
Malware preventing internet connection


30 replies to this topic

#1 ARKeng

Posted 23 September 2011 - 11:24 PM

Let me start by saying I already started in the "Am I infected" forum and they told me to start a new post in here. The link to my thread over there is: Internet access shuts down right after login

I sure would appreciate your help!

Here is my DDS.txt:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_21
Run by Alan at 20:44:04 on 2011-09-23
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3325.2251 [GMT -7:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\system32\mfevtps.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
\\.\globalroot\Device\HarddiskVolume3\Users\Alan\AppData\Local\Temp\win4036e0.dat
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Google\Update\1.3.21.65\GoogleCrashHandler.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com?o=15119&l=dis
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080529
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: This BHO has been enabled by System Cleaner. - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110510014552.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - No File
BHO: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
uPolicies-explorer: GreyMSIAds = 0 (0x0)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: HideFastUserSwitching = 1 (0x1)
mPolicies-system: DisableStartupSound = 1 (0x1)
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8BF932B3-9F46-4240-83F6-28AEF593C124} : DhcpNameServer = 192.168.1.1
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\alan\appdata\roaming\mozilla\firefox\profiles\b72ugyyq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\users\alan\appdata\roaming\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\users\alan\appdata\roaming\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\users\alan\appdata\roaming\mozilla\firefox\profiles\b72ugyyq.default\extensions\battlefieldplay4free@ea.com\plugins\npBP4FUpdater.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-5 387480]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-12-13 64584]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-12-13 165032]
R1 SASDIFSV;SASDIFSV;c:\users\alan\appdata\local\temp\sas_selfextract\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\users\alan\appdata\local\temp\sas_selfextract\saskutil.sys [2011-7-12 67664]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-3-9 176128]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-5 94880]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-12-13 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-12-13 271480]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-12-13 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-12-13 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-12-13 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-12-13 141792]
R2 WDDMService;WDDMService;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2010-9-8 237056]
R2 WDFME;WD File Management Engine;c:\program files\western digital\wd smartware\front parlor\wdfme\WDFME.exe [2010-9-8 1034752]
R2 WDSC;WD File Management Shadow Engine;c:\program files\western digital\wd smartware\front parlor\WDSC.exe [2010-9-8 484352]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-7-28 8396800]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-7-28 247296]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-12-13 56064]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-6-5 153280]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-6-5 52320]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-12-13 314088]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c932e91e8b3c60;Google Update Service (gupdate1c932e91e8b3c60);c:\program files\google\update\GoogleUpdate.exe [2008-10-20 133104]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-11-13 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2008-10-20 133104]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2010-8-6 33792]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-12-13 84488]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-5 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-5 40552]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-2-13 11520]
.
=============== Created Last 30 ================
.
2011-09-24 03:09:38 -------- d-----w- c:\users\alan\appdata\local\Western_Digital
2011-09-24 02:57:17 -------- d-----w- c:\programdata\Western Digital
2011-09-24 02:55:00 -------- d-----w- c:\program files\Western Digital
2011-09-24 02:52:24 -------- d-----w- c:\users\alan\appdata\local\Western Digital
2011-09-09 04:21:40 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-09-09 04:20:44 -------- d-----w- c:\programdata\Hitman Pro
2011-09-09 04:08:01 -------- d-----w- c:\users\alan\appdata\roaming\SUPERAntiSpyware.com
2011-09-09 04:08:01 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-09-09 03:40:09 -------- d-----w- c:\users\alan\appdata\roaming\Malwarebytes
2011-09-09 03:40:01 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-09 03:40:01 -------- d-----w- c:\programdata\Malwarebytes
2011-09-09 03:39:58 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-09 03:39:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-03 17:47:37 -------- d-----w- c:\users\alan\appdata\local\THQ
.
==================== Find3M ====================
.
2011-09-06 22:25:59 138264 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-09-06 22:25:50 234768 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-09-06 22:25:50 234768 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-09-03 19:23:59 138056 ----a-w- c:\users\alan\appdata\roaming\PnkBstrK.sys
2011-09-03 19:23:36 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-08-23 00:51:39 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-20 23:06:13 189800 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-07-29 05:22:06 8396800 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2011-07-29 04:44:08 18388480 ----a-w- c:\windows\system32\atioglxx.dll
2011-07-29 04:41:00 151552 ----a-w- c:\windows\system32\atiapfxx.exe
2011-07-29 04:40:46 726528 ----a-w- c:\windows\system32\aticfx32.dll
2011-07-29 04:36:28 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-07-29 04:35:54 401408 ----a-w- c:\windows\system32\atieclxx.exe
2011-07-29 04:35:26 176128 ----a-w- c:\windows\system32\atiesrxx.exe
2011-07-29 04:34:12 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2011-07-29 04:33:56 356352 ----a-w- c:\windows\system32\atipdlxx.dll
2011-07-29 04:33:44 278528 ----a-w- c:\windows\system32\Oemdspif.dll
2011-07-29 04:33:36 20992 ----a-w- c:\windows\system32\atimuixx.dll
2011-07-29 04:33:28 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-07-29 04:30:28 4198912 ----a-w- c:\windows\system32\atidxx32.dll
2011-07-29 04:11:44 1828864 ----a-w- c:\windows\system32\atiumdmv.dll
2011-07-29 04:11:16 46080 ----a-w- c:\windows\system32\aticalrt.dll
2011-07-29 04:11:04 44032 ----a-w- c:\windows\system32\aticalcl.dll
2011-07-29 04:09:12 4256768 ----a-w- c:\windows\system32\atiumdag.dll
2011-07-29 04:07:26 8247296 ----a-w- c:\windows\system32\aticaldd.dll
2011-07-29 04:04:00 4056064 ----a-w- c:\windows\system32\atiumdva.dll
2011-07-29 04:01:50 52736 ----a-w- c:\windows\system32\coinst.dll
2011-07-29 03:54:44 266240 ----a-w- c:\windows\system32\atiadlxx.dll
2011-07-29 03:54:32 13312 ----a-w- c:\windows\system32\atiglpxx.dll
2011-07-29 03:54:20 32768 ----a-w- c:\windows\system32\atigktxx.dll
2011-07-29 03:53:48 247296 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2011-07-29 03:53:16 31744 ----a-w- c:\windows\system32\atiuxpag.dll
2011-07-29 03:53:02 29184 ----a-w- c:\windows\system32\atiu9pag.dll
2011-07-29 03:52:40 37376 ----a-w- c:\windows\system32\atitmpxx.dll
2011-07-29 03:52:28 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-07-29 03:51:06 52736 ----a-w- c:\windows\system32\atimpc32.dll
2011-07-29 03:51:06 52736 ----a-w- c:\windows\system32\amdpcom32.dll
2011-07-22 02:54:43 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-07-22 02:48:26 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-07-22 02:44:36 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-11 13:25:35 2048 ----a-w- c:\windows\system32\tzres.dll
2011-07-06 15:31:47 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
.
============= FINISH: 20:44:50.11 ===============

#2 HelpBot

Posted 28 September 2011 - 11:25 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/420238 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 myrti

Posted 02 October 2011 - 03:11 PM

Hi,

it seems you have been infected with Zero Access. Please run a scan with ComboFix next:
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
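Added example, not code from this thread, from BleepingComputer or from the DDS tool: a small Python triage script that parses the "Running Processes" section of a DDS log like the one posted above and flags the entries a helper reads first, here the `\\.\globalroot\...\Temp\win4036e0.dat` line. The sample excerpt is constructed from the first log in this thread; the heuristics (device path, Temp directory, non-executable extension) are general and will also flag some legitimate software.

```python
"""Triage the "Running Processes" section of a DDS log.

Added example: this is not code from the thread, from BleepingComputer or
from the DDS tool. It flags the entries a malware helper reads first:
a program started from a globalroot device path, from a user Temp
directory, or with a non-executable extension such as .dat.
"""
import re

# Constructed excerpt of the first DDS log in the thread (most lines trimmed).
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
\\.\globalroot\Device\HarddiskVolume3\Users\Alan\AppData\Local\Temp\win4036e0.dat
C:\Program Files\Google\Update\1.3.21.65\GoogleCrashHandler.exe
.
============== Pseudo HJT Report ===============
"""

# Extensions DDS normally lists for a running image.
EXEC_EXTENSIONS = {".exe", ".com", ".scr"}


def running_processes(dds_text):
    """Return the process lines between the Running Processes header and the next section."""
    out = []
    inside = False
    for line in dds_text.splitlines():
        if "Running Processes" in line:
            inside = True
            continue
        if inside and line.startswith("====="):
            break
        if inside and line.strip() not in ("", "."):
            out.append(line.strip())
    return out


def image_path(process_line):
    """Drop arguments: DDS prints 'path -k group' for svchost hosts."""
    return re.split(r"\s-", process_line, maxsplit=1)[0]


def triage(process_line):
    """Return the reasons an entry is suspicious; an empty list means nothing was flagged."""
    low = image_path(process_line).lower()
    name = low.rsplit("\\", 1)[-1]
    ext = name[name.rfind("."):] if "." in name else ""
    reasons = []
    # A device path instead of a drive letter is how the thread's win4036e0.dat
    # entry appears; it keeps the real on-disk location out of simple listings.
    if low.startswith("\\\\.\\globalroot") or low.startswith("\\device\\"):
        reasons.append("device path instead of a drive letter")
    if "\\temp\\" in low:
        reasons.append("runs from a Temp directory")
    if ext not in EXEC_EXTENSIONS:
        reasons.append("non-executable extension %r used as a program" % ext)
    return reasons


def suspicious_processes(dds_text):
    """Map each flagged process line to its list of reasons."""
    result = {}
    for proc in running_processes(dds_text):
        reasons = triage(proc)
        if reasons:
            result[proc] = reasons
    return result


if __name__ == "__main__":
    for proc, reasons in suspicious_processes(SAMPLE_DDS).items():
        print(proc)
        for r in reasons:
            print("   -", r)
```

Run against a full DDS.txt the script only narrows the list; each flagged entry still needs a helper to confirm it, as myrti did here before naming the infection.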



#4 ARKeng (Topic Starter)

Posted 02 October 2011 - 04:32 PM

Thanks for the reply, myrti. Please take a look at my new info below - I've proceeded as you instructed, but I did run into something that may add some more relevant information...

I was actually in the middle of re-supplying new logs per the HelpBot's instructions. Just when I thought this was pointless, as I hadn't turned on my PC since the last logs were created, I booted it up and after several minutes McAfee's realtime scanning popped open and said that it had detected an Artemis!95459276DEF6 trojan and a restart was required to remove it. So I restarted; the logs in McAfee showed that the infected file was indeed the win4036e0.dat file I had noted as suspicious in my initial "Am I Infected" post. On restart, McAfee initiated a full scan, so I figured I'd let it run, and about 3 hours later it finally finished without finding anything else. Anyway, I thought it was strange that all of a sudden McAfee found this, since I've run multiple scans through this whole process and it's certainly had realtime scanning enabled most of the time, and since my internet access is screwed up, it's not like it's downloaded new updates or anything (since early September) according to the logs.

It does look like ComboFix found a few things...

Below is my new DDS.txt:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_21
Run by Alan at 13:13:10 on 2011-10-02
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3325.2095 [GMT -7:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\system32\mfevtps.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Google\Update\1.3.21.69\GoogleCrashHandler.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\McAfee\Core\mchost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com?o=15119&l=dis
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080529
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: This BHO has been enabled by System Cleaner. - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110510014552.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - No File
BHO: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
uPolicies-explorer: GreyMSIAds = 0 (0x0)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: HideFastUserSwitching = 1 (0x1)
mPolicies-system: DisableStartupSound = 1 (0x1)
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8BF932B3-9F46-4240-83F6-28AEF593C124} : DhcpNameServer = 192.168.1.1
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\alan\appdata\roaming\mozilla\firefox\profiles\b72ugyyq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\users\alan\appdata\roaming\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\users\alan\appdata\roaming\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\users\alan\appdata\roaming\mozilla\firefox\profiles\b72ugyyq.default\extensions\battlefieldplay4free@ea.com\plugins\npBP4FUpdater.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-5 387480]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-12-13 64584]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-12-13 165032]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-3-9 176128]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-5 94880]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-12-13 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-12-13 271480]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-12-13 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-12-13 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-12-13 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-12-13 141792]
R2 WDDMService;WDDMService;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2010-9-8 237056]
R2 WDFME;WD File Management Engine;c:\program files\western digital\wd smartware\front parlor\wdfme\WDFME.exe [2010-9-8 1034752]
R2 WDSC;WD File Management Shadow Engine;c:\program files\western digital\wd smartware\front parlor\WDSC.exe [2010-9-8 484352]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-7-28 8396800]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-7-28 247296]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-12-13 56064]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-6-5 153280]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-6-5 52320]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-12-13 314088]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c932e91e8b3c60;Google Update Service (gupdate1c932e91e8b3c60);c:\program files\google\update\GoogleUpdate.exe [2008-10-20 133104]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-11-13 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2008-10-20 133104]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2010-8-6 33792]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-12-13 84488]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-5 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-5 40552]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2011-5-12 21744]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-2-13 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-09-24 03:48:59 -------- d-----w- C:\gmer
2011-09-24 03:09:38 -------- d-----w- c:\users\alan\appdata\local\Western_Digital
2011-09-24 02:57:17 -------- d-----w- c:\programdata\Western Digital
2011-09-24 02:55:00 -------- d-----w- c:\program files\Western Digital
2011-09-24 02:52:24 -------- d-----w- c:\users\alan\appdata\local\Western Digital
2011-09-09 04:21:40 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-09-09 04:20:44 -------- d-----w- c:\programdata\Hitman Pro
2011-09-09 04:08:01 -------- d-----w- c:\users\alan\appdata\roaming\SUPERAntiSpyware.com
2011-09-09 04:08:01 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-09-09 03:40:09 -------- d-----w- c:\users\alan\appdata\roaming\Malwarebytes
2011-09-09 03:40:01 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-09 03:40:01 -------- d-----w- c:\programdata\Malwarebytes
2011-09-09 03:39:58 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-09 03:39:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-03 17:47:37 -------- d-----w- c:\users\alan\appdata\local\THQ
.
==================== Find3M ====================
.
2011-10-02 17:24:59 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-06 22:25:59 138264 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-09-06 22:25:50 234768 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-09-06 22:25:50 234768 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-09-03 19:23:59 138056 ----a-w- c:\users\alan\appdata\roaming\PnkBstrK.sys
2011-09-03 19:23:36 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-08-20 23:06:13 189800 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-07-29 05:22:06 8396800 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2011-07-29 04:44:08 18388480 ----a-w- c:\windows\system32\atioglxx.dll
2011-07-29 04:41:00 151552 ----a-w- c:\windows\system32\atiapfxx.exe
2011-07-29 04:40:46 726528 ----a-w- c:\windows\system32\aticfx32.dll
2011-07-29 04:36:28 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-07-29 04:35:54 401408 ----a-w- c:\windows\system32\atieclxx.exe
2011-07-29 04:35:26 176128 ----a-w- c:\windows\system32\atiesrxx.exe
2011-07-29 04:34:12 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2011-07-29 04:33:56 356352 ----a-w- c:\windows\system32\atipdlxx.dll
2011-07-29 04:33:44 278528 ----a-w- c:\windows\system32\Oemdspif.dll
2011-07-29 04:33:36 20992 ----a-w- c:\windows\system32\atimuixx.dll
2011-07-29 04:33:28 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-07-29 04:30:28 4198912 ----a-w- c:\windows\system32\atidxx32.dll
2011-07-29 04:11:44 1828864 ----a-w- c:\windows\system32\atiumdmv.dll
2011-07-29 04:11:16 46080 ----a-w- c:\windows\system32\aticalrt.dll
2011-07-29 04:11:04 44032 ----a-w- c:\windows\system32\aticalcl.dll
2011-07-29 04:09:12 4256768 ----a-w- c:\windows\system32\atiumdag.dll
2011-07-29 04:07:26 8247296 ----a-w- c:\windows\system32\aticaldd.dll
2011-07-29 04:04:00 4056064 ----a-w- c:\windows\system32\atiumdva.dll
2011-07-29 04:01:50 52736 ----a-w- c:\windows\system32\coinst.dll
2011-07-29 03:54:44 266240 ----a-w- c:\windows\system32\atiadlxx.dll
2011-07-29 03:54:32 13312 ----a-w- c:\windows\system32\atiglpxx.dll
2011-07-29 03:54:20 32768 ----a-w- c:\windows\system32\atigktxx.dll
2011-07-29 03:53:48 247296 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2011-07-29 03:53:16 31744 ----a-w- c:\windows\system32\atiuxpag.dll
2011-07-29 03:53:02 29184 ----a-w- c:\windows\system32\atiu9pag.dll
2011-07-29 03:52:40 37376 ----a-w- c:\windows\system32\atitmpxx.dll
2011-07-29 03:52:28 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-07-29 03:51:06 52736 ----a-w- c:\windows\system32\atimpc32.dll
2011-07-29 03:51:06 52736 ----a-w- c:\windows\system32\amdpcom32.dll
2011-07-22 02:54:43 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-07-22 02:48:26 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-07-22 02:44:36 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-11 13:25:35 2048 ----a-w- c:\windows\system32\tzres.dll
2011-07-06 15:31:47 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
.
============= FINISH: 13:13:48.73 ===============

Here is my ComboFix.txt:
ComboFix 11-10-02.03 - Alan 10/02/2011 14:13:27.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3325.2089 [GMT -7:00]
Running from: c:\users\Alan\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ntuser.dat
c:\programdata\PCDr\5830\Downloads\0fc909b5-f105-4459-82f3-583c6ea5d734.dll
c:\programdata\PCDr\5830\Downloads\482517d4-aaa6-47f8-a7ad-de5cf6021ac2.dll
c:\programdata\PCDr\5830\Downloads\b3c595f3-948c-4aae-b2a9-7aaa0df99c97.dll
c:\programdata\PCDr\5830\Downloads\b4ec5042-c9eb-4e0d-b56f-68c71eb653bf.dll
c:\users\Mason\AppData\Local\ArmA
c:\users\Mason\AppData\Local\ArmA\arma.RPT
c:\windows\system32\133b8b20.dll
c:\windows\system32\15bcef14.dll
c:\windows\system32\1fdf6e0.dll
c:\windows\system32\2f2eed00.dll
c:\windows\system32\41f7304.dll
c:\windows\system32\7a255a6.dll
c:\windows\system32\7db2b60.dll
c:\windows\system32\9bb56e4.dll
c:\windows\system32\b620dc4.dll
c:\windows\system32\b7d4708.dll
c:\windows\system32\f954894.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-09-02 to 2011-10-02 )))))))))))))))))))))))))))))))
.
.
2011-10-02 21:22 . 2011-10-02 21:23 -------- d-----w- c:\users\Alan\AppData\Local\temp
2011-10-02 21:22 . 2011-10-02 21:22 -------- d-----w- c:\users\Mason\AppData\Local\temp
2011-10-02 21:22 . 2011-10-02 21:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-24 03:48 . 2011-09-24 03:48 -------- d-----w- C:\gmer
2011-09-24 03:09 . 2011-09-24 03:09 -------- d-----w- c:\users\Alan\AppData\Local\Western_Digital
2011-09-24 02:57 . 2011-09-24 02:57 -------- d-----w- c:\programdata\Western Digital
2011-09-24 02:55 . 2011-09-24 02:55 -------- d-----w- c:\program files\Western Digital
2011-09-24 02:52 . 2011-09-24 02:52 -------- d-----w- c:\users\Alan\AppData\Local\Western Digital
2011-09-16 21:47 . 2011-09-17 02:58 -------- d-----w- c:\users\Mason\AppData\Roaming\.minecraft
2011-09-09 23:34 . 2011-09-09 23:35 -------- d-----w- c:\users\Mason\AppData\Local\Microsoft Games
2011-09-09 21:46 . 2011-09-09 21:46 -------- d-----w- c:\users\Mason\AppData\Roaming\Malwarebytes
2011-09-09 04:21 . 2011-09-09 04:21 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-09-09 04:20 . 2011-09-09 04:20 -------- d-----w- c:\programdata\Hitman Pro
2011-09-09 04:08 . 2011-09-09 04:08 -------- d-----w- c:\users\Alan\AppData\Roaming\SUPERAntiSpyware.com
2011-09-09 04:08 . 2011-09-09 04:08 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-09-09 03:40 . 2011-09-09 03:40 -------- d-----w- c:\users\Alan\AppData\Roaming\Malwarebytes
2011-09-09 03:40 . 2011-09-09 03:40 -------- d-----w- c:\programdata\Malwarebytes
2011-09-09 03:40 . 2011-07-08 14:55 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-09 03:39 . 2011-09-09 04:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-09 03:39 . 2011-07-08 14:55 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-03 17:47 . 2011-09-03 17:47 -------- d-----w- c:\users\Alan\AppData\Local\THQ
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-02 17:24 . 2011-06-06 05:09 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-06 22:25 . 2008-06-29 06:15 138264 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-09-06 22:25 . 2009-06-27 06:33 234768 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-09-06 22:25 . 2008-06-29 06:15 234768 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-09-03 19:23 . 2008-06-29 06:15 138056 ----a-w- c:\users\Alan\AppData\Roaming\PnkBstrK.sys
2011-09-03 19:23 . 2008-06-29 06:15 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-08-20 23:06 . 2008-06-29 06:15 189800 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-07-29 05:22 . 2011-07-29 05:22 8396800 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2011-07-29 04:44 . 2011-07-29 04:44 18388480 ----a-w- c:\windows\system32\atioglxx.dll
2011-07-29 04:41 . 2011-07-29 04:41 151552 ----a-w- c:\windows\system32\atiapfxx.exe
2011-07-29 04:40 . 2010-08-04 08:54 726528 ----a-w- c:\windows\system32\aticfx32.dll
2011-07-29 04:36 . 2011-07-29 04:36 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-07-29 04:35 . 2011-03-09 11:53 401408 ----a-w- c:\windows\system32\atieclxx.exe
2011-07-29 04:35 . 2011-03-09 11:52 176128 ----a-w- c:\windows\system32\atiesrxx.exe
2011-07-29 04:34 . 2011-07-29 04:34 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2011-07-29 04:33 . 2011-07-29 04:33 356352 ----a-w- c:\windows\system32\atipdlxx.dll
2011-07-29 04:33 . 2011-07-29 04:33 278528 ----a-w- c:\windows\system32\Oemdspif.dll
2011-07-29 04:33 . 2011-07-29 04:33 20992 ----a-w- c:\windows\system32\atimuixx.dll
2011-07-29 04:33 . 2011-07-29 04:33 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-07-29 04:30 . 2011-07-29 04:30 4198912 ----a-w- c:\windows\system32\atidxx32.dll
2011-07-29 04:11 . 2011-07-29 04:11 1828864 ----a-w- c:\windows\system32\atiumdmv.dll
2011-07-29 04:11 . 2011-07-29 04:11 46080 ----a-w- c:\windows\system32\aticalrt.dll
2011-07-29 04:11 . 2011-07-29 04:11 44032 ----a-w- c:\windows\system32\aticalcl.dll
2011-07-29 04:09 . 2008-05-29 03:54 4256768 ----a-w- c:\windows\system32\atiumdag.dll
2011-07-29 04:07 . 2011-07-29 04:07 8247296 ----a-w- c:\windows\system32\aticaldd.dll
2011-07-29 04:04 . 2011-03-09 10:34 4056064 ----a-w- c:\windows\system32\atiumdva.dll
2011-07-29 04:01 . 2010-08-04 08:23 52736 ----a-w- c:\windows\system32\coinst.dll
2011-07-29 03:54 . 2011-03-09 11:18 266240 ----a-w- c:\windows\system32\atiadlxx.dll
2011-07-29 03:54 . 2011-07-29 03:54 13312 ----a-w- c:\windows\system32\atiglpxx.dll
2011-07-29 03:54 . 2011-07-29 03:54 32768 ----a-w- c:\windows\system32\atigktxx.dll
2011-07-29 03:53 . 2011-07-29 03:53 247296 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2011-07-29 03:53 . 2011-07-29 03:53 31744 ----a-w- c:\windows\system32\atiuxpag.dll
2011-07-29 03:53 . 2011-03-09 11:16 29184 ----a-w- c:\windows\system32\atiu9pag.dll
2011-07-29 03:52 . 2011-03-09 11:16 37376 ----a-w- c:\windows\system32\atitmpxx.dll
2011-07-29 03:52 . 2011-07-29 03:52 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-07-29 03:51 . 2011-07-29 03:51 52736 ----a-w- c:\windows\system32\atimpc32.dll
2011-07-29 03:51 . 2011-07-29 03:51 52736 ----a-w- c:\windows\system32\amdpcom32.dll
2011-07-22 02:54 . 2011-08-12 00:57 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-07-22 02:48 . 2011-08-12 00:57 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-07-22 02:44 . 2011-08-12 00:57 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-11 13:25 . 2011-08-25 02:25 2048 ----a-w- c:\windows\system32\tzres.dll
2011-07-06 15:31 . 2011-08-12 00:49 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-09-02 21:46 . 2011-05-13 21:50 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 21:01 . 2010-12-13 22:38 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-06-28 1195408]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-9-8 5185536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"HideFastUserSwitching"= 1 (0x1)
"DisableStartupSound"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"GreyMSIAds"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-05-27 21:52 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2010-09-09 12:09 50592 ----a-w- c:\users\Alan\AppData\Roaming\mjusbsp\cdloader2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2006-11-02 09:45 8704 ----a-w- c:\windows\System32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 08:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2011-07-08 14:55 1047656 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-05-14 09:03 4452352 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
R1 SASDIFSV;SASDIFSV;c:\users\Alan\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\Alan\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c932e91e8b3c60;Google Update Service (gupdate1c932e91e8b3c60);c:\program files\Google\Update\GoogleUpdate.exe [2008-10-20 133104]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2008-10-20 133104]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2005-03-10 33792]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-04-14 84488]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-02-03 3526520]
R3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2011-05-12 21744]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2011-04-14 64584]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-04-14 165032]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-07-29 176128]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2011-08-10 94880]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-04-14 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-04-14 141792]
S2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2010-09-08 237056]
S2 WDFME;WD File Management Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [2010-09-08 1034752]
S2 WDSC;WD File Management Shadow Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [2010-09-08 484352]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-07-29 8396800]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-07-29 247296]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-04-14 56064]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-04-14 314088]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
*Deregistered* - pwddqpoc
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-20 19:21]
.
2011-10-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-20 19:21]
.
2011-09-24 c:\windows\Tasks\PCDoctorBackgroundMonitorTask-Delay.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-06-21 18:08]
.
2011-10-02 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-06-21 18:08]
.
2011-10-02 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-06-21 18:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15119&l=dis
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Alan\AppData\Roaming\Mozilla\Firefox\Profiles\b72ugyyq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp--532066276 - c:\users\Alan\AppData\Local\Temp\thpm291337485425533431.tmp
MSConfigStartUp-8EE9D7FB - c:\users\Alan\AppData\Roaming\8EE9D7FB\8EE9D7FB.EXE
MSConfigStartUp-dellsupportcenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
MSConfigStartUp-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-02 14:23
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,cd,40,d6,c9,74,b2,c2,46,b5,aa,61,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,cd,40,d6,c9,74,b2,c2,46,b5,aa,61,\
.
[HKEY_USERS\S-1-5-21-3810396432-2170358803-2536125792-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:fd,07,09,c1,53,3c,a0,a0,83,f1,ba,66,93,ab,28,a9,73,c6,68,2e,3d,b5,26,
1c,df,03,7c,63,49,0f,5c,ed,43,14,e4,8e,4a,c2,30,6f,a4,05,07,27,15,e6,39,6b,\
"??"=hex:64,a2,87,f0,9b,5b,86,b2,57,5c,21,40,cf,d2,66,c3
.
[HKEY_USERS\S-1-5-21-3810396432-2170358803-2536125792-1000\Software\SecuROM\License information*]
"datasecu"=hex:4c,2a,a6,98,38,af,cd,0b,1f,f9,a1,73,53,03,48,b7,d9,f8,e6,d7,86,
fe,a0,66,40,32,14,9a,8c,2d,01,32,30,66,ba,5c,4a,8e,74,27,d9,01,ab,32,c6,66,\
"rkeysecu"=hex:a0,1c,70,88,b3,cd,df,f5,83,58,8f,36,0d,14,87,09
.
Completion time: 2011-10-02 14:24:55
ComboFix-quarantined-files.txt 2011-10-02 21:24
.
Pre-Run: 25,165,352,960 bytes free
Post-Run: 55,165,345,792 bytes free
.
- - End Of File - - 6C1788CC466E1F09DBC28A53714029F9

Attached Files



#5 myrti (Sillyberry)
  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 02 October 2011 - 05:06 PM

Hi,

so you created the gmer log before running ComboFix or after? It still seems to show the same lines.

Did the files deleted by McAfee return after the reboot?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#6 ARKeng
  • Topic Starter
  • Members
  • 25 posts

Posted 02 October 2011 - 06:14 PM

The previously-posted gmer log is pre-ComboFix.

The win*.dat file did not show up on task manager after the McAfee scan as it did before.

I've attached a new post-ComboFix gmer log.

Attached Files



#7 myrti (Sillyberry)
  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 02 October 2011 - 06:33 PM

Hi,

have you previously removed parts of the infection? Was win****.dat the only thing McAfee found?

regards myrti



#8 myrti (Sillyberry)
  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 02 October 2011 - 06:55 PM

Hi,

I'm not seeing anything obvious in your logs at the moment. Could you reset your router to see if that was the problem:
Router Reset
  • Please read this: Malware Silently Alters Wireless Router Settings

  • Consult this link to find out what is the default username and password of your router and note them down: Router Passwords

  • Then reset your router to its factory default settings:

    "If your machine has been infected by one of these Zlob/DNSchanger Trojans, and your router settings have been altered, I would strongly recommend that you reset the router to its default configuration. Usually, this can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds)"


  • This is the difficult part.
    First get to the router's server. To do that type http://192.168.1.1 in the address bar and click Enter. You get the log in window.
    Fill in the password you have already found and you will get the configuration page.
    Configure the router to allow you to connect to your ISP server. In some routers it is done by a setup wizard. But you have to fill in the log in password your ISP has initially given to you.
    You can also call your ISP if you don't have your initial password.
    Don't forget to change the router's default password and set a strong password. Note down the password and keep it somewhere for future reference.

  • Please make sure of the following settings:
    • Go to start => Control panel => Double-click Network and Sharing Center.
    • In the left window select Manage network Connection.
    • In the right window right-click Local Area connection and select Properties.
    • Internet Protocol Version 6 (IPv6) should be checked. Double-click on it: Make sure of the following settings:
      • The option Obtain an IP address automatically should be checked.
      • The option Obtain DNS server address automatically should be checked.
    • Click OK.
    • Internet Protocol Version 4 (IPv4) should be checked. Double-click on it:
      • The option Obtain an IP address automatically should be checked.
      • The option Obtain DNS server address automatically should be checked.
  • Click OK twice.
  • If you should change any setting, reboot the computer.

regards myrti

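The DNS check the post above asks the user to do by hand can also be read straight out of the "TCP:" lines that DDS prints (the DhcpNameServer lines in the log earlier in this thread). The script below is an added example, not part of this thread, of DDS or of ComboFix: it parses those lines and flags any adapter whose resolver is set statically or points outside the LAN, which is what a DNSChanger-style hijack looks like in such a log. The router address and the first interface GUID come from the log above; the other GUIDs and the 203.0.113.x / 198.51.100.x addresses are constructed sample values.

```python
"""Flag DNSChanger-style resolver settings in the "TCP:" lines of a DDS log.

Added example for this thread; not part of DDS, ComboFix or the original
posts. DDS prints "TCP: DhcpNameServer = ..." when an adapter takes its DNS
from DHCP and "TCP: NameServer = ..." (optionally prefixed with the adapter
GUID, "Interfaces{GUID} :" with a backslash) when a resolver was set by hand.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed sample log. The first two lines mirror the DDS output posted
# above (router 192.168.1.1, interface GUID from that log); the remaining
# lines are made up to show what a hijacked configuration would look like.
SAMPLE_LOG = "\n".join([
    "TCP: DhcpNameServer = 192.168.1.1",
    "TCP: Interfaces\\{8BF932B3-9F46-4240-83F6-28AEF593C124} : DhcpNameServer = 192.168.1.1",
    "TCP: NameServer = 203.0.113.10,203.0.113.11",                                          # constructed
    "TCP: Interfaces\\{00000000-0000-0000-0000-000000000001} : NameServer = 198.51.100.7",  # constructed
    "TCP: Interfaces\\{00000000-0000-0000-0000-000000000002} : NameServer = 192.168.1.1",   # constructed
])

# Networks a home LAN resolver is expected to live in (RFC 1918 plus IPv6
# unique-local and link-local). Anything else is treated as off-LAN.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10",
)]

_TCP_LINE = re.compile(
    r"^TCP:\s+"
    r"(?:Interfaces\\(?P<iface>\{[0-9A-Fa-f-]+\})\s*:\s*)?"
    r"(?P<key>DhcpNameServer|NameServer)\s*=\s*(?P<value>.+?)\s*$"
)


class DnsEntry(NamedTuple):
    interface: Optional[str]  # adapter GUID, or None for the machine-wide entry
    static: bool              # True for NameServer (set by hand), False for DhcpNameServer
    servers: List[str]


class Finding(NamedTuple):
    interface: Optional[str]
    server: str
    reason: str


def parse_tcp_lines(text: str) -> List[DnsEntry]:
    """Extract every DNS entry from the TCP: lines of a DDS log; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = _TCP_LINE.match(line.strip())
        if m is None:
            continue
        servers = [s for s in re.split(r"[,\s]+", m.group("value")) if s]
        entries.append(DnsEntry(m.group("iface"), m.group("key") == "NameServer", servers))
    return entries


def on_lan(addr) -> bool:
    """True if the address falls in one of LAN_NETWORKS (v4/v6 mismatches compare False)."""
    return any(addr in net for net in LAN_NETWORKS)


def assess(entries: List[DnsEntry]) -> List[Finding]:
    """One Finding per resolver that deviates from 'obtain DNS automatically from
    the local router', the state the instructions above ask the user to confirm."""
    findings = []
    for entry in entries:
        for server in entry.servers:
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                findings.append(Finding(entry.interface, server, "unparseable address"))
                continue
            reasons = []
            if entry.static:
                reasons.append("static NameServer overrides DHCP")
            if not on_lan(addr):
                reasons.append("resolver outside the LAN")
            if reasons:
                findings.append(Finding(entry.interface, server, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in assess(parse_tcp_lines(SAMPLE_LOG)):
        print(f"{f.interface or '<global>'}: {f.server}: {f.reason}")
```

A clean log like the one posted in this thread produces no findings; only the constructed lines trip the checks.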


#9 ARKeng
  • Topic Starter
  • Members
  • 25 posts

Posted 02 October 2011 - 09:03 PM

OK, well that was a bit frustrating for a while but I was able to get through it eventually. I should have reminded you that my laptop I'm using and my roommate's laptop and our PS3 (all connected wirelessly) are working fine, so I wouldn't think it's the router. Here's what happened:

1. I reset the router.
2. On the infected desktop I went to the 192.168.1.1 address and it let me log in to the router (for the first time in about 3 weeks!). I changed the password but as soon as I hit "apply" it tried to load the response page and gave me a "The connection has timed out" page just like it does to any internet page. I also tried my bookmark for "www.routerlogin.net/start.htm" and got the same result.
3. I started to worry that I wouldn't be able to re-setup the wireless network that has worked fine for all but the desktop. But I remembered to try plugging in my laptop (wired) to the router and went to the 192.168.1.1 address. But it brought up a blank white page that said something to the effect of "192.168.1.2 is managing this device". I thought maybe my login from the other PC was still "hung in" so I unplugged that network cable and rebooted the router.
4. I went to the 192.168.1.1 address on my laptop again and it brought up a "192.168.1.3 is managing this device" page. So I unplugged the cable between the router and the cable modem and re-booted the router again.
5. Then, when I went to the 192.168.1.1 address, it let me login like it should. Finally, I was able to change the password and re-setup all my wireless settings. Also, given what I'd just experienced, I made sure that all the settings for "enable remote management" were unchecked (as they always have been).
6. Now at least I'm able to re-connect wirelessly on the laptops per normal, but still not on the desktop.
7. I went through the TCP/IP settings and confirmed they are still set up for "automatic" on everything again. I rebooted the desktop and still get the same behavior: internet works for about 1-2 minutes, and then suddenly stops.

To answer your previous question, yes McAfee has found some other things before. In looking through the log it looks like it had found an Artemis! trojan with a different number and a GenericFakeAlert.by trojan both back on 9/5/11 (about the time all the troubles began). I've attached my full McAfee log that I was able to find on the hard drive.

Attached Files



#10 ARKeng

ARKeng
  • Topic Starter

  • Members
  • 25 posts

Posted 02 October 2011 - 09:14 PM

I also just found another McAfee log that contains some other things it's found...

Attached Files

  • Attached File  OAS.Log   95.5KB   1 downloads


#11 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts

Posted 03 October 2011 - 04:53 AM

Hi,

yes, if the others function correctly, then it is most likely not the router indeed.

Download RogueKiller to your desktop

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 1 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.

Please also run a scan with aswMBR:
Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#12 ARKeng

ARKeng
  • Topic Starter

  • Members
  • 25 posts

Posted 03 October 2011 - 10:12 AM

Here is the RKreport[1].txt:
RogueKiller V6.1.1 [09/28/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User: Alan [Admin rights]
Mode: Scan -- Date : 10/03/2011 07:53:34

Bad processes: 0

Registry Entries: 3
[SUSP PATH] win4036e0.job : \\.\globalroot\Device\HarddiskVolume3\Users\Alan\AppData\Local\Temp\win4036e0.dat -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Particular Files / Folders:

Driver: [LOADED]

HOSTS File:
127.0.0.1 localhost


Finished : << RKreport[1].txt >>
RKreport[1].txt


--------------------------------------------------------------------------------
Here is the aswMBR.txt:

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-03 07:55:00
-----------------------------
07:55:00.847 OS Version: Windows 6.0.6002 Service Pack 2
07:55:00.847 Number of processors: 2 586 0x1706
07:55:00.847 ComputerName: ALAN-DESKTOP UserName: Alan
07:55:01.829 Initialize success
07:55:14.563 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
07:55:14.563 Disk 0 Vendor: ST3320620AS 3.ADG Size: 305245MB BusType: 3
07:55:16.606 Disk 0 MBR read successfully
07:55:16.606 Disk 0 MBR scan
07:55:16.606 Disk 0 Windows VISTA default MBR code
07:55:16.606 Disk 0 scanning sectors +625139712
07:55:16.684 Disk 0 scanning C:\Windows\system32\drivers
07:55:20.928 Service scanning
07:55:22.332 Modules scanning
07:55:25.795 Disk 0 trace - called modules:
07:55:25.826 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
07:55:25.826 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x856a62a0]
07:55:25.826 3 CLASSPNP.SYS[8ade28b3] -> nt!IofCallDriver -> [0x84747918]
07:55:25.826 5 acpi.sys[806936bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x854e2b98]
07:55:26.325 Scan finished successfully
07:55:40.069 Disk 0 MBR has been saved successfully to "C:\Users\Alan\Desktop\MBR.dat"
07:55:40.084 The log file has been saved successfully to "C:\Users\Alan\Desktop\aswMBR.txt"


-------------------------------------------------------------------------------------------------
On the chance that it's of any use, these are the contents of QuarantineReport.txt that Rogue Killer created in a folder called RK_Quarantine on my desktop:


Time : 03/10/2011 07:53:34
--------------------------
ERROR [win4036e0.dat.vir] -> \\.\globalroot\Device\HarddiskVolume3\Users\Alan\AppData\Local\Temp\win4036e0.dat


---------------------------------------------------------------------------------------------------

That's it for now - same behavior on the internet connection.

#13 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts

Posted 03 October 2011 - 11:37 AM

Hi,

it seems that RogueKiller can see the problem at hand, so let's see if it can remove it:
Quit all running programs and run RogueKiller once again.

  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 2 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.



#14 ARKeng

ARKeng
  • Topic Starter

  • Members
  • 25 posts

Posted 03 October 2011 - 08:54 PM

myrti,

Seems like it deleted it, but connection still behaving the same way after restart...

Here's my new RKreport:
RogueKiller V6.1.1 [09/28/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User: Alan [Admin rights]
Mode: Remove -- Date : 10/03/2011 18:42:42

Bad processes: 0

Registry Entries: 3
[SUSP PATH] win4036e0.job : \\.\globalroot\Device\HarddiskVolume3\Users\Alan\AppData\Local\Temp\win4036e0.dat -> DELETED
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

Particular Files / Folders:

Driver: [LOADED]

HOSTS File:
127.0.0.1 localhost


Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt



Here's my new QuarantineReport.txt:


Time : 03/10/2011 07:53:34
--------------------------
ERROR [win4036e0.dat.vir] -> \\.\globalroot\Device\HarddiskVolume3\Users\Alan\AppData\Local\Temp\win4036e0.dat


Time : 03/10/2011 18:42:42
--------------------------
ERROR [win4036e0.dat.vir] -> \\.\globalroot\Device\HarddiskVolume3\Users\Alan\AppData\Local\Temp\win4036e0.dat

#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts

Posted 04 October 2011 - 02:08 AM

Hi,

I'm not sure the program was able to delete the file permanently. Let's see if it is still there:

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    %systemroot%\win4036e0.* /s
    %systemroot%\Tasks\*.job /lockedfiles
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened

regards myrti

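The RogueKiller report in post #12 flagged a scheduled task (win4036e0.job) whose target is a .dat file under the user's Temp folder, addressed through a \\.\globalroot device path, and post #15 goes on to inspect %systemroot%\Tasks\*.job directly. The script below is an added example, not part of this thread and not RogueKiller's or OTL's own logic: it parses RogueKiller-style report lines and scores each .job entry on three heuristics a defender applies when triaging scheduled tasks (device-path target, target in a user-writable staging directory, target with a non-program file extension). The sample report is constructed from the lines posted above plus one made-up benign task for contrast; the function names (parse_report, assess, triage), the directory list and the extension list are my own assumptions.

```python
"""Triage RogueKiller-style report lines for suspicious scheduled-task (.job) targets.

Added example for this thread; the heuristics are the author's own, not RogueKiller's.
"""
import re
from typing import Dict, List

# Constructed sample input: the two report lines posted in the thread plus one
# made-up, benign-looking task (Backup.job) that should NOT be flagged.
SAMPLE_REPORT = r"""
Bad processes: 0

Registry Entries: 3
[SUSP PATH] win4036e0.job : \\.\globalroot\Device\HarddiskVolume3\Users\Alan\AppData\Local\Temp\win4036e0.dat -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[SUSP PATH] Backup.job : C:\Program Files\ExampleBackup\backup.exe -> FOUND
"""

# One report line: "[TAG] name : target -> status" (status may carry a suffix like "(0)").
ENTRY_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+(?P<name>.+?)\s+:\s+(?P<target>.+?)\s+->\s+(?P<status>.+?)\s*$"
)

# Lower-cased path fragments of directories any user can write to; a task whose
# target lives here deserves a look. Assumed list, extend to taste.
STAGING_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\appdata\\roaming\\",
    "\\programdata\\",
    "\\users\\public\\",
)

# Extensions a scheduled task would normally point at. Assumed list.
PROGRAM_EXTS = {".exe", ".cmd", ".bat", ".com", ".msi", ".vbs", ".js", ".ps1"}


def parse_report(text: str) -> List[Dict[str, str]]:
    """Return one dict per matching entry line; non-entry lines are ignored."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def assess(entry: Dict[str, str]) -> List[str]:
    """Return the reasons a .job entry deserves attention (empty list = nothing odd).

    Entries that are not scheduled-task jobs (e.g. the [HJ] registry hijacks) are
    not scored here.
    """
    reasons: List[str] = []
    if not entry["name"].lower().endswith(".job"):
        return reasons
    target = entry["target"].lower()

    # 1. Device-path addressing (\\.\globalroot\Device\...) is unusual for a
    #    legitimate task, which normally names a drive-letter path.
    if target.startswith("\\\\.\\globalroot\\"):
        reasons.append("target uses a \\\\.\\globalroot device path")

    # 2. Target stored in a user-writable staging directory such as %TEMP%.
    for marker in STAGING_DIRS:
        if marker in target:
            reasons.append(f"target lives in user-writable directory '{marker}'")
            break

    # 3. Target file extension is not one a program would normally carry.
    filename = target.rsplit("\\", 1)[-1]
    if "." in filename:
        ext = "." + filename.rsplit(".", 1)[-1]
        if ext not in PROGRAM_EXTS:
            reasons.append(f"target has non-program extension '{ext}'")
    return reasons


def triage(report_text: str) -> Dict[str, List[str]]:
    """Map each flagged task name to its reasons; unflagged entries are omitted."""
    findings: Dict[str, List[str]] = {}
    for entry in parse_report(report_text):
        reasons = assess(entry)
        if reasons:
            findings[entry["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_REPORT).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed report, only win4036e0.job is reported, with all three reasons; Backup.job passes because it is a drive-letter path to an .exe under Program Files. The same heuristics apply to a listing of %systemroot%\Tasks\*.job taken from a live machine, which is what the OTL custom scan in post #15 collects.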




