
Sirefef.O on Windows 7 32 ultimate after many scans


  • This topic is locked
25 replies to this topic

#1 guitarsavvy

guitarsavvy

  • Members
  • 17 posts

Posted 01 November 2011 - 07:54 AM

Hello, my name is Dave and I have Sirefef.O.
"Hello Dave."

The current symptoms that remain are that malwarebytes and dr.web terminate when they are used to scan while not in safe mode, and afterwards will not open without reinstallation.

After running the programs below, windows defender no longer identifies sirefef.b however it still repeatedly detects sirefef.o and still cannot fix it.

I have run all of these programs repeatedly in both safe mode and in the normal startup mode.

rkill,
tdsskiller,
antizeroaccess,
malwarebytes,
drweb (free and full)
stopzilla,

I have also run defogger in the normal startup mode.

Below I will go through the results of each program as I remember. Once again, before running the programs, windows defender detected sirefef.b and sirefef.o. Now it detects sirefef.o only.

Rkill has not logged anything similar to the other programs when run.
Tdsskiller used to find malicious software, then it found two things that it was comfortable skipping, and now tdsskiller finds one suspicious object that it recommends skipping. It is mcdbus and is located at c:\Windows\system32\DRIVERS\mcdbus.sys.

In safe mode, antizeroaccess found many threats but was unable to fix them because it said that the driver was not loaded. In the normal boot mode, antizeroaccess was able to load the driver and fix many problems. Now when antizeroaccess is run it does not detect any problems but "errors occur." I don't know what these errors are, or why they occur. The only reason that I can think of that may be a cause of these errors is because I had scratched my hard drive to the extent that the computer would always freeze at the user selection screen. A friend helped me to confine the data so that it was not read. I'm very unsure of how exactly he fixed that issue, or if it's the reason antizeroaccess is reporting errors.

I was able to uninstall malwarebytes (which I did because of the aforementioned issue, which also happened to avg - my original antivirus), reinstall malwarebytes in safe mode, and malwarebytes successfully scanned in safe mode. Malwarebytes quarantined three obscure items that I don't believe had anything to do with the virus (because they have been on my computer for months, whereas the sirefef virus instantly took effect a few days ago when I downloaded a keygen - of course for a program which I had full rights to but lost the key for).

Dr.Web free identified malicious software and suggested that I should get a free trial of dr.web to do a full scan. I downloaded and installed the dr.web full free trial in safe mode, however at the last second it abruptly uninstalled at the end of the installation. In normal boot mode (apologies if there's a clearer term for this mode), Dr.Web full installed properly and began its immediate automatic scan. I don't know if this is supposed to be a quick scan but I don't think so. The scan took less than a minute, scanned twenty items, and didn't find anything. I clicked on full scan and it failed, similarly to malwarebytes. Now when I open dr.web and scan, it instantly fails.

Stopzilla setup, which I renamed as instructed to iexplorer.exe, downloaded the update and stopped every time it was opened in safe mode. In the normal boot mode, stopzilla downloaded its update and began to install but randomly stopped and told me to restart. I restarted and it opened again and resumed before again stopping and telling me to restart.

At this point, the symptoms of redirecting websites, fraudulently requesting that I allow windows firewall to unblock some feature of nearly every program I open, having to manually close and restart explorer.exe every time I boot up, and the virus randomly restarting my computer are probably entirely gone.

One last potentially interesting piece of information is that I spotted the virus on the task manager at one point although I could not end it or open its location. It appeared as 4244293154:371150571.exe (I may have missed a character when writing this down. Windows defender has a 1 inserted as the 4th character from the end.) This shows up under the details of the windows defender's analysis of Sirefef.O and is located at C:\Windows\4244293154:3711501571.exe

Any consideration or suggestions would be greatly appreciated.
Thanks,
-Dave

In creating the gmer file, the program closed when I clicked on scan, similarly to the antivirus/antimalware programs. Now when I click on the application it cannot be opened and the message is exactly the same when I click on an installed malwarebytes. It reads: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." This message appears even when the program is run as an administrator.

DDS:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by sean at 5:58:14 on 2011-11-01
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2002.756 [GMT -7:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Fingerprint Sensor\AtService.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\4244293154:3711501571.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\o2flash.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
C:\Program Files\CSR\Bluetooth Feature Pack 5.0\CSRSkype.exe
C:\Program Files\CSR\Bluetooth Feature Pack 5.0\ConMgr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Windows\system32\conhost.exe
C:\Windows\VM331_STI.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Fujitsu\Utils\FjDspMon.exe
C:\Program Files\Fujitsu\Utils\fjevents.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\Safari\Safari.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\CSR\Bluetooth Feature Pack 5.0\VFPRadioSupportService.exe
C:\Windows\System32\taskmgr.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\DrWeb\dwservice.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\explorer.exe
C:\Windows\system32\notepad.exe
C:\Users\sean\Downloads\tdsskiller.exe
C:\Windows\system32\SearchFilterHost.exe
c:\program files\windows defender\MpCmdRun.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AOL Messaging Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
mURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
uWinlogon: Shell=c:\users\sean\appdata\local\22c6fafc\X
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: AOL Messaging Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: AOL Messaging Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [PMCallCenter] "c:\program files\prettymay call center for skype\PMCallCenter.exe"
uRun: [Facebook Update] "c:\users\sean\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
mRun: [CSRSkype] c:\program files\csr\bluetooth feature pack 5.0\CSRSkype.exe
mRun: [ConMgr] "c:\program files\csr\bluetooth feature pack 5.0\ConMgr.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATSwpNav] "c:\program files\fingerprint sensor\ATSwpNav" -run
mRun: [<NO NAME>]
mRun: [FjStrtAp] c:\program files\fujitsu\utils\FjStrtAp.exe
mRun: [331BigDog] c:\windows\VM331_STI.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\users\sean\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Free YouTube Download - c:\users\sean\appdata\roaming\dvdvideosoftiehelpers\freeyoutubedownload.htm
IE: Free YouTube to MP3 Converter - c:\users\sean\appdata\roaming\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{5D11C7BC-648F-4176-A7AA-6A29DBEA07EE} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{5D11C7BC-648F-4176-A7AA-6A29DBEA07EE}\34F4D402055726C6963602143636563737 : DhcpNameServer = 10.16.200.23 10.16.200.49
TCP: Interfaces\{5D11C7BC-648F-4176-A7AA-6A29DBEA07EE}\54E45425749584146554E4 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{5D11C7BC-648F-4176-A7AA-6A29DBEA07EE}\E4568747B65697 : DhcpNameServer = 199.88.85.7
TCP: Interfaces\{82888EF3-3CCA-4B0B-A18A-008D00FB375A} : DhcpNameServer = 192.168.1.254
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - c:\progra~1\inboxt~1\Inbox.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\sean\appdata\roaming\mozilla\firefox\profiles\sbnlq9v5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/mail?.src=ym&.intl=us
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np_gp.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\sean\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(extentions.y2layers.installId, 373e7582-7809-4941-8ac3-7d8d83ddc675
.
============= SERVICES / DRIVERS ===============
.
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2011-9-26 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2011-8-16 59080]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\atservice.exe [2011-11-1 1172728]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-1 366152]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2011-4-15 65536]
R2 VFPRadioSupportService;Bluetooth Feature Support;c:\program files\csr\bluetooth feature pack 5.0\VFPRadioSupportService.exe [2009-8-20 111488]
R3 Fjbtndrv;Fujitsu Button Driver;c:\windows\system32\drivers\FjBtndrv.sys [2003-6-20 11392]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2010-2-15 5632]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-1 22216]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-2-5 47448]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2008-3-12 41560]
R3 vm331avs;VC0334 USB2.0 Digital Camera;c:\windows\system32\drivers\vm331avs.sys [2010-2-15 972032]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-13 311296]
R4 DrWebAVService;Dr.Web Control Service;c:\program files\drweb\dwservice.exe --loglevel=inf --logfile="c:\programdata\doctor web\logs\dwservice.log" --> c:\program files\drweb\dwservice.exe --loglevel=inf --logfile=c:\programdata\doctor web\logs\dwservice.log [?]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-11-1 41272]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2011-9-26 61328]
S1 puqgaxmk;puqgaxmk;c:\windows\system32\drivers\puqgaxmk.sys [2011-11-1 41680]
S1 sipstrho;sipstrho;c:\windows\system32\drivers\sipstrho.sys [2011-11-1 41680]
S1 ysckhvof;ysckhvof;c:\windows\system32\drivers\ysckhvof.sys [2011-11-1 41680]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2011-9-8 94880]
S2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2009-12-23 372736]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2011-6-24 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-22 1493352]
S3 HPMo4DE3;Mouse Suite Driver_4DE3 (WDF Version);c:\windows\system32\drivers\HPMo4DE3.sys [2011-6-24 20992]
S3 HPub4DE3;USB Mouse Low Filter Driver_4DE3 (WDF Version);c:\windows\system32\drivers\HPub4DE3.sys [2011-6-24 13824]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-6-24 15872]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-24 52224]
S3 WatAdminSvc;WatAdminSvc;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-2 1343400]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-22 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
SUnknown ogxjeknd;ogxjeknd; [x]
SUnknown rtjmdqqy;rtjmdqqy; [x]
.
=============== Created Last 30 ================
.
2011-11-01 11:50:50 41680 ----a-w- c:\windows\system32\drivers\ysckhvof.sys
2011-11-01 11:50:50 41680 ----a-w- c:\windows\system32\drivers\sipstrho.sys
2011-11-01 11:47:27 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-01 11:46:29 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{f28a70e0-0e94-4dd7-a910-51b592b4571b}\offreg.dll
2011-11-01 11:32:17 -------- d-----w- c:\users\sean\Doctor Web
2011-11-01 11:29:01 -------- d-----w- c:\program files\common files\Doctor Web
2011-11-01 11:28:26 -------- d-----w- c:\program files\DrWeb
2011-11-01 11:23:44 41680 ----a-w- c:\windows\system32\drivers\puqgaxmk.sys
2011-11-01 11:22:02 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{f28a70e0-0e94-4dd7-a910-51b592b4571b}\mpengine.dll
2011-11-01 10:38:31 -------- d-----w- c:\programdata\STOPzilla!
2011-11-01 10:38:31 -------- d-----w- c:\program files\STOPzilla!
2011-11-01 10:38:31 -------- d-----w- c:\program files\common files\iS3
2011-11-01 10:35:33 -------- d-----w- c:\programdata\Doctor Web
2011-11-01 10:18:42 17328 ----a-w- c:\windows\system32\agrsmsvc.exe
2011-11-01 10:12:29 -------- d-----w- c:\users\sean\appdata\local\Downloaded Installations
2011-11-01 09:53:48 -------- d-----w- C:\TDSSKiller_Quarantine
2011-11-01 09:49:37 -------- d-----w- c:\users\sean\DoctorWeb
2011-11-01 09:33:17 48016 --sha-w- c:\windows\system32\c_29354.nl_
2011-11-01 09:33:08 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-11-01 09:21:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-01 09:15:16 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-11-01 06:59:39 -------- d-----w- c:\users\sean\appdata\roaming\Malwarebytes
2011-11-01 06:59:30 -------- d-----w- c:\programdata\Malwarebytes
2011-10-29 01:17:36 546256 ----a-r- c:\windows\system32\SZComp5.dll
2011-10-29 01:17:36 480720 ----a-r- c:\windows\system32\SZBase5.dll
2011-10-29 01:17:36 28624 ----a-r- c:\windows\system32\IS3XDat5.dll
2011-10-29 01:17:36 22992 ----a-r- c:\windows\system32\SZIO5.dll
2011-10-29 01:17:36 132560 ----a-r- c:\windows\system32\IS3HTUI5.dll
2011-10-29 01:17:34 99792 ----a-r- c:\windows\system32\IS3Svc5.dll
2011-10-29 01:17:34 738768 ----a-r- c:\windows\system32\IS3Base5.dll
2011-10-29 01:17:34 67024 ----a-r- c:\windows\system32\IS3Hks5.dll
2011-10-29 01:17:34 456144 ----a-r- c:\windows\system32\IS3DBA5.dll
2011-10-29 01:17:34 390608 ----a-r- c:\windows\system32\IS3UI5.dll
2011-10-29 01:17:34 230864 ----a-r- c:\windows\system32\IS3Win325.dll
2011-10-29 01:17:34 103888 ----a-r- c:\windows\system32\IS3Inet5.dll
2011-10-27 10:03:28 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-10-27 09:12:35 227328 ----a-w- c:\users\sean\taskmgr.exe
2011-10-27 09:12:34 -------- d-sh--w- c:\users\sean\appdata\local\22c6fafc
2011-10-27 08:57:30 -------- d-----w- c:\programdata\Video Strip Poker Supreme
.
==================== Find3M ====================
.
2011-11-01 11:17:12 35328 ----a-w- c:\windows\system32\drivers\npfs.sys
2011-11-01 10:18:42 36352 ----a-w- c:\windows\system32\drivers\netbios.sys
2011-11-01 10:15:09 388096 ----a-w- c:\windows\system32\drivers\csc.sys
2011-10-09 06:09:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-03 12:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-26 19:21:00 61328 ----a-r- c:\windows\system32\drivers\SZKG.sys
2011-09-26 19:21:00 61328 ----a-r- c:\windows\system32\drivers\is3srv.sys
2011-09-07 03:40:44 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-08-25 02:31:03 409088 ----a-w- c:\windows\system32\systemcpl.dll
2011-08-17 00:48:30 59080 ----a-r- c:\windows\system32\drivers\SZKGFS.sys
2011-03-30 01:04:54 774144 ----a-w- c:\program files\RngInterstitial.dll
.
============= FINISH: 6:02:17.50 ===============

Edited by guitarsavvy, 01 November 2011 - 08:17 AM.
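A triage pass over the DDS log format posted above, as an added example (not code from the thread, from DDS, or from any tool named in it): it flags the indicators the thread turns on, namely the process image living in an NTFS alternate data stream (C:\Windows\4244293154:3711501571.exe), the Winlogon Shell value pointing at something other than explorer.exe, a registered service whose file is gone, the literal %APPDATA% directory under system32, and a taskmgr.exe copy in the user profile. The sample lines are constructed by abridging the posted log; rule names, severities, and the "random driver name" review heuristic are this example's own.

```python
"""Triage a DDS log for the ZeroAccess/Sirefef indicators seen in this thread.

Added example: not code from the thread, from DDS, or from any tool named in it.
Rule names and severities are this example's own.
"""
import re
from typing import Dict, List

# Constructed sample, abridged from the DDS log posted above.
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k netsvcs
"C:\Windows\system32\svchost.exe"
C:\Windows\4244293154:3711501571.exe
C:\Windows\explorer.exe
============== Pseudo HJT Report ===============
uWinlogon: Shell=c:\users\sean\appdata\local\22c6fafc\X
mRun: [RtHDVCpl] RtHDVCpl.exe
============= SERVICES / DRIVERS ===============
S1 puqgaxmk;puqgaxmk;c:\windows\system32\drivers\puqgaxmk.sys [2011-11-1 41680]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-1 22216]
SUnknown ogxjeknd;ogxjeknd; [x]
=============== Created Last 30 ================
2011-10-27 10:03:28 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-10-27 09:12:35 227328 ----a-w- c:\users\sean\taskmgr.exe
2011-11-01 11:47:27 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Drive path whose last component holds a second colon: an NTFS alternate data stream.
ADS_RE = re.compile(r'^[a-z]:\\(?:[^\\:"]+\\)*[^\\:"]+:[^\\:"\s]+', re.I)
WINLOGON_RE = re.compile(r"^[um]Winlogon:\s*Shell=(.*)$", re.I)
SERVICE_RE = re.compile(r"^(R\d|S\d|SUnknown)\s+([^;]+);([^;]*);(.*)$")
FILE_ROW_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+\S+\s+(.+)$")
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")
# Windows binaries that have no business living outside %SystemRoot%.
SYSTEM_BINARIES = {"taskmgr.exe", "explorer.exe", "svchost.exe", "lsass.exe", "services.exe"}


def _finding(rule: str, severity: str, line: str) -> Dict[str, str]:
    return {"rule": rule, "severity": severity, "line": line}


def _basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def triage_dds(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line, judged by the DDS section it sits in."""
    findings: List[Dict[str, str]] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":  # DDS pads sections with lone dots
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()
            continue
        if section.startswith("running processes"):
            # Explorer and most file tools never list a stream, so a process
            # whose image path is one is a strong signal.
            if ADS_RE.match(line.strip('"')):
                findings.append(_finding("ads-process", "high", line))
        elif section.startswith("pseudo hjt"):
            m = WINLOGON_RE.match(line)
            if m and _basename(m.group(1).strip()) != "explorer.exe":
                findings.append(_finding("winlogon-shell", "high", line))
        elif section.startswith("services"):
            m = SERVICE_RE.match(line)
            if not m:
                continue
            start, name, _desc, rest = m.groups()
            if start == "SUnknown" and rest.strip().startswith("[x]"):
                # Registered service with no image file left on disk.
                findings.append(_finding("service-missing-file", "medium", line))
            elif RANDOM_NAME_RE.match(name) and "\\drivers\\" in rest.lower():
                # Anti-rootkit scanners load randomly named drivers too, so this
                # is a review item rather than a verdict.
                findings.append(_finding("random-driver-name", "review", line))
        elif section.startswith(("created last", "find3m")):
            m = FILE_ROW_RE.match(line)
            if not m:
                continue
            path = m.group(1).strip()
            name = _basename(path)
            if "%" in name:
                # A directory literally named %APPDATA%: a variable written unexpanded.
                findings.append(_finding("env-literal-path", "high", line))
            elif name in SYSTEM_BINARIES and not path.lower().startswith("c:\\windows\\"):
                findings.append(_finding("system-binary-outside-windows", "high", line))
    return findings


if __name__ == "__main__":
    for hit in triage_dds(SAMPLE_DDS):
        print(f"[{hit['severity']:>6}] {hit['rule']:<30} {hit['line']}")
```

Feed it the full posted log and the same six rules fire on the corresponding lines; anything it does not flag still needs the human read the helper gives it.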




#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,948 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 November 2011 - 08:06 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Your logs indicate that a ZeroAccess infection is present on your computer:

Please download DummyCreator.zip and unzip it.
  • Run the tool.
  • Copy and paste the following into the edit box:

    C:\WINDOWS\4244293154
  • Press Create button and post the content of the Result.txt.

    Important: Restart the computer.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to: Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Please post the log and wait for further instructions.

#3 guitarsavvy

guitarsavvy
  • Topic Starter

  • Members
  • 17 posts

Posted 06 November 2011 - 06:35 AM

DummyCreator by Farbar
Ran by sean (administrator) on 06-11-2011 at 03:34:20
**************************************************************

C:\WINDOWS\4244293154 [06-11-2011 03:34:20]

== End of log ==

#4 guitarsavvy

guitarsavvy
  • Topic Starter

  • Members
  • 17 posts

Posted 06 November 2011 - 06:53 AM

Thanks for the help, nasdaq!

I have two immediate concerns that I think I should address before continuing. I don't know if the dummycreator worked properly and if I should continue.

I have not run combofix yet because the save option when downloading using the firefox browser automatically downloaded combofix into the downloads folder. I'm concerned that the integrity of the program has been compromised. I dragged it to the desktop but have not run it.

Can you please tell me which browser to use to download combofix so that I can save it directly to the desktop and if it will even work now that I have made this error.

Apologies for the confusion.

Thanks!

#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,948 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 November 2011 - 09:53 AM

I don't know if the dummycreator worked properly and if I should continue.

You should be good to continue.

I have not run combofix yet because the save option when downloading using the firefox browser automatically downloaded combofix into the downloads folder.


Go to the Downloads folder, right click on the ComboFix file and use the copy function.

Navigate to your desktop and paste the copy of the file.

Run it from there.

Post the log.

#6 guitarsavvy

guitarsavvy
  • Topic Starter

  • Members
  • 17 posts

Posted 06 November 2011 - 06:18 PM

ComboFix 11-11-06.02 - sean 11/06/2011 14:47:39.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2002.1359 [GMT -8:00]
Running from: c:\users\sean\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
ADS - Windows: deleted 24 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Tarma Installer
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
c:\users\sean\AppData\Local\22c6fafc\U
c:\users\sean\AppData\Local\22c6fafc\U\80000000.@
c:\users\sean\AppData\Local\22c6fafc\U\800000cb.@
c:\users\sean\AppData\Roaming\mIRC\logs\status.log
c:\users\sean\Favorites\Thumbs.db
c:\users\sean\Taskmgr.exe
c:\windows\$NtUninstallKB10181$\1132034431
c:\windows\$NtUninstallKB10181$\583465724\@
c:\windows\$NtUninstallKB10181$\583465724\L\xadqgnnk
c:\windows\$NtUninstallKB10181$\583465724\loader.tlb
c:\windows\$NtUninstallKB10181$\583465724\U\@00000001
c:\windows\$NtUninstallKB10181$\583465724\U\@000000c0
c:\windows\$NtUninstallKB10181$\583465724\U\@000000cb
c:\windows\$NtUninstallKB10181$\583465724\U\@000000cf
c:\windows\$NtUninstallKB10181$\583465724\U\@80000000
c:\windows\$NtUninstallKB10181$\583465724\U\@800000c0
c:\windows\$NtUninstallKB10181$\583465724\U\@800000cb
c:\windows\$NtUninstallKB10181$\583465724\U\@800000cf
c:\windows\4244293154
c:\windows\7Loader.TAG
c:\windows\system32\
c:\windows\system32\c_29354.nls
c:\windows\system32\system
c:\windows\$NtUninstallKB10181$ . . . . Failed to delete
.
c:\windows\system32\drivers\tosrfcom.sys . . . is infected!!
.
Infected copy of c:\progra~1\mcafee\SITEAD~1\mcsacore.exe was found and disinfected
Restored copy from - c:\progra~1\McAfee\SITEAD~1\
.
c:\windows\system32\o2flash.exe . . . is infected!!
c:\windows\system32\o2flash.exe . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE was found and disinfected
Restored copy from - c:\program files\Common Files\microsoft shared\Source Engine\
.
Infected copy of c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe was found and disinfected
Restored copy from - c:\program files\Microsoft SQL Server\90\Shared\
.
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe . . . is infected!!
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Common Files\Steam\SteamService.exe . . . is infected!!
c:\program files\Common Files\Steam\SteamService.exe . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe was found and disinfected
Restored copy from - c:\program files\Toshiba\Bluetooth Toshiba Stack\
.
Infected copy of c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE was found and disinfected
Restored copy from - c:\program files\Common Files\microsoft shared\Windows Live\
.
.
((((((((((((((((((((((((( Files Created from 2011-10-06 to 2011-11-06 )))))))))))))))))))))))))))))))
.
.
2011-11-06 23:07 . 2011-11-06 23:10 -------- d-----w- c:\users\sean\AppData\Local\temp
2011-11-06 23:07 . 2011-11-06 23:07 -------- d-----w- c:\users\postgres\AppData\Local\temp
2011-11-06 23:07 . 2011-11-06 23:07 -------- d-----w- c:\users\postgres.MINE\AppData\Local\temp
2011-11-06 23:07 . 2011-11-06 23:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-06 23:07 . 2011-11-06 23:07 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-11-06 23:06 . 2011-11-06 23:06 145184 ----a-w- c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
2011-11-06 22:42 . 2011-11-06 22:42 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F28A70E0-0E94-4DD7-A910-51B592B4571B}\offreg.dll
2011-11-06 22:37 . 2009-07-13 23:11 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-11-01 11:32 . 2011-11-01 11:32 -------- d-----w- c:\users\sean\Doctor Web
2011-11-01 11:29 . 2011-11-01 11:29 -------- d-----w- c:\program files\Common Files\Doctor Web
2011-11-01 11:28 . 2011-11-06 11:37 -------- d-----w- c:\program files\DrWeb
2011-11-01 11:22 . 2011-10-18 09:28 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F28A70E0-0E94-4DD7-A910-51B592B4571B}\mpengine.dll
2011-11-01 10:38 . 2011-11-06 22:21 -------- d-----w- c:\programdata\STOPzilla!
2011-11-01 10:38 . 2011-11-01 10:38 -------- d-----w- c:\program files\Common Files\iS3
2011-11-01 10:35 . 2011-11-01 11:45 -------- d-----w- c:\programdata\Doctor Web
2011-11-01 10:18 . 2011-11-01 10:18 17328 ----a-w- c:\windows\system32\agrsmsvc.exe
2011-11-01 10:12 . 2011-11-01 10:12 -------- d-----w- c:\users\sean\AppData\Local\Downloaded Installations
2011-11-01 09:53 . 2011-11-01 09:53 -------- d-----w- C:\TDSSKiller_Quarantine
2011-11-01 09:49 . 2011-11-01 09:49 -------- d-----w- c:\users\sean\DoctorWeb
2011-11-01 09:33 . 2011-11-06 11:38 48016 --sha-w- c:\windows\system32\c_29354.nl_
2011-11-01 09:33 . 2011-11-01 09:33 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-11-01 09:21 . 2011-11-06 22:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-01 09:15 . 2011-11-01 11:47 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-11-01 06:59 . 2011-11-01 06:59 -------- d-----w- c:\users\sean\AppData\Roaming\Malwarebytes
2011-11-01 06:59 . 2011-11-01 06:59 -------- d-----w- c:\programdata\Malwarebytes
2011-10-27 10:03 . 2011-10-27 10:03 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-10-27 09:12 . 2011-11-06 22:59 -------- d-sh--w- c:\users\sean\AppData\Local\22c6fafc
2011-10-27 08:57 . 2011-10-27 09:04 -------- d-----w- c:\programdata\Video Strip Poker Supreme
2011-10-26 22:09 . 2011-10-26 22:09 -------- d-----w- c:\program files\Common Files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-01 11:17 . 2009-07-13 23:11 35328 ----a-w- c:\windows\system32\drivers\npfs.sys
2011-11-01 10:18 . 2009-07-13 23:53 36352 ----a-w- c:\windows\system32\drivers\netbios.sys
2011-11-01 10:15 . 2011-06-25 02:38 388096 ----a-w- c:\windows\system32\drivers\csc.sys
2011-10-09 06:09 . 2011-06-14 08:57 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-03 12:06 . 2011-03-30 00:58 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-07 03:40 . 2011-09-07 03:40 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-08-25 02:31 . 2011-06-25 02:37 409088 ----a-w- c:\windows\system32\systemcpl.dll
2011-03-30 01:04 . 2011-03-30 01:05 774144 ----a-w- c:\program files\RngInterstitial.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2011-01-17 14:54 175912 ----a-w- c:\program files\Freecorder\prxtbFre0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-07-22 23:53 787744 ----a-w- c:\program files\Yontoo Layers Runtime\YontooIEClient.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2011-08-13 1242448]
"Facebook Update"="c:\users\sean\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-08-31 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATSwpNav"="c:\program files\Fingerprint Sensor\ATSwpNav -run" [X]
"CSRSkype"="c:\program files\CSR\Bluetooth Feature Pack 5.0\CSRSkype.exe" [2009-08-20 346464]
"ConMgr"="c:\program files\CSR\Bluetooth Feature Pack 5.0\ConMgr.exe" [2009-08-20 504160]
"RtHDVCpl"="RtHDVCpl.exe" [2008-06-13 6183456]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-29 75136]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-11 1045800]
"FjStrtAp"="c:\program files\Fujitsu\Utils\FjStrtAp.exe" [2008-04-09 20480]
"331BigDog"="c:\windows\VM331_STI.EXE" [2008-05-06 290816]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2009-01-29 57344]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\users\sean\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2011-7-7 576000]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-4-14 2979144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer4"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [x]
R0 SpiderG3;DrWeb file system scanner;c:\windows\system32\drivers\spiderg3.sys [x]
R0 szkg5;szkg5;c:\windows\system32\drivers\szkg.sys [x]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 GPU-Z;GPU-Z; [x]
R3 HPMo4DE3;Mouse Suite Driver_4DE3 (WDF Version);c:\windows\system32\DRIVERS\HPMo4DE3.sys [2011-03-09 20992]
R3 HPub4DE3;USB Mouse Low Filter Driver_4DE3 (WDF Version);c:\windows\system32\Drivers\HPub4DE3.sys [2011-04-12 13824]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2011-06-06 4005936]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;WatAdminSvc;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-02 1343400]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-23 47128]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 239336]
R4 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-11-01 64952]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2011-11-01 1172728]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [2011-11-06 94880]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2011-04-15 65536]
S2 VFPRadioSupportService;Bluetooth Feature Support;c:\program files\CSR\Bluetooth Feature Pack 5.0\VFPRadioSupportService.exe [2009-08-20 111488]
S3 Fjbtndrv;Fujitsu Button Driver;c:\windows\system32\DRIVERS\Fjbtndrv.sys [2003-06-20 11392]
S3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\DRIVERS\FUJ02E3.sys [2006-11-02 5632]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-02-05 47448]
S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2008-03-12 41560]
S3 vm331avs;VC0334 USB2.0 Digital Camera;c:\windows\system32\Drivers\vm331avs.sys [2008-05-06 972032]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-06 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3538159819-4068702530-2812095634-1000Core.job
- c:\users\sean\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-31 20:53]
.
2011-11-06 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3538159819-4068702530-2812095634-1000UA.job
- c:\users\sean\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-31 20:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
IE: Free YouTube Download - c:\users\sean\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to MP3 Converter - c:\users\sean\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\sean\AppData\Roaming\Mozilla\Firefox\Profiles\sbnlq9v5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/mail?.src=ym&.intl=us
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(extentions.y2layers.installId, 373e7582-7809-4941-8ac3-7d8d83ddc675
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-PMCallCenter - c:\program files\PrettyMay Call Center for Skype\PMCallCenter.exe
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
HKLM-Run-IgfxTray - c:\windows\system32\igfxtray.exe
HKLM-Run-HotKeysCmds - c:\windows\system32\hkcmd.exe
HKLM-Run-Persistence - c:\windows\system32\igfxpers.exe
HKLM-Run-Malwarebytes' Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
SafeBoot-18727356.sys
SafeBoot-69845136.sys
AddRemove-Need for Speed Most Wanted_is1 - c:\need for speed most wanted\unins000.exe
AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\progra~2\TARMAI~1\{889DF~1\Setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\WISPTIS.EXE
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\windows\system32\rundll32.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\windows\system32\taskhost.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2011-11-06 15:17:05 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-06 23:17
.
Pre-Run: 5,032,751,104 bytes free
Post-Run: 9,196,503,040 bytes free
.
- - End Of File - - EB302D33BCCD1369A786D1F5AC6D9037

#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,948 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:14 AM

Posted 07 November 2011 - 08:10 AM

Other than these messages, which you should look after, your log is clean.

c:\windows\system32\drivers\tosrfcom.sys . . . is infected!!
Related to Bluetooth RFCOMM driver from TOSHIBA.

c:\windows\system32\o2flash.exe . . . is infected!!
c:\windows\system32\o2flash.exe . . . was deleted!! You should re-install the program it pertains to

Related to O2Micro Flash Memory Card.

c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe . . . is infected!!
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe . . . was deleted!! You should re-install the program it pertains to

Self explanatory.

c:\program files\Common Files\Steam\SteamService.exe . . . is infected!!
c:\program files\Common Files\Steam\SteamService.exe . . . was deleted!! You should re-install the program it pertains to

Self explanatory.
===

Third-party programs, if not up to date, can be the cause of infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the log and let me know what issues persist.
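
A small triage helper for the ComboFix status lines quoted above, added here as an example; it is not part of this thread and not ComboFix's own code. It parses the four line shapes ComboFix prints ("is infected!!", "was deleted!!", "was found and disinfected", "Failed to delete") and sorts each file into repaired, needs-reinstall, still-flagged, or needs-manual-follow-up, which is exactly the question the rest of the thread turns on (what happened to tosrfcom.sys). The sample log inside the script is constructed from the line shapes in the posted log, and the dropper-path heuristic is an assumption based only on the shapes seen in the "Other Deletions" list (a `$NtUninstallKB…$` folder with `U` and `L` subfolders and `@`-named files), not a general signature.

```python
"""Triage helper for ComboFix-style log output (added example, not ComboFix code)."""
import re
from collections import defaultdict

# Constructed sample, copying the line shapes seen in the posted ComboFix log.
SAMPLE_LOG = r"""
c:\windows\$NtUninstallKB10181$\583465724\U\@80000000
c:\users\sean\AppData\Local\22c6fafc\U\800000cb.@
c:\windows\$NtUninstallKB10181$ . . . . Failed to delete
.
c:\windows\system32\drivers\tosrfcom.sys . . . is infected!!
.
Infected copy of c:\progra~1\mcafee\SITEAD~1\mcsacore.exe was found and disinfected
Restored copy from - c:\progra~1\McAfee\SITEAD~1\
.
c:\windows\system32\o2flash.exe . . . is infected!!
c:\windows\system32\o2flash.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Common Files\Steam\SteamService.exe . . . is infected!!
c:\program files\Common Files\Steam\SteamService.exe . . . was deleted!! You should re-install the program it pertains to
"""

# One regex per status-line shape; the path is everything before the " . . . " separator.
_PATTERNS = {
    "infected": re.compile(r"^(?P<path>.+?) \. \. \. is infected!!$"),
    "deleted": re.compile(r"^(?P<path>.+?) \. \. \. was deleted!!"),
    "disinfected": re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected$"),
    "failed_delete": re.compile(r"^(?P<path>.+?) \. \. \. \. Failed to delete$"),
}

# Heuristic (assumption): path shapes matching the dropper folders deleted in this log.
_DROPPER_SHAPES = [
    re.compile(r"\\\$ntuninstallkb\d+\$\\", re.I),      # fake hotfix-uninstall folder used as a hiding place
    re.compile(r"\\u\\@?[0-9a-f]{8}(\.@)?$", re.I),     # "U" subfolder holding @-named payload files
]


def parse_status_lines(log_text):
    """Map each file path (lower-cased) to the set of statuses ComboFix reported for it."""
    statuses = defaultdict(set)
    for raw in log_text.splitlines():
        line = raw.strip()
        for status, pattern in _PATTERNS.items():
            m = pattern.match(line)
            if m:
                statuses[m.group("path").lower()].add(status)
                break
    return dict(statuses)


def triage(log_text):
    """Group reported files by what a responder has to do about them."""
    statuses = parse_status_lines(log_text)
    report = {"repaired": [], "reinstall": [], "still_flagged": [], "manual_followup": []}
    for path, found in sorted(statuses.items()):
        if "disinfected" in found:
            report["repaired"].append(path)          # ComboFix restored a clean copy
        elif "deleted" in found:
            report["reinstall"].append(path)         # binary removed; reinstall its application
        elif "infected" in found:
            report["still_flagged"].append(path)     # flagged but neither fixed nor removed
        if "failed_delete" in found:
            report["manual_followup"].append(path)   # deletion failed; check it by hand
    return report


def dropper_like_paths(log_text):
    """Return lines whose path shape matches the dropper folders seen in this log (heuristic)."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if any(shape.search(line) for shape in _DROPPER_SHAPES):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_LOG).items():
        print(bucket)
        for p in paths:
            print("   ", p)
    print("dropper-like paths:", dropper_like_paths(SAMPLE_LOG))
```

Run against the constructed log, the script puts tosrfcom.sys in "still_flagged" (infected but neither repaired nor deleted), the two deleted services in "reinstall", mcsacore.exe in "repaired", and the `$NtUninstallKB10181$` folder in "manual_followup"; the heuristic flags the two `U\@…` payload paths. A real log is fed in by replacing `SAMPLE_LOG` with the file's contents.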

#8 guitarsavvy

guitarsavvy
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:14 AM

Posted 07 November 2011 - 11:15 PM

Results of screen317's Security Check version 0.99.24
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

McAfee SiteAdvisor
Java™ 6 Update 29
Adobe Flash Player 11.0.1.152
Adobe Reader X (10.1.1)
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````

#9 guitarsavvy

guitarsavvy
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:14 AM

Posted 08 November 2011 - 02:12 AM

This is all incredibly helpful!


Did anything happen here:

"c:\windows\system32\drivers\tosrfcom.sys . . . is infected!!
Related to Bluetooth RFCOMM driver from TOSHIBA."

And what do I do?

Thanks.

#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,948 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:14 AM

Posted 08 November 2011 - 09:04 AM

Your security scan is good.

"c:\windows\system32\drivers\tosrfcom.sys . . . is infected!!
Related to Bluetooth RFCOMM driver from TOSHIBA."

And what do I do?


Go to the Computer manufacturer's site and you will possibly be able to download a good copy for your version of the Bluetooth.
===

Let's find out what is wrong with this driver.

>>> Run Jotti's malware scan: Please copy this line (in bold):
c:\windows\system32\drivers\tosrfcom.sys
  • Go to Jotti's malware scan and click the Browse button,
  • A window will open, right-click in the File name field and choose Paste.
  • Click the Submit button and let the scan run uninterrupted.
  • At the end right-click the Permalink button and choose "Copy the link".
  • Open Notepad (Start => All Programs => Accessories) and click "Edition" => "Paste".
Please copy and paste this Permalink in your next reply.
If Jotti is busy, please go to http://www.virustotal.com

How is the computer performing?

#11 guitarsavvy

guitarsavvy
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:14 AM

Posted 10 November 2011 - 11:13 PM

http://virusscan.jotti.org/en/scanresult/98d8cd9332876e3a27a81f1476f96a12eb555221

#12 guitarsavvy

guitarsavvy
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:14 AM

Posted 10 November 2011 - 11:36 PM

Two things:

1. Copying and pasting that yields a popup that says the specified file does not exist. It may have been quarantined because I installed Avast, Avira, and Malwarebytes and scanned with all three, but I don't remember that file coming up specifically.

2. I found the file under c -> program files -> toshiba -> drivers -> tosrfcom -> tosrfcom.sys and submitted that. It was clean.



The performance seems fantastic, although I recently got a "Windows Firewall has blocked some features of this program" notice with regards to Skype and hit cancel -->> that was part of what the virus had been doing, although it did it nearly every time I opened a program. It looks like there may be an issue with Windows Firewall.

I haven't looked yet, but before I attempt to reinstall Windows Firewall: should I? Can I? How? And most importantly, is there a better option for a free firewall?

Also, I'm very concerned because the first message that the virus showed upon opening the .exe was with regards to making changes to the Task Manager, and I don't know what that was, how to figure it out, and what to do to fix it if it's even still a problem. I can't quite remember, but I believe the same message came up about Windows Firewall.

Would you like a copy of the sirefef.b plus sirefef.o virus executable file or do you have one?

Thanks for all the great assistance!

#13 nasdaq

nasdaq

  • Malware Response Team
  • 38,948 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:14 AM

Posted 11 November 2011 - 09:00 AM

Try this free Comodo FireWall.
http://www.comodo.com/home/internet-security/firewall.php

When installed, make sure that the Windows Firewall is disabled.
You cannot have two Firewalls in real life.
===

For your added security make sure you have the latest version of Skype.
http://developer.skype.com/WindowsSkype

===

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

Surf Safely, and Think Prevention!
===

#14 guitarsavvy

guitarsavvy
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:14 AM

Posted 11 November 2011 - 10:55 AM

Should I delete rkill, tdsskiller, and antizeroaccess as well?

Do you recommend switching to comodo dns and using comodo cloud based behavior analysis or would that infringe upon privacy?

Thanks

#15 nasdaq

nasdaq

  • Malware Response Team
  • 38,948 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:14 AM

Posted 11 November 2011 - 11:27 AM

Should I delete rkill, tdsskiller, and antizeroaccess as well?

Yes!

Do you recommend switching to comodo dns and using comodo cloud based behavior analysis or would that infringe upon privacy?

Personally I'm not yet a fervent of the cloud system. I keep my programs updated and like to control what I do.
Your call.



