Rootkit has disabled network, system restore and security software


  • This topic is locked
64 replies to this topic

#1 ncbeachcomber

  • Members
  • 37 posts

Posted 16 October 2011 - 07:12 AM

My PC has been knocked off my network and its Internet connection, by what appears to be a rootkit infection. All network connection functions are disabled. The infection has also disabled everything I've tried to solve it: system restore, Windows Defender and McAfee Internet Security, even Windows Explorer "search" function. I've been able to use a flash drive to copy software, logs, threat definitions, etc., back and forth from another machine on my network, which is where I'm posting this from. Obviously I need help in curing this, which has put my businesses at a near stand-still when I can least afford it.


These are my system specs:
Windows XP version 5.1 (Build 2600.xpsp_sp3_gdr.101209-1647 : Service Pack 3)
3 gB RAM


These are the symptoms:

The system was running very slowly. I suspected memory leaks from having a lot of high-powered software open for a long time, so did a cold boot. On restart, network and internet connection (through network) didn't work. The more I tried to fix this, the more features I found that seemed to have been systematically crippled:

These programs and services were disabled: They won't open, or open as blank windows, or don't respond:

* System Restore (blank window)
* Windows Explorer search function (disabled)
* Network (network drives not found; network directory under "My Network Places/Entire Network" comes up blank)
* Network Setup Wizard (goes through complete sequence, but no network connection created)
* Windows Defender (wouldn't start. I re-installed from an old ZIP file and now it works; transferred updated threat descriptions via flash drive and ran a scan, which found nothing.)
* McAfee Internet Security (hidden. Icon shows up in system tray, but doesn't respond. Trying to open manually results in blank window.)


Attempted diagnostics and/or repairs:
Checked network card status: Device Manager reported hardware working normally.
Ran CHKDSK /R on hard drive; some minor problems reported repaired.
Ran defrag on hard drive; no problems reported
Reinstalled Windows Defender, ran scan with latest definitions, nothing found
Ran Spybot Search & Destroy with latest definitions, found a few tracking cookies but nothing malicious
Ran McAfee Stinger virus scan (version 10.2.0.310) which found nothing
Ran McAfee kremove (specialized Klez scan program) which found nothing
Ran McAfee bremove (specialized Bugbear scan program) which found nothing
Ran HijackThis scan. (log available)
Ran deFogger to disable CD emulator drivers
Ran DDS (log follows)
Ran GMER, which found evidence of changes caused by rootkit. (log attached.)



.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by HP_Administrator at 13:55:05 on 2011-10-15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3006.2305 [GMT -4:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\SiteAdvisor\6145\SAService.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\EFI\PrintMessenger\dsfhost.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Windows Defender\MSASCui.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.capefearwedding.com/index.asp
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [AdobeBridge]
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [\\KATE-PC\EPSON WorkForce 1100 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatifea.exe /fu "c:\docume~1\hp_adm~1\locals~1\temp\E_S3D98.tmp" /EF "HKCU"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [nwiz] nwiz.exe /install
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0379.0\mswinext.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [DSFHost] c:\program files\efi\printmessenger\dsfhost.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\backup~1.lnk - c:\program files\ascomp software\backup maker\bkmaker.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://virtualeshoppingsupport.webex.com/client/T27L/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
TCP: Interfaces\{C3659D6E-1B7C-497E-8738-6640256FCBF6} : DhcpNameServer = 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Filter: text/html - {6afb9d0d-163f-4193-8259-993cd6ece16c} -
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6145\SiteAdv.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-3-3 54776]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-12-18 189736]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-1-26 94880]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-3-3 214904]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-2-5 229688]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 0012881317100541mcinstcleanup;McAfee Application Installer Cleanup (0012881317100541);c:\windows\temp\001288~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\001288~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 McMPFSvc;McAfee Personal Firewall;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-3-3 214904]
S2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-3-3 214904]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-26 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-26 40552]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
.
=============== Created Last 30 ================
.
2011-10-14 11:03:54 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{fae66c36-ba3d-4a96-bdc8-ff7d95939434}\offreg.dll
2011-10-13 14:07:08 -------- d-----w- c:\program files\Trend Micro
2011-10-13 13:31:25 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{fae66c36-ba3d-4a96-bdc8-ff7d95939434}\mpengine.dll
2011-10-13 13:31:25 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-10-13 12:24:24 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-09-29 11:33:39 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-09-29 11:33:39 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-20 16:05:43 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 13:56:24.00 ===============



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-16 07:24:59
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 ST3200827AS rev.3.AHH
Running: tjei1t6l.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ffldapow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB94B0360, 0x20574D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ASCOMP Software\BackUp Maker\bkmaker.exe[3908] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 00465AA1 C:\Program Files\ASCOMP Software\BackUp Maker\bkmaker.exe (Backup Software/ASCOMP Software GmbH)
.text C:\Program Files\ASCOMP Software\BackUp Maker\bkmaker.exe[3908] USER32.dll!SetScrollInfo 7E419056 8 Bytes JMP 028F0000
.text C:\Program Files\ASCOMP Software\BackUp Maker\bkmaker.exe[3908] USER32.dll!SetScrollPos 7E42F750 8 Bytes JMP 028F01CA
.text C:\Program Files\ASCOMP Software\BackUp Maker\bkmaker.exe[3908] USER32.dll!SetScrollRange 7E42F99B 8 Bytes JMP 028F00D9

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UAConvbyaqtaftrhdj.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAConvbyaqtaftrhdj.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacsr
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uaclog
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmask
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacserf
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacbbr
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACproc
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacurls
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacerrors
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAConvbyaqtaftrhdj.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uaclog
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmask
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACproc
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacurls
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacerrors
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAConvbyaqtaftrhdj.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uaclog
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACproc
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacurls
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacerrors
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAConvbyaqtaftrhdj.sys
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@UACd
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@UACc
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacsr
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uaclog
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacmask
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacserf
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacbbr
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@UACproc
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacurls
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacerrors
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\3\2\0\0\5\6\6
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\3\2\0\0\5\6\6@NodeSlot 1793
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\3\2\0\0\5\6\6@MRUListEx 0xFF 0xFF 0xFF 0xFF

---- EOF - GMER 1.0.15 ----
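
Added example (not code from this thread, from the DDS author or from GMER's author): a small Python triage script that reads the DDS header and the GMER "Services" and "Registry" sections in the line format shown in the logs above and reports three things a helper checks first: security products DDS marks as disabled, services GMER marks as hidden, and how those services are registered across control sets. The regular expressions, function names and the constructed sample log are the example's own assumptions; the sample's values are copied from the logs in this post.

```python
"""Triage parser for DDS / GMER text logs (added example; the regexes assume the
line formats visible in the logs above)."""
import re
from collections import defaultdict

# Constructed sample: lines in the shape of the DDS header and GMER sections above,
# with values copied from the logs in this post.
SAMPLE_LOG = r"""
DDS (Ver_2011-08-26.01) - NTFSx86
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled*

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UAConvbyaqtaftrhdj.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAConvbyaqtaftrhdj.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAConvbyaqtaftrhdj.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\3\2@NodeSlot 1793
"""

# DDS header line: "AV: <product> *<state>* {GUID}"  (also AS: / FW:)
PRODUCT_RE = re.compile(r"^(?P<kind>AV|AS|FW):\s+(?P<name>.+?)\s+\*(?P<state>[^*]+)\*")
# GMER hidden service line: "Service <path> (*** hidden *** ) [<account>] <name> ..."
HIDDEN_RE = re.compile(
    r"^Service\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<account>[^\]]+)\]\s+(?P<name>\S+)")
# GMER registry line for a value directly under a service key in any control set.
SERVICE_VALUE_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>ControlSet\d+|CurrentControlSet)\\Services\\"
    r"(?P<svc>[^\\@]+)@(?P<value>\w+)\s+(?P<data>.*)$")


def disabled_products(text):
    """(kind, product) pairs whose DDS state starts with 'Disabled'."""
    out = []
    for line in text.splitlines():
        m = PRODUCT_RE.match(line)
        if m and m["state"].split("/")[0].strip().lower() == "disabled":
            out.append((m["kind"], m["name"]))
    return out


def hidden_services(text):
    """Dicts with path/account/name for every service GMER marks as hidden."""
    return [m.groupdict() for m in map(HIDDEN_RE.match, text.splitlines()) if m]


def service_registry(text):
    """{service: {value: {controlset: data}}} from the GMER registry section."""
    reg = defaultdict(lambda: defaultdict(dict))
    for line in text.splitlines():
        m = SERVICE_VALUE_RE.match(line)
        if m:
            reg[m["svc"]][m["value"].lower()][m["cs"]] = m["data"].strip()
    return reg


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(text):
    """Human-readable findings, most actionable first."""
    findings = [f"{kind} product disabled: {name}" for kind, name in disabled_products(text)]
    reg = service_registry(text)
    for svc in hidden_services(text):
        name = svc["name"]
        entry = f"hidden service {name} backed by {svc['path']}"
        values = reg.get(name, {})
        paths = values.get("imagepath", {})
        # Persistence: the same driver file registered in every control set GMER listed.
        if paths and all(basename(p) == basename(svc["path"]) for p in paths.values()):
            entry += f"; registered in {len(paths)} control set(s)"
        # Heuristic: the service key name differs from the driver file it loads.
        if basename(svc["path"]) != name.lower():
            entry += "; service name does not match driver file name"
        # Start 0 (boot) or 1 (system) means the driver loads before any user logs on.
        if any(v in {"0", "1"} for v in values.get("start", {}).values()):
            entry += "; boot/system start (loads before user logon)"
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Run against the sample, the script reports the two disabled McAfee components and a single hidden service, with its driver file, its registration in both control sets present in the sample and a system start type. Only lines that match the patterns above are considered, so the HKCU BagMRU entries GMER also lists are ignored as noise; on a real log, feed it the full file and review anything reported before deciding on a removal tool.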


#2 HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,730 posts

Posted 23 October 2011 - 11:50 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/423731 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 jedi

  • Members
  • 274 posts

Posted 24 October 2011 - 03:13 PM

Hi,

I'm assuming you still need help with this issue.

Download this file - ComboFix - and transfer it to the Desktop on the infected machine via flash drive.
Right-click on the ComboFix icon and rename it to otherfile.exe.
Double click on the icon & follow the prompts.
When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

jedi

Edited by jedi, 25 October 2011 - 03:50 AM.


#4 ncbeachcomber

  • Topic Starter
  • Members
  • 37 posts

Posted 24 October 2011 - 08:55 PM

As requested by the HelpBot, I'm posting new scan logs from DDS and GMER.

As far as I can tell, the machine's symptoms are the same as they were a week ago: can't connect to network, and a whole range of security software and related system utilities are disabled. In other words, the description in my original post is still accurate.

I don't have Windows install disks; it's one of those HP machines that came with a recovery partition on the hard drive, so the only way to reinstall the operating system is to wipe everything clean and start over. Though I do have pretty thorough backups, I sure would rather not have to reinstall a lot of software, much of which is now in "legacy" mode and can't be installed without buying newer releases.

Here are the new logs, based on scans done today. (I also have the "attach" file, zipped and ready to go, from the DDS scan, but can't see any way to attach it at this stage. Will be glad to supply it in any way that may be helpful.)

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by HP_Administrator at 21:36:47 on 2011-10-24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3006.2213 [GMT -4:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\SiteAdvisor\6145\SAService.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\EFI\PrintMessenger\dsfhost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
c:\windows\system\hpsysdrv.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\HP_Administrator\Desktop\tjei1t6l.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.capefearwedding.com/index.asp
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [AdobeBridge]
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [\\KATE-PC\EPSON WorkForce 1100 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatifea.exe /fu "c:\docume~1\hp_adm~1\locals~1\temp\E_S3D98.tmp" /EF "HKCU"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [nwiz] nwiz.exe /install
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0379.0\mswinext.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [DSFHost] c:\program files\efi\printmessenger\dsfhost.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\backup~1.lnk - c:\program files\ascomp software\backup maker\bkmaker.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://virtualeshoppingsupport.webex.com/client/T27L/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
TCP: Interfaces\{C3659D6E-1B7C-497E-8738-6640256FCBF6} : DhcpNameServer = 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Filter: text/html - {6afb9d0d-163f-4193-8259-993cd6ece16c} -
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6145\SiteAdv.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-3-3 54776]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-12-18 189736]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-1-26 94880]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-3-3 214904]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 0012881317100541mcinstcleanup;McAfee Application Installer Cleanup (0012881317100541);c:\windows\temp\001288~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\001288~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 McMPFSvc;McAfee Personal Firewall;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-3-3 214904]
S2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-3-3 214904]
S2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-2-5 229688]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-26 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-26 40552]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
.
=============== Created Last 30 ================
.
2011-10-18 01:04:52 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{fae66c36-ba3d-4a96-bdc8-ff7d95939434}\offreg.dll
2011-10-17 22:48:37 -------- d-----w- c:\documents and settings\hp_administrator\application data\SUPERAntiSpyware.com
2011-10-17 22:47:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-10-17 22:47:36 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-10-17 20:15:58 -------- d-----w- c:\documents and settings\hp_administrator\application data\Malwarebytes
2011-10-17 20:11:47 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-10-17 20:11:40 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-17 20:11:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-13 14:07:08 -------- d-----w- c:\program files\Trend Micro
2011-10-13 13:31:25 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{fae66c36-ba3d-4a96-bdc8-ff7d95939434}\mpengine.dll
2011-10-13 13:31:25 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-10-13 12:24:24 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-09-29 11:33:39 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-09-29 11:33:39 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-20 16:05:43 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 21:39:41.17 ===============


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-24 21:33:29
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 ST3200827AS rev.3.AHH
Running: tjei1t6l.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ffldapow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB2FF1640]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB94B0360, 0x20574D, 0xE8000020]
? C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAConvbyaqtaftrhdj.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uaclog
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmask
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACproc
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacurls
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacerrors

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\HP_Administrator\Application Data\Template\Normal.wpt 0 bytes

---- EOF - GMER 1.0.15 ----
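
The DDS "Pseudo HJT Report" in the post above is what a helper reads line by line: registered components whose file is gone ("No File"), a MIME filter or handler with no DLL path, hosts-file overrides, extra SecurityProviders DLLs. As an added example, not code from the thread or from DDS itself, this Python script parses that report format and applies a few such triage rules. The sample input is a handful of lines copied from the log above (a normal BHO and Run entry alongside the odd ones), the list of four stock XP SecurityProviders DLLs is this example's assumption, and the findings are prompts for a human to check, not a verdict: an orphaned CLSID or an empty Run value is most often an uninstall leftover.

```python
"""Parse DDS "Pseudo HJT Report" lines and flag entries worth a second look.

Added example for the DDS log in this thread; it is not code from the thread
or from DDS itself. The sample input is a handful of lines copied from that
log, and the triage rules are illustrative prompts, not verdicts.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines taken from the DDS report posted above.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.capefearwedding.com/index.asp
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun: [PCDrProfiler]
mRun: [KBD] c:\hp\kbd\KBD.EXE
Filter: text/html - {6afb9d0d-163f-4193-8259-993cd6ece16c} -
Hosts: 127.0.0.1 www.spywareinfo.com
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll
TCP: DhcpNameServer = 192.168.1.1
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(?P<kind>[umd]Run): \[(?P<name>[^\]]*)\]\s*(?P<target>.*)$")
KV_RE = re.compile(r"^(?P<kind>[^=:]+?) = (?P<target>.*)$")          # uStart Page = ...
GEN_RE = re.compile(r"^(?P<kind>[A-Za-z][\w-]*): (?P<rest>.*)$")     # BHO: ..., Hosts: ...

# Entry kinds where a CLSID should always map to a DLL on disk.
CLSID_KINDS = {"BHO", "TB", "Filter", "Handler", "SEH", "Notify"}
# Assumption: the stock Windows XP SecurityProviders list is these four DLLs.
XP_DEFAULT_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}


@dataclass
class Entry:
    kind: str
    name: str
    clsid: Optional[str]
    target: str
    raw: str
    findings: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Turn one report line into an Entry; returns None for separators/headers."""
    line = line.rstrip()
    if not line or line.startswith((".", "=")):
        return None
    if m := RUN_RE.match(line):
        return Entry(m["kind"], m["name"], None, m["target"].strip(), line)
    if m := KV_RE.match(line):
        return Entry(m["kind"], "", None, m["target"].strip(), line)
    if m := GEN_RE.match(line):
        kind, rest = m["kind"], m["rest"]
        c = CLSID_RE.search(rest)
        if not c:
            return Entry(kind, "", None, rest.strip(), line)
        name = rest[:c.start()].strip().rstrip(" -:")   # "Name: {clsid}" or "mime - {clsid}"
        target = rest[c.end():].strip()
        if target.startswith("-"):                       # "{clsid} - path" or "{clsid} -" (no path)
            target = target[1:].strip()
        return Entry(kind, name, c.group(0), target, line)
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach review prompts to entries and return the ones that got any."""
    flagged: List[Entry] = []
    for e in entries:
        if e.target == "No File":
            e.findings.append("CLSID is registered but its file is missing (orphaned component)")
        elif e.kind in CLSID_KINDS and e.target == "":
            e.findings.append("CLSID registered with no file path; inspect its InprocServer32 key")
        elif e.kind.endswith("Run") and e.target == "":
            e.findings.append("autostart value with no command; confirm it is an uninstall leftover")
        elif e.kind == "Hosts":
            e.findings.append("hosts-file override; confirm it is intentional (e.g. an immunization) "
                              "rather than malware blocking a security site")
        elif e.kind == "SecurityProviders":
            extra = [d.strip() for d in e.target.split(",")
                     if d.strip().lower() not in XP_DEFAULT_PROVIDERS]
            if extra:
                e.findings.append("non-default SecurityProviders DLL(s): "
                                  + ", ".join(extra) + "; verify the publisher")
        if e.findings:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(parse_log(SAMPLE_LOG)):
        print(f"[{e.kind}] {e.raw}")
        for f in e.findings:
            print(f"    -> {f}")
```

Run it as-is to print the flagged lines; to use it on a real DDS.txt, pass the file's contents to parse_log(). The rules deliberately ignore what they cannot judge offline (whether a listed DLL is signed, whether a hxxp:// start page is legitimate); that is the part the helper still does by hand.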

#5 jedi

  • Members
  • 274 posts
  • Gender:Male
  • Location:UK

Posted 25 October 2011 - 03:54 AM

Hi,

Please follow the instructions in my previous post to run Combofix on the infected machine. In addition, please also run the following tool:

Please download MBRCheck and transfer to the desktop of the infected machine.
  • Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
  • It will open a black window, please do not fix anything (if it gives you an option).
  • Exit that window and it will produce a log (MBRCheck_date_time).
  • Please post that log when you reply.

Please post C:\ComboFix.txt and the MBRCheck log here.

jedi

Edited by jedi, 25 October 2011 - 03:55 AM.


#6 ncbeachcomber

  • Topic Starter
  • Members
  • 37 posts

Posted 25 October 2011 - 09:57 AM

ComboFix is insisting that it won't run for me unless I have "administrator" privileges. (I did rename the executable file.) I chose the "Run As" option and selected "Administrator," but ComboFix doesn't like that because that user has a blank password. I hesitate to create an admin password after so many years of operating without one ... don't want to get locked out of my own machine ... but gotta get this thing to run. Any other ideas?

(Meanwhile, MBR Check is running and I'll post that log as soon as it's done.)

#7 ncbeachcomber

  • Topic Starter
  • Members
  • 37 posts

Posted 25 October 2011 - 10:42 AM

I tried to edit my Windows "user" settings to give the "Administrator" user a password, as ComboFix seems to require. But that turned out to be yet another function this infection has disabled! Going to the user management panel in the Windows Control Panel brought up an empty box.

I did get the MBR scan to run, and here's that log:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x00003ffd

Kernel Drivers (total 130):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA5AC000 viaide.sys
0xBA5AE000 intelide.sys
0xBA0D8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5B0000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xB9E4E000 iaStor.sys
0xB9E36000 atapi.sys
0xBA0F8000 disk.sys
0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9E16000 fltmgr.sys
0xB9E04000 sr.sys
0xBA118000 PxHelp20.sys
0xB9DED000 KSecDD.sys
0xB9D60000 Ntfs.sys
0xB9D33000 NDIS.sys
0xB9D19000 Mup.sys
0xBA148000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xBA288000 \SystemRoot\system32\DRIVERS\AmdK8.sys
0xBA448000 \SystemRoot\system32\DRIVERS\aracpi.sys
0xB94B0000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB949C000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA450000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xB9478000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA458000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA298000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB9455000 \SystemRoot\system32\DRIVERS\ks.sys
0xB933C000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xBA5FA000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA460000 \SystemRoot\System32\Drivers\Modem.SYS
0xB9314000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB9CE1000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
0xB92C9000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
0xB9292000 \SystemRoot\system32\DRIVERS\NVSNPU.SYS
0xBA468000 \SystemRoot\system32\DRIVERS\fdc.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA470000 \SystemRoot\system32\DRIVERS\PS2.sys
0xBA478000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA5FC000 \SystemRoot\system32\DRIVERS\arkbcfltr.sys
0xB9CD9000 \SystemRoot\system32\DRIVERS\arpolicy.sys
0xBA6CB000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA2E8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB9CD5000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB9253000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA2F8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA308000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA480000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xBA488000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA490000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB9223000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB98A0000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA498000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA5FE000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB91C5000 \SystemRoot\system32\DRIVERS\update.sys
0xBA544000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB9890000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB611E000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB623C000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xB60DE000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
0xB4FFB000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xB4F41000 \SystemRoot\system32\drivers\portcls.sys
0xB5D81000 \SystemRoot\system32\drivers\drmk.sys
0xB312C000 \SystemRoot\system32\DRIVERS\MOBK.sys
0xB3EAE000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xBA238000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA3B8000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA3C0000 \SystemRoot\system32\DRIVERS\arhidfltr.sys
0xBA3D0000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xBA600000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA79C000 \SystemRoot\System32\Drivers\Null.SYS
0xBA602000 \SystemRoot\System32\Drivers\Beep.SYS
0xB61FC000 \SystemRoot\System32\drivers\vga.sys
0xBA604000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA606000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB5E8F000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB5E87000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB39F7000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB30F9000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB3404000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB30A0000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB3079000 \SystemRoot\System32\Drivers\Mpfp.sys
0xB33F4000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
0xB3053000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB33E4000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xB39E3000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBA608000 \SystemRoot\system32\DRIVERS\armoucfltr.sys
0xB302B000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB3009000 \SystemRoot\System32\drivers\afd.sys
0xB33D4000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB2FE7000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xB5E4F000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xB2FBC000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB2F4C000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB33A4000 \SystemRoot\System32\Drivers\Fips.SYS
0xB2F28000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xB2F10000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA640000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB5BAD000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA3F0000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA7C2000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBF3D8000 \SystemRoot\System32\ATMFD.DLL
0xB1CFC000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB140B000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB1382000 \SystemRoot\System32\Drivers\adfs.SYS
0xB1319000 \SystemRoot\System32\Drivers\HTTP.sys
0xBA5F6000 \SystemRoot\System32\Drivers\MASPINT.SYS
0xB1221000 \SystemRoot\system32\DRIVERS\srv.sys
0xB1139000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBA378000 \??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\mbr.sys
0xAC390000 \??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ffldapow.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 53):
0 System Idle Process
4 System
400 C:\WINDOWS\system32\smss.exe
476 csrss.exe
504 C:\WINDOWS\system32\winlogon.exe
548 C:\WINDOWS\system32\services.exe
560 C:\WINDOWS\system32\lsass.exe
720 C:\WINDOWS\system32\svchost.exe
860 svchost.exe
904 C:\Program Files\Windows Defender\MsMpEng.exe
1012 C:\WINDOWS\system32\svchost.exe
1064 svchost.exe
1104 svchost.exe
1192 C:\WINDOWS\system32\spoolsv.exe
1256 svchost.exe
1304 C:\Program Files\SUPERAntiSpyware\SASCore.exe
1428 C:\Program Files\Bonjour\mDNSResponder.exe
1464 C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
1748 C:\Program Files\Java\jre6\bin\jqs.exe
1768 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
1788 C:\PROGRA~1\McAfee\SITEAD~1\McSACore.exe
1824 C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
1876 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
1916 C:\Program Files\McAfee\MPF\MpfSrv.exe
1932 C:\WINDOWS\system32\nvsvc32.exe
1956 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
420 C:\Program Files\SiteAdvisor\6145\SAService.exe
680 svchost.exe
812 C:\WINDOWS\system32\svchost.exe
848 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
1440 mcrdsvc.exe
2476 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
2580 C:\WINDOWS\ehome\ehtray.exe
2596 C:\WINDOWS\RTHDCPL.EXE
2604 C:\WINDOWS\arpwrmsg.exe
2644 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
2704 C:\hp\KBD\kbd.exe
2772 C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
2780 C:\Program Files\McAfee.com\Agent\mcagent.exe
2936 C:\Program Files\EFI\PrintMessenger\dsfhost.exe
3140 C:\WINDOWS\system32\wscntfy.exe
3160 C:\WINDOWS\system32\rundll32.exe
3540 alg.exe
3792 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
3904 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
3956 C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
3964 C:\Program Files\Microsoft Office\Office\OSA.EXE
3676 C:\WINDOWS\system\hpsysdrv.exe
2416 C:\WINDOWS\explorer.exe
3612 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
3480 C:\WINDOWS\system32\notepad.exe
3440 wmiprvse.exe
2992 C:\Documents and Settings\HP_Administrator\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000002c`60c3a000 (FAT32)
\\.\K: --> \\.\PhysicalDrive6 at offset 0x00000000`00007e00 (NTFS)
\\.\M: --> \\.\PhysicalDrive5 at offset 0x00000000`00100000 (NTFS)

PhysicalDrive0 Model Number: ST3200827AS, Rev: 3.AHH
PhysicalDrive6 Model Number: SeagateFreeAgent Go, Rev: 0148
PhysicalDrive5 Model Number: HPExternal HDD, Rev: 2002

Size Device Name MBR Status
--------------------------------------------
186 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 3FA1BAC1D7FD18071BE2B53E6001CD7DFE278CEB
465 GB \\.\PhysicalDrive6 RE: Unknown MBR code
SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F
1862 GB \\.\PhysicalDrive5 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
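
MBRCheck's report above maps each drive letter to a byte offset on a physical drive and labels each drive's MBR by the SHA1 of its boot code ("Windows XP MBR code detected" when the hash is known, "Unknown MBR code" otherwise). As an added example, not code from the thread or from MBRCheck, the Python script below does the same over a 512-byte sector: it checks the 0x55AA boot signature, hashes the boot-code area and walks the partition table, deriving each partition's byte offset from its starting LBA (sector 63 times 512 bytes is the 0x7e00 that C: shows). The MBR bytes are constructed in memory, with LBAs chosen to reproduce the C: and D: offsets from the log; which byte range MBRCheck hashes is not stated in the thread, so hashing bytes 0-439 and listing the log's XP hash under that assumption are this example's own choices.

```python
"""Parse a 512-byte master boot record and fingerprint its boot code.

Added example for the MBRCheck output in this thread; it is not code from
the thread, from MBRCheck or from any other tool mentioned there. The MBR
bytes below are constructed in memory so the script runs offline.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439: bootstrap code (assumed hash region)
PART_TABLE_OFF = 446     # four 16-byte partition entries start here
BOOT_SIG_OFF = 510       # 2-byte 0x55AA boot signature

# Value copied from the MBRCheck log in the thread; that it covers the same
# 440 bytes hashed here is an assumption, since the tool's exact region is
# not stated on the page.
KNOWN_BOOT_CODE: Dict[str, str] = {
    "DA38B874B7713D1B51CBC449F4EF809B0DEC644A": "Windows XP MBR code",
}


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int      # 0x07 = NTFS/HPFS, 0x0B = FAT32, ...
    lba_start: int
    sectors: int

    @property
    def byte_offset(self) -> int:
        """Where the partition starts on the physical drive, in bytes."""
        return self.lba_start * SECTOR


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four classic partition-table slots; empty slots are skipped."""
    parts: List[Partition] = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (3 bytes, ignored), type, CHS end (3, ignored), LBA, count
        status, type_id, lba, count = struct.unpack("<B3xB3xII", entry)
        if type_id == 0:
            continue
        parts.append(Partition(i, status == 0x80, type_id, lba, count))
    return parts


def boot_code_sha1(mbr: bytes) -> str:
    """SHA1 of the boot-code area, upper-case hex like MBRCheck prints it."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def check_mbr(mbr: bytes, known: Dict[str, str]) -> dict:
    """Validate the sector and label its boot code against a known-hash table."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    digest = boot_code_sha1(mbr)
    return {
        "boot_signature_ok": mbr[BOOT_SIG_OFF:] == b"\x55\xAA",
        "sha1": digest,
        "identity": known.get(digest, "Unknown MBR code"),
        "partitions": parse_partitions(mbr),
    }


def build_sample_mbr() -> bytes:
    """Constructed sample (not a real disk image). The partition LBAs are
    chosen so the byte offsets equal the C: and D: values in the thread's
    MBRCheck log (0x7e00 and 0x2c60c3a000)."""
    boot_code = bytes([0xEB, 0xFE]) + b"\x90" * (BOOT_CODE_LEN - 2)  # jmp $; nop...
    disk_signature = b"\x12\x34\x56\x78"                             # constructed
    reserved = b"\x00\x00"

    def entry(status: int, type_id: int, lba: int, count: int) -> bytes:
        return struct.pack("<B3sB3sII", status, b"\x00" * 3, type_id, b"\x00" * 3, lba, count)

    table = (entry(0x80, 0x07, 63, 372_269_457)            # C: NTFS, LBA 63 -> 0x7e00
             + entry(0x00, 0x0B, 372_269_520, 18_000_000)  # D: FAT32 recovery partition
             + b"\x00" * 32)                               # two empty slots
    mbr = boot_code + disk_signature + reserved + table + b"\x55\xAA"
    assert len(mbr) == SECTOR
    return mbr


if __name__ == "__main__":
    report = check_mbr(build_sample_mbr(), KNOWN_BOOT_CODE)
    print(f"boot signature ok: {report['boot_signature_ok']}")
    print(f"SHA1: {report['sha1']}  ->  {report['identity']}")
    for p in report["partitions"]:
        flag = "*" if p.bootable else " "
        print(f"{flag} slot {p.index}: type 0x{p.type_id:02X} at offset 0x{p.byte_offset:x}")
```

Reading the live sector on Windows means opening \\.\PhysicalDrive0 with administrator rights and reading 512 bytes, which is exactly the privilege the post above was stuck on. Two caveats when doing that on a suspect machine: an "unknown" hash is not by itself proof of infection (OEM recovery loaders and boot managers can also produce unknown code, which is why the helper asked which drive holds the recovery partition), and a rootkit that filters disk I/O can hand a clean sector back to a user-mode reader, so a hash taken after booting from clean media is the one to trust.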

#8 jedi

  • Members
  • 274 posts
  • Gender:Male
  • Location:UK

Posted 25 October 2011 - 05:06 PM

Hi again,

I notice from an earlier log that you have Spybot's TeaTimer running. Please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
You can reenable TeaTimer once your system is clean.

ComboFix doesn't like that because that user has a blank password. I hesitate to create an admin password after so many years of operating without one ...

Can you click through leaving the password blank?
If not don't worry about Combofix for now. We'll return to it later.
I need some clarification on this:

186 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 3FA1BAC1D7FD18071BE2B53E6001CD7DFE278CEB
465 GB \\.\PhysicalDrive6 RE: Unknown MBR code
SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F
1862 GB \\.\PhysicalDrive5 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

I'm assuming one of these is the recovery partition? What is the other one?

Can you try this:

Please read carefully and follow these steps.
  • Download TDSSKiller, extract its contents and transfer it to the infected machine's Desktop.
  • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

jedi

Edited by jedi, 25 October 2011 - 05:12 PM.


#9 ncbeachcomber

  • Topic Starter
  • Members
  • 37 posts

Posted 25 October 2011 - 06:43 PM

I disabled Spybot S&D Teatimer and rebooted.

Tried again to get somewhere with ComboFix, but couldn't get past the admin/blank password barrier.

About my hard drives:

186 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 3FA1BAC1D7FD18071BE2B53E6001CD7DFE278CEB
This internally installed physical drive includes C:\ and the recovery partition D:\

465 GB \\.\PhysicalDrive6 RE: Unknown MBR code
SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F
External hard drive used for data storage, mapped as K:\

1862 GB \\.\PhysicalDrive5 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
External hard drive used for backup, mapped as M:\ (it backs up both C:\ and K:\)


I ran TDSS, which didn't find anything. Here's that log:

19:22:40.0968 2276 TDSS rootkit removing tool 2.6.13.0 Oct 25 2011 13:56:21
19:22:40.0968 2276 ============================================================
19:22:40.0984 2276 Current date / time: 2011/10/25 19:22:40.0968
19:22:40.0984 2276 SystemInfo:
19:22:40.0984 2276
19:22:40.0984 2276 OS Version: 5.1.2600 ServicePack: 3.0
19:22:40.0984 2276 Product type: Workstation
19:22:40.0984 2276 ComputerName: EDITOR
19:22:40.0984 2276 UserName: HP_Administrator
19:22:40.0984 2276 Windows directory: C:\WINDOWS
19:22:40.0984 2276 System windows directory: C:\WINDOWS
19:22:40.0984 2276 Processor architecture: Intel x86
19:22:40.0984 2276 Number of processors: 1
19:22:40.0984 2276 Page size: 0x1000
19:22:40.0984 2276 Boot type: Normal boot
19:22:40.0984 2276 ============================================================
19:22:43.0171 2276 Initialize success
19:22:48.0781 2344 ============================================================
19:22:48.0781 2344 Scan started
19:22:48.0781 2344 Mode: Manual;
19:22:48.0781 2344 ============================================================
19:22:49.0546 2344 Abiosdsk - ok
19:22:49.0843 2344 abp480n5 - ok
19:22:50.0250 2344 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:22:50.0296 2344 ACPI - ok
19:22:50.0640 2344 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
19:22:50.0640 2344 ACPIEC - ok
19:22:51.0109 2344 adfs (73685e15ef8b0bd9c30f1af413f13d49) C:\WINDOWS\system32\drivers\adfs.sys
19:22:51.0109 2344 adfs - ok
19:22:51.0359 2344 adpu160m - ok
19:22:51.0687 2344 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
19:22:51.0687 2344 aec - ok
19:22:52.0125 2344 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
19:22:52.0156 2344 AFD - ok
19:22:52.0718 2344 AgereSoftModem (994a42d273c35b43ee9d1e8a5d8bc639) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
19:22:53.0093 2344 AgereSoftModem - ok
19:22:53.0328 2344 Aha154x - ok
19:22:53.0546 2344 aic78u2 - ok
19:22:53.0828 2344 aic78xx - ok
19:22:54.0187 2344 AliIde - ok
19:22:54.0578 2344 AmdK8 (59301936898ae62245a6f09c0aba9475) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
19:22:54.0578 2344 AmdK8 - ok
19:22:54.0828 2344 amsint - ok
19:22:55.0156 2344 aracpi (00523019e3579c8f8a94457fe25f0f24) C:\WINDOWS\system32\DRIVERS\aracpi.sys
19:22:55.0156 2344 aracpi - ok
19:22:55.0718 2344 arhidfltr (9fedaa46eb1a572ac4d9ee6b5f123cf2) C:\WINDOWS\system32\DRIVERS\arhidfltr.sys
19:22:55.0734 2344 arhidfltr - ok
19:22:56.0265 2344 arkbcfltr (82969576093cd983dd559f5a86f382b4) C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys
19:22:56.0265 2344 arkbcfltr - ok
19:22:56.0593 2344 armoucfltr (9b21791d8a78faece999fadbebda6c22) C:\WINDOWS\system32\DRIVERS\armoucfltr.sys
19:22:56.0593 2344 armoucfltr - ok
19:22:56.0921 2344 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
19:22:56.0921 2344 Arp1394 - ok
19:22:57.0359 2344 ARPolicy (7a2da7c7b0c524ef26a79f17a5c69fde) C:\WINDOWS\system32\DRIVERS\arpolicy.sys
19:22:57.0359 2344 ARPolicy - ok
19:22:57.0640 2344 asc - ok
19:22:57.0921 2344 asc3350p - ok
19:22:58.0187 2344 asc3550 - ok
19:22:58.0562 2344 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
19:22:58.0578 2344 AsyncMac - ok
19:22:58.0906 2344 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
19:22:58.0906 2344 atapi - ok
19:22:59.0187 2344 Atdisk - ok
19:22:59.0593 2344 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
19:22:59.0609 2344 Atmarpc - ok
19:22:59.0921 2344 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
19:22:59.0921 2344 audstub - ok
19:23:00.0187 2344 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
19:23:00.0203 2344 Beep - ok
19:23:00.0625 2344 BVRPMPR5 (248dfa5762dde38dfddbbd44149e9d7a) C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
19:23:00.0640 2344 BVRPMPR5 - ok
19:23:00.0875 2344 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
19:23:00.0875 2344 cbidf2k - ok
19:23:01.0156 2344 cd20xrnt - ok
19:23:01.0546 2344 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
19:23:01.0562 2344 Cdaudio - ok
19:23:01.0859 2344 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
19:23:01.0875 2344 Cdfs - ok
19:23:02.0234 2344 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
19:23:02.0250 2344 Cdrom - ok
19:23:02.0671 2344 Changer - ok
19:23:02.0921 2344 CmdIde - ok
19:23:03.0140 2344 Cpqarray - ok
19:23:03.0421 2344 dac2w2k - ok
19:23:03.0734 2344 dac960nt - ok
19:23:04.0093 2344 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
19:23:04.0093 2344 Disk - ok
19:23:04.0687 2344 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
19:23:04.0890 2344 dmboot - ok
19:23:05.0171 2344 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
19:23:05.0218 2344 dmio - ok
19:23:05.0453 2344 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
19:23:05.0453 2344 dmload - ok
19:23:05.0843 2344 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
19:23:05.0843 2344 DMusic - ok
19:23:06.0078 2344 dpti2o - ok
19:23:06.0312 2344 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
19:23:06.0312 2344 drmkaud - ok
19:23:06.0796 2344 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
19:23:06.0828 2344 Fastfat - ok
19:23:07.0093 2344 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
19:23:07.0093 2344 Fdc - ok
19:23:07.0406 2344 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
19:23:07.0421 2344 Fips - ok
19:23:07.0875 2344 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
19:23:07.0875 2344 Flpydisk - ok
19:23:08.0187 2344 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
19:23:08.0250 2344 FltMgr - ok
19:23:08.0515 2344 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
19:23:08.0515 2344 Fs_Rec - ok
19:23:08.0921 2344 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
19:23:08.0984 2344 Ftdisk - ok
19:23:09.0281 2344 ftsata2 - ok
19:23:09.0562 2344 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
19:23:09.0578 2344 Gpc - ok
19:23:10.0000 2344 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
19:23:10.0000 2344 HDAudBus - ok
19:23:10.0328 2344 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
19:23:10.0328 2344 HidUsb - ok
19:23:10.0593 2344 hpn - ok
19:23:11.0031 2344 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
19:23:11.0093 2344 HTTP - ok
19:23:11.0359 2344 i2omgmt - ok
19:23:11.0593 2344 i2omp - ok
19:23:11.0984 2344 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
19:23:11.0984 2344 i8042prt - ok
19:23:12.0500 2344 iaStor (9a65e42664d1534b68512caad0efe963) C:\WINDOWS\system32\DRIVERS\iaStor.sys
19:23:12.0734 2344 iaStor - ok
19:23:13.0109 2344 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
19:23:13.0125 2344 Imapi - ok
19:23:13.0359 2344 ini910u - ok
19:23:14.0703 2344 IntcAzAudAddService (64be56b8858ca0153c725c720ffd194f) C:\WINDOWS\system32\drivers\RtkHDAud.sys
19:23:14.0734 2344 IntcAzAudAddService - ok
19:23:15.0156 2344 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
19:23:15.0171 2344 IntelIde - ok
19:23:15.0437 2344 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
19:23:15.0453 2344 intelppm - ok
19:23:15.0750 2344 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
19:23:15.0765 2344 Ip6Fw - ok
19:23:16.0125 2344 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
19:23:16.0140 2344 IpFilterDriver - ok
19:23:16.0406 2344 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
19:23:16.0421 2344 IpInIp - ok
19:23:16.0718 2344 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
19:23:16.0750 2344 IpNat - ok
19:23:17.0140 2344 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
19:23:17.0156 2344 IPSec - ok
19:23:17.0421 2344 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
19:23:17.0421 2344 IRENUM - ok
19:23:17.0765 2344 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
19:23:17.0765 2344 isapnp - ok
19:23:18.0187 2344 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
19:23:18.0187 2344 Kbdclass - ok
19:23:18.0531 2344 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
19:23:18.0531 2344 kmixer - ok
19:23:18.0859 2344 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
19:23:18.0875 2344 KSecDD - ok
19:23:19.0234 2344 lbrtfdc - ok
19:23:19.0500 2344 MASPINT (a2ae666cee860babe7fa6f1662b71737) C:\WINDOWS\system32\drivers\MASPINT.sys
19:23:19.0500 2344 MASPINT - ok
19:23:19.0781 2344 MBAMSwissArmy - ok
19:23:20.0187 2344 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys
19:23:20.0203 2344 mferkdk - ok
19:23:20.0562 2344 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys
19:23:20.0562 2344 mfesmfk - ok
19:23:20.0859 2344 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
19:23:20.0859 2344 MHNDRV - ok
19:23:21.0250 2344 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
19:23:21.0250 2344 mnmdd - ok
19:23:21.0593 2344 MOBKFilter (e896775837a8bce436348df460522394) C:\WINDOWS\system32\DRIVERS\MOBK.sys
19:23:21.0609 2344 MOBKFilter - ok
19:23:21.0921 2344 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
19:23:21.0937 2344 Modem - ok
19:23:22.0359 2344 motccgp (201bfc4ef8b33d02d133fbf6535e515b) C:\WINDOWS\system32\DRIVERS\motccgp.sys
19:23:22.0359 2344 motccgp - ok
19:23:22.0718 2344 motccgpfl (d0242a3832eb7c97801bb25889561e23) C:\WINDOWS\system32\DRIVERS\motccgpfl.sys
19:23:22.0718 2344 motccgpfl - ok
19:23:23.0000 2344 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
19:23:23.0015 2344 Mouclass - ok
19:23:23.0406 2344 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
19:23:23.0421 2344 mouhid - ok
19:23:23.0687 2344 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
19:23:23.0703 2344 MountMgr - ok
19:23:24.0015 2344 MPFP (136157e79849b9e5316ba4008d6075a8) C:\WINDOWS\system32\Drivers\Mpfp.sys
19:23:24.0015 2344 MPFP - ok
19:23:24.0390 2344 mraid35x - ok
19:23:24.0718 2344 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
19:23:24.0765 2344 MRxDAV - ok
19:23:25.0296 2344 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
19:23:25.0437 2344 MRxSmb - ok
19:23:25.0781 2344 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
19:23:25.0781 2344 Msfs - ok
19:23:26.0078 2344 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
19:23:26.0093 2344 MSKSSRV - ok
19:23:26.0515 2344 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
19:23:26.0515 2344 MSPCLOCK - ok
19:23:26.0843 2344 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
19:23:26.0843 2344 MSPQM - ok
19:23:27.0093 2344 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
19:23:27.0109 2344 mssmbios - ok
19:23:27.0531 2344 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
19:23:27.0562 2344 Mup - ok
19:23:27.0906 2344 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
19:23:27.0953 2344 NDIS - ok
19:23:28.0437 2344 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
19:23:28.0437 2344 NdisTapi - ok
19:23:28.0734 2344 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
19:23:28.0734 2344 Ndisuio - ok
19:23:29.0140 2344 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
19:23:29.0156 2344 NdisWan - ok
19:23:29.0593 2344 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
19:23:29.0609 2344 NDProxy - ok
19:23:29.0984 2344 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
19:23:29.0984 2344 NetBIOS - ok
19:23:30.0515 2344 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
19:23:30.0562 2344 NetBT - ok
19:23:30.0890 2344 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
19:23:30.0906 2344 NIC1394 - ok
19:23:31.0203 2344 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
19:23:31.0203 2344 Npfs - ok
19:23:31.0718 2344 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
19:23:31.0875 2344 Ntfs - ok
19:23:32.0156 2344 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
19:23:32.0156 2344 Null - ok
19:23:33.0453 2344 nv (ce58f42b11be20a47c3d8d2f38da254e) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
19:23:34.0453 2344 nv - ok
19:23:34.0750 2344 NVENETFD (22eedb34c4d7613a25b10c347c6c4c21) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
19:23:34.0765 2344 NVENETFD - ok
19:23:35.0031 2344 nvnetbus (5e3f6ad5cad0f12d3cccd06fd964087a) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
19:23:35.0031 2344 nvnetbus - ok
19:23:35.0406 2344 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
19:23:35.0406 2344 NwlnkFlt - ok
19:23:35.0718 2344 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
19:23:35.0734 2344 NwlnkFwd - ok
19:23:36.0015 2344 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
19:23:36.0031 2344 ohci1394 - ok
19:23:36.0390 2344 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
19:23:36.0406 2344 Parport - ok
19:23:36.0656 2344 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
19:23:36.0671 2344 PartMgr - ok
19:23:37.0218 2344 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
19:23:37.0234 2344 ParVdm - ok
19:23:37.0765 2344 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
19:23:37.0781 2344 PCI - ok
19:23:38.0078 2344 PCIDump - ok
19:23:38.0656 2344 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
19:23:38.0656 2344 PCIIde - ok
19:23:39.0078 2344 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
19:23:39.0109 2344 Pcmcia - ok
19:23:39.0500 2344 PDCOMP - ok
19:23:39.0765 2344 PDFRAME - ok
19:23:40.0031 2344 PDRELI - ok
19:23:40.0281 2344 PDRFRAME - ok
19:23:40.0671 2344 perc2 - ok
19:23:40.0968 2344 perc2hib - ok
19:23:41.0359 2344 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
19:23:41.0359 2344 PptpMiniport - ok
19:23:41.0796 2344 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
19:23:41.0812 2344 Processor - ok
19:23:42.0203 2344 Ps2 (390c204ced3785609ab24e9c52054a84) C:\WINDOWS\system32\DRIVERS\PS2.sys
19:23:42.0203 2344 Ps2 - ok
19:23:42.0640 2344 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
19:23:42.0640 2344 PSched - ok
19:23:42.0968 2344 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
19:23:42.0968 2344 Ptilink - ok
19:23:43.0265 2344 PxHelp20 (0457e25bb122b854e267cf552dcdc370) C:\WINDOWS\system32\Drivers\PxHelp20.sys
19:23:43.0281 2344 PxHelp20 - ok
19:23:43.0593 2344 ql1080 - ok
19:23:43.0812 2344 Ql10wnt - ok
19:23:44.0328 2344 ql12160 - ok
19:23:44.0718 2344 ql1240 - ok
19:23:44.0953 2344 ql1280 - ok
19:23:45.0265 2344 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
19:23:45.0265 2344 RasAcd - ok
19:23:45.0703 2344 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
19:23:45.0718 2344 Rasl2tp - ok
19:23:45.0968 2344 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
19:23:45.0984 2344 RasPppoe - ok
19:23:46.0281 2344 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
19:23:46.0281 2344 Raspti - ok
19:23:46.0781 2344 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
19:23:46.0812 2344 Rdbss - ok
19:23:47.0078 2344 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
19:23:47.0078 2344 RDPCDD - ok
19:23:47.0390 2344 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
19:23:47.0437 2344 rdpdr - ok
19:23:47.0828 2344 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
19:23:47.0859 2344 RDPWD - ok
19:23:48.0171 2344 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
19:23:48.0187 2344 redbook - ok
19:23:48.0515 2344 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
19:23:48.0531 2344 rtl8139 - ok
19:23:48.0734 2344 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
19:23:48.0734 2344 SASDIFSV - ok
19:23:48.0781 2344 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
19:23:48.0781 2344 SASKUTIL - ok
19:23:49.0140 2344 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
19:23:49.0140 2344 Secdrv - ok
19:23:49.0515 2344 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
19:23:49.0531 2344 Serial - ok
19:23:49.0937 2344 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
19:23:49.0937 2344 Sfloppy - ok
19:23:50.0171 2344 Simbad - ok
19:23:50.0421 2344 Sparrow - ok
19:23:50.0843 2344 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
19:23:50.0843 2344 splitter - ok
19:23:51.0203 2344 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
19:23:51.0218 2344 sr - ok
19:23:51.0750 2344 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
19:23:51.0828 2344 Srv - ok
19:23:52.0203 2344 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
19:23:52.0203 2344 swenum - ok
19:23:52.0546 2344 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
19:23:52.0546 2344 swmidi - ok
19:23:52.0953 2344 symc810 - ok
19:23:53.0218 2344 symc8xx - ok
19:23:53.0312 2344 SYMIDSCO - ok
19:23:53.0593 2344 sym_hi - ok
19:23:53.0953 2344 sym_u3 - ok
19:23:54.0250 2344 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
19:23:54.0250 2344 sysaudio - ok
19:23:54.0687 2344 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
19:23:54.0890 2344 Tcpip - ok
19:23:55.0218 2344 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
19:23:55.0218 2344 TDPIPE - ok
19:23:55.0515 2344 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
19:23:55.0515 2344 TDTCP - ok
19:23:55.0875 2344 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
19:23:55.0953 2344 TermDD - ok
19:23:56.0234 2344 TosIde - ok
19:23:56.0562 2344 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
19:23:56.0578 2344 Udfs - ok
19:23:56.0937 2344 ultra - ok
19:23:57.0312 2344 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
19:23:57.0406 2344 Update - ok
19:23:57.0718 2344 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
19:23:57.0718 2344 usbehci - ok
19:23:58.0125 2344 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
19:23:58.0140 2344 usbhub - ok
19:23:58.0375 2344 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
19:23:58.0375 2344 usbohci - ok
19:23:58.0687 2344 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
19:23:58.0687 2344 usbscan - ok
19:23:59.0156 2344 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:23:59.0156 2344 usbstor - ok
19:23:59.0453 2344 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
19:23:59.0453 2344 usbuhci - ok
19:23:59.0750 2344 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
19:23:59.0750 2344 VgaSave - ok
19:24:00.0156 2344 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
19:24:00.0156 2344 ViaIde - ok
19:24:00.0421 2344 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
19:24:00.0437 2344 VolSnap - ok
19:24:00.0843 2344 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
19:24:00.0843 2344 Wanarp - ok
19:24:01.0375 2344 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
19:24:01.0515 2344 Wdf01000 - ok
19:24:01.0765 2344 WDICA - ok
19:24:02.0140 2344 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
19:24:02.0140 2344 wdmaud - ok
19:24:02.0296 2344 MBR (0x1B8) (d11c727e03bb7318dcda069b06e652f0) \Device\Harddisk0\DR0
19:24:02.0328 2344 \Device\Harddisk0\DR0 - ok
19:24:02.0328 2344 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk5\DR7
19:24:02.0343 2344 \Device\Harddisk5\DR7 - ok
19:24:02.0343 2344 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk6\DR8
19:24:02.0359 2344 \Device\Harddisk6\DR8 - ok
19:24:02.0375 2344 MBR (0x1B8) (e5fa06aca0d60ba9c870d0ef3d9898c9) \Device\Harddisk7\DR9
19:24:03.0250 2344 \Device\Harddisk7\DR9 - ok
19:24:03.0281 2344 Boot (0x1200) (e981c7599c381b16bff8e92fc5db63d0) \Device\Harddisk0\DR0\Partition0
19:24:03.0281 2344 \Device\Harddisk0\DR0\Partition0 - ok
19:24:03.0281 2344 Boot (0x1200) (9208b09be40216bd24f5e6d0884e24b0) \Device\Harddisk0\DR0\Partition1
19:24:03.0281 2344 \Device\Harddisk0\DR0\Partition1 - ok
19:24:03.0296 2344 Boot (0x1200) (69471107fc2e6fdb57db3b41e05939d1) \Device\Harddisk5\DR7\Partition0
19:24:03.0296 2344 \Device\Harddisk5\DR7\Partition0 - ok
19:24:03.0296 2344 Boot (0x1200) (48759653e58f35debfa503fa01b4f44c) \Device\Harddisk6\DR8\Partition0
19:24:03.0312 2344 \Device\Harddisk6\DR8\Partition0 - ok
19:24:03.0312 2344 Boot (0x1200) (868e01db2a314355d1fcead4ac49c585) \Device\Harddisk7\DR9\Partition0
19:24:03.0312 2344 \Device\Harddisk7\DR9\Partition0 - ok
19:24:03.0312 2344 ============================================================
19:24:03.0312 2344 Scan finished
19:24:03.0312 2344 ============================================================
19:24:03.0328 2832 Detected object count: 0
19:24:03.0328 2832 Actual detected object count: 0

#10 jedi

jedi

  • Members
  • 274 posts
  • Gender:Male
  • Location:UK

Posted 26 October 2011 - 01:59 AM

Hi again,

186 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 3FA1BAC1D7FD18071BE2B53E6001CD7DFE278CEB This internally installed physical drive includes C:\ and the recovery partition D:\

Is there any reason you know of why this drive would have a non-standard MBR, rather than the default XP one?

I note from your earlier post you have used Defogger to disable emulation software, I'm assuming that's still the case?

Returning to Combofix, can you run it via Task Manager?

Open Task Manager by pressing the Ctrl Alt and Del keys, at the same time.

In the menu at the top of the dialog box, click File>New Task (Run...)

Copy/paste (or type) the following in the Run box and click OK.

"%userprofile%\desktop\combofix.exe"

Does this work?

jedi
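jedi's question about the "Unknown MBR code" result comes down to one check: does the boot code in sector 0 hash to a value you trust? MBRCheck and TDSSKiller print such hashes (TDSSKiller's "MBR (0x1B8)" lines above), but the comparison against a baseline is left to the reader. The script below is an added example, not code from this thread or from MBRCheck, TDSSKiller or Kaspersky. It assumes the boot code is the first 0x1B8 bytes of the sector (the usual layout, with the 4-byte disk signature at 0x1B8 and the partition table at 0x1BE), and every byte it hashes is constructed inline, so the "clean" and "tampered" images and the baseline hash are synthetic, not real Windows XP values.

```python
"""Parse a 512-byte MBR and compare its boot-code hash with a recorded baseline.
Added example; not from the thread, MBRCheck, TDSSKiller or Kaspersky."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 0x1B8   # bytes 0x000-0x1B7: boot code (assumption: the region TDSSKiller labels "MBR (0x1B8)")
DISK_SIG_OFF = 0x1B8    # 4-byte NT disk signature follows the boot code
PART_TABLE_OFF = 0x1BE  # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"  # bytes 0x1FE-0x1FF
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes, entries) -> bytes:
    """Construct a synthetic MBR image so the example runs offline (not a real disk image)."""
    mbr = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    mbr[:len(code)] = code
    mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4] = b"\x78\x56\x34\x12"  # constructed disk signature
    for i, (status, ptype, lba_start, sectors) in enumerate(entries):
        off = PART_TABLE_OFF + 16 * i
        mbr[off:off + 16] = struct.pack(ENTRY_FMT, status, b"\xff\xff\xff", ptype,
                                        b"\xff\xff\xff", lba_start, sectors)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into boot signature, disk signature, boot-code hashes and partition entries."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_signature_ok": mbr[510:512] == BOOT_SIG,
        "disk_signature": struct.unpack("<I", mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "boot_code_md5": hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "boot_code_sha1": hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, known_good_md5: set) -> list:
    """Return human-readable findings; an empty list means the MBR matched the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["boot_signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_md5"] not in known_good_md5:
        findings.append("boot code hash %s not in known-good baseline" % info["boot_code_md5"])
    active = [p["index"] for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    # Overlapping entries are worth a second look: nothing legitimate writes a table like that.
    ordered = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["lba_start"] < prev["lba_start"] + prev["sectors"]:
            findings.append("partition %d overlaps partition %d" % (cur["index"], prev["index"]))
    return findings


# Constructed sample data: filler bytes standing in for real boot code, plus a two-partition
# layout resembling a system/recovery split. The baseline hash is taken from the "clean" image;
# in practice you would record it from a known-clean machine running the same OS.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 7)
LAYOUT = [(0x80, 0x07, 63, 370_000_000), (0x00, 0x07, 370_000_063, 20_000_000)]
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, LAYOUT)
KNOWN_GOOD = {hashlib.md5(CLEAN_BOOT_CODE).hexdigest()}
# Same layout, but with the first boot-code bytes changed, which is what a modified MBR looks like
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + CLEAN_BOOT_CODE[2:], LAYOUT)

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, parse_mbr(image)["boot_code_sha1"], check_mbr(image, KNOWN_GOOD) or "ok")
```

To use this on a real machine you would feed `parse_mbr` the first 512 bytes read from the physical drive (on Windows, `\\.\PhysicalDrive0` opened for reading) and fill `KNOWN_GOOD` with the hash taken from a machine you trust, which is exactly the comparison the "Windows XP MBR code detected" line above is shorthand for. The hash alone does not say what a non-standard MBR does, only that it differs from the baseline; that is the cue to restore a known-good one, as jedi suggests below.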

#11 ncbeachcomber

ncbeachcomber
  • Topic Starter

  • Members
  • 37 posts

Posted 26 October 2011 - 03:39 PM

I don't know of any reason for any change to the MBR beyond the standard Win XP that came with the box. (My knowledge of such things is rudimentary: I don't guess it would be affected by such things as editing the boot sequence -- I installed an old floppy disk drive years ago thinking I might need it occasionally -- or by installing drivers for my two USB external hard-drives.)

CD emulation software should remain disabled. At least, I didn't "re-fog" with "DeFogger."

I tried to run ComboFix through Task Manager as you suggested; once I figured out a path that it would recognize (had to go back to the root: C:\users\HP_administrator\desktop\UnnamedSoftware.exe) it ran, just as it did before, but before creating the log it popped up the same message ("Not Admin!! You need Administrative privileges to run this tool") that I'd gotten by running it from the desktop icon.

I got the bright idea of trying to log in with the actual "Administrator" user name; "HP_administrator" is not considered the actual "admin" user, apparently. It's a name I picked when XP required me to create a username when the box was new. But of course the control panel's Users directory is disabled, so that was a dead end.

Is there a way to pause ComboFix, and grab the green type that runs in its black window, before it throws that Administrator error, and get useful data that way?

Edited by ncbeachcomber, 26 October 2011 - 03:42 PM.


#12 jedi

jedi

  • Members
  • 274 posts
  • Gender:Male
  • Location:UK

Posted 28 October 2011 - 04:08 AM

Hi again,

OK, run MBRCheck again, when you reach this point:

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options

follow the prompts to restore the default XP MBR on this drive - 186 GB \\.\PhysicalDrive0. If you run into any problems let me know.

There's no way I know to do this:

Is there a way to pause ComboFix, and grab the green type that runs in its black window, before it throws that Administrator error, and get useful data that way?


Seeing as we're having trouble getting tools to run from within Windows I think we should scan from a bootable rescue disk. We've recently had good results using Kaspersky Rescue Disk 10. Please read through this:
http://support.kaspersky.com/faq/?qid=208282484
or if it's easier for you to use a flash-drive, see here:
http://support.kaspersky.com/viruses/rescuedisk/main?qid=208282163
When you're confident you understand the process please do the following:

The Kaspersky Rescue Disk 10 is a bootable CD based version of Kaspersky Antivirus.

If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

Download the Kaspersky Rescue Disk:
http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/.
  • The download is in ISO format. Right click and 'Open with' a disk burning program. You'll probably have Windows Disk Image Burner available. If so just put a blank CD in the drive and click 'Burn'.
  • Burn the Kaspersky Rescue Disk ISO image to CD.
  • Insert the Kaspersky Rescue Disk CD into your CD/DVD drive and boot the computer (you may need to change the boot sequence in your system's BIOS to boot from the CD/DVD drive).
  • These directions may be for an older version and may not apply
    • Follow the instructions in the initial text screen to press Enter to start Kaspersky AntiVirus.
    • Select your language (or wait a few seconds for the default English to load).
    • Your screen may go blank for several minutes while the program loads.
    • After the Kaspersky Rescue Disk loads, the database will be updated (if you have network connectivity)
      • Click the Update tab to view the update progress.
      • When the update has completed, click the Scan tab.
    • Place a checkmark in all the available drives to scan the entire system.
    • Click the "Security level" option, and select options.
      • Make sure "All Files" is selected
      • Under "Scan of compound files" ensure all options are selected and click the OK button.
    • Click the "On threat detection" option
      • Select "Do not prompt", "Disinfect", and "Delete if disinfection fails".
    • Click the "Start scan" button.
    • When the scan has completed, click the Reports button.
      • Click the Save button, and select your System drive (normally your C: drive)
      • In the "File name" box, name the file krd-log and click the Save button.
      • Click Close to close the Reports window.
    • Click the Exit button to close the Rescue Disk program and confirm.
      In the lower left of the screen, left-click the red K button, select Logout, and confirm.
  • The computer will shut down.
  • Restart the computer and reboot normally.
  • Please post the log (krd-log.txt) in your next reply.

The scan process will be the same if you run it from a flash-drive. Please note these instructions may be slightly outdated, but the tool is easy to use and I have it on my own flash-drive so if you have any questions I should be able to answer them.

jedi

#13 ncbeachcomber

ncbeachcomber
  • Topic Starter

  • Members
  • 37 posts

Posted 28 October 2011 - 02:15 PM

I ran MBRCheck again and told it to restore the master boot record of the drive that contains the operating system and the restore partition. It seemed to be working, but when I ran it again to be sure, it still showed a non-standard MBR. Tried it a couple more times, with the "Default (XP)" option, then with the non-default "XP" option (just in case there was any difference) but it didn't seem to make a difference.

So that's another dead end.

The good news is that, after wasting time on a blind alley creating a bootable flash drive with the Kaspersky software (stupid BIOS doesn't have any discernible way to designate a removable drive as a boot option) I put it on a CD, booted from that, and it's now running. Some of the options seemed a little different from your instructions, but it is doing a thorough scan on all disk drives. Predicting another 11 hours or so to completion, but I'll post the results as soon as I have something.

#14 jedi

jedi

  • Members
  • 274 posts
  • Gender:Male
  • Location:UK

Posted 28 October 2011 - 03:16 PM

Some good news at least. OK, post the results when you have them.

jedi

#15 ncbeachcomber

ncbeachcomber
  • Topic Starter

  • Members
  • 37 posts

Posted 28 October 2011 - 04:29 PM

The scan is now into the backup drives, and predicting just four hours to finish.
