
ZeroAccess RootKit suspected


79 replies to this topic

#1 Lotharr


Posted 30 September 2011 - 10:26 PM

Hey All, like most of the newbies here, I did things wrong and posted in the wrong topic (see http://www.bleepingcomputer.com/forums/topic420788.html).

From what Broni thinks, that could be a ZeroAccess infection.

I get this weird process in my Windows Task Manager: 123892590:2441911800.exe


Now I read the documentation and I ran the tools you guys are asking for before crying wolf! ;o)

So here they are.

The DDS report:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Run by KarJof at 22:51:59 on 2011-09-30
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.1279.233 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\123892590:2441911800.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\route.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.canoe.qc.ca/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Programme d'aide de l'Assistant de connexion Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Smapp] c:\program files\analog devices\soundmax\Smtray.exe
mRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
mRun: [UniPrint] c:\progra~1\uniprint\client\SetDfltSettings.exe
mRun: [HydraVisionDesktopManager] c:\program files\ati technologies\hydravision\HydraDM.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {49783ED4-258D-4f9f-BE11-137C18D3E543} - c:\poker\titan poker\casino.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\documents and settings\karjof\desktop\PartyPoker.lnk
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} - hxxps://extranet.inalco.com/install/Install/isetupml.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{76FC0344-29B3-4C59-BC77-827EE6EF90C7} : DhcpNameServer = 207.181.101.4 207.181.101.5
TCP: Interfaces\{ECDB741F-A3AF-4463-B396-49AF1E4BA4A2} : DhcpNameServer = 192.168.0.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\karjof\application data\mozilla\firefox\profiles\n4fpo1sp.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com
FF - prefs.js: keyword.enabled - false
FF - component: c:\documents and settings\karjof\application data\mozilla\firefox\profiles\n4fpo1sp.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\karjof\application data\mozilla\firefox\profiles\n4fpo1sp.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\documents and settings\karjof\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-9-15 54752]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-25 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-25 22216]
S2 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\microsoft sql server\100\dts\binn\MsDtsSrvr.exe [2010-4-3 214880]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2009-12-10 65536]
S3 fsssvc;Service Windows Live Contrôle parental;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 mdxgthkn;mdxgthkn;\??\c:\docume~1\karjof\locals~1\temp\mdxgthkn.sys --> c:\docume~1\karjof\locals~1\temp\mdxgthkn.sys [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2010-4-3 44896]
.
=============== Created Last 30 ================
.
2011-09-26 00:18:09 -------- d-----w- c:\program files\PC Tools Security
2011-09-26 00:18:09 -------- d-----w- c:\program files\common files\PC Tools
2011-09-26 00:14:24 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-09-26 00:07:42 -------- d-----w- C:\TDSSKiller_Quarantine
2011-09-25 23:58:11 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-25 23:57:38 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-24 12:07:31 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-09-24 12:07:31 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-24 04:54:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-24 04:49:01 -------- d-----w- c:\documents and settings\all users\application data\Common Files
2011-09-24 04:46:58 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-09-23 17:15:18 -------- d-----w- c:\documents and settings\all users\application data\Comodo
2011-09-05 18:35:46 -------- d-----w- c:\program files\iPod
2011-09-05 18:35:32 -------- d-----w- c:\program files\iTunes
2011-09-05 18:35:32 -------- d-----w- c:\documents and settings\all users\application data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-09-05 18:34:26 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-09-05 18:34:26 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-09-05 18:34:26 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2011-09-05 18:34:25 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin3.dll
2011-09-05 18:34:25 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin2.dll
2011-09-05 18:34:25 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin.dll
2011-09-05 18:32:25 -------- d-----w- c:\documents and settings\karjof\local settings\application data\Apple
2011-09-05 18:32:04 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-09-05 18:32:04 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-09-05 18:31:33 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-07-12 15:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20:54 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 15:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-05 22:37:00 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 22:37:00 69632 ----a-w- c:\windows\system32\QuickTime.qts
2008-03-14 22:17:10 4377088 ----a-w- c:\program files\openofficeorg24.msi
2002-03-11 09:06:30 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45:04 1708856 ----a-w- c:\program files\instmsia.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6L160P0 rev.BAJ41G20 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe >>UNKNOWN [0x8A1199C0]<<
_asm { MOV EAX, 0x8a1198e0; XCHG [ESP], EAX; PUSH EAX; PUSH 0x8a120684; RET ; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8A083AB8]
\Driver\Disk[0x8A0CBE80] -> IRP_MJ_CREATE -> 0x8A1199C0
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\Disk -> 0x8a1199c0
user & kernel MBR OK
Warning: possible MBR rootkit infection !
.
============= FINISH: 22:54:37,10 ===============

And then the GMER report.
NOTE: I ran the GMER tool like 4 times. Every time, it ends up vanishing. It runs for a while and then it just disappears. No warning, nothing! Poof.
Another thing: when I double-click on the GMER icon, it seems like it runs a preScan kinda thing, and the things listed in that preScan are wiped when I start the scan, so I saved a copy of that too.

PreScan data
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-09-30 23:14:10
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Maxtor_6L160P0 rev.BAJ41G20
Running: gmer.exe; Driver: C:\DOCUME~1\KarJof\LOCALS~1\Temp\kwrdrpow.sys


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwEnumerateKey [0xF750BC7E]
SSDT sptd.sys ZwEnumerateValueKey [0xF750BFF6]

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 [F78452F0] atapi.sys[unknown section] {MOV EAX, 0x8a119b98; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf751c442; RET }
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F78452F0] atapi.sys[unknown section] {MOV EAX, 0x8a119b98; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf751c442; RET }
Device \Driver\atapi \Device\Ide\IdePort0 [F78452F0] atapi.sys[unknown section] {MOV EAX, 0x8a119b98; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf751c442; RET }
Device \Driver\atapi \Device\Ide\IdePort1 [F78452F0] atapi.sys[unknown section] {MOV EAX, 0x8a119b98; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf751c442; RET }
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f [F78452F0] atapi.sys[unknown section] {MOV EAX, 0x8a119b98; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf751c442; RET }
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 89C18218
Device \Driver\dtscsi \Device\Scsi\dtscsi1 89C18218
Device \FileSystem\Ntfs \Ntfs 8A119708
Device \FileSystem\Fastfat \Fat 89C49240

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:388] BA7AC9B5
Thread System [4:392] AC792875

---- EOF - GMER 1.0.15 ----

Then the scan.
NOTE: as the app dies without a warning, this report is MOST PROBABLY incomplete. Very sorry about that; I did my best to get as much data as I could.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-30 23:15:38
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\KarJof\LOCALS~1\Temp\kwrdrpow.sys


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xF750BB3A]
SSDT sptd.sys ZwEnumerateKey [0xF750BC7E]
SSDT sptd.sys ZwEnumerateValueKey [0xF750BFF6]
SSDT sptd.sys ZwOpenKey [0xF750BA18]
SSDT sptd.sys ZwQueryKey [0xF750C0C0]
SSDT sptd.sys ZwQueryValueKey [0xF750BF58]
SSDT sptd.sys ZwSetValueKey [0xF750C148]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IoFreeIrp + 1CB 804E875D 7 Bytes CALL AC792865
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\Drivers\SPTD8941.SYS The process cannot access the file because it is being used by another process.
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 B89F14D0 16 Bytes [63, C6, AA, 03, 58, EE, 5D, ...]
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 12 B89F14E2 30 Bytes [9F, B8, F8, DD, 26, 90, F8, ...]
? C:\WINDOWS\System32\Drivers\dtscsi.sys The process cannot access the file because it is being used by another process.
.text C:\WINDOWS\System32\Drivers\cdudf_xp.SYS section is writeable [0xAC752280, 0xFBA0, 0xE0000020]
? C:\DOCUME~1\KarJof\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1668] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2972] USER32.dll!SetWindowLongA 7E41D60D 5 Bytes JMP 10698DD9 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2972] USER32.dll!SetWindowLongW 7E41D62B 5 Bytes JMP 10698D6B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2972] USER32.dll!GetWindowInfo 7E41E77C 5 Bytes JMP 104C7187 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2972] USER32.dll!TrackPopupMenu 7E4650EE 5 Bytes JMP 104C7781 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A119708
Device \FileSystem\Fastfat \FatCdrom 89C49240
Device \Driver\00000091 \Device\00000043 sptd.sys
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A119EB0
Device \Driver\dmio \Device\DmControl\DmConfig 8A119EB0
Device \Driver\dmio \Device\DmControl\DmPnP 8A119EB0
Device \Driver\dmio \Device\DmControl\DmInfo 8A119EB0
Device \FileSystem\UdfReadr_xp \Device\UdfReadr_XP 89CAE690

AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A1190E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A1190E8
Device \Driver\Cdrom \Device\CdRom0 89E6F0E8
Device \FileSystem\Rdbss \Device\FsWrap 89DE50E8
Device \Driver\Cdrom \Device\CdRom1 89E6F0E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 [F78452F0] atapi.sys[unknown section] {MOV EAX, 0x8a119b98; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf751c442; RET }
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F78452F0] atapi.sys[unknown section] {MOV EAX, 0x8a119b98; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf751c442; RET }
Device \Driver\atapi \Device\Ide\IdePort0 [F78452F0] atapi.sys[unknown section] {MOV EAX, 0x8a119b98; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf751c442; RET }
Device \Driver\atapi \Device\Ide\IdePort1 [F78452F0] atapi.sys[unknown section] {MOV EAX, 0x8a119b98; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf751c442; RET }
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f [F78452F0] atapi.sys[unknown section] {MOV EAX, 0x8a119b98; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf751c442; RET }
Device \Driver\USBSTOR \Device\00000066 89D5F690
Device \Driver\Cdrom \Device\CdRom2 89E6F0E8
Device \Driver\Cdrom \Device\CdRom3 89E6F0E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 89BF10E8
Device \Driver\NetBT \Device\NetbiosSmb 89BF10E8
Device \Driver\Disk \Device\Harddisk0\DR0 8A1199C0
Device \Driver\USBSTOR \Device\0000006a 89D5F690
Device \Driver\USBSTOR \Device\0000006b 89D5F690

Thanks a lot and I really hope to be able to fix that.

Lotharr

Edited by Lotharr, 30 September 2011 - 10:31 PM.
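Two things in the logs above are worth pulling out mechanically when triaging a DDS/GMER submission like this one: a process path whose file name sits after a second colon (`C:\WINDOWS\123892590:2441911800.exe` is an NTFS alternate data stream named `2441911800.exe` hanging off `C:\WINDOWS\123892590`, a hiding place a normal directory listing never shows), and a `\Driver\Disk` dispatch hook reported under "detected hooks:" by the MBR check. The script below is an added example written for this thread, not code from the original post or from DDS/GMER; the sample log text is constructed to match the shape of the sections above, and the function names are my own.

```python
"""Triage helpers for DDS / GMER-style logs (added example, not tool code)."""
import re

# Constructed sample shaped like the DDS "Running Processes" section above.
SAMPLE_PROCESSES = r"""
C:\WINDOWS\123892590:2441911800.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
"""

# Constructed sample shaped like the ROOTKIT section of the DDS log above.
SAMPLE_GMER = r"""
detected disk devices:
detected hooks:
\Driver\Disk -> 0x8a1199c0
user & kernel MBR OK
Warning: possible MBR rootkit infection !
"""

# Drive letter + colon, then a path with no further colon, then ':' and a stream name.
# Caveat: a command line carrying a ':' in an argument would also match; split
# such lines on their arguments first if the log mixes paths and arguments.
ADS_PATH = re.compile(r"^(?P<base>[A-Za-z]:\\[^:\r\n]*):(?P<stream>[^:\\\s]+)$")

# '\Driver\Disk -> 0x8a1199c0' style line in the 'detected hooks:' block.
HOOK_LINE = re.compile(r"^(?P<driver>\\Driver\\\w+)\s*->\s*(?P<addr>0x[0-9a-fA-F]+)$")


def find_ads_processes(text):
    """Return (host_object, stream_name) for each process path that is an alternate data stream."""
    hits = []
    for line in text.splitlines():
        m = ADS_PATH.match(line.strip())
        if m:
            hits.append((m.group("base"), m.group("stream")))
    return hits


def find_driver_hooks(text):
    """Return {driver_object: address} for entries listed under 'detected hooks:'."""
    hooks = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("detected hooks"):
            in_section = True
            continue
        if not in_section:
            continue
        m = HOOK_LINE.match(line)
        if m:
            hooks[m.group("driver")] = int(m.group("addr"), 16)
        elif line:
            in_section = False  # the block ends at the first line that is not a hook entry
    return hooks


def triage(process_text, gmer_text):
    """Human-readable findings combining both checks."""
    findings = []
    for base, stream in find_ads_processes(process_text):
        findings.append(f"process running from alternate data stream '{stream}' on {base}")
    for driver, addr in find_driver_hooks(gmer_text).items():
        findings.append(f"{driver} dispatch hooked at {addr:#x}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_PROCESSES, SAMPLE_GMER):
        print("FINDING:", finding)
```

Run it as-is to see the two findings for the constructed sample; to use it on a real submission, paste the "Running Processes" and "ROOTKIT" sections into the two sample strings. Neither check proves an infection by itself; they only surface the lines a responder should look at first.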



#2 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 04 October 2011 - 08:24 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Lotharr

  • Topic Starter

  • Members
  • 49 posts

Posted 05 October 2011 - 07:53 PM

Hello Catbyte,

thanks for the reply. I was starting to wonder if I was going to have an answer...

I ran ComboFix and from what it told me while running, I have/had a ZeroAccess RootKit infection. Is it cleared?

Something else, it also created a file called catchme.log on my Desktop. Should I add it to my reports?

Anyway, here is the log from ComboFix:


ComboFix 11-10-05.02 - KarJof 2011-10-05 20:18:56.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.1279.738 [GMT -4:00]
Lancé depuis: c:\documents and settings\KarJof\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\DirectCDUserName.txt
c:\documents and settings\KarJof\100.txt
c:\documents and settings\KarJof\My Documents\~WRL2629.tmp
c:\documents and settings\KarJof\WINDOWS
c:\windows\$NtUninstallKB62347$\1853055495\@
c:\windows\$NtUninstallKB62347$\1853055495\click.tlb
c:\windows\$NtUninstallKB62347$\1853055495\L\aoweewsq
c:\windows\$NtUninstallKB62347$\1853055495\U\@00000001
c:\windows\$NtUninstallKB62347$\1853055495\U\@000000c0
c:\windows\$NtUninstallKB62347$\1853055495\U\@000000cb
c:\windows\$NtUninstallKB62347$\1853055495\U\@000000cf
c:\windows\$NtUninstallKB62347$\1853055495\U\@80000000
c:\windows\$NtUninstallKB62347$\1853055495\U\@800000c0
c:\windows\$NtUninstallKB62347$\1853055495\U\@800000cb
c:\windows\$NtUninstallKB62347$\1853055495\U\@800000cf
c:\windows\$NtUninstallKB62347$\3973921129
c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\bwUnin-6.1.0.155-8876480L.exe
c:\windows\system32\
c:\windows\$NtUninstallKB62347$ . . . . impossible à supprimer
.
c:\windows\system32\drivers\cdudf_xp.sys . . . est infecté!! . . . Impossible de trouver un substitut valide.
c:\windows\system32\kernel32.dll . . . est infecté!!
.
Une copie infectée de c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe a été trouvée et désinfectée
Copie restaurée à partir de - c:\system volume information\_restore{5C3FC880-60FB-49BD-B07D-C8630FE9A7D8}\RP1581\A0112103.exe
.
Une copie infectée de c:\program files\Canon\CAL\CALMAIN.exe a été trouvée et désinfectée
Copie restaurée à partir de - c:\system volume information\_restore{5C3FC880-60FB-49BD-B07D-C8630FE9A7D8}\RP1581\A0112108.exe
.
Une copie infectée de c:\program files\iPod\bin\iPodService.exe a été trouvée et désinfectée
Copie restaurée à partir de - c:\system volume information\_restore{5C3FC880-60FB-49BD-B07D-C8630FE9A7D8}\RP1580\A0111758.ini
.
Une copie infectée de c:\program files\Java\jre6\bin\jqs.exe a été trouvée et désinfectée
Copie restaurée à partir de - c:\system volume information\_restore{5C3FC880-60FB-49BD-B07D-C8630FE9A7D8}\RP1581\A0112104.exe
.
Une copie infectée de c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe a été trouvée et désinfectée
Copie restaurée à partir de - c:\system volume information\_restore{5C3FC880-60FB-49BD-B07D-C8630FE9A7D8}\RP1582\A0112339.exe
.
Une copie infectée de c:\program files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe a été trouvée et désinfectée
Copie restaurée à partir de - c:\system volume information\_restore{5C3FC880-60FB-49BD-B07D-C8630FE9A7D8}\RP1581\A0112105.exe
.
Une copie infectée de c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe a été trouvée et désinfectée
Copie restaurée à partir de - c:\system volume information\_restore{5C3FC880-60FB-49BD-B07D-C8630FE9A7D8}\RP1581\A0112106.exe
.
Une copie infectée de c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe a été trouvée et désinfectée
Copie restaurée à partir de - c:\system volume information\_restore{5C3FC880-60FB-49BD-B07D-C8630FE9A7D8}\RP1581\A0112107.exe
.
Une copie infectée de c:\program files\Canon\CAL\CALMAIN.exe a été trouvée et désinfectée
Copie restaurée à partir de - c:\system volume information\_restore{5C3FC880-60FB-49BD-B07D-C8630FE9A7D8}\RP1581\A0112108.exe
Une copie infectée de c:\program files\iPod\bin\iPodService.exe a été trouvée et désinfectée
Copie restaurée à partir de - c:\system volume information\_restore{5C3FC880-60FB-49BD-B07D-C8630FE9A7D8}\RP1580\A0111758.ini
.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_6e736207
.
.
((((((((((((((((((((((((((((( Fichiers créés du 2011-09-06 au 2011-10-06 ))))))))))))))))))))))))))))))))))))
.
.
2011-09-28 20:26 . 2011-09-28 20:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2011-09-26 00:18 . 2011-09-26 10:19 -------- d-----w- c:\program files\PC Tools Security
2011-09-26 00:18 . 2011-09-26 10:19 -------- d-----w- c:\program files\Common Files\PC Tools
2011-09-26 00:14 . 2011-09-26 05:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-09-26 00:07 . 2011-09-26 00:07 -------- d-----w- C:\TDSSKiller_Quarantine
2011-09-25 23:58 . 2011-09-25 23:58 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-25 23:57 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-24 12:07 . 2011-09-24 12:07 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-24 04:54 . 2011-10-06 00:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-24 04:49 . 2011-09-24 04:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Common Files
2011-09-24 04:46 . 2011-09-24 12:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-09-23 17:15 . 2011-09-24 12:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
.
.
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20 . 2011-07-12 15:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 15:20 . 2011-07-12 15:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
2008-03-14 22:17 . 2008-03-14 22:17 4377088 ----a-w- c:\program files\openofficeorg24.msi
2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\program files\instmsia.exe
2011-04-14 16:26 . 2011-05-17 03:37 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 20:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2011-01-17 20:54 175912 ----a-w- c:\program files\Vuze_Remote\prxtbVuze.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuze.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\prxtbVuze.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-26 90112]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"UniPrint"="c:\progra~1\UniPrint\Client\SetDfltSettings.exe" [2004-02-20 90112]
"HydraVisionDesktopManager"="c:\program files\ATI Technologies\HydraVision\HydraDM.exe" [2002-06-07 262144]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2006-06-01 642560]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-09-25 366152]
R2 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [2010-04-03 214880]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2009-12-10 65536]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-09-25 22216]
S3 mdxgthkn;mdxgthkn;\??\c:\docume~1\KarJof\LOCALS~1\Temp\mdxgthkn.sys --> c:\docume~1\KarJof\LOCALS~1\Temp\mdxgthkn.sys [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2010-04-03 44896]
.
Contenu du dossier 'Tâches planifiées'
.
2011-10-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-10-06 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 02:18]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.canoe.qc.ca/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\KarJof\Application Data\Mozilla\Firefox\Profiles\n4fpo1sp.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com
FF - prefs.js: keyword.enabled - false
.
- - - - ORPHELINS SUPPRIMES - - - -
.
AddRemove-ComandoMPDDeinstKey - c:\program files\Eidos Interactive\Pyro\Commandos
AddRemove-GameSpy Arcade - c:\progra~1\GAMESP~1\UNWISE.EXE
AddRemove-Titan Poker - c:\poker\Titan Poker\_SetupPoker.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-05 20:39
Windows 5.1.2600 Service Pack 2 NTFS
.
Recherche de processus cachés ...
.
Recherche d'éléments en démarrage automatique cachés ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HydraVisionDesktopManager = c:\program files\ATI Technologies\HydraVision\HydraDM.exe?g?i?e?s?\?H?y?d?r?a?V?i?s?i?o?n?\?H?y?d?r?a?D?M?.?e?x?e??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
Recherche de fichiers cachés ...
.
Scan terminé avec succès
Fichiers cachés: 0
.
**************************************************************************
.
--------------------- DLLs chargées dans les processus actifs ---------------------
.
- - - - - - - > 'explorer.exe'(928)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\ATI Technologies\HydraVision\HydraDMH.dll
c:\windows\system32\msi.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\ImapiRoxPS.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Logitech\MouseWare\system\em_exec.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\WgaTray.exe
.
**************************************************************************
.
Heure de fin: 2011-10-05 20:47:08 - La machine a redémarré
ComboFix-quarantined-files.txt 2011-10-06 00:47
.
Avant-CF: 58 797 047 808 bytes free
Après-CF: 59 137 605 632 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
[Boot Loader]
Timeout=2
Default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
c:\$win_nt$.~bt\BOOTSECT.DAT="Microsoft Windows XP Professional Setup"
.
- - End Of File - - C2BB737E801BEEE8AEF48B7169159592


Once again, thanks a lot for your help!

Lotharr

P.S. Let me know if you need any additional information.

Edited by Lotharr, 05 October 2011 - 07:54 PM.
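
The ComboFix service list above (the `R0`/`R2`/`S3` lines) is where a driver like `mdxgthkn.sys` stands out: it is registered from a user's Temp folder and ComboFix marks the file as missing (`--> ... [?]`). As an added illustration, not code from ComboFix or from anyone in this thread, the Python below parses lines in that format and flags the traits a responder looks for first: a binary under a Temp or profile directory, a file that no longer exists on disk, and (as a weak heuristic only) a random-looking eight-letter name with no display name. The sample lines are copied from the log above; the `R`/`S` state and start-type meaning in the comment is an assumption about ComboFix's notation.

```python
import re

# Constructed sample input: five service/driver lines in the format ComboFix
# prints in its services section (copied from the log above). The parser is an
# added illustration and is not part of ComboFix.
SAMPLE_SERVICES = r"""
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2006-06-01 642560]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-09-25 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-09-25 22216]
S3 mdxgthkn;mdxgthkn;\??\c:\docume~1\KarJof\LOCALS~1\Temp\mdxgthkn.sys --> c:\docume~1\KarJof\LOCALS~1\Temp\mdxgthkn.sys [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2010-04-03 44896]
"""

# Assumed notation: "R" = running, "S" = stopped; the digit is the service
# start type (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled).
LINE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
FILE_RE = re.compile(r"^(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$")

# Locations a legitimate kernel driver should not be loaded from: any Temp
# folder (8.3 short form or long form) and the user profile tree.
TEMP_RE = re.compile(r"\\(temp|local settings\\temp|locals~1\\temp)\\", re.IGNORECASE)
PROFILE_RE = re.compile(r"^c:\\(docume~1|documents and settings|users)\\", re.IGNORECASE)
# Heuristic only: eight lowercase letters looks machine-generated. Weak evidence.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


def parse_service_line(line):
    """Parse one ComboFix service line into a dict, or return None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = {"state": m["state"], "name": m["name"], "display": m["display"],
             "path": None, "date": None, "size": None, "missing": False}
    rest = m["rest"]
    if "-->" in rest:
        # "registered path --> resolved path [?]": ComboFix could not find the file.
        rest = rest.split("-->", 1)[1].strip()
        entry["missing"] = rest.endswith("[?]")
        entry["path"] = rest[: -len("[?]")].strip() if entry["missing"] else rest
    else:
        fm = FILE_RE.match(rest)
        if fm:
            entry["path"] = fm["path"]
            entry["date"] = fm["date"]
            entry["size"] = int(fm["size"])
        else:
            entry["path"] = rest
    # Strip the NT object-manager prefix some services register their path with.
    if entry["path"].startswith("\\??\\"):
        entry["path"] = entry["path"][4:]
    return entry


def flag_reasons(entry):
    """Return the reasons an entry deserves a closer look (empty list = nothing odd)."""
    reasons = []
    path = entry["path"] or ""
    if TEMP_RE.search(path):
        reasons.append("binary lives in a Temp folder")
    elif PROFILE_RE.match(path):
        reasons.append("binary lives under a user profile")
    if entry["missing"]:
        reasons.append("file not found on disk (orphaned service entry)")
    if RANDOM_NAME_RE.match(entry["name"]) and entry["name"] == entry["display"]:
        reasons.append("random-looking name with no display name (weak heuristic)")
    return reasons


def triage(text):
    """Parse every service line in `text`; return {name: [reasons]} for flagged entries only."""
    findings = {}
    for line in text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = flag_reasons(entry)
        if reasons:
            findings[entry["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_SERVICES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the sample, only `mdxgthkn` is reported, with all three reasons; the four legitimate entries (including the locked `sptd` driver) produce nothing. An orphaned `S3` entry is still worth cleaning up, which is why the CFScript in the next post carries both a `Collect::` and a `Driver::` line for it.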


#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:14 AM

Posted 05 October 2011 - 08:10 PM

Hi,

Please do the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)



NEXT


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic421345.html/page__pid__2431127

Collect::
c:\docume~1\KarJof\LOCALS~1\Temp\mdxgthkn.sys

Driver::
mdxgthkn

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 Lotharr

Lotharr
  • Topic Starter

  • Members
  • 49 posts
  • Local time:03:14 AM

Posted 05 October 2011 - 08:54 PM

Wow, that's what I call efficiency!

Thanks a lot!

I'll run that right away.

Lotharr

P.S. TDSSKiller's report

21:56:31.0703 3444 TDSS rootkit removing tool 2.6.5.0 Oct 5 2011 20:52:46
21:56:32.0000 3444 ============================================================
21:56:32.0000 3444 Current date / time: 2011/10/05 21:56:32.0000
21:56:32.0000 3444 SystemInfo:
21:56:32.0000 3444
21:56:32.0000 3444 OS Version: 5.1.2600 ServicePack: 2.0
21:56:32.0000 3444 Product type: Workstation
21:56:32.0000 3444 ComputerName: SUPERBRAIN
21:56:32.0000 3444 UserName: KarJof
21:56:32.0000 3444 Windows directory: C:\WINDOWS
21:56:32.0000 3444 System windows directory: C:\WINDOWS
21:56:32.0000 3444 Processor architecture: Intel x86
21:56:32.0000 3444 Number of processors: 1
21:56:32.0000 3444 Page size: 0x1000
21:56:32.0000 3444 Boot type: Normal boot
21:56:32.0000 3444 ============================================================
21:56:33.0546 3444 Initialize success
21:56:37.0937 1600 ============================================================
21:56:37.0937 1600 Scan started
21:56:37.0937 1600 Mode: Manual;
21:56:37.0937 1600 ============================================================
21:56:39.0921 1600 Abiosdsk - ok
21:56:39.0984 1600 abp480n5 - ok
21:56:40.0093 1600 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
21:56:40.0109 1600 ACPI - ok
21:56:40.0187 1600 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
21:56:40.0187 1600 ACPIEC - ok
21:56:40.0281 1600 adpu160m - ok
21:56:40.0390 1600 aeaudio (b2886807ac2543da273765cef4d82d68) C:\WINDOWS\system32\drivers\aeaudio.sys
21:56:40.0390 1600 aeaudio - ok
21:56:40.0500 1600 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
21:56:40.0515 1600 aec - ok
21:56:40.0640 1600 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
21:56:40.0656 1600 AFD - ok
21:56:40.0750 1600 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
21:56:40.0750 1600 agp440 - ok
21:56:40.0828 1600 Aha154x - ok
21:56:40.0906 1600 aic78u2 - ok
21:56:40.0968 1600 aic78xx - ok
21:56:41.0062 1600 AliIde - ok
21:56:41.0125 1600 amsint - ok
21:56:41.0203 1600 asc - ok
21:56:41.0281 1600 asc3350p - ok
21:56:41.0343 1600 asc3550 - ok
21:56:41.0500 1600 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
21:56:41.0500 1600 AsyncMac - ok
21:56:41.0609 1600 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
21:56:41.0609 1600 atapi - ok
21:56:41.0703 1600 Atdisk - ok
21:56:41.0812 1600 ati2mtag (826054e4ae40c7d4cbd0273a0941bcf8) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
21:56:41.0859 1600 ati2mtag - ok
21:56:41.0968 1600 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
21:56:41.0968 1600 Atmarpc - ok
21:56:42.0062 1600 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
21:56:42.0062 1600 audstub - ok
21:56:42.0156 1600 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
21:56:42.0156 1600 Beep - ok
21:56:42.0187 1600 catchme - ok
21:56:42.0296 1600 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
21:56:42.0312 1600 cbidf2k - ok
21:56:42.0421 1600 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
21:56:42.0421 1600 CCDECODE - ok
21:56:42.0500 1600 cd20xrnt - ok
21:56:42.0609 1600 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
21:56:42.0609 1600 Cdaudio - ok
21:56:42.0703 1600 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
21:56:42.0703 1600 Cdfs - ok
21:56:42.0843 1600 Cdr4_xp (4ac2e023b8bbee458816d30db0bf149a) C:\WINDOWS\system32\drivers\Cdr4_xp.sys
21:56:42.0843 1600 Cdr4_xp - ok
21:56:42.0921 1600 Cdralw2k (7e56d7ab50e08b393b640c0be898c752) C:\WINDOWS\system32\drivers\Cdralw2k.sys
21:56:42.0921 1600 Cdralw2k - ok
21:56:43.0015 1600 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
21:56:43.0015 1600 Cdrom - ok
21:56:43.0140 1600 cdudf_xp (9bb8140c37ecfc0453074df20662feba) C:\WINDOWS\system32\drivers\cdudf_xp.sys
21:56:43.0156 1600 cdudf_xp ( Rootkit.Win32.ZAccess.h ) - infected
21:56:43.0156 1600 cdudf_xp - detected Rootkit.Win32.ZAccess.h (0)
21:56:43.0234 1600 Changer - ok
21:56:43.0328 1600 CmdIde - ok
21:56:43.0453 1600 Cpqarray - ok
21:56:43.0531 1600 dac2w2k - ok
21:56:43.0593 1600 dac960nt - ok
21:56:43.0687 1600 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
21:56:43.0687 1600 Disk - ok
21:56:43.0781 1600 DM9102 (51ef6ca3d57055fed6ab99021d562443) C:\WINDOWS\system32\DRIVERS\DM9PCI5.SYS
21:56:43.0796 1600 DM9102 - ok
21:56:43.0953 1600 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
21:56:44.0000 1600 dmboot - ok
21:56:44.0125 1600 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
21:56:44.0140 1600 dmio - ok
21:56:44.0203 1600 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
21:56:44.0203 1600 dmload - ok
21:56:44.0312 1600 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
21:56:44.0312 1600 DMusic - ok
21:56:44.0437 1600 dpti2o - ok
21:56:44.0531 1600 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
21:56:44.0531 1600 drmkaud - ok
21:56:44.0625 1600 dtscsi (12aca694b50ea53563c1e7c99e7bb27d) C:\WINDOWS\System32\Drivers\dtscsi.sys
21:56:44.0625 1600 Suspicious file (NoAccess): C:\WINDOWS\System32\Drivers\dtscsi.sys. md5: 12aca694b50ea53563c1e7c99e7bb27d
21:56:44.0640 1600 dtscsi ( LockedFile.Multi.Generic ) - warning
21:56:44.0640 1600 dtscsi - detected LockedFile.Multi.Generic (1)
21:56:44.0734 1600 dvd_2K (372490daf585fff3d785e081563cc5c1) C:\WINDOWS\system32\drivers\dvd_2K.sys
21:56:44.0734 1600 dvd_2K - ok
21:56:44.0859 1600 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
21:56:44.0859 1600 EL90XBC - ok
21:56:45.0015 1600 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
21:56:45.0031 1600 Fastfat - ok
21:56:45.0109 1600 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
21:56:45.0109 1600 Fdc - ok
21:56:45.0218 1600 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
21:56:45.0218 1600 Fips - ok
21:56:45.0281 1600 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
21:56:45.0296 1600 Flpydisk - ok
21:56:45.0437 1600 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
21:56:45.0437 1600 FltMgr - ok
21:56:45.0593 1600 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
21:56:45.0593 1600 fssfltr - ok
21:56:45.0671 1600 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
21:56:45.0671 1600 Fs_Rec - ok
21:56:45.0781 1600 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
21:56:45.0781 1600 Ftdisk - ok
21:56:45.0890 1600 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
21:56:45.0890 1600 GEARAspiWDM - ok
21:56:46.0015 1600 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
21:56:46.0015 1600 Gpc - ok
21:56:46.0125 1600 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
21:56:46.0125 1600 hidusb - ok
21:56:46.0218 1600 hpn - ok
21:56:46.0343 1600 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
21:56:46.0375 1600 HTTP - ok
21:56:46.0468 1600 i2omgmt - ok
21:56:46.0562 1600 i2omp - ok
21:56:46.0671 1600 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
21:56:46.0671 1600 i8042prt - ok
21:56:46.0796 1600 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
21:56:46.0796 1600 Imapi - ok
21:56:46.0890 1600 ini910u - ok
21:56:47.0015 1600 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
21:56:47.0015 1600 IntelIde - ok
21:56:47.0093 1600 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
21:56:47.0109 1600 Ip6Fw - ok
21:56:47.0218 1600 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
21:56:47.0218 1600 IpFilterDriver - ok
21:56:47.0312 1600 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
21:56:47.0328 1600 IpInIp - ok
21:56:47.0468 1600 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
21:56:47.0484 1600 IpNat - ok
21:56:47.0609 1600 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
21:56:47.0625 1600 IPSec - ok
21:56:47.0718 1600 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
21:56:47.0718 1600 IRENUM - ok
21:56:47.0843 1600 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
21:56:47.0843 1600 isapnp - ok
21:56:47.0937 1600 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
21:56:47.0953 1600 Kbdclass - ok
21:56:48.0062 1600 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
21:56:48.0062 1600 kbdhid - ok
21:56:48.0171 1600 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
21:56:48.0187 1600 kmixer - ok
21:56:48.0281 1600 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
21:56:48.0281 1600 KSecDD - ok
21:56:48.0375 1600 l8042pr2 (0f8b7bf7097d1e8d78f2f52a2bea03cd) C:\WINDOWS\system32\DRIVERS\L8042Pr2.sys
21:56:48.0390 1600 l8042pr2 - ok
21:56:48.0484 1600 lbrtfdc - ok
21:56:48.0593 1600 LHidFlt2 (3c357dfdbbf2b4b01aa4b9c8a26e4416) C:\WINDOWS\system32\DRIVERS\LHidFlt2.sys
21:56:48.0593 1600 LHidFlt2 - ok
21:56:48.0703 1600 LHidUsb (ffb851b1b2f6596b7d3182b977a85206) C:\WINDOWS\system32\drivers\LHidUsb.Sys
21:56:48.0703 1600 LHidUsb - ok
21:56:48.0812 1600 LMouFlt2 (aef09673376a4d93c09e8341854f1bf4) C:\WINDOWS\system32\DRIVERS\LMouFlt2.sys
21:56:48.0812 1600 LMouFlt2 - ok
21:56:48.0906 1600 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys
21:56:48.0921 1600 MBAMProtector - ok
21:56:49.0015 1600 mdxgthkn - ok
21:56:49.0140 1600 mmc_2K (098c4e50936c2b33e3ded673be69cb10) C:\WINDOWS\system32\drivers\mmc_2K.sys
21:56:49.0140 1600 mmc_2K - ok
21:56:49.0234 1600 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
21:56:49.0234 1600 mnmdd - ok
21:56:49.0312 1600 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
21:56:49.0312 1600 Modem - ok
21:56:49.0421 1600 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
21:56:49.0421 1600 Mouclass - ok
21:56:49.0484 1600 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
21:56:49.0484 1600 mouhid - ok
21:56:49.0562 1600 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
21:56:49.0562 1600 MountMgr - ok
21:56:49.0656 1600 mraid35x - ok
21:56:49.0750 1600 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
21:56:49.0750 1600 MRxDAV - ok
21:56:49.0906 1600 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
21:56:49.0937 1600 MRxSmb - ok
21:56:50.0062 1600 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
21:56:50.0062 1600 Msfs - ok
21:56:50.0156 1600 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
21:56:50.0156 1600 MSKSSRV - ok
21:56:50.0234 1600 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
21:56:50.0234 1600 MSPCLOCK - ok
21:56:50.0312 1600 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
21:56:50.0328 1600 MSPQM - ok
21:56:50.0484 1600 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
21:56:50.0484 1600 mssmbios - ok
21:56:50.0609 1600 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
21:56:50.0609 1600 MSTEE - ok
21:56:50.0718 1600 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
21:56:50.0718 1600 Mup - ok
21:56:50.0812 1600 mxnic (e1cdf20697d992cf83ff86dd04df1285) C:\WINDOWS\system32\DRIVERS\mxnic.sys
21:56:50.0812 1600 mxnic - ok
21:56:50.0937 1600 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
21:56:50.0937 1600 NABTSFEC - ok
21:56:51.0062 1600 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
21:56:51.0093 1600 NDIS - ok
21:56:51.0187 1600 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
21:56:51.0187 1600 NdisIP - ok
21:56:51.0250 1600 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
21:56:51.0250 1600 NdisTapi - ok
21:56:51.0312 1600 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
21:56:51.0328 1600 Ndisuio - ok
21:56:51.0437 1600 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
21:56:51.0437 1600 NdisWan - ok
21:56:51.0515 1600 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
21:56:51.0515 1600 NDProxy - ok
21:56:51.0625 1600 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
21:56:51.0625 1600 NetBIOS - ok
21:56:51.0718 1600 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
21:56:51.0734 1600 NetBT - ok
21:56:51.0921 1600 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
21:56:51.0921 1600 Npfs - ok
21:56:52.0031 1600 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
21:56:52.0078 1600 Ntfs - ok
21:56:52.0203 1600 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
21:56:52.0203 1600 Null - ok
21:56:52.0281 1600 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
21:56:52.0281 1600 NwlnkFlt - ok
21:56:52.0343 1600 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
21:56:52.0359 1600 NwlnkFwd - ok
21:56:52.0484 1600 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
21:56:52.0484 1600 Parport - ok
21:56:52.0562 1600 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
21:56:52.0578 1600 PartMgr - ok
21:56:52.0640 1600 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
21:56:52.0640 1600 ParVdm - ok
21:56:52.0734 1600 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
21:56:52.0734 1600 PCI - ok
21:56:52.0812 1600 PCIDump - ok
21:56:52.0890 1600 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
21:56:52.0890 1600 PCIIde - ok
21:56:53.0000 1600 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
21:56:53.0015 1600 Pcmcia - ok
21:56:53.0078 1600 PDCOMP - ok
21:56:53.0140 1600 PDFRAME - ok
21:56:53.0203 1600 PDRELI - ok
21:56:53.0281 1600 PDRFRAME - ok
21:56:53.0343 1600 perc2 - ok
21:56:53.0421 1600 perc2hib - ok
21:56:53.0593 1600 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
21:56:53.0593 1600 PptpMiniport - ok
21:56:53.0656 1600 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
21:56:53.0671 1600 Processor - ok
21:56:53.0765 1600 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
21:56:53.0796 1600 PSched - ok
21:56:53.0890 1600 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
21:56:53.0890 1600 Ptilink - ok
21:56:53.0984 1600 pwd_2K (c89dc0df808d13a9dedeab79ee0482be) C:\WINDOWS\system32\drivers\pwd_2K.sys
21:56:53.0984 1600 pwd_2K - ok
21:56:54.0062 1600 ql1080 - ok
21:56:54.0125 1600 Ql10wnt - ok
21:56:54.0187 1600 ql12160 - ok
21:56:54.0250 1600 ql1240 - ok
21:56:54.0312 1600 ql1280 - ok
21:56:54.0421 1600 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
21:56:54.0421 1600 RasAcd - ok
21:56:54.0515 1600 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
21:56:54.0515 1600 Rasl2tp - ok
21:56:54.0609 1600 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
21:56:54.0609 1600 RasPppoe - ok
21:56:54.0687 1600 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
21:56:54.0687 1600 Raspti - ok
21:56:54.0781 1600 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
21:56:54.0796 1600 Rdbss - ok
21:56:54.0890 1600 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
21:56:54.0890 1600 RDPCDD - ok
21:56:55.0015 1600 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
21:56:55.0031 1600 rdpdr - ok
21:56:55.0156 1600 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
21:56:55.0171 1600 RDPWD - ok
21:56:55.0281 1600 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
21:56:55.0281 1600 redbook - ok
21:56:55.0718 1600 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
21:56:55.0718 1600 rtl8139 - ok
21:56:55.0875 1600 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
21:56:55.0875 1600 Secdrv - ok
21:56:55.0968 1600 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
21:56:55.0968 1600 serenum - ok
21:56:56.0046 1600 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
21:56:56.0046 1600 Serial - ok
21:56:56.0171 1600 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
21:56:56.0171 1600 Sfloppy - ok
21:56:56.0250 1600 Simbad - ok
21:56:56.0375 1600 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
21:56:56.0375 1600 SLIP - ok
21:56:56.0515 1600 smwdm (c908f7a3326e794789cac485b73149b4) C:\WINDOWS\system32\drivers\smwdm.sys
21:56:56.0546 1600 smwdm - ok
21:56:56.0656 1600 Sparrow - ok
21:56:56.0734 1600 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
21:56:56.0734 1600 splitter - ok
21:56:56.0875 1600 sptd (e94917c80ecf1ee4b35d63a9ab8c1e8c) C:\WINDOWS\system32\Drivers\sptd.sys
21:56:56.0875 1600 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: e94917c80ecf1ee4b35d63a9ab8c1e8c
21:56:56.0890 1600 sptd ( LockedFile.Multi.Generic ) - warning
21:56:56.0890 1600 sptd - detected LockedFile.Multi.Generic (1)
21:56:56.0984 1600 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
21:56:57.0000 1600 sr - ok
21:56:57.0109 1600 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
21:56:57.0156 1600 Srv - ok
21:56:57.0296 1600 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
21:56:57.0296 1600 streamip - ok
21:56:57.0406 1600 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
21:56:57.0406 1600 swenum - ok
21:56:57.0500 1600 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
21:56:57.0500 1600 swmidi - ok
21:56:57.0593 1600 symc810 - ok
21:56:57.0671 1600 symc8xx - ok
21:56:57.0765 1600 sym_hi - ok
21:56:57.0828 1600 sym_u3 - ok
21:56:57.0921 1600 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
21:56:57.0921 1600 sysaudio - ok
21:56:58.0093 1600 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
21:56:58.0125 1600 Tcpip - ok
21:56:58.0203 1600 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
21:56:58.0218 1600 TDPIPE - ok
21:56:58.0312 1600 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
21:56:58.0312 1600 TDTCP - ok
21:56:58.0390 1600 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
21:56:58.0406 1600 TermDD - ok
21:56:58.0515 1600 TosIde - ok
21:56:58.0625 1600 UdfReadr_xp (c8f07754069870a76c2070df7577c974) C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
21:56:58.0640 1600 UdfReadr_xp - ok
21:56:58.0750 1600 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
21:56:58.0750 1600 Udfs - ok
21:56:58.0812 1600 ultra - ok
21:56:58.0937 1600 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
21:56:58.0953 1600 Update - ok
21:56:59.0109 1600 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
21:56:59.0109 1600 USBAAPL - ok
21:56:59.0234 1600 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
21:56:59.0234 1600 usbaudio - ok
21:56:59.0328 1600 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
21:56:59.0328 1600 usbccgp - ok
21:56:59.0453 1600 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
21:56:59.0453 1600 usbehci - ok
21:56:59.0546 1600 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
21:56:59.0562 1600 usbhub - ok
21:56:59.0656 1600 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
21:56:59.0656 1600 usbprint - ok
21:56:59.0765 1600 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
21:56:59.0765 1600 usbscan - ok
21:56:59.0828 1600 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:56:59.0843 1600 USBSTOR - ok
21:56:59.0953 1600 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
21:56:59.0968 1600 usbuhci - ok
21:57:00.0093 1600 usbvideo (8968ff3973a883c49e8b564200f565b9) C:\WINDOWS\system32\Drivers\usbvideo.sys
21:57:00.0093 1600 usbvideo - ok
21:57:00.0203 1600 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
21:57:00.0203 1600 VgaSave - ok
21:57:00.0265 1600 ViaIde - ok
21:57:00.0312 1600 VMnetAdapter - ok
21:57:00.0421 1600 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
21:57:00.0421 1600 VolSnap - ok
21:57:00.0546 1600 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
21:57:00.0546 1600 Wanarp - ok
21:57:00.0625 1600 WDICA - ok
21:57:00.0718 1600 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
21:57:00.0718 1600 wdmaud - ok
21:57:00.0906 1600 WmBEnum (1abfd1399436e81c9d857f5fc76eaf98) C:\WINDOWS\system32\drivers\WmBEnum.sys
21:57:00.0906 1600 WmBEnum - ok
21:57:01.0031 1600 WmFilter (b3cfcbcc91ff61ef82fc693b8b57e7f0) C:\WINDOWS\system32\drivers\WmFilter.sys
21:57:01.0046 1600 WmFilter - ok
21:57:01.0187 1600 WmVirHid (a40d2dd0f019423ef6c363f1295eb38d) C:\WINDOWS\system32\drivers\WmVirHid.sys
21:57:01.0187 1600 WmVirHid - ok
21:57:01.0265 1600 WmXlCore (2bf505424f469155cd90d7b3301d7adc) C:\WINDOWS\system32\drivers\WmXlCore.sys
21:57:01.0265 1600 WmXlCore - ok
21:57:01.0359 1600 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
21:57:01.0359 1600 WpdUsb - ok
21:57:01.0515 1600 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
21:57:01.0515 1600 WSTCODEC - ok
21:57:01.0625 1600 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
21:57:01.0625 1600 WudfPf - ok
21:57:01.0718 1600 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
21:57:01.0718 1600 WudfRd - ok
21:57:01.0812 1600 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
21:57:01.0968 1600 \Device\Harddisk0\DR0 - ok
21:57:01.0984 1600 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR2
21:57:01.0984 1600 \Device\Harddisk1\DR2 - ok
21:57:02.0031 1600 Boot (0x1200) (e4d559323af5abbc3018d66d468629d6) \Device\Harddisk0\DR0\Partition0
21:57:02.0031 1600 \Device\Harddisk0\DR0\Partition0 - ok
21:57:02.0046 1600 Boot (0x1200) (64c9bc92f93b573d3477b2e714a33554) \Device\Harddisk1\DR2\Partition0
21:57:02.0046 1600 \Device\Harddisk1\DR2\Partition0 - ok
21:57:02.0062 1600 ============================================================
21:57:02.0062 1600 Scan finished
21:57:02.0062 1600 ============================================================
21:57:02.0093 2624 Detected object count: 3
21:57:02.0093 2624 Actual detected object count: 3
21:57:31.0593 2624 Backup copy not found, trying to cure infected file..
21:57:31.0625 2624 C:\WINDOWS\system32\drivers\cdudf_xp.sys - Cure failed (FFFFFFFF)
21:57:31.0625 2624 C:\WINDOWS\system32\drivers\cdudf_xp.sys - processing error
21:57:31.0625 2624 cdudf_xp ( Rootkit.Win32.ZAccess.h ) - User select action: Cure
21:57:31.0625 2624 dtscsi ( LockedFile.Multi.Generic ) - skipped by user
21:57:31.0625 2624 dtscsi ( LockedFile.Multi.Generic ) - User select action: Skip
21:57:31.0625 2624 sptd ( LockedFile.Multi.Generic ) - skipped by user
21:57:31.0640 2624 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
21:57:42.0453 2984 Deinitialize success

Now following the NEXT STEP (copy/paste your script and drag it over top of ComboFix)

ComboFix Log to come

Lotharr

Edited by Lotharr, 05 October 2011 - 09:03 PM.


#6 Lotharr

Lotharr
  • Topic Starter

  • Members
  • 49 posts

Posted 06 October 2011 - 05:38 AM

Good morning,

last report from ComboFix.

ComboFix 11-10-05.02 - KarJof 2011-10-05 22:08:31.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.1279.784 [GMT -4:00]
Launched from: c:\documents and settings\KarJof\Desktop\ComboFix.exe
Switches used :: c:\documents and settings\KarJof\Desktop\CFScript.txt
.
.
(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\cdudf_xp.sys . . . is infected!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MDXGTHKN
-------\Service_mdxgthkn
.
.
((((((((((((((((((((((((((((( Files Created from 2011-09-06 to 2011-10-06 ))))))))))))))))))))))))))))))))))))
.
.
2011-09-28 20:26 . 2011-09-28 20:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2011-09-26 00:18 . 2011-09-26 10:19 -------- d-----w- c:\program files\PC Tools Security
2011-09-26 00:18 . 2011-09-26 10:19 -------- d-----w- c:\program files\Common Files\PC Tools
2011-09-26 00:14 . 2011-09-26 05:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-09-26 00:07 . 2011-09-26 00:07 -------- d-----w- C:\TDSSKiller_Quarantine
2011-09-25 23:58 . 2011-09-25 23:58 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-25 23:57 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-24 12:07 . 2011-09-24 12:07 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-24 04:54 . 2011-10-06 00:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-24 04:49 . 2011-09-24 04:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Common Files
2011-09-24 04:46 . 2011-09-24 12:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-09-23 17:15 . 2011-09-24 12:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
.
.
.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20 . 2011-07-12 15:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 15:20 . 2011-07-12 15:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
2008-03-14 22:17 . 2008-03-14 22:17 4377088 ----a-w- c:\program files\openofficeorg24.msi
2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\program files\instmsia.exe
2011-04-14 16:26 . 2011-05-17 03:37 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-06_00.39.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-06 10:22 . 2011-10-06 10:22 16384 c:\windows\Temp\Perflib_Perfdata_410.dat
.
((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 20:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2011-01-17 20:54 175912 ----a-w- c:\program files\Vuze_Remote\prxtbVuze.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuze.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\prxtbVuze.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-26 90112]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"UniPrint"="c:\progra~1\UniPrint\Client\SetDfltSettings.exe" [2004-02-20 90112]
"HydraVisionDesktopManager"="c:\program files\ATI Technologies\HydraVision\HydraDM.exe" [2002-06-07 262144]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2006-06-01 642560]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-09-25 366152]
R2 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [2010-04-03 214880]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2009-12-10 65536]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-09-25 22216]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2010-04-03 44896]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-10-06 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.canoe.qc.ca/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\KarJof\Application Data\Mozilla\Firefox\Profiles\n4fpo1sp.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com
FF - prefs.js: keyword.enabled - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-06 06:23
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HydraVisionDesktopManager = c:\program files\ATI Technologies\HydraVision\HydraDM.exe?g?i?e?s?\?H?y?d?r?a?V?i?s?i?o?n?\?H?y?d?r?a?D?M?.?e?x?e??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs loaded in running processes ---------------------
.
- - - - - - - > 'explorer.exe'(3328)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\ATI Technologies\HydraVision\HydraDMH.dll
c:\windows\system32\msi.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\ImapiRoxPS.dll
.
------------------------ Other running processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Logitech\MouseWare\system\em_exec.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\WgaTray.exe
.
**************************************************************************
.
Completion time: 2011-10-06 06:32:14 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-06 10:32
ComboFix2.txt 2011-10-06 00:47
.
Pre-Run: 59 158 548 480 bytes free
Post-Run: 59 169 697 792 bytes free
.
- - End Of File - - B2AA212B7B4BB1C74FF2B2A265142A7E


Not too sure, but from what I see, it seems way cleaner than it was when we started. Please let me know if there is anything left!

Lotharr

#7 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 06 October 2011 - 07:07 PM

Hi

((((((((( Other Deletions )))))))))))
.
c:\windows\system32\drivers\cdudf_xp.sys . . . is infected!!
.


ComboFix is saying that this file is still infected - it is not deleting this file because one of your installed programs depends on it.

It belongs to CD software that you have installed.

If you could locate the file > right click it and look at its properties to see what program it belongs to. If it is something that can be easily uninstalled then re-installed, then that's the way we should go, as I don't believe that you have a replacement on your machine or ComboFix would have found it, but we can have a look just to make sure.

please do the following:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    *cdudf*
    
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#8 Lotharr

Lotharr
  • Topic Starter

  • Members
  • 49 posts

Posted 06 October 2011 - 07:43 PM

Hi,

It's almost funny. From what I get, that would be a Russian version of Calc...

Company: Корпорация Майкрософт
File version: 5.1.2600.0 (xpclient.010817-1148)
Internal Name: CALC
Language: Russian
Original File Name: CALC.EXE
Product Name: Операционная система Microsoft® Windows®
Product Version: 5.1.2600.0

I think I could get rid of that!

Let me know what you think

Should I still run System Look?

Lotharr

p.s. I ran System Look

SystemLook 30.07.11 by jpshortstuff
Log created at 20:59 on 06/10/2011 by KarJof
Administrator - Elevation successful

========== filefind ==========

Searching for "*cdudf*"
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\Cdudflib.dll --a---- 204800 bytes [15:33 14/09/2001] [15:33 14/09/2001] DE17B822C3A89B0A3722E398D71D58C9
C:\WINDOWS\system32\drivers\cdudf_xp.sys --a---- 233344 bytes [15:54 14/09/2001] [15:54 14/09/2001] 9BB8140C37ECFC0453074DF20662FEBA

-= EOF =-

Edited by Lotharr, 06 October 2011 - 08:00 PM.
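The right-click > Properties check CatByte describes above, and the mismatch Lotharr then found (a .sys file whose version resource claims to be a Russian CALC.EXE from Microsoft), can be applied to every driver on the box at once rather than one file at a time. The script below is an added example written for this page; it is not a tool from the thread or from any of the products mentioned in it. It assumes PowerShell 2.0 or later (the last version that installs on XP) and that the drivers live in %SystemRoot%\system32\drivers; the function names are made up for the example.

```powershell
# Added example, not from the thread: flag kernel drivers whose embedded
# version resource does not match the file on disk, the anomaly seen on
# cdudf_xp.sys (a .sys whose properties said CALC.EXE, Russian, Microsoft).
# Assumes PowerShell 2.0+; the driver directory is a parameter.

param(
    [string]$DriverDir = (Join-Path $env:SystemRoot 'system32\drivers')
)

function Get-Md5Hex {
    param([string]$Path)
    # Get-FileHash needs PowerShell 4, so use .NET directly on older hosts.
    # MD5 is used only because that is what SystemLook/TDSSKiller print.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $md5.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

function Test-DriverVersionInfo {
    param([System.IO.FileInfo]$File)
    $vi = $File.VersionInfo          # FileVersionInfo read from the PE resource
    $reasons = @()
    $base = [System.IO.Path]::GetFileNameWithoutExtension($File.Name)

    # A driver's version resource should name a .sys; CALC.EXE inside a .sys is wrong.
    if ($vi.OriginalFilename -and
        [System.IO.Path]::GetExtension($vi.OriginalFilename) -ne '.sys') {
        $reasons += "OriginalFilename '$($vi.OriginalFilename)' is not a driver name"
    }
    # InternalName normally matches the file name with or without extension.
    if ($vi.InternalName -and
        $vi.InternalName -ne $base -and $vi.InternalName -ne $File.Name) {
        $reasons += "InternalName '$($vi.InternalName)' does not match '$($File.Name)'"
    }
    # Resource language differing from the OS language is a weaker hint
    # (the patched file reported Russian on an English install).
    if ($vi.Language -and $vi.Language -notmatch 'English') {
        $reasons += "resource language '$($vi.Language)'"
    }

    if ($reasons.Count -eq 0) { return $null }

    # Signature status is reported for context, not used as a trigger:
    # XP inbox drivers are catalog-signed and show NotSigned here.
    $sig = Get-AuthenticodeSignature -FilePath $File.FullName
    New-Object PSObject -Property @{
        Path      = $File.FullName
        Size      = $File.Length
        MD5       = Get-Md5Hex $File.FullName
        Company   = $vi.CompanyName
        Original  = $vi.OriginalFilename
        Signature = $sig.Status
        Reasons   = ($reasons -join '; ')
    }
}

Get-ChildItem -Path $DriverDir -Filter '*.sys' |
    ForEach-Object { Test-DriverVersionInfo $_ } |
    Where-Object { $_ } |
    Format-List Path, Size, MD5, Company, Original, Signature, Reasons
```

Run it from an elevated PowerShell prompt; every hit is printed with the same MD5 that SystemLook and TDSSKiller show, so the lines can be matched against those logs. Two caveats a practitioner should keep in mind. Third-party drivers often ship sloppy version resources, so a hit is a lead for the manual Properties check, not a verdict. More importantly, a kernel rootkit that is still running can hand a clean copy of a patched driver to anything reading the file from user mode, so a clean sweep taken on the live, infected machine proves little; when a rootkit is suspected, compare against a read taken offline, for example from a boot CD.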


#9 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 06 October 2011 - 07:53 PM

Well, it's definitely an infected patched file, but if it wasn't necessary ComboFix would have simply deleted it,

so yes, please run the SystemLook to see if we can find a replacement

Please do this as well > navigate to the file again > right click it and rename it with the extension .vir, which will render it inactive, then see what program won't work.


I believe it will be one of the following:


CDBurnerXP Pro 3
RealPlayer
SigmaTel MTPMSCN Audio Player
SoundMAX


see which one of those fails to operate properly once you rename the infected file

If you are able to uninstall the program and reinstall it, then we can delete the infected file



#10 Lotharr

Lotharr
  • Topic Starter

  • Members
  • 49 posts

Posted 06 October 2011 - 08:01 PM

I posted a P.S. (probably at the same time you were posting your reply)

And SystemLook indicates that Easy CD Creator 5 was the linked program. Am I right?

If so, I'm not using that app anymore. So I'll just trash it.

Lotharr

P.S. I uninstalled Easy CD Creator (as I'm not using it anymore, might as well get rid of it). And the file cdudf_xp.sys is now gone. Should I run ComboFix another time to make sure everything is fixed?

Edited by Lotharr, 06 October 2011 - 08:12 PM.


#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 06 October 2011 - 08:29 PM

yes please

Please allow it to update if it asks to do so



#12 Lotharr

Lotharr
  • Topic Starter

  • Members
  • 49 posts

Posted 06 October 2011 - 08:51 PM

Hi again,
Here we are!

Nothing says Infecté (infected)!!! Hope it is a good sign.

ComboFix 11-10-06.04 - KarJof 2011-10-06 21:36:13.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.1279.522 [GMT -4:00]
Launched from: c:\documents and settings\KarJof\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((( Files Created from 2011-09-07 to 2011-10-07 ))))))))))))))))))))))))))))))))))))
.
.
2011-10-06 21:33 . 2011-10-06 21:33 -------- d--h--w- c:\windows\PIF
2011-09-28 20:26 . 2011-09-28 20:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2011-09-26 00:18 . 2011-09-26 10:19 -------- d-----w- c:\program files\PC Tools Security
2011-09-26 00:18 . 2011-09-26 10:19 -------- d-----w- c:\program files\Common Files\PC Tools
2011-09-26 00:14 . 2011-09-26 05:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-09-26 00:07 . 2011-09-26 00:07 -------- d-----w- C:\TDSSKiller_Quarantine
2011-09-25 23:58 . 2011-09-25 23:58 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-25 23:57 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-24 12:07 . 2011-09-24 12:07 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-24 04:54 . 2011-10-06 00:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-24 04:49 . 2011-09-24 04:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Common Files
2011-09-24 04:46 . 2011-09-24 12:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-09-23 17:15 . 2011-09-24 12:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
.
.
.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20 . 2011-07-12 15:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 15:20 . 2011-07-12 15:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
2008-03-14 22:17 . 2008-03-14 22:17 4377088 ----a-w- c:\program files\openofficeorg24.msi
2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\program files\instmsia.exe
2011-04-14 16:26 . 2011-05-17 03:37 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-06_00.39.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-06 10:22 . 2011-10-06 10:22 16384 c:\windows\Temp\Perflib_Perfdata_410.dat
.
((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 20:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2011-01-17 20:54 175912 ----a-w- c:\program files\Vuze_Remote\prxtbVuze.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuze.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\prxtbVuze.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-26 90112]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"UniPrint"="c:\progra~1\UniPrint\Client\SetDfltSettings.exe" [2004-02-20 90112]
"HydraVisionDesktopManager"="c:\program files\ATI Technologies\HydraVision\HydraDM.exe" [2002-06-07 262144]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2006-06-01 642560]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-09-25 366152]
R2 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [2010-04-03 214880]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2009-12-10 65536]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-09-25 22216]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2010-04-03 44896]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-10-06 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.canoe.qc.ca/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\KarJof\Application Data\Mozilla\Firefox\Profiles\n4fpo1sp.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com
FF - prefs.js: keyword.enabled - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-06 21:46
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HydraVisionDesktopManager = c:\program files\ATI Technologies\HydraVision\HydraDM.exe?g?i?e?s?\?H?y?d?r?a?V?i?s?i?o?n?\?H?y?d?r?a?D?M?.?e?x?e??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs loaded in running processes ---------------------
.
- - - - - - - > 'explorer.exe'(1904)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\ATI Technologies\HydraVision\HydraDMH.dll
c:\windows\system32\msi.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-10-06 21:49:58
ComboFix-quarantined-files.txt 2011-10-07 01:49
ComboFix2.txt 2011-10-06 10:32
ComboFix3.txt 2011-10-06 00:47
.
Pre-Run: 59 107 352 576 bytes free
Post-Run: 59 101 138 944 bytes free
.
- - End Of File - - 3F84AACE53B53B9C1F694A4B98AA3047


Lotharr

#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 06 October 2011 - 09:02 PM

Hi

Yes, that's great,

just a couple more scans to make sure there are no leftovers, please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#14 Lotharr

Lotharr
  • Topic Starter

  • Members
  • 49 posts

Posted 06 October 2011 - 09:34 PM

Gah! My copy of Malwarebytes wasn't working, so I downloaded the latest version and installed it (everything went perfectly well), but when I launched it, I got a pop-up from Windows Security Alert... And Malwarebytes dies and won't work anymore.

If I make a search in Google, I get redirected... seems like everything is back as it was a few days ago! Argh!

P.S. Oh, and the process 123892590:2441911800.exe is back... Can it be the Malwarebytes website that is spreading the disease???

Edited by Lotharr, 06 October 2011 - 09:38 PM.


#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 06 October 2011 - 10:07 PM

what site did you download it from?

It could be possible that the download link has been hacked I suppose?

Please run ComboFix again, followed by TDSSKiller

you should still have both programs, if not I'll give the links here:

ComboFix



Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)





