
Data Recovery Virus


  • This topic is locked
36 replies to this topic

#1 BreeLovesPc

  • Members
  • 99 posts
  • Gender:Female

Posted 26 September 2011 - 08:40 PM

I was online using the Firefox internet browser when all of a sudden the browser just shut down. At first I thought it had crashed, but when Firefox's little window didn't pop up saying that it had crashed and asking to restart, I knew there was an issue. I tried to restart Firefox but it just shut down again. A little before this I noticed that my computer was operating more slowly and I was running low on disk space. I attempted to free some space by uninstalling some programs and deleting some files, but it didn't really clear much space up at all. Shortly after my internet browser shut down the second time, multiple windows popped up saying that the computer had critical damage and needed to be restored. Then this program I did not install, by the name of Data Recovery, which I assume to be a virus, popped up and began to scan my computer. It would not let me access my internet browser. I used System Restore to try and set the computer back to an earlier date in an attempt to rid my PC of the virus, but it did not work. When I restarted my computer my desktop was completely black and none of my personal or default icons were visible. The only way I can access the internet is by starting my computer in Safe Mode with Networking, going to Start and choosing Internet Explorer. Also, this virus keeps turning off my McAfee protection.

Edited by BreeLovesPc, 26 September 2011 - 08:43 PM.




#2 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,947 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 27 September 2011 - 12:07 AM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 27 September 2011 - 07:21 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button and select Immediate Notification, then click Proceed. This will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

I would like to get a better look at your system, please do the following so I can get some more detailed logs.


DeFogger:

  • Please download DeFogger to your desktop.
  • Double-click DeFogger to run the tool.
  • The application window will appear.
  • Click the Disable button to disable your CD emulation drivers.
  • Click Yes to continue.
  • A 'Finished!' message will appear.
  • Click OK.
  • DeFogger may ask you to reboot the machine; if it does, click OK.
Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:


    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply




Scan With RKUnHooker

  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait until the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Just click on Cancel, then Accept.

Information and logs:

In your next post I need the following:

1. Logs from DDS
2. RKUnHooker
3. Let me know of any problems you may have had
Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#4 BreeLovesPc
  • Topic Starter

  • Members
  • 99 posts
  • Gender:Female

Posted 27 September 2011 - 07:58 AM

I am always unable to locate the DDS logs. I remember having an issue with that before =( For some reason, after the scan is done, the logs never pop up for me afterwards. I have tried to search for them but no luck. Unfortunately I am not able to save anything to my desktop. My desktop is black and no icons are visible. I did get a log for Rootkit Unhooker. The following is the log....

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xF5CA3000 C:\WINDOWS\system32\DRIVERS\igxpmp32.sys 6049792 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xBF296000 C:\WINDOWS\System32\igxpdx32.DLL 3461120 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0xBF058000 C:\WINDOWS\System32\igxpdv32.DLL 2351104 bytes (Intel Corporation, Component GHAL Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2154496 bytes
0x804D7000 RAW 2154496 bytes
0x804D7000 WMIxWDM 2154496 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xA946E000 C:\WINDOWS\system32\drivers\sthda.sys 1490944 bytes (IDT, Inc., IDT PC Audio)
0xF5AEC000 C:\WINDOWS\system32\DRIVERS\HSF_DP.sys 1040384 bytes (Conexant Systems, Inc., HSF_DP driver)
0xF5A40000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 704512 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xF72F3000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA6DD2000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF3D6E000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xF73AA000 mfehidk.sys 380928 bytes (McAfee, Inc., McAfee Link Driver)
0xA6F90000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0x9F0A1000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xF3EC6000 C:\WINDOWS\system32\drivers\mfefirek.sys 307200 bytes (McAfee, Inc., McAfee Core Firewall Engine Driver)
0xBF5E3000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0x9E761000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF5C0D000 C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys 221184 bytes (Conexant Systems, Inc., HSF_HWB2 WDM driver)
0xBF024000 C:\WINDOWS\System32\igxpgd32.dll 212992 bytes (Intel Corporation, Intel Graphics 2D Driver)
0xF3DCC000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF74BF000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0x9F171000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF72C6000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0x9DEEA000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xA6E42000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF5C67000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA6F2F000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF5A19000 C:\WINDOWS\system32\DRIVERS\e100b325.sys 159744 bytes (Intel Corporation, Intel® PRO/100 Adapter NDIS 5.1 driver)
0xF7469000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xA6F57000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xF4889000 C:\WINDOWS\system32\drivers\mfeavfk.sys 147456 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0xA944A000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF5C43000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF5BEA000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA6E6D000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E5000 ACPI_HAL 134400 bytes
0x806E5000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF7419000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF748F000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF72AC000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF7451000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0x9F216000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7439000 C:\WINDOWS\System32\Drivers\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xF7393000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF48BE000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x9E633000 C:\WINDOWS\system32\drivers\mfeapfk.sys 90112 bytes (McAfee, Inc., Access Protection Filter Driver)
0x9F064000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF48D5000 C:\WINDOWS\system32\DRIVERS\mfendisk.sys 81920 bytes (McAfee, Inc., McAfee NDIS Intermediate Driver)
0xF5A05000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF5C8F000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA6FE9000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xA6F7D000 C:\WINDOWS\system32\drivers\mfetdi2k.sys 77824 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
0xF7380000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xBF012000 C:\WINDOWS\System32\igxprd32.dll 73728 bytes (Intel Corporation, Intel Graphics 2D Rotation Driver)
0xF7407000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF74AE000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF48AD000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xA079D000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF76BE000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF769E000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF3FA1000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF76CE000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF775E000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xA9B8D000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF763E000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF768E000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF62A8000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF761E000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x9E91A000 C:\WINDOWS\system32\drivers\cfwids.sys 49152 bytes (McAfee, Inc., McAfee Personal Firewall IDS Plugin)
0x9EE2E000 C:\WINDOWS\system32\drivers\mfebopk.sys 49152 bytes (McAfee, Inc., Buffer Overflow Protection Driver)
0xF6288000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xA941A000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF76AE000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF760E000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF6298000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF75FE000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF77EE000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF764E000 PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF77DE000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF75EE000 BlackBox.sys 36864 bytes (RKU Driver)
0xF762E000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF767E000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF6278000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xA942A000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA943A000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF787E000 cercsr6.sys 32768 bytes (Adaptec, Inc., DELL CERC SATA1.5/6ch Miniport Driver)
0xF799E000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xA9C95000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF7996000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xA9CAD000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF786E000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF79AE000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF79A6000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF798E000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xA9CA5000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x9F26E000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 20480 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver)
0xA5998000 C:\WINDOWS\system32\Drivers\LVPr2Mon.sys 20480 bytes (-, -)
0xA9C9D000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF7876000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF790E000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7916000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF78B6000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xA03BE000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF4010000 C:\WINDOWS\system32\drivers\MODEMCSA.sys 16384 bytes (Microsoft Corporation, Unimodem CSA Filter)
0xF7AEA000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF4028000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7257000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF7A02000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xA0571000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0x86517000 C:\WINDOWS\system32\KDCOM.DLL 12288 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0x9F018000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xF6D70000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF4885000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7BA0000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7AF0000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF7BAC000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7B9E000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7BA2000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xA1D22000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF7BA4000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7B5A000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7B7E000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7AEE000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7D07000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xA5FC1000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xA930F000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7BB6000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver: 0x864B031B ?_empty_? 3301 bytes
==============================================
>Stealth
==============================================
0xF7451000 WARNING: suspicious driver modification [atapi.sys::0x864B031B]
0xF725D82A Unknown page with executable code, 2006 bytes
0x864D67D0 Unknown page with executable code, 2096 bytes
0xF725D753 Unknown page with executable code, 2221 bytes
0x864AFF02 Unknown page with executable code, 254 bytes
0x864D4EA9 Unknown page with executable code, 343 bytes
0x864D617A Unknown page with executable code, 3718 bytes


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

Edited by BreeLovesPc, 27 September 2011 - 08:02 AM.
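The report above is the first hard evidence in this thread, and the lines a responder reads first are the hidden driver (`?_empty_?`, 3301 bytes at 0x864B031B, backed by no listed module), the atapi.sys "suspicious driver modification" warning whose target is exactly that hidden driver's base address, the "Unknown page with executable code" entries that no loaded module accounts for, and the one loaded driver RkU could find no version information for (LVPr2Mon.sys, shown as `(-, -)`). The following Python script is an added example by the editor, not code from this thread or from the Rootkit Unhooker tool: it parses a saved RkU LE report and prints those findings in that order. The regexes are the editor's assumptions about the RkU 3.8 LE report format, derived from the posted lines, and SAMPLE_REPORT is an abridged copy of the posted log.

```python
"""Triage a saved Rootkit Unhooker (RkU) LE text report.

Editor's added example for this thread, not code from the posts or the RkU tool. The
regexes are assumptions about the RkU 3.8 LE report format, derived from the posted
log, and SAMPLE_REPORT is an abridged copy of that log. Flags hidden drivers, driver
modification warnings and where they point, executable pages owned by no module, and
loaded drivers with no vendor/description string.
"""
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional

DRIVER_RE = re.compile(      # 0xF7451000 atapi.sys 98304 bytes (Vendor, Description)
    r"^(?P<hidden>!+Hidden driver: )?0x(?P<base>[0-9A-Fa-f]{8}) (?P<path>\S+) "
    r"(?P<size>\d+) bytes(?: \((?P<info>.*)\))?$")
MOD_RE = re.compile(         # 0xF7451000 WARNING: suspicious driver modification [atapi.sys::0x864B031B]
    r"^0x(?P<base>[0-9A-Fa-f]{8}) WARNING: suspicious driver modification "
    r"\[(?P<driver>[^\]:]+)::0x(?P<addr>[0-9A-Fa-f]{8})\]$")
PAGE_RE = re.compile(        # 0xF725D82A Unknown page with executable code, 2006 bytes
    r"^0x(?P<addr>[0-9A-Fa-f]{8}) Unknown page with executable code, (?P<size>\d+) bytes$")

Finding = namedtuple("Finding", "severity message")   # severity: "high", "medium" or "low"


@dataclass
class Module:
    base: int
    path: str
    size: int
    info: Optional[str]      # "Vendor, Description"; None when RkU found no version info
    hidden: bool = False

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def parse_rku_report(text: str):
    """Return (modules, modifications, unknown_pages) from an RkU LE text report."""
    modules, modifications, pages, section = [], [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):           # blank line or ===== separator
            continue
        if line.startswith(">"):                       # section header: ">Drivers", ">Stealth"
            section = line[1:].strip().lower()
            continue
        if section == "drivers" and (m := DRIVER_RE.match(line)):
            info = m["info"]
            modules.append(Module(int(m["base"], 16), m["path"], int(m["size"]),
                                  None if info in (None, "-, -") else info,
                                  m["hidden"] is not None))
        elif section == "stealth" and (m := MOD_RE.match(line)):
            modifications.append({"base": int(m["base"], 16), "driver": m["driver"],
                                  "addr": int(m["addr"], 16)})
        elif section == "stealth" and (m := PAGE_RE.match(line)):
            pages.append({"addr": int(m["addr"], 16), "size": int(m["size"])})
    return modules, modifications, pages


def triage(modules: List[Module], modifications: List[dict], pages: List[dict]) -> List[Finding]:
    visible = [m for m in modules if not m.hidden]
    hidden = [m for m in modules if m.hidden]
    findings = []
    for h in hidden:
        host = next((v for v in visible if v.contains(h.base)), None)
        where = f"inside {host.path}" if host else "backed by no listed module (pool memory)"
        findings.append(Finding("high", f"hidden driver at 0x{h.base:08X}, {h.size} bytes, {where}"))
    for mod in modifications:
        target = next((h for h in hidden if h.contains(mod["addr"])), None)   # hook into hidden code?
        verdict = "patched to jump into hidden code" if target else "modified; target is in no hidden driver"
        findings.append(Finding("high", f"{mod['driver']} (0x{mod['base']:08X}) {verdict} at 0x{mod['addr']:08X}"))
    orphans = [p for p in pages if not any(m.contains(p["addr"]) for m in modules)]
    if orphans:
        findings.append(Finding("medium", f"{len(orphans)} executable page(s) belong to no loaded or hidden module"))
    for v in visible:
        if v.info is None:
            findings.append(Finding("low", f"loaded driver without version info: {v.path}"))
    return findings


SAMPLE_REPORT = r"""RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
>Drivers
==============================================
0xF7451000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xA944A000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF75EE000 BlackBox.sys 36864 bytes (RKU Driver)
0xA5998000 C:\WINDOWS\system32\Drivers\LVPr2Mon.sys 20480 bytes (-, -)
0xF7257000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
!!!!!!!!!!!Hidden driver: 0x864B031B ?_empty_? 3301 bytes
==============================================
>Stealth
==============================================
0xF7451000 WARNING: suspicious driver modification [atapi.sys::0x864B031B]
0xF725D82A Unknown page with executable code, 2006 bytes
0x864D67D0 Unknown page with executable code, 2096 bytes
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
"""

if __name__ == "__main__":
    for f in triage(*parse_rku_report(SAMPLE_REPORT)):
        print(f"[{f.severity:>6}] {f.message}")
```

Run it directly to print the findings for the abridged sample, or pass the full text of a saved report to parse_rku_report(). The ordering is the point: a hidden driver plus a modification of a boot-critical disk driver that jumps into it is the finding that drives the next step, while a driver with missing version information is only a pointer to what to check next (file signature and vendor), not evidence on its own.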


#5 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 27 September 2011 - 09:53 AM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run ComboFix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download ComboFix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double-click on combofix.exe and follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

Information and logs:

In your next post I need the following:

  • Log from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#6 BreeLovesPc
  • Topic Starter

  • Members
  • 99 posts
  • Gender:Female

Posted 27 September 2011 - 11:07 AM

ComboFix ran well. My icons on my desktop are now visible again and I see Data Recovery's icon amongst them. I am also having trouble keeping my McAfee on from time to time. Here's ComboFix's log......

ComboFix 11-09-27.01 - Administrator 09/27/2011 11:23:12.10.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.762 [GMT -4:00]
Running from: c:\downloads\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((( Files Created from 2011-08-27 to 2011-09-27 )))))))))))))))))))))))))))))))
.
.
2011-09-27 12:42 . 2011-09-27 12:42 35712 ----a-w- c:\windows\system32\drivers\BlackBox.sys
2011-09-27 12:41 . 2011-09-27 12:41 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-09-27 00:03 . 2011-09-27 00:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\McAfee
2011-09-26 23:35 . 2011-09-26 23:35 346624 ----a-w- c:\documents and settings\All Users\Application Data\6DSS92c31Apgjk.exe
2011-09-23 03:04 . 2011-09-23 03:04 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-19 17:41 . 2011-09-19 17:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sandlot Games
2011-09-19 17:40 . 2011-09-27 00:00 -------- d-----w- c:\program files\Burger Island
2011-09-17 01:27 . 2011-09-17 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\CodecCheck
2011-09-17 01:27 . 2011-09-17 01:49 -------- d-----w- C:\codec-info
2011-09-15 16:56 . 2011-09-15 16:56 -------- d-----w- c:\program files\SpywareBlaster
2011-09-15 16:53 . 2011-09-17 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2011-09-12 21:10 . 2011-09-12 21:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\f-secure
2011-09-12 21:09 . 2011-09-12 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2011-09-12 20:03 . 2011-09-13 01:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PMB Files
2011-09-12 20:03 . 2011-09-12 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2011-09-12 20:03 . 2011-09-12 20:03 -------- d-----w- c:\program files\Pando Networks
2011-09-11 22:25 . 2011-09-11 22:25 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
2011-09-11 21:10 . 2011-09-26 21:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Vso
2011-09-11 21:10 . 2009-09-02 17:44 217127 ----a-w- c:\windows\system32\drv43260.dll
2011-09-11 21:10 . 2009-09-02 17:44 208935 ----a-w- c:\windows\system32\drv33260.dll
2011-09-11 21:10 . 2009-09-02 17:44 176165 ----a-w- c:\windows\system32\drv23260.dll
2011-09-11 21:10 . 2009-09-02 17:44 626688 ----a-w- c:\windows\system32\vp7vfw.dll
2011-09-11 21:10 . 2011-09-11 21:10 -------- d-----w- c:\program files\VSO
2011-09-11 20:12 . 2011-09-27 00:03 -------- d-----w- c:\program files\Common Files\Nero
2011-09-11 20:12 . 2011-09-27 00:03 -------- d-----w- c:\program files\Nero
2011-09-11 05:14 . 2011-09-11 05:14 -------- d-----w- c:\program files\RealZeal Soft
2011-09-11 00:35 . 2011-09-11 00:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\ElevatedDiagnostics
2011-09-11 00:17 . 2011-09-11 00:19 -------- dc-h--w- c:\windows\ie8
2011-09-09 22:00 . 2011-09-09 22:02 -------- d-----w- c:\windows\system32\Adobe
2011-09-09 21:52 . 2011-09-09 23:39 -------- d-----w- c:\program files\3DChat
2011-09-09 20:02 . 2011-09-09 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2011-09-08 22:50 . 2011-09-08 22:50 -------- d-----w- c:\program files\thriXXX
2011-09-08 17:21 . 2011-09-08 17:21 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2011-09-08 16:47 . 2011-09-08 17:22 -------- d-----w- c:\program files\Singles
2011-09-07 23:08 . 2011-09-07 23:08 -------- d--h--w- c:\documents and settings\All Users\Application Data\boost_interprocess
2011-09-07 22:47 . 2011-09-07 22:47 -------- d-----w- c:\documents and settings\Administrator\AppData
2011-09-07 20:28 . 2000-05-22 18:58 115920 ----a-w- c:\windows\system32\msinet.OCX
2011-09-07 20:28 . 1998-07-13 02:00 15360 ----a-w- c:\windows\system32\inetfr.DLL
2011-09-07 20:28 . 2000-10-01 22:00 119568 ----a-w- c:\windows\system32\VB6FR.DLL
2011-09-07 20:28 . 1999-03-25 22:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2011-09-07 20:28 . 2011-09-07 20:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\FreeBurner
2011-09-07 20:28 . 2004-03-09 02:00 152848 ----a-w- c:\windows\system32\COMDLG32.OCX
2011-09-07 20:28 . 1998-07-13 02:00 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
2011-09-07 20:28 . 1998-07-12 22:00 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2011-09-07 20:10 . 2011-09-07 20:10 -------- d-----w- C:\games
2011-09-07 14:47 . 2011-09-07 14:47 -------- d-----w- c:\program files\SourceTec
2011-09-07 02:49 . 2010-01-10 23:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2011-09-07 02:49 . 2010-01-10 23:40 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2011-09-07 02:48 . 2011-09-07 02:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\WinPatrol
2011-09-07 02:48 . 2011-09-07 02:48 -------- d-----w- c:\program files\BillP Studios
2011-09-06 23:39 . 2011-07-08 11:55 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-06 23:38 . 2011-07-08 11:55 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-06 23:38 . 2011-09-06 23:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-04 02:10 . 2011-09-27 14:56 -------- d-----w- c:\program files\FlashGet
2011-09-03 10:17 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
2011-09-01 21:15 . 2011-01-13 20:06 892928 ----a-w- c:\windows\system32\iconv.dll
2011-09-01 21:15 . 2011-01-13 20:06 675840 ----a-w- c:\windows\system32\ac3filter.ax
2011-09-01 21:15 . 2011-09-01 21:18 -------- d-----w- c:\program files\Wondershare
2011-09-01 03:57 . 2009-03-12 16:53 483422 ----a-w- c:\windows\sttray.exe
2011-09-01 03:57 . 2009-03-12 16:53 171520 ----a-w- c:\windows\system32\st322000.dll
2011-09-01 02:16 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-09-01 02:16 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-09-01 02:13 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-01 15:25 . 2010-09-07 19:39 150392 ----a-w- C:\junction.exe
2011-09-01 01:21 . 2011-05-25 02:49 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-26 04:21 . 2011-08-26 04:21 22 --sha-w- c:\documents and settings\Administrator\Application Data\Sys2662.Config.Repository.bin
2011-08-06 19:46 . 2011-08-06 19:46 450 ----a-w- c:\program files\0806201115462596.bat
2011-08-04 21:39 . 2011-08-04 21:39 452 ----a-w- c:\program files\0804201117390010.bat
2011-07-15 13:29 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-04 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-09-03 06:01 . 2011-09-07 22:52 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 18:01 . 2011-03-26 23:28 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-06-28 1195408]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-12 483422]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-10-21 14:51 172032 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-10-21 14:51 143360 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-10-21 14:51 143360 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]
2009-03-12 16:53 483422 ----a-w- c:\program files\IDT\WDM\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\IMVUClient\\1VivoxVoice.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\IMVUClient\\Uninstall.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"67:UDP"= 67:UDP:DHCP Server
"57162:TCP"= 57162:TCP:Pando Media Booster
"57162:UDP"= 57162:UDP:Pando Media Booster
.
S1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [3/26/2011 7:28 PM 84200]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [12/11/2010 2:29 PM 110752]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/26/2011 7:28 PM 271480]
S2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/26/2011 7:28 PM 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/26/2011 7:28 PM 271480]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [3/26/2011 7:28 PM 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [3/26/2011 7:17 PM 141792]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [3/26/2011 7:28 PM 56064]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [3/26/2011 7:28 PM 314088]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [3/26/2011 7:28 PM 88736]
S3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [3/26/2011 7:28 PM 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/26/2011 7:28 PM 84488]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys --> c:\windows\system32\DRIVERS\wg111v2.sys [?]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 8:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
srvE90
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-22 c:\windows\Tasks\AdobeAAMUpdater-1.0-OWNER-Administrator.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-04-21 07:44]
.
2011-09-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
.
------- Supplementary Scan -------
.
IE: &Download All with FlashGet - c:\progra~1\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\progra~1\FlashGet\jc_link.htm
IE: Visit in &3D using ExitReality - http://3d.exitreality.com/TransmogrifyPage.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.7.254
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6dqizvkp.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z134&form=ZGAADF&install_date=20110917&q=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
------- File Associations -------
.
txtfile=%SystemRoot%\NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-OpdotwhWLtLW.exe - c:\documents and settings\All Users\Application Data\OpdotwhWLtLW.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-27 11:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160815AS rev.3.AAC -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x864C431B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2000478354-1085031214-725345543-500\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (Administrator)
"{99079A25-328F-4BD4-BE04-00955ACAA0A7}"=hex:51,66,7a,6c,4c,1d,3b,1b,35,86,15,
80,b8,65,bc,0e,a1,0a,46,d5,5b,89,ed,be
"{9D717F81-9148-4F12-8568-69135F087DB0}"=hex:51,66,7a,6c,4c,1d,3b,1b,91,63,63,
84,7f,c6,7a,0a,9a,66,2f,53,5e,4b,30,a9
.
[HKEY_USERS\S-1-5-21-2000478354-1085031214-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ce,a3,9f,78,f2,bf,4d,44,a8,6b,b2,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ce,a3,9f,78,f2,bf,4d,44,a8,6b,b2,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\08\01\16\17\16#?"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(264)
c:\windows\system32\WININET.dll
c:\windows\system32\l3codecp.acm
c:\windows\system32\sirenacm.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
.
- - - - - - - > 'lsass.exe'(324)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(400)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\l3codecp.acm
c:\windows\system32\sirenacm.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
Completion time: 2011-09-27 11:59:13
ComboFix-quarantined-files.txt 2011-09-27 15:59
.
Pre-Run: 17,071,058,944 bytes free
Post-Run: 17,656,705,024 bytes free
.
- - End Of File - - F2C7F46AE9A82F1D066AC60C551F73D0

#7 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 27 September 2011 - 08:18 PM

Hello

I want you to run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

#8 BreeLovesPc (Topic Starter)
  • Members
  • 99 posts
  • Gender:Female

Posted 27 September 2011 - 09:46 PM

22:41:20.0078 3684 TDSS rootkit removing tool 2.6.2.0 Sep 26 2011 18:56:43
22:41:20.0437 3684 ============================================================
22:41:20.0437 3684 Current date / time: 2011/09/27 22:41:20.0437
22:41:20.0437 3684 SystemInfo:
22:41:20.0437 3684
22:41:20.0437 3684 OS Version: 5.1.2600 ServicePack: 3.0
22:41:20.0437 3684 Product type: Workstation
22:41:20.0437 3684 ComputerName: OWNER
22:41:20.0437 3684 UserName: Administrator
22:41:20.0437 3684 Windows directory: C:\WINDOWS
22:41:20.0437 3684 System windows directory: C:\WINDOWS
22:41:20.0437 3684 Processor architecture: Intel x86
22:41:20.0437 3684 Number of processors: 2
22:41:20.0437 3684 Page size: 0x1000
22:41:20.0437 3684 Boot type: Normal boot
22:41:20.0437 3684 ============================================================
22:41:21.0093 3684 Initialize success
22:41:28.0046 3836 ============================================================
22:41:28.0046 3836 Scan started
22:41:28.0046 3836 Mode: Manual;
22:41:28.0046 3836 ============================================================
22:41:28.0562 3836 5f1301f2 (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\4060156767:2699886093.exe
22:41:29.0171 3836 Suspicious file (Hidden): C:\WINDOWS\4060156767:2699886093.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
22:41:29.0171 3836 5f1301f2 ( HiddenFile.Multi.Generic ) - warning
22:41:29.0171 3836 5f1301f2 - detected HiddenFile.Multi.Generic (1)
22:41:29.0609 3836 Abiosdsk - ok
22:41:30.0062 3836 abp480n5 - ok
22:41:30.0203 3836 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
22:41:30.0218 3836 ACPI - ok
22:41:30.0281 3836 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
22:41:30.0296 3836 ACPIEC - ok
22:41:30.0359 3836 adpu160m - ok
22:41:30.0468 3836 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
22:41:30.0484 3836 aec - ok
22:41:30.0531 3836 AegisP (30bb1bde595ca65fd5549462080d94e5) C:\WINDOWS\system32\DRIVERS\AegisP.sys
22:41:30.0531 3836 AegisP - ok
22:41:30.0578 3836 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
22:41:30.0578 3836 AFD - ok
22:41:30.0625 3836 Aha154x - ok
22:41:30.0687 3836 aic78u2 - ok
22:41:30.0765 3836 aic78xx - ok
22:41:30.0812 3836 AliIde - ok
22:41:30.0859 3836 amsint - ok
22:41:30.0906 3836 asc - ok
22:41:30.0968 3836 asc3350p - ok
22:41:31.0015 3836 asc3550 - ok
22:41:31.0078 3836 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
22:41:31.0093 3836 AsyncMac - ok
22:41:31.0156 3836 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
22:41:31.0156 3836 atapi - ok
22:41:31.0187 3836 Atdisk - ok
22:41:31.0218 3836 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
22:41:31.0218 3836 Atmarpc - ok
22:41:31.0265 3836 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
22:41:31.0265 3836 audstub - ok
22:41:31.0328 3836 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
22:41:31.0343 3836 Beep - ok
22:41:31.0468 3836 catchme - ok
22:41:31.0562 3836 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
22:41:31.0562 3836 cbidf2k - ok
22:41:31.0593 3836 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
22:41:31.0593 3836 CCDECODE - ok
22:41:31.0625 3836 cd20xrnt - ok
22:41:31.0640 3836 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
22:41:31.0640 3836 Cdaudio - ok
22:41:31.0671 3836 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
22:41:31.0671 3836 Cdfs - ok
22:41:31.0687 3836 Cdrom (33999c67ff8dc6b2dffbe06a3418631d) C:\WINDOWS\system32\DRIVERS\cdrom.sys
22:41:31.0687 3836 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cdrom.sys. Real md5: 33999c67ff8dc6b2dffbe06a3418631d, Fake md5: 1f4260cc5b42272d71f79e570a27a4fe
22:41:31.0687 3836 Cdrom ( ForgedFile.Multi.Generic ) - warning
22:41:31.0687 3836 Cdrom - detected ForgedFile.Multi.Generic (1)
22:41:31.0734 3836 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
22:41:31.0750 3836 cercsr6 - ok
22:41:31.0812 3836 cfwids (7fd604cd7a7a0ff8975af61bdf64c577) C:\WINDOWS\system32\drivers\cfwids.sys
22:41:31.0812 3836 cfwids - ok
22:41:31.0843 3836 Changer - ok
22:41:31.0890 3836 CmdIde - ok
22:41:31.0953 3836 Cpqarray - ok
22:41:32.0000 3836 dac2w2k - ok
22:41:32.0062 3836 dac960nt - ok
22:41:32.0109 3836 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
22:41:32.0109 3836 Disk - ok
22:41:32.0171 3836 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
22:41:32.0203 3836 dmboot - ok
22:41:32.0296 3836 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
22:41:32.0296 3836 dmio - ok
22:41:32.0328 3836 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
22:41:32.0328 3836 dmload - ok
22:41:32.0375 3836 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
22:41:32.0390 3836 DMusic - ok
22:41:32.0546 3836 dpti2o - ok
22:41:32.0734 3836 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
22:41:32.0750 3836 drmkaud - ok
22:41:32.0937 3836 E100B (ac9cf17ee2ae003c98eb4f5336c38058) C:\WINDOWS\system32\DRIVERS\e100b325.sys
22:41:32.0937 3836 E100B - ok
22:41:32.0984 3836 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
22:41:33.0000 3836 Fastfat - ok
22:41:33.0015 3836 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
22:41:33.0015 3836 Fdc - ok
22:41:33.0046 3836 FilterService (b73ec688c29f81f9da0fcf63682b3ecb) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
22:41:33.0046 3836 FilterService - ok
22:41:33.0078 3836 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
22:41:33.0078 3836 Fips - ok
22:41:33.0093 3836 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
22:41:33.0109 3836 Flpydisk - ok
22:41:33.0140 3836 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
22:41:33.0140 3836 FltMgr - ok
22:41:33.0187 3836 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
22:41:33.0187 3836 Fs_Rec - ok
22:41:33.0187 3836 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
22:41:33.0203 3836 Ftdisk - ok
22:41:33.0218 3836 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
22:41:33.0234 3836 Gpc - ok
22:41:33.0296 3836 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
22:41:33.0296 3836 HDAudBus - ok
22:41:33.0328 3836 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
22:41:33.0328 3836 HidUsb - ok
22:41:33.0406 3836 hpn - ok
22:41:33.0500 3836 HSFHWBS2 (c27c1231a205086d35088e13817985b0) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
22:41:33.0515 3836 HSFHWBS2 - ok
22:41:33.0562 3836 HSF_DP (73d70d6b8516075fb4de65726f74a121) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
22:41:33.0609 3836 HSF_DP - ok
22:41:33.0656 3836 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
22:41:33.0656 3836 HTTP - ok
22:41:33.0671 3836 i2omgmt - ok
22:41:33.0687 3836 i2omp - ok
22:41:33.0718 3836 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
22:41:33.0718 3836 i8042prt - ok
22:41:33.0921 3836 ialm (1312e0141a7bd409afadd52fa565927e) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
22:41:34.0078 3836 ialm - ok
22:41:34.0140 3836 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
22:41:34.0140 3836 Imapi - ok
22:41:34.0171 3836 ini910u - ok
22:41:34.0203 3836 IntelIde - ok
22:41:34.0234 3836 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
22:41:34.0250 3836 intelppm - ok
22:41:34.0281 3836 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
22:41:34.0296 3836 Ip6Fw - ok
22:41:34.0359 3836 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
22:41:34.0359 3836 IpFilterDriver - ok
22:41:34.0406 3836 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
22:41:34.0421 3836 IpInIp - ok
22:41:34.0468 3836 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
22:41:34.0468 3836 IpNat - ok
22:41:34.0500 3836 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
22:41:34.0515 3836 IPSec - ok
22:41:34.0562 3836 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
22:41:34.0562 3836 IRENUM - ok
22:41:34.0609 3836 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
22:41:34.0609 3836 isapnp - ok
22:41:34.0640 3836 JL2005C (d0cf54a5e47110e1d13728f75c54c620) C:\WINDOWS\system32\Drivers\jl2005c.sys
22:41:34.0656 3836 JL2005C - ok
22:41:34.0671 3836 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
22:41:34.0671 3836 Kbdclass - ok
22:41:34.0750 3836 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
22:41:34.0750 3836 kbdhid - ok
22:41:34.0796 3836 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
22:41:34.0796 3836 kmixer - ok
22:41:34.0875 3836 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
22:41:34.0875 3836 KSecDD - ok
22:41:34.0921 3836 lbrtfdc - ok
22:41:35.0015 3836 lvpopflt (9fb982de1c8dd769f8ed681dd878b12f) C:\WINDOWS\system32\DRIVERS\lvpopflt.sys
22:41:35.0031 3836 lvpopflt - ok
22:41:35.0140 3836 LVPr2Mon (1a7db7a00a4b0d8da24cd691a4547291) C:\WINDOWS\system32\Drivers\LVPr2Mon.sys
22:41:35.0140 3836 LVPr2Mon - ok
22:41:35.0515 3836 LVRS (37072ec9299e825f4335cc554b6fac6a) C:\WINDOWS\system32\DRIVERS\lvrs.sys
22:41:35.0625 3836 LVRS - ok
22:41:35.0953 3836 LVUSBSta (8b79a50360fc31df6b7b979b686b4aa2) C:\WINDOWS\system32\drivers\LVUSBSta.sys
22:41:35.0953 3836 LVUSBSta - ok
22:41:36.0171 3836 LVUVC (a240e42a7402e927a71b6e8aa4629b13) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
22:41:36.0312 3836 LVUVC - ok
22:41:36.0453 3836 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
22:41:36.0453 3836 mdmxsdk - ok
22:41:36.0546 3836 mfeapfk (113445fc6a858ef453cded5b0a0df665) C:\WINDOWS\system32\drivers\mfeapfk.sys
22:41:36.0546 3836 mfeapfk - ok
22:41:36.0609 3836 mfeavfk (dbf6e1b388d5c070d438c61adb990c30) C:\WINDOWS\system32\drivers\mfeavfk.sys
22:41:36.0609 3836 mfeavfk - ok
22:41:36.0640 3836 mfebopk (a528b15e330edb83ea649be318d841d5) C:\WINDOWS\system32\drivers\mfebopk.sys
22:41:36.0640 3836 mfebopk - ok
22:41:36.0703 3836 mfefirek (c7da1b8003c89acedaa13768f7a1c622) C:\WINDOWS\system32\drivers\mfefirek.sys
22:41:36.0718 3836 mfefirek - ok
22:41:36.0750 3836 mfehidk (5e9679bb2fc4fa38ec8ca906c47acd46) C:\WINDOWS\system32\drivers\mfehidk.sys
22:41:36.0765 3836 mfehidk - ok
22:41:36.0796 3836 mfendisk (b1728195877b18ce63cf0cd00b2871eb) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
22:41:36.0796 3836 mfendisk - ok
22:41:36.0812 3836 mfendiskmp (b1728195877b18ce63cf0cd00b2871eb) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
22:41:36.0812 3836 mfendiskmp - ok
22:41:36.0875 3836 mferkdet (ce1711f7c3f72f6762abd241dcfd5ee1) C:\WINDOWS\system32\drivers\mferkdet.sys
22:41:36.0875 3836 mferkdet - ok
22:41:36.0937 3836 mfetdi2k (25e12c68b49a64ffc873603dfd578236) C:\WINDOWS\system32\drivers\mfetdi2k.sys
22:41:36.0937 3836 mfetdi2k - ok
22:41:36.0984 3836 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
22:41:36.0984 3836 mnmdd - ok
22:41:37.0109 3836 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
22:41:37.0109 3836 Modem - ok
22:41:37.0156 3836 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
22:41:37.0156 3836 MODEMCSA - ok
22:41:37.0171 3836 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
22:41:37.0171 3836 Mouclass - ok
22:41:37.0218 3836 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
22:41:37.0218 3836 mouhid - ok
22:41:37.0265 3836 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
22:41:37.0265 3836 MountMgr - ok
22:41:37.0281 3836 mraid35x - ok
22:41:37.0359 3836 MREMP50 - ok
22:41:37.0359 3836 MRESP50 - ok
22:41:37.0453 3836 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
22:41:37.0453 3836 MRxDAV - ok
22:41:37.0531 3836 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
22:41:37.0531 3836 MRxSmb - ok
22:41:37.0578 3836 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
22:41:37.0578 3836 Msfs - ok
22:41:37.0640 3836 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
22:41:37.0640 3836 MSKSSRV - ok
22:41:37.0671 3836 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
22:41:37.0671 3836 MSPCLOCK - ok
22:41:37.0703 3836 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
22:41:37.0703 3836 MSPQM - ok
22:41:37.0765 3836 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
22:41:37.0765 3836 mssmbios - ok
22:41:37.0828 3836 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
22:41:37.0828 3836 MSTEE - ok
22:41:37.0906 3836 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
22:41:37.0906 3836 Mup - ok
22:41:37.0953 3836 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
22:41:37.0953 3836 NABTSFEC - ok
22:41:38.0078 3836 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
22:41:38.0093 3836 NDIS - ok
22:41:38.0234 3836 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
22:41:38.0250 3836 NdisIP - ok
22:41:38.0390 3836 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
22:41:38.0390 3836 NdisTapi - ok
22:41:38.0453 3836 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
22:41:38.0453 3836 Ndisuio - ok
22:41:38.0468 3836 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
22:41:38.0468 3836 NdisWan - ok
22:41:38.0531 3836 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
22:41:38.0531 3836 NDProxy - ok
22:41:38.0546 3836 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
22:41:38.0546 3836 NetBIOS - ok
22:41:38.0578 3836 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
22:41:38.0578 3836 NetBT - ok
22:41:38.0625 3836 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
22:41:38.0625 3836 Npfs - ok
22:41:38.0687 3836 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
22:41:38.0718 3836 Ntfs - ok
22:41:38.0781 3836 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
22:41:38.0781 3836 Null - ok
22:41:38.0843 3836 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
22:41:38.0843 3836 NwlnkFlt - ok
22:41:38.0875 3836 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
22:41:38.0875 3836 NwlnkFwd - ok
22:41:38.0953 3836 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
22:41:38.0968 3836 Parport - ok
22:41:39.0000 3836 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
22:41:39.0000 3836 PartMgr - ok
22:41:39.0031 3836 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
22:41:39.0031 3836 ParVdm - ok
22:41:39.0078 3836 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
22:41:39.0078 3836 PCI - ok
22:41:39.0109 3836 PCIDump - ok
22:41:39.0187 3836 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
22:41:39.0187 3836 PCIIde - ok
22:41:39.0218 3836 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
22:41:39.0218 3836 Pcmcia - ok
22:41:39.0296 3836 PDCOMP - ok
22:41:39.0546 3836 PDFRAME - ok
22:41:39.0625 3836 PDRELI - ok
22:41:39.0671 3836 PDRFRAME - ok
22:41:39.0703 3836 perc2 - ok
22:41:39.0765 3836 perc2hib - ok
22:41:39.0843 3836 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
22:41:39.0843 3836 PptpMiniport - ok
22:41:39.0890 3836 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
22:41:39.0890 3836 PSched - ok
22:41:39.0984 3836 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
22:41:40.0000 3836 Ptilink - ok
22:41:40.0031 3836 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
22:41:40.0031 3836 PxHelp20 - ok
22:41:40.0046 3836 ql1080 - ok
22:41:40.0062 3836 Ql10wnt - ok
22:41:40.0109 3836 ql12160 - ok
22:41:40.0156 3836 ql1240 - ok
22:41:40.0187 3836 ql1280 - ok
22:41:40.0250 3836 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
22:41:40.0250 3836 RasAcd - ok
22:41:40.0281 3836 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
22:41:40.0281 3836 Rasl2tp - ok
22:41:40.0296 3836 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
22:41:40.0296 3836 RasPppoe - ok
22:41:40.0328 3836 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
22:41:40.0343 3836 Raspti - ok
22:41:40.0390 3836 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
22:41:40.0421 3836 Rdbss - ok
22:41:40.0546 3836 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
22:41:40.0562 3836 RDPCDD - ok
22:41:40.0656 3836 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
22:41:40.0671 3836 rdpdr - ok
22:41:40.0906 3836 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
22:41:40.0921 3836 RDPWD - ok
22:41:41.0109 3836 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
22:41:41.0109 3836 redbook - ok
22:41:41.0156 3836 RTLWUSB - ok
22:41:41.0218 3836 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
22:41:41.0218 3836 Secdrv - ok
22:41:41.0234 3836 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
22:41:41.0234 3836 serenum - ok
22:41:41.0250 3836 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
22:41:41.0250 3836 Serial - ok
22:41:41.0328 3836 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
22:41:41.0328 3836 Sfloppy - ok
22:41:41.0437 3836 Simbad - ok
22:41:41.0531 3836 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
22:41:41.0546 3836 SLIP - ok
22:41:41.0593 3836 Sparrow - ok
22:41:41.0640 3836 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
22:41:41.0640 3836 splitter - ok
22:41:41.0734 3836 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
22:41:41.0734 3836 sr - ok
22:41:41.0796 3836 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
22:41:41.0812 3836 Srv - ok
22:41:41.0890 3836 STHDA (228519217a88c2f6b0cf8c022e6d669c) C:\WINDOWS\system32\drivers\sthda.sys
22:41:41.0906 3836 STHDA - ok
22:41:41.0953 3836 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
22:41:41.0953 3836 streamip - ok
22:41:41.0984 3836 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
22:41:41.0984 3836 swenum - ok
22:41:42.0046 3836 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
22:41:42.0046 3836 swmidi - ok
22:41:42.0062 3836 symc810 - ok
22:41:42.0078 3836 symc8xx - ok
22:41:42.0093 3836 sym_hi - ok
22:41:42.0109 3836 sym_u3 - ok
22:41:42.0187 3836 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
22:41:42.0187 3836 sysaudio - ok
22:41:42.0250 3836 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
22:41:42.0250 3836 Tcpip - ok
22:41:42.0296 3836 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
22:41:42.0296 3836 TDPIPE - ok
22:41:42.0359 3836 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
22:41:42.0359 3836 TDTCP - ok
22:41:42.0406 3836 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
22:41:42.0406 3836 TermDD - ok
22:41:42.0453 3836 TosIde - ok
22:41:42.0500 3836 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
22:41:42.0500 3836 Udfs - ok
22:41:42.0515 3836 ultra - ok
22:41:42.0578 3836 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
22:41:42.0578 3836 Update - ok
22:41:42.0640 3836 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
22:41:42.0640 3836 usbaudio - ok
22:41:42.0671 3836 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
22:41:42.0671 3836 usbccgp - ok
22:41:42.0734 3836 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
22:41:42.0734 3836 usbehci - ok
22:41:42.0765 3836 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
22:41:42.0765 3836 usbhub - ok
22:41:42.0812 3836 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
22:41:42.0812 3836 USBSTOR - ok
22:41:42.0843 3836 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
22:41:42.0843 3836 usbuhci - ok
22:41:42.0890 3836 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
22:41:42.0890 3836 usbvideo - ok
22:41:42.0921 3836 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
22:41:42.0921 3836 VgaSave - ok
22:41:42.0937 3836 ViaIde - ok
22:41:42.0953 3836 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
22:41:42.0968 3836 VolSnap - ok
22:41:43.0000 3836 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
22:41:43.0000 3836 Wanarp - ok
22:41:43.0015 3836 WDICA - ok
22:41:43.0062 3836 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
22:41:43.0062 3836 wdmaud - ok
22:41:43.0296 3836 winachsf (9c26534a3d2aa00352ffcd23bfef1399) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
22:41:43.0328 3836 winachsf - ok
22:41:43.0484 3836 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
22:41:43.0484 3836 WpdUsb - ok
22:41:43.0546 3836 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
22:41:43.0546 3836 WS2IFSL - ok
22:41:43.0625 3836 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
22:41:43.0625 3836 WSTCODEC - ok
22:41:43.0656 3836 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
22:41:43.0656 3836 WudfPf - ok
22:41:43.0687 3836 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
22:41:43.0687 3836 WudfRd - ok
22:41:43.0750 3836 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
22:41:43.0750 3836 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - infected
22:41:43.0750 3836 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
22:41:43.0750 3836 Boot (0x1200) (09094659f87ed6f19536ae950946c8d5) \Device\Harddisk0\DR0\Partition0
22:41:43.0750 3836 \Device\Harddisk0\DR0\Partition0 - ok
22:41:43.0750 3836 ============================================================
22:41:43.0750 3836 Scan finished
22:41:43.0750 3836 ============================================================
22:41:43.0765 3828 Detected object count: 3
22:41:43.0765 3828 Actual detected object count: 3
22:42:06.0546 3828 HKLM\SYSTEM\ControlSet001\services\5f1301f2 - will be deleted on reboot
22:42:06.0546 3828 HKLM\SYSTEM\ControlSet003\services\5f1301f2 - will be deleted on reboot
22:42:06.0546 3828 C:\WINDOWS\4060156767:2699886093.exe - will be deleted on reboot
22:42:06.0546 3828 5f1301f2 ( HiddenFile.Multi.Generic ) - User select action: Delete
22:42:06.0546 3828 HKLM\SYSTEM\ControlSet001\services\Cdrom - will be deleted on reboot
22:42:06.0562 3828 HKLM\SYSTEM\ControlSet003\services\Cdrom - will be deleted on reboot
22:42:06.0562 3828 C:\WINDOWS\system32\DRIVERS\cdrom.sys - will be deleted on reboot
22:42:06.0562 3828 Cdrom ( ForgedFile.Multi.Generic ) - User select action: Delete
22:42:06.0625 3828 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - will be cured on reboot
22:42:06.0625 3828 \Device\Harddisk0\DR0 - ok
22:42:06.0625 3828 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - User select action: Cure
22:42:11.0953 3656 Deinitialize success
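
Editor's note, not a post in this thread: the TDSSKiller log above ends with three flagged objects, the MBR of \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4, set to be cured), the hidden service 5f1301f2 whose file sits in an NTFS alternate data stream (the colon inside C:\WINDOWS\4060156767:2699886093.exe marks a stream, not a file name), and a forged cdrom.sys that was deleted rather than restored. The script below is an added example (not TDSSKiller's code and not from the thread) that reduces such a log to those facts and checks that the tool's own "Detected object count" matches what was parsed. The line format `HH:MM:SS.ffff <thread-id> <message>` is inferred from the log above, and the sample lines are excerpted from it.

```python
"""Triage a TDSSKiller log (added example; not TDSSKiller's code, not from the thread).

Line format assumed from the log posted above: `HH:MM:SS.ffff <thread-id> <message>`.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<tid>\d+)\s+(?P<msg>.*)$")
VERDICT_RE = re.compile(r"^(?P<obj>.+?) \( (?P<verdict>[^()]+?) \) - (?P<rest>.+)$")
PENDING_RE = re.compile(r"^will be (?P<what>deleted|cured) on reboot$")
MBR_RE = re.compile(r"^MBR \(0x[0-9A-Fa-f]+\) \((?P<md5>[0-9a-f]{32})\) (?P<dev>\\Device\\\S+)$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")
# A colon inside a path component (after the drive letter) names an NTFS alternate data stream.
ADS_RE = re.compile(r"^[A-Za-z]:\\.*[^\\]:[^\\]+$")

# Sample input: lines excerpted from the TDSSKiller log posted above.
SAMPLE_LOG = r"""
22:41:40.0390 3836 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
22:41:40.0421 3836 Rdbss - ok
22:41:43.0750 3836 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
22:41:43.0750 3836 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - infected
22:41:43.0750 3836 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
22:41:43.0750 3836 Boot (0x1200) (09094659f87ed6f19536ae950946c8d5) \Device\Harddisk0\DR0\Partition0
22:41:43.0750 3836 \Device\Harddisk0\DR0\Partition0 - ok
22:41:43.0765 3828 Detected object count: 3
22:42:06.0546 3828 HKLM\SYSTEM\ControlSet001\services\5f1301f2 - will be deleted on reboot
22:42:06.0546 3828 C:\WINDOWS\4060156767:2699886093.exe - will be deleted on reboot
22:42:06.0546 3828 5f1301f2 ( HiddenFile.Multi.Generic ) - User select action: Delete
22:42:06.0562 3828 C:\WINDOWS\system32\DRIVERS\cdrom.sys - will be deleted on reboot
22:42:06.0562 3828 Cdrom ( ForgedFile.Multi.Generic ) - User select action: Delete
22:42:06.0625 3828 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - will be cured on reboot
22:42:06.0625 3828 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - User select action: Cure
"""


@dataclass
class Triage:
    verdicts: dict = field(default_factory=dict)   # object -> detection name
    actions: dict = field(default_factory=dict)    # object -> user-selected action
    pending: list = field(default_factory=list)    # (object, "deleted" | "cured") awaiting reboot
    ads_paths: list = field(default_factory=list)  # pending deletions that live in an NTFS ADS
    mbr_md5: Optional[str] = None                  # MD5 the tool computed over the MBR
    declared_count: Optional[int] = None           # the tool's own "Detected object count"

    @property
    def count_consistent(self) -> bool:
        """True when the number of distinct flagged objects matches the declared count."""
        return self.declared_count == len(self.verdicts)

    @property
    def bootkit(self) -> bool:
        """True when a Rootkit.* verdict sits on a raw disk device, i.e. an MBR infection."""
        return any(o.startswith("\\Device\\Harddisk") and v.startswith("Rootkit.")
                   for o, v in self.verdicts.items())

    @property
    def unresolved(self) -> list:
        """Flagged objects for which no user action was recorded."""
        return [o for o in self.verdicts if o not in self.actions]


def triage(log_text: str) -> Triage:
    """Parse a TDSSKiller log into detections, chosen actions and reboot-pending work."""
    t = Triage()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        if (c := COUNT_RE.match(msg)):
            t.declared_count = int(c["n"])
            continue
        if (b := MBR_RE.match(msg)):
            t.mbr_md5 = b["md5"]
            continue
        if (v := VERDICT_RE.match(msg)):          # "<object> ( <verdict> ) - <status>"
            obj, rest = v["obj"], v["rest"]
            t.verdicts[obj] = v["verdict"]
        elif " - " in msg:                        # "<object> - ok" / "- will be ... on reboot"
            obj, rest = msg.rsplit(" - ", 1)
        else:
            continue
        if (p := PENDING_RE.match(rest)):
            t.pending.append((obj, p["what"]))
            if ADS_RE.match(obj):
                t.ads_paths.append(obj)
        elif rest.startswith("User select action: "):
            t.actions[obj] = rest.split(": ", 1)[1]
    return t


if __name__ == "__main__":
    t = triage(SAMPLE_LOG)
    for obj, verdict in t.verdicts.items():
        print(f"{verdict:28} {obj:32} action={t.actions.get(obj, '<none>')}")
    print("MBR md5:", t.mbr_md5, "| bootkit:", t.bootkit, "| count consistent:", t.count_consistent)
    for obj, what in t.pending:
        print(f"pending {what} on reboot: {obj}{'  [NTFS ADS]' if obj in t.ads_paths else ''}")
```

Two things the summary makes visible that the raw log hides: the cure of the MBR and the deletions only take effect on reboot, so a second scan after the restart is what confirms them, and the forged cdrom.sys was deleted, not restored, so the next tool run should report it missing and put back a clean copy (the ComboFix log later in this thread shows exactly that restore from dllcache).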

#9 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 September 2011 - 10:25 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
c:\documents and settings\All Users\Application Data\6DSS92c31Apgjk.exe


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#10 BreeLovesPc
  • Topic Starter

  • Members
  • 99 posts
  • Gender:Female

Posted 28 September 2011 - 09:43 AM

The computer seems to be running quite well. I don't see the Data Recovery icon anymore either :) Here's ComboFix's log:

ComboFix 11-09-28.01 - Administrator 09/28/2011 10:16:10.11.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.672 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
FILE ::
"c:\documents and settings\All Users\Application Data\6DSS92c31Apgjk.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Desktop\Data Recovery.lnk
c:\documents and settings\All Users\Application Data\6DSS92c31Apgjk.exe
c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe
c:\windows\$NtUninstallKB41246$
c:\windows\$NtUninstallKB41246$\1595081202\@
c:\windows\$NtUninstallKB41246$\1595081202\click.tlb
c:\windows\$NtUninstallKB41246$\1595081202\L\dmdczkoi
c:\windows\$NtUninstallKB41246$\1595081202\loader.tlb
c:\windows\$NtUninstallKB41246$\1595081202\U\@00000001
c:\windows\$NtUninstallKB41246$\1595081202\U\@000000c0
c:\windows\$NtUninstallKB41246$\1595081202\U\@000000cb
c:\windows\$NtUninstallKB41246$\1595081202\U\@000000cf
c:\windows\$NtUninstallKB41246$\1595081202\U\@80000000
c:\windows\$NtUninstallKB41246$\1595081202\U\@800000c0
c:\windows\$NtUninstallKB41246$\1595081202\U\@800000cb
c:\windows\$NtUninstallKB41246$\1595081202\U\@800000cf
c:\windows\$NtUninstallKB41246$\3967539629
c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}
c:\windows\system32\
c:\windows\system32\c_13191.nls
c:\windows\system32\d3d9caps.dat
.
Infected copy of c:\windows\system32\drivers\i8042prt.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
c:\windows\system32\drivers\cdrom.sys was missing
Restored copy from - c:\windows\system32\dllcache\cdrom.sys
.
Infected copy of c:\windows\system32\IProsetMonitor.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{088E5011-654A-48C3-8AFF-F1C45145F9F1}\RP60\A0016500.exe
.
Infected copy of c:\program files\Java\jre6\bin\jqs.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{088E5011-654A-48C3-8AFF-F1C45145F9F1}\RP60\A0016501.exe
.
Infected copy of c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{088E5011-654A-48C3-8AFF-F1C45145F9F1}\RP60\A0016502.exe
.
Infected copy of c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{088E5011-654A-48C3-8AFF-F1C45145F9F1}\RP60\A0016503.exe
.
Infected copy of c:\program files\Common Files\Motive\McciCMService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{088E5011-654A-48C3-8AFF-F1C45145F9F1}\RP60\A0016504.exe
.
Infected copy of c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{088E5011-654A-48C3-8AFF-F1C45145F9F1}\RP60\A0016507.exe
.
Infected copy of c:\windows\system32\SearchIndexer.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{088E5011-654A-48C3-8AFF-F1C45145F9F1}\RP60\A0019519.exe
.
Infected copy of c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{088E5011-654A-48C3-8AFF-F1C45145F9F1}\RP60\A0016506.exe
.
Infected copy of c:\program files\Common Files\Motive\McciCMService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{088E5011-654A-48C3-8AFF-F1C45145F9F1}\RP60\A0016504.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_5f1301f2
.
.
((((((((((((((((((((((((( Files Created from 2011-08-28 to 2011-09-28 )))))))))))))))))))))))))))))))
.
.
2011-09-28 14:30 . 2010-09-22 06:05 110752 ----a-w- c:\windows\system32\IProsetMonitor.exe
2011-09-28 14:29 . 2007-04-25 09:20 62592 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-09-28 13:22 . 2008-04-13 19:18 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2011-09-28 13:22 . 2008-04-13 19:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-09-28 02:43 . 2011-09-28 02:43 48016 --sha-w- c:\windows\system32\c_13191.nl_
2011-09-27 16:45 . 2011-09-27 16:45 37376 ----a-w- c:\windows\system32\inetsw32.dll
2011-09-27 16:45 . 2011-09-27 16:45 219648 ----a-w- c:\windows\system32\intelw32.dll
2011-09-27 12:42 . 2011-09-27 12:42 35712 ----a-w- c:\windows\system32\drivers\BlackBox.sys
2011-09-27 12:41 . 2011-09-27 12:41 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-09-27 00:03 . 2011-09-27 00:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\McAfee
2011-09-23 03:04 . 2011-09-23 03:04 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-19 17:41 . 2011-09-19 17:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sandlot Games
2011-09-19 17:40 . 2011-09-27 00:00 -------- d-----w- c:\program files\Burger Island
2011-09-17 01:27 . 2011-09-17 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\CodecCheck
2011-09-17 01:27 . 2011-09-17 01:49 -------- d-----w- C:\codec-info
2011-09-15 16:56 . 2011-09-15 16:56 -------- d-----w- c:\program files\SpywareBlaster
2011-09-15 16:53 . 2011-09-17 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2011-09-12 21:10 . 2011-09-12 21:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\f-secure
2011-09-12 21:09 . 2011-09-12 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2011-09-12 20:03 . 2011-09-13 01:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PMB Files
2011-09-12 20:03 . 2011-09-12 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2011-09-12 20:03 . 2011-09-12 20:03 -------- d-----w- c:\program files\Pando Networks
2011-09-11 22:25 . 2011-09-11 22:25 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
2011-09-11 21:10 . 2011-09-26 21:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Vso
2011-09-11 21:10 . 2009-09-02 17:44 217127 ----a-w- c:\windows\system32\drv43260.dll
2011-09-11 21:10 . 2009-09-02 17:44 208935 ----a-w- c:\windows\system32\drv33260.dll
2011-09-11 21:10 . 2009-09-02 17:44 176165 ----a-w- c:\windows\system32\drv23260.dll
2011-09-11 21:10 . 2009-09-02 17:44 626688 ----a-w- c:\windows\system32\vp7vfw.dll
2011-09-11 21:10 . 2011-09-11 21:10 -------- d-----w- c:\program files\VSO
2011-09-11 20:12 . 2011-09-27 00:03 -------- d-----w- c:\program files\Common Files\Nero
2011-09-11 20:12 . 2011-09-27 00:03 -------- d-----w- c:\program files\Nero
2011-09-11 05:14 . 2011-09-11 05:14 -------- d-----w- c:\program files\RealZeal Soft
2011-09-11 00:35 . 2011-09-11 00:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\ElevatedDiagnostics
2011-09-11 00:17 . 2011-09-11 00:19 -------- dc-h--w- c:\windows\ie8
2011-09-09 22:00 . 2011-09-09 22:02 -------- d-----w- c:\windows\system32\Adobe
2011-09-09 21:52 . 2011-09-09 23:39 -------- d-----w- c:\program files\3DChat
2011-09-09 20:02 . 2011-09-09 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2011-09-08 22:50 . 2011-09-08 22:50 -------- d-----w- c:\program files\thriXXX
2011-09-08 17:21 . 2011-09-08 17:21 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2011-09-08 16:47 . 2011-09-08 17:22 -------- d-----w- c:\program files\Singles
2011-09-07 23:08 . 2011-09-07 23:08 -------- d--h--w- c:\documents and settings\All Users\Application Data\boost_interprocess
2011-09-07 22:47 . 2011-09-07 22:47 -------- d-----w- c:\documents and settings\Administrator\AppData
2011-09-07 20:28 . 2000-05-22 18:58 115920 ----a-w- c:\windows\system32\msinet.OCX
2011-09-07 20:28 . 1998-07-13 02:00 15360 ----a-w- c:\windows\system32\inetfr.DLL
2011-09-07 20:28 . 2000-10-01 22:00 119568 ----a-w- c:\windows\system32\VB6FR.DLL
2011-09-07 20:28 . 1999-03-25 22:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2011-09-07 20:28 . 2011-09-07 20:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\FreeBurner
2011-09-07 20:28 . 2004-03-09 02:00 152848 ----a-w- c:\windows\system32\COMDLG32.OCX
2011-09-07 20:28 . 1998-07-13 02:00 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
2011-09-07 20:28 . 1998-07-12 22:00 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2011-09-07 20:10 . 2011-09-07 20:10 -------- d-----w- C:\games
2011-09-07 14:47 . 2011-09-07 14:47 -------- d-----w- c:\program files\SourceTec
2011-09-07 02:49 . 2010-01-10 23:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2011-09-07 02:49 . 2010-01-10 23:40 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2011-09-07 02:48 . 2011-09-07 02:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\WinPatrol
2011-09-07 02:48 . 2011-09-07 02:48 -------- d-----w- c:\program files\BillP Studios
2011-09-06 23:39 . 2011-07-08 11:55 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-06 23:38 . 2011-07-08 11:55 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-06 23:38 . 2011-09-06 23:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-04 02:10 . 2011-09-27 14:56 -------- d-----w- c:\program files\FlashGet
2011-09-03 10:17 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
2011-09-01 21:15 . 2011-01-13 20:06 892928 ----a-w- c:\windows\system32\iconv.dll
2011-09-01 21:15 . 2011-01-13 20:06 675840 ----a-w- c:\windows\system32\ac3filter.ax
2011-09-01 21:15 . 2011-09-01 21:18 -------- d-----w- c:\program files\Wondershare
2011-09-01 03:57 . 2009-03-12 16:53 483422 ----a-w- c:\windows\sttray.exe
2011-09-01 03:57 . 2009-03-12 16:53 171520 ----a-w- c:\windows\system32\st322000.dll
2011-09-01 02:16 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-09-01 02:16 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-09-01 02:13 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-27 17:42 . 2011-03-26 23:17 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-01 15:25 . 2010-09-07 19:39 150392 ----a-w- C:\junction.exe
2011-09-01 01:21 . 2011-05-25 02:49 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-26 04:21 . 2011-08-26 04:21 22 --sha-w- c:\documents and settings\Administrator\Application Data\Sys2662.Config.Repository.bin
2011-08-06 19:46 . 2011-08-06 19:46 450 ----a-w- c:\program files\0806201115462596.bat
2011-08-04 21:39 . 2011-08-04 21:39 452 ----a-w- c:\program files\0804201117390010.bat
2011-07-15 13:29 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-04 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-09-27 23:44 . 2011-09-07 22:52 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 18:01 . 2011-03-26 23:28 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-27_15.49.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-28 14:38 . 2011-09-28 14:38 16384 c:\windows\temp\Perflib_Perfdata_13c.dat
+ 2011-09-12 23:03 . 2011-09-27 17:43 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2011-09-12 23:03 . 2011-09-26 20:41 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-10-24 17:50 . 2011-09-27 17:43 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-10-24 17:50 . 2011-09-26 20:41 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-09-27 17:43 . 2011-09-27 17:43 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2011-09-12 23:03 . 2011-09-26 20:41 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-09-28 14:38 . 2009-10-07 05:47 109080 c:\windows\temp\logishrd\LVPrcInj01.dll
+ 2008-05-27 02:18 . 2008-05-27 02:18 186880 c:\windows\system32\searchprotocolhost.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-06-28 1195408]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-12 483422]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\inetsw32]
2011-09-27 16:45 37376 ----a-w- c:\windows\system32\inetsw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\intelworks]
2011-09-27 16:45 37376 ----a-w- c:\windows\system32\inetsw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IsWow64Process]
2011-09-27 16:45 37376 ----a-w- c:\windows\system32\inetsw32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-10-21 14:51 172032 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-10-21 14:51 143360 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-10-21 14:51 143360 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]
2009-03-12 16:53 483422 ----a-w- c:\program files\IDT\WDM\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\IMVUClient\\1VivoxVoice.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\IMVUClient\\Uninstall.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"67:UDP"= 67:UDP:DHCP Server
"57162:TCP"= 57162:TCP:Pando Media Booster
"57162:UDP"= 57162:UDP:Pando Media Booster
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [3/26/2011 7:28 PM 84200]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [9/28/2011 10:30 AM 110752]
R2 intelpower;Network Location Awarene;c:\windows\System32\svchost.exe -k inetsvcs [8/4/2004 8:00 AM 14336]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [3/26/2011 7:28 PM 188136]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [3/26/2011 7:28 PM 314088]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [3/26/2011 7:28 PM 88736]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc --> c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [?]
S2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc --> c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [?]
S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc --> c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [?]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [3/26/2011 7:17 PM 141792]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [3/26/2011 7:28 PM 56064]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [3/26/2011 7:28 PM 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/26/2011 7:28 PM 84488]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys --> c:\windows\system32\DRIVERS\wg111v2.sys [?]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 8:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
inetsvcs REG_MULTI_SZ intelpower
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
srvE90
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-22 c:\windows\Tasks\AdobeAAMUpdater-1.0-OWNER-Administrator.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-04-21 07:44]
.
2011-09-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
.
------- Supplementary Scan -------
.
IE: &Download All with FlashGet - c:\progra~1\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\progra~1\FlashGet\jc_link.htm
IE: Visit in &3D using ExitReality - http://3d.exitreality.com/TransmogrifyPage.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.7.254
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6dqizvkp.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z134&form=ZGAADF&install_date=20110917&q=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
Notify-2(BDryNb~ - (no file)
SafeBoot-31346575.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-28 10:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2000478354-1085031214-725345543-500\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (Administrator)
"{99079A25-328F-4BD4-BE04-00955ACAA0A7}"=hex:51,66,7a,6c,4c,1d,3b,1b,35,86,15,
80,b8,65,bc,0e,a1,0a,46,d5,5b,89,ed,be
"{9D717F81-9148-4F12-8568-69135F087DB0}"=hex:51,66,7a,6c,4c,1d,3b,1b,91,63,63,
84,7f,c6,7a,0a,9a,66,2f,53,5e,4b,30,a9
.
[HKEY_USERS\S-1-5-21-2000478354-1085031214-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ce,a3,9f,78,f2,bf,4d,44,a8,6b,b2,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ce,a3,9f,78,f2,bf,4d,44,a8,6b,b2,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\08\01\16\17\16#?"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1024)
c:\windows\system32\inetsw32.dll
.
- - - - - - - > 'explorer.exe'(5640)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2011-09-28 10:42:04 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-28 14:42
ComboFix2.txt 2011-09-27 15:59
.
Pre-Run: 19,343,724,544 bytes free
Post-Run: 19,672,678,400 bytes free
.
- - End Of File - - 00EF182A125BCB32836A01045D42C36A

#11 gringo_pr (Bleepin Gringo)
Malware Response Team, 136,772 posts, Puerto Rico

Posted 28 September 2011 - 10:04 AM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
c:\windows\system32\c_13191.nl_


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#12 BreeLovesPc (Topic Starter)
Members, 99 posts

Posted 28 September 2011 - 11:15 AM

Thanks the computer seems to be doing great. Here's the log from combofix......

ComboFix 11-09-28.01 - Administrator 09/28/2011 11:57:46.12.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.504 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
FILE ::
"c:\windows\system32\c_13191.nl_"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\c_13191.nl_
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-08-28 to 2011-09-28 )))))))))))))))))))))))))))))))
.
.
2011-09-28 14:30 . 2010-09-22 06:05 110752 ----a-w- c:\windows\system32\IProsetMonitor.exe
2011-09-28 14:29 . 2007-04-25 09:20 62592 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-09-28 13:22 . 2008-04-13 19:18 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2011-09-28 13:22 . 2008-04-13 19:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-09-27 16:45 . 2011-09-27 16:45 37376 ----a-w- c:\windows\system32\inetsw32.dll
2011-09-27 16:45 . 2011-09-27 16:45 219648 ----a-w- c:\windows\system32\intelw32.dll
2011-09-27 12:42 . 2011-09-27 12:42 35712 ----a-w- c:\windows\system32\drivers\BlackBox.sys
2011-09-27 12:41 . 2011-09-27 12:41 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-09-27 00:03 . 2011-09-27 00:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\McAfee
2011-09-23 03:04 . 2011-09-23 03:04 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-19 17:41 . 2011-09-19 17:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sandlot Games
2011-09-19 17:40 . 2011-09-27 00:00 -------- d-----w- c:\program files\Burger Island
2011-09-17 01:27 . 2011-09-17 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\CodecCheck
2011-09-17 01:27 . 2011-09-17 01:49 -------- d-----w- C:\codec-info
2011-09-15 16:56 . 2011-09-15 16:56 -------- d-----w- c:\program files\SpywareBlaster
2011-09-15 16:53 . 2011-09-17 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2011-09-12 21:10 . 2011-09-12 21:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\f-secure
2011-09-12 21:09 . 2011-09-12 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2011-09-12 20:03 . 2011-09-13 01:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PMB Files
2011-09-12 20:03 . 2011-09-12 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2011-09-12 20:03 . 2011-09-12 20:03 -------- d-----w- c:\program files\Pando Networks
2011-09-11 22:25 . 2011-09-11 22:25 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
2011-09-11 21:10 . 2011-09-26 21:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Vso
2011-09-11 21:10 . 2009-09-02 17:44 217127 ----a-w- c:\windows\system32\drv43260.dll
2011-09-11 21:10 . 2009-09-02 17:44 208935 ----a-w- c:\windows\system32\drv33260.dll
2011-09-11 21:10 . 2009-09-02 17:44 176165 ----a-w- c:\windows\system32\drv23260.dll
2011-09-11 21:10 . 2009-09-02 17:44 626688 ----a-w- c:\windows\system32\vp7vfw.dll
2011-09-11 21:10 . 2011-09-11 21:10 -------- d-----w- c:\program files\VSO
2011-09-11 20:12 . 2011-09-27 00:03 -------- d-----w- c:\program files\Common Files\Nero
2011-09-11 20:12 . 2011-09-27 00:03 -------- d-----w- c:\program files\Nero
2011-09-11 05:14 . 2011-09-11 05:14 -------- d-----w- c:\program files\RealZeal Soft
2011-09-11 00:35 . 2011-09-11 00:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\ElevatedDiagnostics
2011-09-11 00:17 . 2011-09-11 00:19 -------- dc-h--w- c:\windows\ie8
2011-09-09 22:00 . 2011-09-09 22:02 -------- d-----w- c:\windows\system32\Adobe
2011-09-09 21:52 . 2011-09-09 23:39 -------- d-----w- c:\program files\3DChat
2011-09-09 20:02 . 2011-09-09 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2011-09-08 22:50 . 2011-09-08 22:50 -------- d-----w- c:\program files\thriXXX
2011-09-08 17:21 . 2011-09-08 17:21 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2011-09-08 16:47 . 2011-09-08 17:22 -------- d-----w- c:\program files\Singles
2011-09-07 23:08 . 2011-09-07 23:08 -------- d--h--w- c:\documents and settings\All Users\Application Data\boost_interprocess
2011-09-07 22:47 . 2011-09-07 22:47 -------- d-----w- c:\documents and settings\Administrator\AppData
2011-09-07 20:28 . 2000-05-22 18:58 115920 ----a-w- c:\windows\system32\msinet.OCX
2011-09-07 20:28 . 1998-07-13 02:00 15360 ----a-w- c:\windows\system32\inetfr.DLL
2011-09-07 20:28 . 2000-10-01 22:00 119568 ----a-w- c:\windows\system32\VB6FR.DLL
2011-09-07 20:28 . 1999-03-25 22:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2011-09-07 20:28 . 2011-09-07 20:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\FreeBurner
2011-09-07 20:28 . 2004-03-09 02:00 152848 ----a-w- c:\windows\system32\COMDLG32.OCX
2011-09-07 20:28 . 1998-07-13 02:00 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
2011-09-07 20:28 . 1998-07-12 22:00 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2011-09-07 20:10 . 2011-09-07 20:10 -------- d-----w- C:\games
2011-09-07 14:47 . 2011-09-07 14:47 -------- d-----w- c:\program files\SourceTec
2011-09-07 02:49 . 2010-01-10 23:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2011-09-07 02:49 . 2010-01-10 23:40 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2011-09-07 02:48 . 2011-09-07 02:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\WinPatrol
2011-09-07 02:48 . 2011-09-07 02:48 -------- d-----w- c:\program files\BillP Studios
2011-09-06 23:39 . 2011-07-08 11:55 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-06 23:38 . 2011-07-08 11:55 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-06 23:38 . 2011-09-06 23:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-04 02:10 . 2011-09-28 14:48 -------- d-----w- c:\program files\FlashGet
2011-09-03 10:17 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
2011-09-01 21:15 . 2011-01-13 20:06 892928 ----a-w- c:\windows\system32\iconv.dll
2011-09-01 21:15 . 2011-01-13 20:06 675840 ----a-w- c:\windows\system32\ac3filter.ax
2011-09-01 21:15 . 2011-09-01 21:18 -------- d-----w- c:\program files\Wondershare
2011-09-01 03:57 . 2009-03-12 16:53 483422 ----a-w- c:\windows\sttray.exe
2011-09-01 03:57 . 2009-03-12 16:53 171520 ----a-w- c:\windows\system32\st322000.dll
2011-09-01 02:16 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-09-01 02:16 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-09-01 02:13 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-27 17:42 . 2011-03-26 23:17 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-01 15:25 . 2010-09-07 19:39 150392 ----a-w- C:\junction.exe
2011-09-01 01:21 . 2011-05-25 02:49 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-26 04:21 . 2011-08-26 04:21 22 --sha-w- c:\documents and settings\Administrator\Application Data\Sys2662.Config.Repository.bin
2011-08-06 19:46 . 2011-08-06 19:46 450 ----a-w- c:\program files\0806201115462596.bat
2011-08-04 21:39 . 2011-08-04 21:39 452 ----a-w- c:\program files\0804201117390010.bat
2011-07-15 13:29 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-04 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-09-27 23:44 . 2011-09-07 22:52 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 18:01 . 2011-03-26 23:28 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-27_15.49.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-28 16:09 . 2011-09-28 16:09 16384 c:\windows\temp\Perflib_Perfdata_c8.dat
- 2011-09-12 23:03 . 2011-09-26 20:41 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2011-09-12 23:03 . 2011-09-27 17:43 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-10-24 17:50 . 2011-09-27 17:43 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-10-24 17:50 . 2011-09-26 20:41 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-27 02:18 . 2008-05-27 02:18 186880 c:\windows\system32\searchprotocolhost.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-06-28 1195408]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-12 483422]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\inetsw32]
2011-09-27 16:45 37376 ----a-w- c:\windows\system32\inetsw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\intelworks]
2011-09-27 16:45 37376 ----a-w- c:\windows\system32\inetsw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IsWow64Process]
2011-09-27 16:45 37376 ----a-w- c:\windows\system32\inetsw32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-10-21 14:51 172032 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-10-21 14:51 143360 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-10-21 14:51 143360 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]
2009-03-12 16:53 483422 ----a-w- c:\program files\IDT\WDM\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\IMVUClient\\1VivoxVoice.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\IMVUClient\\Uninstall.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"67:UDP"= 67:UDP:DHCP Server
"57162:TCP"= 57162:TCP:Pando Media Booster
"57162:UDP"= 57162:UDP:Pando Media Booster
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [3/26/2011 7:28 PM 84200]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [9/28/2011 10:30 AM 110752]
R2 intelpower;Network Location Awarene;c:\windows\System32\svchost.exe -k inetsvcs [8/4/2004 8:00 AM 14336]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [3/26/2011 7:28 PM 188136]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [3/26/2011 7:28 PM 314088]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [3/26/2011 7:28 PM 88736]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc --> c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [?]
S2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc --> c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [?]
S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc --> c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [?]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [3/26/2011 7:17 PM 141792]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [3/26/2011 7:28 PM 56064]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [3/26/2011 7:28 PM 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/26/2011 7:28 PM 84488]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys --> c:\windows\system32\DRIVERS\wg111v2.sys [?]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 8:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
inetsvcs REG_MULTI_SZ intelpower
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
srvE90
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-22 c:\windows\Tasks\AdobeAAMUpdater-1.0-OWNER-Administrator.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-04-21 07:44]
.
2011-09-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
.
------- Supplementary Scan -------
.
IE: &Download All with FlashGet - c:\progra~1\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\progra~1\FlashGet\jc_link.htm
IE: Visit in &3D using ExitReality - http://3d.exitreality.com/TransmogrifyPage.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.7.254
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6dqizvkp.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z134&form=ZGAADF&install_date=20110917&q=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
Notify-2(BDryNb~ - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-28 12:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2000478354-1085031214-725345543-500\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (Administrator)
"{99079A25-328F-4BD4-BE04-00955ACAA0A7}"=hex:51,66,7a,6c,4c,1d,3b,1b,35,86,15,
80,b8,65,bc,0e,a1,0a,46,d5,5b,89,ed,be
"{9D717F81-9148-4F12-8568-69135F087DB0}"=hex:51,66,7a,6c,4c,1d,3b,1b,91,63,63,
84,7f,c6,7a,0a,9a,66,2f,53,5e,4b,30,a9
.
[HKEY_USERS\S-1-5-21-2000478354-1085031214-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ce,a3,9f,78,f2,bf,4d,44,a8,6b,b2,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ce,a3,9f,78,f2,bf,4d,44,a8,6b,b2,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\08\01\16\17\16#?"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1024)
c:\windows\system32\inetsw32.dll
.
- - - - - - - > 'explorer.exe'(636)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2011-09-28 12:13:31 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-28 16:13
ComboFix2.txt 2011-09-28 14:42
ComboFix3.txt 2011-09-27 15:59
.
Pre-Run: 22,119,792,640 bytes free
Post-Run: 22,107,443,200 bytes free
.
- - End Of File - - 4D87776AA64CBF5AC3BD06006BEA0EBE
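The log above is what the helper read to pick out inetsw32.dll: the same DLL is registered under three Winlogon Notify subkeys (one named after a Windows API, IsWow64Process), Security Center monitoring is switched off for the McAfee products, and the Windows Firewall standard profile is disabled. As an added triage example (not ComboFix's code and not part of this thread), the Python below parses the "Reg Loading Points" section and flags exactly those indicators; the sample lines are copied from the log, and the KNOWN_NOTIFY allow-list is an assumption an analyst would maintain from a known-good machine.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the 'Reg Loading Points' section of
# the ComboFix log posted above (only the keys this script reasons about).
SAMPLE_LOG = r"""REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\inetsw32]
2011-09-27 16:45 37376 ----a-w- c:\windows\system32\inetsw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\intelworks]
2011-09-27 16:45 37376 ----a-w- c:\windows\system32\inetsw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IsWow64Process]
2011-09-27 16:45 37376 ----a-w- c:\windows\system32\inetsw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# ComboFix prints the file behind a Notify key as: date time size attrs path
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+(.+)$")

# Notify packages present on a clean XP SP3 box. Assumption: a short allow-list
# an analyst maintains from a known-good machine, not an official list.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

def parse_loading_points(text):
    """Return {key_path: {"values": {name: raw}, "files": [path, ...]}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {"values": {}, "files": []}
        elif current is None or line in ("", ".", "REGEDIT4"):
            continue
        elif VALUE_RE.match(line):
            name, raw = VALUE_RE.match(line).groups()
            keys[current]["values"][name] = raw.strip()
        elif FILE_RE.match(line):
            keys[current]["files"].append(FILE_RE.match(line).group(1).strip())
    return keys

def as_int(raw):
    """Parse 'dword:00000001' or '0 (0x0)' style values; None if not numeric."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    head = raw.split()[0] if raw.split() else ""
    return int(head) if head.isdigit() else None

def triage(keys):
    """Flag Winlogon Notify persistence and security-tool tampering."""
    findings, dll_owners = [], defaultdict(list)
    for path, entry in keys.items():
        lp, leaf = path.lower(), path.rsplit("\\", 1)[-1]
        if "\\winlogon\\notify\\" in lp:
            if leaf.lower() not in KNOWN_NOTIFY:
                findings.append(f"unknown Winlogon Notify package '{leaf}'")
            for dll in entry["files"]:
                dll_owners[dll.lower()].append(leaf)
        elif "\\security center\\monitoring\\" in lp:
            if as_int(entry["values"].get("DisableMonitoring", "")) == 1:
                findings.append(f"Security Center monitoring disabled for {leaf}")
        elif lp.endswith("\\firewallpolicy\\standardprofile"):
            if as_int(entry["values"].get("EnableFirewall", "")) == 0:
                findings.append("Windows Firewall standard profile disabled")
    # One DLL behind several Notify names is the sign of a package that
    # re-registers itself under decoy names so removing one key is not enough.
    for dll, names in dll_owners.items():
        if len(names) > 1:
            findings.append(f"{dll} registered under {len(names)} Notify "
                            f"packages: {', '.join(sorted(names))}")
    return findings
```

Run `triage(parse_loading_points(SAMPLE_LOG))` to list the seven findings for the sample; feed it the full section of a real log to triage a new case.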

#13 gringo_pr (Bleepin Gringo)
Malware Response Team, 136,772 posts, Puerto Rico

Posted 28 September 2011 - 12:52 PM

Please do the following:

Step One
Please download Junction.zip and save it to your desktop.
Unzip it and extract junction.exe to your C:\ drive.

Step Two
Now copy (Ctrl +C) and paste (Ctrl +V) the text inside the code box below into Notepad.

@ECHO OFF
cd c:\
junction -s c:\>log.txt
start log.txt
del %0

Save it to your desktop as File name: junc.bat
Save as type: All Files

Step Three
Double click junc.bat to run it. A log will be presented. Copy and paste or attach the content of the log in your next reply.

Gringo

#14 BreeLovesPc (Topic Starter)
Members, 99 posts

Posted 28 September 2011 - 01:09 PM

I followed the instructions above, but when I tried to run junc.bat it gave me the following error message: c:\log.txt Access is Denied. I tried it again and got the same error message.

#15 gringo_pr (Bleepin Gringo)
Malware Response Team, 136,772 posts, Puerto Rico

Posted 29 September 2011 - 10:34 AM

Hello

1. Make sure junction.exe is on the C drive

2. Click on Start

3. Click on Run

4. Type CMD into the run box and click on OK

5. Copy and paste these lines into the CMD window


cd c:\
junction -s c:\>log.txt
start log.txt

6. Wait about 5 min until the report pops up

7. Copy and paste this report here

gringo