Uncertain of virus infection. volsnap.sys shows infected (combofix) but doesn't seem to exist on my computer.



#1 culther0

Posted 16 August 2011 - 09:34 PM

Howdy.

My machine in a nutshell is a Core 2 Duo XP Service Pack 3 with Automatic Updates Enabled.

I was browsing the internet a day or so ago (Using Chrome) when I typed in "wikipedia.com". I managed to get a popup that said "Congratulations wikipedia.com user!"

Anyway, being no stranger to viral infections, I immediately ran MBAM (I have purchased a full copy), then, as MBAM showed no notable infections, ran combofix (Yes, I read the disclaimer, and I realize this might make things more difficult for you - I apologize). Combofix runs and immediately gives me this:

c:\windows\system32\Drivers\Volsnap.sys . . . is infected!! Combofix went through and, forgive me, but I believe it cleaned one piece of malware on my machine (I can't be certain, as unfortunately I ran combofix a second time).

The log is included below. However, I have had no other symptoms, except for the nagging feeling that "Hey, maybe the computer is running slightly slower than before". Other than that I have had 0 browser redirects or errors.

The other peculiar thing I noticed was that volsnap.sys does not exist where combofix says it does. I booted into the Windows Recovery Console to triple check that the file wasn't there. I ran Kaspersky's TDSSKiller application (after some googling, realizing what a volsnap.sys infection was) and got a "clean bill of health" (included below).

Could combofix be giving me a false positive here? I downloaded a trial version of Kaspersky, and burned through the bleeping forums installing at least 2-3 other recommended virus removal / scanning tools, and none of them came back with any indication that volsnap.sys was infected, only combofix.

Any insight to the problem would be appreciated.


2011/08/16 20:46:07.0542 3808	TDSS rootkit removing tool 2.5.15.0 Aug 11 2011 16:32:13
2011/08/16 20:46:08.0089 3808	================================================================================
2011/08/16 20:46:08.0089 3808	SystemInfo:
2011/08/16 20:46:08.0089 3808	
2011/08/16 20:46:08.0089 3808	OS Version: 5.1.2600 ServicePack: 3.0
2011/08/16 20:46:08.0089 3808	Product type: Workstation
2011/08/16 20:46:08.0089 3808	ComputerName: ZACK
2011/08/16 20:46:08.0089 3808	UserName: The Core
2011/08/16 20:46:08.0089 3808	Windows directory: C:\WINDOWS
2011/08/16 20:46:08.0089 3808	System windows directory: C:\WINDOWS
2011/08/16 20:46:08.0089 3808	Processor architecture: Intel x86
2011/08/16 20:46:08.0089 3808	Number of processors: 2
2011/08/16 20:46:08.0089 3808	Page size: 0x1000
2011/08/16 20:46:08.0089 3808	Boot type: Normal boot
2011/08/16 20:46:08.0089 3808	================================================================================
2011/08/16 20:46:09.0011 3808	Initialize success
2011/08/16 20:46:17.0964 1728	================================================================================
2011/08/16 20:46:17.0964 1728	Scan started
2011/08/16 20:46:17.0964 1728	Mode: Manual; 
2011/08/16 20:46:17.0964 1728	================================================================================
2011/08/16 20:49:59.0785 1728	================================================================================
2011/08/16 20:49:59.0785 1728	Scan finished
2011/08/16 20:49:59.0785 1728	================================================================================
2011/08/16 20:49:59.0801 3864	Detected object count: 0
2011/08/16 20:49:59.0801 3864	Actual detected object count: 0
2011/08/16 20:50:09.0192 1748	Deinitialize success



ComboFix 11-08-16.05 - The Core 08/16/2011  20:24:15.8.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3326.2694 [GMT -5:00]
Running from: c:\documents and settings\The Core\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\Drivers\Volsnap.sys . . . is infected!!
.
.
(((((((((((((((((((((((((   Files Created from 2011-07-17 to 2011-08-17  )))))))))))))))))))))))))))))))
.
.
2011-08-17 01:25 . 2011-08-17 01:26	--------	d-----w-	C:\I386
2011-08-15 02:33 . 2010-10-06 01:27	150200	----a-w-	c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru_bak\components\kavlinkfilter.dll
2011-08-15 02:00 . 2011-08-15 02:00	--------	d-----w-	c:\program files\ESET
2011-08-14 04:00 . 2011-08-14 05:05	--------	d-----w-	c:\documents and settings\Administrator
2011-08-14 01:07 . 2011-08-14 01:07	--------	d-----w-	c:\windows\system32\xircom
2011-08-14 01:07 . 2011-08-14 01:07	--------	d-----w-	c:\windows\system32\wbem\snmp
2011-08-14 01:07 . 2011-08-14 01:07	--------	d-----w-	c:\windows\srchasst
2011-08-14 01:07 . 2011-08-14 01:07	--------	d-----w-	c:\program files\microsoft frontpage
2011-08-11 05:07 . 2011-08-11 05:07	--------	d-----w-	c:\program files\Spotify
2011-08-09 23:29 . 2011-06-24 14:10	139656	------w-	c:\windows\system32\dllcache\rdpwd.sys
2011-08-09 23:28 . 2011-07-08 14:02	10496	------w-	c:\windows\system32\dllcache\ndistapi.sys
2011-08-07 19:41 . 2008-03-21 18:57	14640	------w-	c:\windows\system32\spmsgXP_2k3.dll
2011-08-07 19:40 . 2011-07-19 16:28	13312	----a-w-	c:\windows\system32\drivers\pneteth.sys
2011-08-07 19:40 . 2009-11-08 07:41	581192	----a-w-	c:\windows\system32\WinUSBCoInstaller.dll
2011-08-07 19:40 . 2009-11-08 07:41	1112288	----a-w-	c:\windows\system32\WdfCoInstaller01007.dll
2011-08-07 19:40 . 2011-08-07 19:40	--------	d-----w-	c:\program files\PdaNet for Android
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-15 13:29 . 2008-04-13 22:47	456320	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2008-04-13 22:27	10496	----a-w-	c:\windows\system32\drivers\ndistapi.sys
2011-07-07 00:52 . 2011-06-29 04:23	41272	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 00:52 . 2011-06-29 04:23	22712	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-06-26 21:36 . 2011-06-26 21:36	73728	----a-w-	c:\windows\system32\javacpl.cpl
2011-06-26 21:36 . 2010-06-15 08:36	472808	----a-w-	c:\windows\system32\deployJava1.dll
2011-06-24 14:10 . 2010-06-06 04:52	139656	----a-w-	c:\windows\system32\drivers\rdpwd.sys
2011-06-23 22:18 . 2011-06-08 04:09	404640	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-23 18:36 . 2008-04-14 03:42	1469440	------w-	c:\windows\system32\inetcpl.cpl
2011-06-23 18:36 . 2008-04-14 03:42	916480	----a-w-	c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2008-04-14 03:41	43520	----a-w-	c:\windows\system32\licmgr10.dll
2011-06-23 12:05 . 2008-04-13 22:07	385024	----a-w-	c:\windows\system32\html.iec
2011-06-20 17:44 . 2008-04-14 03:42	293376	----a-w-	c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2008-04-13 23:00	1858944	----a-w-	c:\windows\system32\win32k.sys
2011-06-29 03:47 . 2011-03-23 20:17	142296	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((   SnapShot@2011-08-14_01.03.08   )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-16 02:12 . 2011-08-16 02:12	16384              c:\windows\temp\Perflib_Perfdata_20c.dat
+ 2010-06-06 06:27 . 2011-07-30 15:05	52390856              c:\windows\system32\MRT.exe
- 2010-06-06 06:27 . 2011-08-10 23:28	52390856              c:\windows\system32\MRT.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2011-03-31 399736]
"F.lux"="c:\documents and settings\The Core\Local Settings\Apps\F.lux\flux.exe" [2009-08-29 966656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2009-05-01 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"RTHDCPL"="RTHDCPL.EXE" [2010-05-01 19523616]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-06-05 843776]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-08 128512]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\r.u.s.e. free week end\\Ruse.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\srcds.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\BFBC2Game.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\Documents and Settings\\The Core\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\swarm.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\portal 2\\portal2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
.
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [12/20/2010 10:40 PM 29416]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 12:07 PM 35088]
R2 TabletServiceWacom;TabletServiceWacom;c:\program files\Tablet\Wacom\Wacom_Tablet.exe [11/12/2010 11:56 PM 4767600]
R3 pneteth;PdaNet Broadband;c:\windows\system32\drivers\pneteth.sys [8/7/2011 2:40 PM 13312]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [6/6/2010 3:28 AM 1691480]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/28/2011 11:23 PM 41272]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [11/12/2010 11:56 PM 16240]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
2011-08-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-2000478354-1801674531-1001Core.job
- c:\documents and settings\The Core\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-06 07:47]
.
2011-08-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-2000478354-1801674531-1001UA.job
- c:\documents and settings\The Core\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-06 07:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15153&l=dis
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
TCP: Interfaces\{4E66D38B-00EE-4990-8B34-60B0AB13F912}: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{B334A89E-83CA-4F6E-B43E-473AAA1B60EA}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\documents and settings\The Core\Application Data\Mozilla\Firefox\Profiles\67ca6hpw.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-16 20:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(248)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\program files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Microsoft Silverlight\xapauthenticodesip.dll
.
Completion time: 2011-08-16  20:34:21
ComboFix-quarantined-files.txt  2011-08-17 01:34
ComboFix2.txt  2011-08-16 02:35
ComboFix3.txt  2011-08-16 02:30
ComboFix4.txt  2011-08-15 01:47
ComboFix5.txt  2011-08-17 01:23
.
Pre-Run: 109,150,720,000 bytes free
Post-Run: 108,928,032,768 bytes free
.
- - End Of File - - DCEB8A5C9FE404166E88F366DDA2FE82

Edited by boopme, 16 August 2011 - 10:01 PM.
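An added triage example, not part of this thread and not ComboFix's own code: a small Python parser for a ComboFix log tail like the one posted above. It pulls out the per-interface NameServer entries and the DLLs ComboFix lists under explorer.exe, then flags resolvers outside an assumed allowlist and DLLs loading from outside the Windows and Program Files trees, which are the two things an analyst reading this part of the log looks at first. The allowlist, the trusted-path prefixes, the 203.0.113.5 resolver on the second interface and the Temp-directory DLL are constructed for illustration; the other sample lines are copied from the log above.

```python
import ipaddress
import re

# Assumptions for illustration (not from the thread): the two public resolvers
# the posted log shows are expected, as is anything in RFC 1918 space (a home
# router handing out its own address); anything else gets flagged for a look.
ALLOWED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed trusted load locations for DLLs ComboFix lists under explorer.exe.
TRUSTED_DLL_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

NAMESERVER_RE = re.compile(r"^TCP: Interfaces\\(\{[0-9A-Fa-f-]+\}): NameServer = (.*)$")
PROCESS_RE = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)\s*$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
DLL_SECTION_MARK = "DLLs Loaded Under Running Processes"

# Constructed sample. Most lines are copied from the log above; the second
# interface's 203.0.113.5 resolver and the Temp-directory DLL are made up so
# that the checks have something to find.
SAMPLE_LOG = r"""
TCP: Interfaces\{4E66D38B-00EE-4990-8B34-60B0AB13F912}: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{B334A89E-83CA-4F6E-B43E-473AAA1B60EA}: NameServer = 8.8.8.8,203.0.113.5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(248)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\documents and settings\The Core\Local Settings\Temp\constructed_sample.dll
.
Completion time: 2011-08-16  20:34:21
"""


def parse_combofix_tail(text):
    """Return {'resolvers': {guid: [ip, ...]}, 'dlls': {(process, pid): [path, ...]}}."""
    resolvers = {}
    dlls = {}
    in_dll_section = False
    current_proc = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == ".":          # ComboFix writes "." where a blank line would be
            continue
        m = NAMESERVER_RE.match(line)
        if m:
            guid, servers = m.groups()
            resolvers[guid] = [s.strip() for s in servers.split(",") if s.strip()]
            continue
        if DLL_SECTION_MARK in line:
            in_dll_section = True
            continue
        if line.startswith("Completion time:"):
            in_dll_section = False
            continue
        if not in_dll_section:
            continue
        m = PROCESS_RE.match(line)
        if m:                    # "- - - > 'explorer.exe'(248)" opens a process block
            current_proc = (m.group(1), int(m.group(2)))
            dlls.setdefault(current_proc, [])
            continue
        if current_proc is not None and DRIVE_PATH_RE.match(line):
            dlls[current_proc].append(line)
    return {"resolvers": resolvers, "dlls": dlls}


def unexpected_resolvers(parsed):
    """Resolvers that are neither allowlisted nor RFC 1918, or not IPs at all."""
    findings = []
    for guid, servers in parsed["resolvers"].items():
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                findings.append((guid, s, "not an IP address"))
                continue
            if s in ALLOWED_RESOLVERS or any(ip in net for net in RFC1918):
                continue
            findings.append((guid, s, "resolver outside allowlist"))
    return findings


def unexpected_dlls(parsed):
    """DLLs loaded from outside the assumed trusted directory trees."""
    findings = []
    for (proc, pid), paths in parsed["dlls"].items():
        for p in paths:
            if not p.lower().startswith(TRUSTED_DLL_PREFIXES):
                findings.append((proc, pid, p))
    return findings


def triage(text):
    parsed = parse_combofix_tail(text)
    return {"resolvers": unexpected_resolvers(parsed), "dlls": unexpected_dlls(parsed)}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```

A hit in either list is a lead, not a verdict: a vendor DLL in a user-profile directory or a corporate resolver outside the allowlist is normal on some machines, so the point is to shorten the list an analyst has to read by hand, not to replace the DDS and GMER logs the helpers ask for.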


#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,604 posts

Posted 21 August 2011 - 09:35 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/414745 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,604 posts

Posted 26 August 2011 - 09:40 PM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!