x8330AA91 Unknown page with executable code, 1391 bytes
0x83309288 Unknown page with executable code, 3448 bytes
0x8330B191 Unknown page with executable code, 3695 bytes
0xF87D6000 WARNING: Virus alike driver modification [VolSnap.sys], 53248 bytes
0x8330DE7A Unknown thread object [ ETHREAD 0x832AF020 ] TID: 124, 600 bytes
0x83310008 Unknown thread object [ ETHREAD 0x832CA790 ] TID: 128, 600 bytes
0x8330FCDC Unknown page with executable code, 804 bytes

Edited by solarfog, 12 June 2011 - 08:45 AM.
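Reading the Stealth findings in the report above is something the helper does by eye. As an added example (not code from the thread or from Rootkit Unhooker), the Python below parses the report's ">Drivers" and ">Stealth" sections, ranks each finding, and cross-checks a driver-modification warning against the loaded-driver table, which is the finding that turns a routine log into a rootkit case. The embedded sample reuses a few lines from the report above; the regexes and the severity labels are my assumptions about the format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: the ">Stealth" block and two ">Drivers" lines taken from the
# Rootkit Unhooker report posted above (the rest of the driver list is omitted).
RKU_REPORT = """RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
>Drivers
==============================================
0xF87D6000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xB9804000 C:\\WINDOWS\\System32\\Drivers\\BlackBox.SYS 36864 bytes (RKU Driver)
==============================================
>Stealth
==============================================
0x8330AA91 Unknown page with executable code, 1391 bytes
0x83309288 Unknown page with executable code, 3448 bytes
0xF87D6000 WARNING: Virus alike driver modification [VolSnap.sys], 53248 bytes
0x8330DE7A Unknown thread object [ ETHREAD 0x832AF020 ] TID: 124, 600 bytes
0x8330FCDC Unknown page with executable code, 804 bytes
"""

# Assumed line formats (derived from the report above, not from RKU documentation).
SECTION_RE = re.compile(r"^>(\w+)\s*$")
DRIVER_RE = re.compile(r"^(0x[0-9A-Fa-f]+)\s+(\S+)\s+(\d+) bytes(?:\s+\((.*)\))?\s*$")
STEALTH_RE = re.compile(r"^(0x[0-9A-Fa-f]+)\s+(.*?),\s+(\d+) bytes\s*$")
MODIFIED_RE = re.compile(r"driver modification \[(?P<name>[^\]]+)\]")


@dataclass
class Finding:
    address: int
    size: int
    text: str
    severity: str                       # "high", "medium" or "info"
    driver: Optional[str] = None        # name from a driver-modification warning
    matches_driver_table: bool = False  # address and size agree with ">Drivers"


def parse_sections(report: str) -> Dict[str, List[str]]:
    """Split the report into its '>Name' sections; '=====' rules are separators."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="}:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_drivers(lines: List[str]) -> Dict[int, Tuple[str, int, str]]:
    """Map load address -> (image name, size, vendor/description)."""
    drivers: Dict[int, Tuple[str, int, str]] = {}
    for line in lines:
        m = DRIVER_RE.match(line)
        if m:
            drivers[int(m.group(1), 16)] = (m.group(2), int(m.group(3)), m.group(4) or "")
    return drivers


def triage_stealth(lines: List[str], drivers: Dict[int, Tuple[str, int, str]]) -> List[Finding]:
    """Rank each Stealth line; a modified driver image is the most urgent finding."""
    findings: List[Finding] = []
    for line in lines:
        m = STEALTH_RE.match(line)
        if not m:
            continue
        addr, text, size = int(m.group(1), 16), m.group(2), int(m.group(3))
        mod = MODIFIED_RE.search(text)
        if mod:
            # The in-memory image of a loaded driver no longer matches what is on
            # disk. Cross-check the address and size against the driver table so a
            # stray or mis-parsed line is not reported as a confirmed hit.
            loaded = drivers.get(addr)
            consistent = loaded is not None and loaded[1] == size
            findings.append(Finding(addr, size, text, "high", mod.group("name"), consistent))
        elif text.startswith(("Unknown page with executable code", "Unknown thread object")):
            # Code or threads not owned by any listed module: hidden code, worth a
            # second look, but not by itself proof of infection.
            findings.append(Finding(addr, size, text, "medium"))
        else:
            findings.append(Finding(addr, size, text, "info"))
    return findings


def triage_report(report: str) -> List[Finding]:
    sections = parse_sections(report)
    drivers = parse_drivers(sections.get("Drivers", []))
    return triage_stealth(sections.get("Stealth", []), drivers)


if __name__ == "__main__":
    for f in triage_report(RKU_REPORT):
        print(f"{f.severity:6} 0x{f.address:08X} {f.size:6d} {f.text}")
```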


#4 CatByte

Malware Response Team

Posted 12 June 2011 - 08:47 AM

Hi

Please do the following:


Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

NEXT


Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.



#5 solarfog


Posted 12 June 2011 - 06:33 PM

Downloaded and extracted TDSSKiller but when I tried to Run it nothing happened. I also tried running it with anti-virus off. Should I move on to ComboFix?

#6 CatByte

Malware Response Team

Posted 12 June 2011 - 08:53 PM

Yes, please do.

If ComboFix gives you the same problem, delete it, download a fresh copy, rename it to iexplore and give it a .com extension (try a .com extension with TDSSKiller too, giving it a random name).



#7 solarfog


Posted 14 June 2011 - 01:31 PM

Ran ComboFix, got a blue screen error followed by a quick restart. Then I tried running it again as soon as Windows was back up and it started to scan, but when I came back after walking away for maybe 20 minutes the computer had restarted again. Was going to try a rename as well as using the Defogger program, but just realized I was supposed to stop if I ran into any problems.

Renamed TDSSKiller to iexplore.exe, then iexplore.com, and nothing happened. iexplore.exe prompted the 'application failed to initialize properly (0xc0000005)' application error dialogue box.

#8 CatByte

Malware Response Team

Posted 14 June 2011 - 06:07 PM

OK

Yes, please download a fresh copy of ComboFix and rename it to combo.com. Now boot into Safe Mode and run it; make certain all other programs are closed.

To Enter Safe Mode
  • Go to Start > Shut off your Computer > Restart
  • As the computer starts to boot up, tap the F8 key repeatedly; this will bring up a menu.
  • Use the Up and Down arrow keys to scroll up to Safe Mode
  • Then press the Enter key on your keyboard
  • Go into your usual account



#9 solarfog


Posted 17 June 2011 - 03:06 PM

Sorry for the long time to respond, but I've been distracted by family stuff. Got combo.com to run, but I need to run Safe Mode with Networking when I get home from work (this post is just to let you know I'm still working on it and hopefully won't cause this thread to be cancelled). Part of the delay has also been due to disk checks, I believe they are called, after I didn't press F8 enough and caused the mouse and keyboard not to respond, which forced me to unplug the power to shut down on numerous occasions.

Edited by solarfog, 17 June 2011 - 11:01 PM.


#10 CatByte

Malware Response Team

Posted 17 June 2011 - 05:12 PM

OK, thanks for letting me know.

Yes, try and run it in Safe Mode with Networking.



#11 solarfog


Posted 17 June 2011 - 11:35 PM

Just did ComboFix. Here's the log:

ComboFix 11-06-15.04 - Freeter Otaku 06/17/2011 23:06:15.1.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.363 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\combo.com
AV: VirusScan Enterprise + AntiSpyware Enterprise *Disabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\PriceGong
c:\documents and settings\Administrator\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\dnomishan\System
c:\documents and settings\dnomishan\System\win_qs8.jqx
c:\program files\INSTALL.LOG
c:\windows\Downloaded Program Files\RdXIe.dll
.
----- BITS: Possible infected sites -----
.
hxxp://ITMANAGE47:80
hxxp://itmanage1
Infected copy of c:\windows\system32\imm32.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\imm32.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-05-18 to 2011-06-18 )))))))))))))))))))))))))))))))
.
.
2011-06-17 15:45 . 2011-06-17 15:51 -------- d-----w- C:\combo
2011-05-31 18:54 . 2011-06-04 19:34 -------- d-----w- c:\program files\GMATPrep
2011-05-29 23:59 . 2011-05-30 00:00 -------- d-----w- C:\LemmingballZ
2011-05-25 23:50 . 2011-05-25 23:50 -------- d-----w- c:\program files\Bonjour
2011-05-22 04:00 . 2011-05-22 04:00 -------- d-----w- c:\program files\ESET
2011-05-20 04:12 . 2011-05-20 04:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-05-20 04:11 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-20 04:11 . 2011-05-20 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-20 04:11 . 2011-06-02 22:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]
"NGClient"="c:\program files\Symantec\Ghost\ngctw32.exe" [2001-12-01 651119]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2008-04-14 1695232]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Microsoft Outlook.lnk - c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe [2002-11-26 114688]
.
c:\documents and settings\House PhD\Start Menu\Programs\Startup\
Microsoft Outlook.lnk - c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe [2002-11-26 114688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-776561741-261903793-839522115-1858\Scripts\Logon\0\0]
"Script"=allusers.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-776561741-261903793-839522115-1858\Scripts\Logon\1\0]
"Script"=faculty.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-776561741-261903793-839522115-25756\Scripts\Logon\0\0]
"Script"=student.cmd
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^dnomishan^Start Menu^Programs^Startup^Microsoft Outlook.lnk]
path=c:\documents and settings\dnomishan\Start Menu\Programs\Startup\Microsoft Outlook.lnk
backup=c:\windows\pss\Microsoft Outlook.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 20:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 09:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-03-01 07:27 151597 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\THQ\\Hot Wheels Stunt Track Challenge\\hwstc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\dnomishan\\Application Data\\mjusbsp\\magicJack.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Administrator\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R2 ActionAgent;ActionAgent;c:\program files\Dell\OpenManage\Client\ActionAgent.exe [12/6/2002 11:30 AM 118784]
R2 DLT;DLT;c:\program files\Dell\OpenManage\Client\DLT.exe [12/6/2002 11:30 AM 131072]
R2 NGClient;Symantec Ghost Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [12/1/2001 12:01 PM 651119]
R3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [3/17/2011 8:50 AM 816672]
S0 GhPostConfig;GhostPostConfig - Boot Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [11/30/2001 11:59 AM 323132]
S2 GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [11/30/2001 11:59 AM 323132]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/20/2011 12:11 AM 39984]
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;c:\oracle\ora81\bin\ONRSD.EXE [10/19/2000 12:55 PM 411244]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bleepingcomputer.com/forums/index.php?app=core&module=search&do=user_activity&mid=687471
uInternet Connection Wizard,ShellNext = hxxp://peregrine.fsc.edu/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
TCP: DhcpNameServer = 207.217.126.81 207.217.77.82
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/plugins/activex/YoYo.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-POINTER - point32.exe
MSConfigStartUp-Tray Temperature - c:\progra~1\AWS\WEATHE~1\Install\MiniBug.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-17 23:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\.*Z%%/*]
@="+/_auto_file"
.
[HKEY_LOCAL_MACHINE\software\Classes\Z%%/*_*a*u*t*o*_*f*i*l*e*\shell]
@="Open"
.
[HKEY_LOCAL_MACHINE\software\Classes\Z%%/*_*a*u*t*o*_*f*i*l*e*\shell\New]
@="&New"
.
[HKEY_LOCAL_MACHINE\software\Classes\Z%%/*_*a*u*t*o*_*f*i*l*e*\shell\New\command]
@="\"c:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE\" /n /f /dde"
"command"=multi:"C84DVn-}f(YR]eAR6.jiWORDFiles>L&rfUmW.cG.e%fI4G}jd /n /f /dde\00\00"
.
[HKEY_LOCAL_MACHINE\software\Classes\Z%%/*_*a*u*t*o*_*f*i*l*e*\shell\New\ddeexec]
@="[REM _DDE_Direct][FileNew(\"%1\")]"
.
[HKEY_LOCAL_MACHINE\software\Classes\Z%%/*_*a*u*t*o*_*f*i*l*e*\shell\New\ddeexec\Application]
@="WinWord"
.
[HKEY_LOCAL_MACHINE\software\Classes\Z%%/*_*a*u*t*o*_*f*i*l*e*\shell\New\ddeexec\Topic]
@="System"
.
[HKEY_LOCAL_MACHINE\software\Classes\Z%%/*_*a*u*t*o*_*f*i*l*e*\shell\Open]
@="&Open"
.
[HKEY_LOCAL_MACHINE\software\Classes\Z%%/*_*a*u*t*o*_*f*i*l*e*\shell\Open\command]
@="\"c:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE\" /n /dde"
"command"=multi:"C84DVn-}f(YR]eAR6.jiWORDFiles>L&rfUmW.cG.e%fI4G}jd /n /dde\00\00"
.
[HKEY_LOCAL_MACHINE\software\Classes\Z%%/*_*a*u*t*o*_*f*i*l*e*\shell\Open\ddeexec]
@="[REM _DDE_Direct][FileOpen(\"%1\")]"
.
[HKEY_LOCAL_MACHINE\software\Classes\Z%%/*_*a*u*t*o*_*f*i*l*e*\shell\Open\ddeexec\Application]
@="WinWord"
.
[HKEY_LOCAL_MACHINE\software\Classes\Z%%/*_*a*u*t*o*_*f*i*l*e*\shell\Open\ddeexec\Topic]
@="System"
.
[HKEY_LOCAL_MACHINE\software\Classes\Z%%/*_*a*u*t*o*_*f*i*l*e*\shell\Print]
@="&Print"
.
[HKEY_LOCAL_MACHINE\software\Classes\Z%%/*_*a*u*t*o*_*f*i*l*e*\shell\Print\command]
@="\"c:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE\" /x /n /dde"
"command"=multi:"C84DVn-}f(YR]eAR6.jiWORDFiles>L&rfUmW.cG.e%fI4G}jd /x /n /dde\00\00"
.
[HKEY_LOCAL_MACHINE\software\Classes\Z%%/*_*a*u*t*o*_*f*i*l*e*\shell\Print\ddeexec]
@="[REM _DDE_Minimize][FileOpen(\"%1\")][t=IsDocumentDirty()][FilePrint 0][SetDocumentDirty t][DocClose]"
.
[HKEY_LOCAL_MACHINE\software\Classes\Z%%/*_*a*u*t*o*_*f*i*l*e*\shell\Print\ddeexec\Application]
@="WinWord"
.
[HKEY_LOCAL_MACHINE\software\Classes\Z%%/*_*a*u*t*o*_*f*i*l*e*\shell\Print\ddeexec\ifexec]
@="[FileOpen(\"%1\")][FilePrint 0][FileExit 2]"
.
[HKEY_LOCAL_MACHINE\software\Classes\Z%%/*_*a*u*t*o*_*f*i*l*e*\shell\Print\ddeexec\Topic]
@="System"
.
[HKEY_LOCAL_MACHINE\software\Classes\Z%%/*_*a*u*t*o*_*f*i*l*e*\shell\Printto\command]
@="\"c:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE\" /n /dde"
"command"=multi:"C84DVn-}f(YR]eAR6.jiWORDFiles>L&rfUmW.cG.e%fI4G}jd /n /dde\00\00"
.
[HKEY_LOCAL_MACHINE\software\Classes\Z%%/*_*a*u*t*o*_*f*i*l*e*\shell\Printto\ddeexec]
@="[REM _DDE_Minimize][FileOpen(\"%1\")][FilePrintSetup \"%2 on p\",.DoNotSetAsSysDefault=1][FilePrint 0][DocClose 2][FilePrintSetup \"\"]"
.
[HKEY_LOCAL_MACHINE\software\Classes\Z%%/*_*a*u*t*o*_*f*i*l*e*\shell\Printto\ddeexec\Application]
@="WinWord"
.
[HKEY_LOCAL_MACHINE\software\Classes\Z%%/*_*a*u*t*o*_*f*i*l*e*\shell\Printto\ddeexec\ifexec]
@="[FileOpen(\"%1\")][FilePrintSetup \"%2 on p\",.DoNotSetAsSysDefault=1][FilePrint 0][FileExit 2]"
.
[HKEY_LOCAL_MACHINE\software\Classes\Z%%/*_*a*u*t*o*_*f*i*l*e*\shell\Printto\ddeexec\Topic]
@="System"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(704)
c:\program files\Symantec\Ghost\ginastub.dll
.
- - - - - - - > 'explorer.exe'(3652)
c:\windows\system32\IEFRAME.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\dmi\WIN32\bin\DellDmi.exe
c:\program files\Dell\OpenManage\Client\EventAgt.exe
c:\program files\Dell\OpenManage\Client\Iap.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\dmi\win32\bin\Win32sl.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Microsoft Hardware\Mouse\point32.exe
.
**************************************************************************
.
Completion time: 2011-06-17 23:40:32 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-18 03:40
.
Pre-Run: 12,689,514,496 bytes free
Post-Run: 12,370,538,496 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
.
- - End Of File - - 47BFF9AD456F3C93BA5FCD7871D47512

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:08 AM

Posted 18 June 2011 - 08:29 AM

Please give TDSSKiller another try

rename it to a random name with a .com extension and try running it in safe mode (show hidden extensions first)

To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY repeatedly,
  • this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • go into your usual account

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 solarfog

solarfog
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:04:08 AM

Posted 20 June 2011 - 08:20 AM

Downloaded, extracted and renamed to kasptool.com then restarted in Safe Mode but still will not start. Not sure how many programs can be open during Safe Mode but there were about 10.

Edited by solarfog, 20 June 2011 - 08:44 AM.


#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:08 AM

Posted 20 June 2011 - 05:45 PM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    *volsnap*
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 solarfog

solarfog
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:04:08 AM

Posted 21 June 2011 - 06:16 AM

SystemLook log:

SystemLook 04.09.10 by jpshortstuff
Log created at 06:38 on 21/06/2011 by Freeter Otaku
Administrator - Elevation successful

========== filefind ==========

Searching for "*volsnap*"
C:\WINDOWS\$NtServicePackUninstall$\volsnap.sys -----c- 52352 bytes [21:02 16/03/2011] [03:00 04/08/2004] EE4660083DEBA849FF6C485D944B379B
C:\WINDOWS\inf\volsnap.inf --a---- 1095 bytes [12:00 29/08/2002] [12:00 29/08/2002] 1C43F4D998567C9D2463E18669F33A3C
C:\WINDOWS\inf\volsnap.PNF --a---- 4964 bytes [14:22 26/11/2002] [14:22 26/11/2002] ED6E68E8A1358647D9567A7495B20003
C:\WINDOWS\ServicePackFiles\i386\volsnap.sys ------- 52352 bytes [10:19 30/05/2005] [04:11 14/04/2008] 4C8FCB5CC53AAB716D810740FE59D025
C:\WINDOWS\system32\drivers\volsnap.sys --a---- 52352 bytes [12:00 29/08/2002] [04:11 14/04/2008] 4C8FCB5CC53AAB716D810740FE59D025

-= EOF =-
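The point of the :filefind run above is to see whether the driver the system actually loads (the copy under system32\drivers) still matches the pristine Service Pack copy kept in ServicePackFiles\i386, since a system driver patched in place keeps its name, size and often its timestamps while its hash changes. As an added example, not part of the thread and not SystemLook's own code, here is a small Python parser for that log format that groups every copy of a file by name and makes exactly that comparison. The sample input is the five result lines from the log above; the second, tampered sample is constructed for illustration (its hash is a placeholder, not a real value).

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# The five result lines from the SystemLook log posted above (raw string, so the
# Windows backslashes are kept as-is).
SAMPLE_LOG = r"""
SystemLook 04.09.10 by jpshortstuff
========== filefind ==========

Searching for "*volsnap*"
C:\WINDOWS\$NtServicePackUninstall$\volsnap.sys -----c- 52352 bytes [21:02 16/03/2011] [03:00 04/08/2004] EE4660083DEBA849FF6C485D944B379B
C:\WINDOWS\inf\volsnap.inf --a---- 1095 bytes [12:00 29/08/2002] [12:00 29/08/2002] 1C43F4D998567C9D2463E18669F33A3C
C:\WINDOWS\inf\volsnap.PNF --a---- 4964 bytes [14:22 26/11/2002] [14:22 26/11/2002] ED6E68E8A1358647D9567A7495B20003
C:\WINDOWS\ServicePackFiles\i386\volsnap.sys ------- 52352 bytes [10:19 30/05/2005] [04:11 14/04/2008] 4C8FCB5CC53AAB716D810740FE59D025
C:\WINDOWS\system32\drivers\volsnap.sys --a---- 52352 bytes [12:00 29/08/2002] [04:11 14/04/2008] 4C8FCB5CC53AAB716D810740FE59D025

-= EOF =-
"""

# Constructed variant (not from the thread): the live driver keeps its size and
# modification time but carries a placeholder hash that differs from the Service
# Pack copy, the pattern an in-place patched driver leaves in this log.
TAMPERED_LOG = SAMPLE_LOG.replace(
    r"drivers\volsnap.sys --a---- 52352 bytes [12:00 29/08/2002] [04:11 14/04/2008] 4C8FCB5CC53AAB716D810740FE59D025",
    r"drivers\volsnap.sys --a---- 52352 bytes [12:00 29/08/2002] [04:11 14/04/2008] 00000000000000000000000000000000",
    1,
)

# One :filefind result line:  <path> <attrs> <size> bytes [<created>] [<modified>] <MD5>
# Paths may contain spaces, so the path group is non-greedy and the rest is anchored.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class FileRecord:
    path: str
    attrs: str
    size: int
    created: str
    modified: str
    md5: str

    @property
    def name(self) -> str:
        # File name without directory, case-folded so volsnap.PNF and volsnap.pnf group together
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_filefind(log: str) -> List[FileRecord]:
    """Parse every result line; headers, blank lines and the EOF marker are skipped."""
    records: List[FileRecord] = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(FileRecord(
                path=m["path"], attrs=m["attrs"], size=int(m["size"]),
                created=m["created"], modified=m["modified"], md5=m["md5"].upper()))
    return records


def hash_groups(records: List[FileRecord]) -> Dict[str, Set[str]]:
    """Map each file name to the set of distinct MD5 values seen across all copies."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        groups[r.name].add(r.md5)
    return dict(groups)


def _find(records: List[FileRecord], name: str, dir_fragment: str) -> Optional[FileRecord]:
    return next((r for r in records if r.name == name and dir_fragment in r.path.lower()), None)


def check_live_against_reference(records: List[FileRecord], name: str) -> dict:
    """Compare the copy Windows loads (system32\\drivers) with the pristine Service
    Pack copy (ServicePackFiles\\i386). $NtServicePackUninstall$ holds the pre-SP
    version and is expected to differ, so it is deliberately not used as reference."""
    live = _find(records, name, "\\system32\\drivers\\")
    ref = _find(records, name, "\\servicepackfiles\\i386\\")
    if live is None or ref is None:
        return {"status": "incomplete", "live": live, "reference": ref}
    status = "match" if live.md5 == ref.md5 else "MISMATCH"
    return {"status": status, "live": live, "reference": ref,
            "same_size": live.size == ref.size,
            "same_mtime": live.modified == ref.modified}


if __name__ == "__main__":
    for label, log in (("posted log", SAMPLE_LOG), ("constructed tampered log", TAMPERED_LOG)):
        recs = parse_filefind(log)
        res = check_live_against_reference(recs, "volsnap.sys")
        print(f"{label}: volsnap.sys live vs Service Pack copy -> {res['status']}")
```

A hash match here says only that the copy SystemLook could read equals the Service Pack copy; a rootkit that filters file reads can present a clean image of a file it has patched, which is why the helper in this thread pairs such checks with ComboFix's catchme rootkit scan rather than relying on hashes alone.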



