
hidden device manager items


This topic is locked. 21 replies to this topic.

#1 AstroIROC

  • Members
  • 136 posts
  • Gender:Male
  • Location:Martinsburg, WV

Posted 11 September 2011 - 10:00 PM

This is a friend's HP laptop running XP. After using SUPERAntiSpyware and removing some infection, the laptop quit getting the internet. That's when she brought it to me. I discovered right away the missing devices in the Device Manager as I was trying to repair the apparently disabled Ethernet card. BTW the wireless quit working also. I've run SAS several times and then began posting here, following the direction of CryptoDan. After running different things and posting the results I have been referred here. Below you will find the asked-for list/logs. Thanks, Astro

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Amy Lescalleet at 19:32:52 on 2011-09-09
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.250 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1313549320\ee\AOLSoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AzureBay\AzureBay Screen Saver\WPChanger.exe
C:\Program Files\iPod\bin\iPodService.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJman000&fl=0&ptb=WvFQSNRBjHN8Hgu0Qf38BQ&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=sb&searchfor={searchTerms}
uInternet Settings,ProxyServer = 10.28.98.5:80
uInternet Settings,ProxyOverride = <local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {549B5CA7-4A86-11D7-A4DF-000874180BB3} - No File
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
{555d4d79-4bd2-4094-a395-cfc534424a05}
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [HostManager] c:\program files\common files\aol\1313549320\ee\AOLSoftware.exe
mRun: [AutoTBar] c:\program files\hp\digital imaging\bin\AUTOTBAR.EXE
StartupFolder: c:\documents and settings\amy lescalleet\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wallpa~1.lnk - c:\program files\azurebay\azurebay screen saver\WPChanger.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJman000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/PopularScreenSaversInitialSetup1.0.1.1.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\firebird\firebird_1_5\bin\fbguard.exe -s --> c:\program files\firebird\firebird_1_5\bin\fbguard.exe -s [?]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\firebird\firebird_1_5\bin\fbserver.exe -s --> c:\program files\firebird\firebird_1_5\bin\fbserver.exe -s [?]
S2 mrtRate;mrtRate; [x]
.
=============== Created Last 30 ================
.
2011-08-22 13:28:14 -------- d-----w- c:\windows\SxsCaPendDel
2011-08-17 21:45:10 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2011-08-17 21:45:09 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2011-08-17 21:43:16 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2011-08-17 21:43:07 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2011-08-17 21:41:51 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-17 21:41:48 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-08-17 21:34:44 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-17 21:34:34 45568 ------w- c:\windows\system32\dllcache\wab.exe
2011-08-17 02:49:14 -------- d-----w- c:\documents and settings\amy lescalleet\local settings\application data\AOL
2011-08-17 02:07:11 -------- d-----w- c:\documents and settings\amy lescalleet\application data\SUPERAntiSpyware.com
2011-08-17 02:06:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-17 02:06:12 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-08-17 01:36:48 7680 ------w- c:\windows\system32\dllcache\iecompat.dll
2011-08-16 21:45:46 -------- d-----w- c:\windows\system32\scripting
2011-08-16 21:45:40 -------- d-----w- c:\windows\l2schemas
2011-08-16 21:45:37 -------- d-----w- c:\windows\system32\en
2011-08-16 21:37:25 -------- d-----w- c:\windows\network diagnostic
2011-08-16 20:31:08 -------- d-----w- c:\documents and settings\amy lescalleet\application data\RegistryKeys
2011-08-11 11:20:35 -------- d-----w- c:\documents and settings\amy lescalleet\application data\HpUpdate
.
==================== Find3M ====================
.
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2003-03-31 02:00:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:12:01 57344 --sha-w- c:\windows\system32\msvcirt.dll
.
============= FINISH: 19:34:10.67 ===============

Oops, forgot to add the link to the old topic. Thanks

http://www.bleepingcomputer.com/forums/topic415820.html

Merged posts. ~ OB

Edited by Orange Blossom, 13 September 2011 - 12:23 AM.

I am hungry for knowledge
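Reading a DDS "Pseudo HJT Report" like the one above by hand comes down to a few recurring questions: is a proxy configured in Internet Settings, do BHO/toolbar/explorer-bar CLSIDs still point at a file, do DPF (ActiveX download) entries pull from hosts other than the expected vendors, and are there empty Run values left behind by a removal. The script below is an added example, not part of the original post and not DDS code; it applies those checks to a handful of lines copied from the log above (the proxy line, the orphaned BHO and TB entries, the empty mRun, the imgfarm and macromedia DPF cabs). The allow-list of DPF hosts, the severities and the flagging rules are my assumptions, not anything the log states.

```python
import re
from dataclasses import dataclass

# Lines copied from the DDS "Pseudo HJT Report" above (constructed sample input
# for this example; the defanged hxxp scheme is kept exactly as DDS prints it).
SAMPLE_REPORT = """\
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJman000
uInternet Settings,ProxyServer = 10.28.98.5:80
uInternet Settings,ProxyOverride = <local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\adobe\\acrobat 7.0\\activex\\AcroIEHelper.dll
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
mRun: [<NO NAME>]
mRun: [iTunesHelper] "c:\\program files\\itunes\\iTunesHelper.exe"
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/PopularScreenSaversInitialSetup1.0.1.1.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Assumption: ActiveX cabs from these hosts are expected on a consumer XP box.
TRUSTED_DPF_HOSTS = {"download.microsoft.com", "download.macromedia.com"}


@dataclass
class Finding:
    severity: str   # "high" or "info" (assumed scale for this example)
    category: str
    line: str


def host_of(url):
    """Return the lower-cased host of an http:// or defanged hxxp:// URL."""
    m = re.match(r"h(?:xx|tt)ps?://([^/]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def triage(report):
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        # 1. A fixed proxy on a laptop that "can't get online" is the first thing to check.
        if re.match(r"[um]Internet Settings,ProxyServer\s*=", line):
            findings.append(Finding("high", "proxy-configured", line))
        # 2. BHO/TB/EB CLSIDs with no backing file: leftovers of a removed add-on.
        elif re.match(r"(BHO|TB|EB):", line) and line.endswith("- No File"):
            findings.append(Finding("info", "orphaned-clsid", line))
        # 3. Empty Run value: a removed autostart whose registry value was left behind.
        elif re.match(r"[um]Run: \[<NO NAME>\]", line):
            findings.append(Finding("info", "empty-run-value", line))
        # 4. ActiveX download (DPF) from a host outside the allow-list.
        elif line.startswith("DPF:"):
            url = line.split(" - ", 1)[1] if " - " in line else ""
            if host_of(url) not in TRUSTED_DPF_HOSTS:
                findings.append(Finding("high", "dpf-untrusted-host", line))
        # 5. Search default migrated to a third-party search host.
        elif line.startswith("uSearchMigratedDefaultUrl") and "google.com" not in line:
            findings.append(Finding("info", "search-redirect", line))
    return findings


def summary(findings):
    """Count findings per category."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_REPORT)
    for f in found:
        print(f"[{f.severity}] {f.category}: {f.line}")
    print(summary(found))
```

The proxy finding is the one worth acting on first in a "no internet after cleanup" case: a hard-coded ProxyServer pointing at an address that no longer answers stops both IE and anything that uses WinINet, while the adapter itself may be fine. The orphaned CLSIDs and the empty mRun are cosmetic leftovers and are exactly what a later MBAM pass tends to clean up.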

#2 m0le ("Can U Dig It?")

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 18 September 2011 - 07:03 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 AstroIROC (Topic Starter)

Posted 19 September 2011 - 07:26 AM

Hello m0le. Thanks, I'm here and patient. Thanks again.

#4 m0le (Malware Response Team)

Posted 19 September 2011 - 04:55 PM

Let's try and unhide the items first

Please download Unhide

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.


Next run aswMBR for a rootkit check

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#5 AstroIROC (Topic Starter)

Posted 19 September 2011 - 10:29 PM

Hello m0le: I've run the Unhide utility several times in the past. Just for giggles I did it again; no help. The aswMBR log file follows. Thanks

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-09-19 23:21:27
-----------------------------
23:21:27.187 OS Version: Windows 5.1.2600 Service Pack 3
23:21:27.187 Number of processors: 1 586 0x802
23:21:27.187 ComputerName: PC320222731255 UserName:
23:21:27.796 Initialize success
23:21:50.937 AVAST engine download error: 0
23:22:03.203 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
23:22:03.218 Disk 0 Vendor: IC25N060ATMR04-0 MO3OAD5A Size: 57231MB BusType: 3
23:22:05.250 Disk 0 MBR read successfully
23:22:05.250 Disk 0 MBR scan
23:22:05.265 Disk 0 unknown MBR code
23:22:05.281 Disk 0 scanning sectors +117194175
23:22:05.328 Disk 0 scanning C:\WINDOWS\system32\drivers
23:22:15.031 Service scanning
23:22:16.390 Modules scanning
23:22:24.484 Disk 0 trace - called modules:
23:22:24.531 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
23:22:24.546 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82d641f0]
23:22:24.562 3 CLASSPNP.SYS[f8585fd7] -> nt!IofCallDriver -> \Device\00000078[0x82d1e9e8]
23:22:25.125 5 ACPI.sys[f83fc620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82d63940]
23:22:25.140 Scan finished successfully
23:23:00.000 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Amy Lescalleet\Desktop\MBR.dat"
23:23:00.015 The log file has been saved successfully to "C:\Documents and Settings\Amy Lescalleet\Desktop\aswMBR.txt"

#6 m0le (Malware Response Team)

Posted 20 September 2011 - 05:49 PM

Sounds like whatever has got a grip on your system so let's try and work out what it is.

Please run MBRCheck

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

#7 AstroIROC (Topic Starter)

Posted 20 September 2011 - 06:00 PM

I really think whatever it was has been removed, and we just need to figure out how to repair the damage. But that's just what I think, 'cause it seems to run OK, except it can't get internet.

The requested log follows.

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 132):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D1000 \WINDOWS\system32\hal.dll
0xF8A25000 \WINDOWS\system32\KDCOM.DLL
0xF8935000 \WINDOWS\system32\BOOTVID.dll
0xF83F6000 ACPI.sys
0xF8A27000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xF83E5000 pci.sys
0xF8525000 isapnp.sys
0xF8535000 ohci1394.sys
0xF8545000 \WINDOWS\System32\DRIVERS\1394BUS.SYS
0xF8939000 compbatt.sys
0xF893D000 \WINDOWS\System32\DRIVERS\BATTC.SYS
0xF8AED000 pciide.sys
0xF87A5000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xF8A29000 viaide.sys
0xF8A2B000 intelide.sys
0xF83C7000 pcmcia.sys
0xF8555000 MountMgr.sys
0xF83A8000 ftdisk.sys
0xF8941000 ACPIEC.sys
0xF8AEE000 \WINDOWS\System32\DRIVERS\OPRGHDLR.SYS
0xF87AD000 PartMgr.sys
0xF8565000 VolSnap.sys
0xF8390000 atapi.sys
0xF8575000 disk.sys
0xF8585000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xF8370000 fltmgr.sys
0xF835E000 sr.sys
0xF87B5000 PxHelp20.sys
0xF8347000 KSecDD.sys
0xF82BA000 Ntfs.sys
0xF828D000 NDIS.sys
0xF87BD000 nv_agp.sys
0xF8273000 Mup.sys
0xF8945000 tiumflt.sys
0xF8605000 \SystemRoot\System32\DRIVERS\AmdK8.sys
0xF89E1000 \SystemRoot\System32\DRIVERS\wmiacpi.sys
0xF89E5000 \SystemRoot\System32\DRIVERS\CmBatt.sys
0xF8615000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xF88CD000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF79B1000 \SystemRoot\System32\DRIVERS\Apfiltr.sys
0xF88D5000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF88DD000 \SystemRoot\System32\DRIVERS\fdc.sys
0xF799D000 \SystemRoot\System32\DRIVERS\parport.sys
0xF88E5000 \SystemRoot\System32\DRIVERS\usbohci.sys
0xF7979000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xF88ED000 \SystemRoot\System32\DRIVERS\usbehci.sys
0xF78E3000 \SystemRoot\system32\drivers\smwdm.sys
0xF78BF000 \SystemRoot\system32\drivers\portcls.sys
0xF8625000 \SystemRoot\system32\drivers\drmk.sys
0xF789C000 \SystemRoot\system32\drivers\ks.sys
0xF7884000 \SystemRoot\system32\drivers\aeaudio.sys
0xF775D000 \SystemRoot\System32\DRIVERS\AGRSM.sys
0xF88F5000 \SystemRoot\System32\Drivers\Modem.SYS
0xF8635000 \SystemRoot\System32\DRIVERS\imapi.sys
0xF89F5000 \SystemRoot\system32\drivers\pfc.sys
0xF8645000 \SystemRoot\System32\Drivers\AFS2K.SYS
0xF8655000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xF8665000 \SystemRoot\System32\DRIVERS\redbook.sys
0xF88FD000 \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
0xF8675000 \SystemRoot\System32\DRIVERS\nic1394.sys
0xF7716000 \SystemRoot\System32\DRIVERS\bcmwl5.sys
0xF8905000 \SystemRoot\system32\drivers\tiumfwl.sys
0xF75D5000 \SystemRoot\System32\DRIVERS\nv4_mini.sys
0xF75C1000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
0xF8AC9000 \SystemRoot\System32\DRIVERS\serscan.sys
0xF8C11000 \SystemRoot\System32\DRIVERS\audstub.sys
0xF75AF000 \SystemRoot\System32\DRIVERS\bridge.sys
0xF890D000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xF8685000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xF8A05000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xF7598000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xF8695000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xF86A5000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xF7587000 \SystemRoot\System32\DRIVERS\psched.sys
0xF86B5000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xF8915000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF891D000 \SystemRoot\System32\DRIVERS\raspti.sys
0xF86C5000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF8ACB000 \SystemRoot\System32\DRIVERS\swenum.sys
0xF7489000 \SystemRoot\System32\DRIVERS\update.sys
0xF8A15000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xF86D5000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF86F5000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xF8AD3000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xF8AD7000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF8B81000 \SystemRoot\System32\Drivers\Null.SYS
0xF8AD9000 \SystemRoot\System32\Drivers\Beep.SYS
0xF892D000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
0xF87DD000 \SystemRoot\System32\drivers\vga.sys
0xF8ADB000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF8ADD000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF87E5000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF87ED000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF79E0000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xF5EFE000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xF5EA5000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xF5E7D000 \SystemRoot\System32\DRIVERS\netbt.sys
0xF5E5B000 \SystemRoot\System32\drivers\afd.sys
0xF8705000 \SystemRoot\System32\DRIVERS\netbios.sys
0xF5E39000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xF87F5000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xF5E0E000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xF5D76000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xF8735000 \SystemRoot\System32\Drivers\Fips.SYS
0xF5D50000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xF8745000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xF8755000 \SystemRoot\System32\DRIVERS\arp1394.sys
0xF8ADF000 \??\C:\WINDOWS\System32\drivers\EABFiltr.sys
0xF8775000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF5D38000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF8AE7000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF89DD000 \SystemRoot\System32\drivers\Dxapi.sys
0xF880D000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF8C58000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xF169F000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xF14D2000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xF8A47000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xF8A49000 \SystemRoot\System32\Drivers\ASCTRM.SYS
0xF1362000 \SystemRoot\System32\DRIVERS\srv.sys
0xF0E25000 \SystemRoot\system32\drivers\wdmaud.sys
0xF0F8A000 \SystemRoot\system32\drivers\sysaudio.sys
0xF0B36000 \SystemRoot\System32\Drivers\HTTP.sys
0xBF352000 \SystemRoot\System32\ATMFD.DLL
0xF8A45000 \SystemRoot\System32\Drivers\hiber_WMILIB.SYS
0xF016E000 \??\C:\DOCUME~1\AMYLES~1\LOCALS~1\Temp\aswMBR.sys
0xF881D000 \SystemRoot\System32\DRIVERS\USBSTOR.SYS
0xEFF67000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 43):
0 System Idle Process
4 System
588 C:\WINDOWS\system32\smss.exe
644 csrss.exe
668 C:\WINDOWS\system32\winlogon.exe
712 C:\WINDOWS\system32\services.exe
724 C:\WINDOWS\system32\lsass.exe
872 C:\WINDOWS\system32\svchost.exe
952 svchost.exe
988 C:\WINDOWS\system32\svchost.exe
1036 svchost.exe
1092 svchost.exe
1460 C:\WINDOWS\system32\spoolsv.exe
1540 svchost.exe
1572 C:\Program Files\SUPERAntiSpyware\SASCore.exe
1584 C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
1640 C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
1668 C:\WINDOWS\system32\svchost.exe
1692 C:\WINDOWS\system32\svchost.exe
1720 C:\WINDOWS\system32\nvsvc32.exe
1760 C:\WINDOWS\system32\svchost.exe
1816 C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
1840 C:\WINDOWS\system32\svchost.exe
1916 C:\WINDOWS\wanmpsvc.exe
580 C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
616 alg.exe
1276 C:\WINDOWS\explorer.exe
1128 C:\WINDOWS\system32\wscntfy.exe
260 C:\WINDOWS\AGRSMMSG.exe
408 C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe
504 C:\Program Files\Real\RealPlayer\realplay.exe
716 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
888 C:\Program Files\iTunes\iTunesHelper.exe
896 C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
1016 C:\Program Files\HP\HP Software Update\hpwuschd2.exe
1160 C:\Program Files\Common Files\AOL\1313549320\ee\aolsoftware.exe
1260 C:\WINDOWS\system32\ctfmon.exe
1296 C:\Program Files\Messenger\msmsgs.exe
1324 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
1388 C:\Program Files\AzureBay\AzureBay Screen Saver\WPChanger.exe
2420 C:\Program Files\iPod\bin\iPodService.exe
424 C:\Documents and Settings\Amy Lescalleet\Desktop\aswMBR.exe
2372 C:\Documents and Settings\Amy Lescalleet\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x0000006e`ceba0800 (NTFS)

PhysicalDrive0 Model Number: IC25N060ATMR04-0, Rev: MO3OAD5A
PhysicalDrive1 Model Number: WD10EADS External, Rev: 1.65

Size Device Name MBR Status
--------------------------------------------
55 GB \\.\PhysicalDrive0 Windows 98 MBR code detected
SHA1: 48F01D7E76A0F3C038D08611E3FDC0EE4EF9FD3E
931 GB \\.\PhysicalDrive1 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
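aswMBR saved the raw first sector to MBR.dat, and MBRCheck reported a SHA1 for each physical drive's boot code and matched it against known Windows MBR code ("Windows 98 MBR code detected", "Windows XP MBR code detected"). The script below is an added example, not code from either tool, showing what that check involves: take the 512-byte sector, confirm the 0x55AA boot signature, walk the four 16-byte partition entries, hash the bootstrap area and compare it with an allow-list. Which byte range MBRCheck hashes is not stated on the page, so hashing bytes 0..439 (everything before the disk signature) is my assumption, and the allow-list is seeded from a sector constructed inline rather than from the SHA1 values in the log. The partition geometry (LBA 63, ending at sector 117194175 like the aswMBR "scanning sectors" line) is constructed for the example.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440          # bootstrap area before the disk signature (assumption, see lead-in)
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
PART_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(bootcode, parts):
    """Construct a 512-byte MBR for the example (not a real disk image).
    parts: list of (bootable, type, lba_start, sectors)."""
    code = bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN]
    sig = struct.pack("<I", 0x12345678) + b"\x00\x00"   # disk signature + reserved word
    table = b""
    for bootable, ptype, start, size in parts:
        flag = 0x80 if bootable else 0x00
        # CHS fields left zero: modern tools use the LBA fields
        table += struct.pack(PART_FMT, flag, b"\x00\x00\x00", ptype, b"\x00\x00\x00", start, size)
    table = table.ljust(4 * PART_ENTRY_LEN, b"\x00")
    return code + sig + table + b"\x55\xaa"


def parse_mbr(sector):
    """Validate the sector and return disk signature, bootstrap hash and partition table."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        flag, _chs0, ptype, _chs1, start, size = struct.unpack(PART_FMT, sector[off:off + PART_ENTRY_LEN])
        if ptype != 0:   # type 0 marks an unused entry
            parts.append({"index": i, "bootable": flag == 0x80, "type": ptype,
                          "lba_start": start, "sectors": size})
    return {
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "bootcode_sha1": hashlib.sha1(sector[:BOOTCODE_LEN]).hexdigest().upper(),
        "partitions": parts,
    }


def check_bootcode(info, known_hashes):
    """Return (status, sha1): 'known' if the bootstrap hash is on the allow-list."""
    h = info["bootcode_sha1"]
    return ("known" if h in known_hashes else "unknown", h)


# Constructed sample: a stand-in "stock" bootstrap and a patched variant (not real bootkit code).
STOCK_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"STOCK-BOOTSTRAP"
PATCHED_CODE = STOCK_CODE[:7] + b"PATCHED-BOOTSTRAP"
PARTS = [(True, 0x07, 63, 117194112)]   # one bootable NTFS partition, LBA 63 .. 117194175

# Allow-list seeded from the constructed stock sector (a real tool ships vendor hashes).
KNOWN_GOOD = {parse_mbr(build_sample_mbr(STOCK_CODE, PARTS))["bootcode_sha1"]}


if __name__ == "__main__":
    for name, code in (("stock", STOCK_CODE), ("patched", PATCHED_CODE)):
        info = parse_mbr(build_sample_mbr(code, PARTS))
        status, sha1 = check_bootcode(info, KNOWN_GOOD)
        print(f"{name}: {status} SHA1={sha1} partitions={info['partitions']}")
```

An "unknown" result is not proof of a bootkit (OEM recovery tools and boot managers write their own code), which is why MBRCheck names the code family it matched rather than just printing a hash; an unknown hash on a drive that should carry stock Windows code is what justifies the deeper look. The partition table is parsed alongside the hash because a bootkit that relocates the original MBR often leaves the table intact while only the bootstrap bytes change.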

#8 m0le (Malware Response Team)

Posted 20 September 2011 - 07:48 PM

The MBR is fine. Just before we attempt any repairs let's check that there is nothing left.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Now run the ESET online scan

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply
If no log is generated that means nothing was found. Please let me know if this happens.

#9 AstroIROC (Topic Starter)

Posted 20 September 2011 - 11:02 PM

Thanks m0le. This PC does not get internet; that's why I have it to fix. MBAM is running now. I did update on a clean PC and transferred the rules.ref file and overwrote the existing file, but the program does not show the latest date in the update section. It has found 24 infections so far. I don't know what they are yet, but I will post the log after it's done. I won't be able to run the ESET online scan though (can't get online).

Thanks Astro

#10 AstroIROC (Topic Starter)

Posted 20 September 2011 - 11:23 PM

Hello again. Here is the MBAM log. It found some trojans; Device Manager items are still hidden.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7622

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/21/2011 12:17:18 AM
mbam-log-2011-09-21 (00-17-18).txt

Scan type: Full scan (C:\|)
Objects scanned: 220564
Time elapsed: 24 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 28
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 3
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4D7B-9389-0F166788785A} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3E720452-B472-4954-B7AA-33069EB53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63D0ED2C-B45B-4458-8B3B-60C69BBBD83C} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98D9753D-D73B-42D5-8C85-4469CDA897AB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9FF05104-B030-46FC-94B8-81276E4E27DF} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{E79DFBCA-5697-4fbd-94E5-5B2A9C7C1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Value: (default) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> Value: f3PopularScreensavers -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch) -> Value: FunWebProducts -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\amy lescalleet\application data\funwebproducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\documents and settings\amy lescalleet\application data\funwebproducts\Data (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\documents and settings\amy lescalleet\application data\funwebproducts\Data\amy lescalleet (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\downloaded program files\zwinkyinitialsetup1.0.1.0.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\documents and settings\amy lescalleet\application data\funwebproducts\Data\amy lescalleet\avatar.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\documents and settings\amy lescalleet\application data\funwebproducts\Data\amy lescalleet\outfit.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\documents and settings\amy lescalleet\application data\funwebproducts\Data\amy lescalleet\register.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\documents and settings\amy lescalleet\application data\funwebproducts\Data\amy lescalleet\zbucks.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
I am hungry for knowledge

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:10:49 AM

Posted 21 September 2011 - 05:58 PM

Please run Combofix instead of ESET

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#12 AstroIROC

AstroIROC
  • Topic Starter

  • Members
  • 136 posts
  • OFFLINE
  • Gender:Male
  • Location:Martinsburg, WV
  • Local time:06:49 AM

Posted 21 September 2011 - 07:31 PM

So what if the recovery console is not installed? I don't have internet!!!
I am hungry for knowledge

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:10:49 AM

Posted 21 September 2011 - 07:42 PM

Go ahead without the recovery console. :)
m0le is a proud member of UNITE

#14 AstroIROC

AstroIROC
  • Topic Starter

  • Members
  • 136 posts
  • OFFLINE
  • Gender:Male
  • Location:Martinsburg, WV
  • Local time:06:49 AM

Posted 21 September 2011 - 10:52 PM

Hello m0le. The ComboFix log will follow. I have been using a USB external hard drive to transfer the programs and logs back and forth. So as I was running ComboFix and thinking about how to get an internet connection, I remembered that I had a USB-to-Ethernet adapter. So I plugged it in and installed the drivers, and what do you know, I have an internet connection now!!! This was done after ComboFix was finished, so I didn't interfere with the scan!! I was able to update MBAM but I didn't do a scan yet. I thought I would wait on expert advice. So that's where we stand. BTW devices still hidden.

ComboFix 11-09-21.04 - Amy Lescalleet 09/21/2011 23:16:47.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.246 [GMT -4:00]
Running from: c:\documents and settings\Amy Lescalleet\Desktop\ComFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Amy Lescalleet\Desktop\Setup.exe
c:\documents and settings\Amy Lescalleet\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Amy Lescalleet\Local Settings\Application Data\ApplicationHistory\backupnotify.exe.cd4639e.ini
c:\documents and settings\Amy Lescalleet\Local Settings\Application Data\ApplicationHistory\BalloonMsg.exe.c892f05.ini
c:\documents and settings\Amy Lescalleet\Local Settings\Application Data\ApplicationHistory\CDRFinder.exe.6f03412c.ini
c:\documents and settings\Amy Lescalleet\Local Settings\Application Data\ApplicationHistory\csc.exe.3e4ac0af.ini
c:\documents and settings\Amy Lescalleet\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini
c:\documents and settings\Amy Lescalleet\Local Settings\Application Data\ApplicationHistory\hpqselsk.exe.a048b05c.ini
c:\documents and settings\Amy Lescalleet\Local Settings\Application Data\ApplicationHistory\hpqthb08.exe.a935d1e0.ini
c:\documents and settings\Amy Lescalleet\Local Settings\Application Data\ApplicationHistory\ToMyPic.exe.e0640d4a.ini
c:\documents and settings\Amy Lescalleet\Local Settings\Application Data\ApplicationHistory\tps.exe.8b23323f.ini
c:\documents and settings\Amy Lescalleet\WINDOWS
c:\program files\messenger\msmsgsin.exe
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\help\wmplayer.bak
c:\windows\system32\comct332.ocx
c:\windows\system32\regobj.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-08-22 to 2011-09-22 )))))))))))))))))))))))))))))))
.
.
2011-09-22 03:09 . 2005-02-15 04:17 26368 ----a-r- c:\windows\system32\drivers\USB100TX.sys
2011-09-22 03:08 . 2011-09-22 03:08 -------- d-----w- c:\windows\LastGood
2011-09-21 03:48 . 2011-09-21 03:48 -------- d-----w- c:\documents and settings\Amy Lescalleet\Application Data\Malwarebytes
2011-09-21 03:48 . 2011-09-21 03:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-21 03:48 . 2011-09-21 04:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-21 03:48 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-15 13:29 . 2003-03-31 02:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2003-03-31 02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2003-03-31 02:00 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2003-03-31 02:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:12 57344 --sha-w- c:\windows\system32\msvcirt.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 88363]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-04-07 4730880]
"nwiz"="nwiz.exe" [2004-04-07 323584]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 245760]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2004-08-17 26112]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"HostManager"="c:\program files\Common Files\AOL\1313549320\ee\AOLSoftware.exe" [2006-09-26 50736]
.
c:\documents and settings\Amy Lescalleet\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2004-9-18 233472]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wallpaper Changer.lnk - c:\program files\AzureBay\AzureBay Screen Saver\WPChanger.exe [2004-8-18 49664]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
AutoTBar.exe [2003-9-30 57344]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s [?]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s [?]
S2 mrtRate;mrtRate; [x]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 USB100TX;Linksys EtherFast 10/100 USB Network Adapter;c:\windows\system32\drivers\USB100TX.sys [9/21/2011 11:09 PM 26368]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-21 c:\windows\Tasks\User_Feed_Synchronization-{FEE77937-FA17-4DD9-9D30-C5ADD1FDDA08}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJman000&fl=0&ptb=WvFQSNRBjHN8Hgu0Qf38BQ&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=sb&searchfor={searchTerms}
uInternet Settings,ProxyServer = 10.28.98.5:80
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-AutoTBar - c:\program files\HP\Digital Imaging\bin\AUTOTBAR.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-21 23:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????1?4?5?4??????? ???B???????????????B? ??????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_SASDIFSV]
@DACL=(02 0000)
"NextInstance"=dword:00000001
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_SASKUTIL]
@DACL=(02 0000)
"NextInstance"=dword:00000001
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\SYSTEM\0002]
@DACL=(02 0000)
"ClassGUID"="{4D36E97D-E325-11CE-BFC1-08002BE10318}"
"Class"="System"
"HardwareID"=multi:"root\\mssmbios\00\00"
"Driver"="{4D36E97D-E325-11CE-BFC1-08002BE10318}\\0005"
"Mfg"="(Standard system devices)"
"Service"="mssmbios"
"DeviceDesc"="Microsoft System Management BIOS Driver"
"ConfigFlags"=dword:00000000
"Capabilities"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(672)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-09-21 23:28:13
ComboFix-quarantined-files.txt 2011-09-22 03:28
.
Pre-Run: 45,634,412,544 bytes free
Post-Run: 45,655,982,080 bytes free
.
- - End Of File - - 62AC1FE7A80BE7D8C552AB1C94FD0EF4
I am hungry for knowledge

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:10:49 AM

Posted 22 September 2011 - 05:17 PM

We have a bit of adware still sitting there so please use the OTL scanner to post a log

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

m0le is a proud member of UNITE
