
System Restore Virus


This topic is locked. 22 replies to this topic.

#1 ARMcKay

  • Members
  • 35 posts

Posted 05 November 2011 - 10:27 AM

I am trying to clean a computer that has been infected by the System Restore Virus. The uninstall guide here (http://www.bleepingcomputer.com/virus-removal/remove-system-recovery) pretty much describes it to a "T" - but I am stuck at the point of being unable to run TDSSKiller - cannot get it to go through renaming the file extension nor by getting to the command prompt. Once infected, all the desktop icons and start menu options are hidden, but I seem to be able to unhide enough to get started by going through the Start Menu properties, then getting to the customize options and selecting "show hidden files" - this lets me get at RKill and Unhide and Malwarebytes. I can then run those programs and get rid of the System Restore symptoms - but after reboot I get some suspicious iexplore.exe activity, either through the command window popping up or "failed installation" pop-up windows.

The infection deleted the normal users in the Windows XP installation and replaced them with a generic "User" that at least does appear to have admin rights.

I have tried downloading and running the fixTDSS.exe program, but that too fails and I also am unable to shut off Windows System Restore through the checkbox on My Computer/Properties/System Restore Tab.

I've seen some comments about removing the drive and slaving it to another system, but I am not sure I will be able to pull that alternative off.
I also hope to avoid the nuclear option of reformat and re-install. I am posting from home, rather than where the sick computer is and I do not have the logs to attach as per the prep guide instructions, but I will obtain them while I wait my turn and follow with an additional post.

Thank you.

#2 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,994 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 05 November 2011 - 11:15 AM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 ARMcKay

  • Topic Starter
  • Members
  • 35 posts

Posted 06 November 2011 - 06:37 PM

OK...
Step 6 - ran Defogger and it seemed to run normally. It did not indicate any CD Emulation Drivers stopped nor did it ask for a restart upon completion. The log was pretty simple.

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 13:24 on 06/11/2011 (User)
Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
Checking for services/drivers...
-=E.O.F=-


Step 7 - Ran DDS and it took about six minutes to finish but then everything is running slow on this sick computer. Logs attached to this reply.

Step 8 - Tried to run GMER, first using an older version I had on hand. That failed to run so I downloaded the latest and greatest and that also failed to run - the exception message I got was:

LoadDriver ("C:\DOCUME~1\USER\LOCALS~1\Temp\uxldapob.sys") error 0xC000010E"" Cannot create a stable subkey under a volatile parent key

I clicked OK and it looked like it still started to scan for a few seconds then stopped. I closed it normally. No logs produced.

I will leave it alone for now and await your guidance.


#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 09 November 2011 - 12:32 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed. This will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run ComboFix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download ComboFix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double-click on combofix.exe and follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 ARMcKay

  • Topic Starter
  • Members
  • 35 posts

Posted 09 November 2011 - 10:02 PM

Hi Gringo -
Thanks for coming to my aid.
Unfortunately, things did not progress well with ComboFix.
I first started ComboFix and got it going. It seemed like it was doing its thing and, figuring it might take a while, I walked away from it.
I came back to the dialog box asking to install the XP Recovery Console - I tried to click it but the system had hung by then. Actually, this is the short story ending to all four times I ran ComboFix - it always ended with the system locked up. Even the clock down by the tray icons would stop.
The second attempt was the most fruitful. I was able to successfully get the recovery console installed and also start ComboFix again. It updated itself and then began scanning. A window popped up entitled "Message from Webpage" and instructed me to "Enter System Name in the Box" but there was only an "OK" button to click. I clicked it and the window disappeared. Just a minute or two later I got another window - this time stating:

You are infected with rootkit.ZeroAccess! It has inserted itself into the TCP/IP stack. This is a particularly difficult infection. If for any reason that you're unable to connect to the internet after running ComboFix, reboot once and see if that fixes it. If it is not fixed, run ComboFix one more time. I clicked OK on that too. That was followed by another window: Rootkit is detected. Be patient, this may take some moments. I again clicked OK and was patient - but eventually the computer stopped responding. In this and in all cases, I was unable to do anything other than hold the power button to shut down the unit. Everything else was unresponsive.

Small confession here: I may have clicked on the ComboFix window on my second attempt after clicking OK. I did not follow the instructions not to do that. I see that can cause it to stall and did not do that on attempts # 3 & 4 to run ComboFix - but those attempts only got me to where ComboFix would begin scanning and then each time, after about 10 to 20 minutes, the system would hang. On attempt # 3 I let it run for over two hours and only know it hung much earlier than that because again the clock stopped about 15 minutes after I started the scans.

No completions of running ComboFix to offer you any logs. Is there a plan B we can follow from here?

Thanks

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 09 November 2011 - 11:39 PM

Hello

There is a plan B, C, D and E if needed, and if that does not work, I have a stick of TNT.

OK, let's try this. I want you to run ComboFix in Safe Mode, but it is very important that when ComboFix reboots the computer you direct it back into Safe Mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

After ComboFix has finished its scan, please post the report back here.

Gringo

#7 ARMcKay

  • Topic Starter
  • Members
  • 35 posts

Posted 10 November 2011 - 09:33 AM

I was able to get into safe mode no problem.
I let ComboFix run for about 45 minutes this morning - still no logs.
It created a System Restore point (9 files backed up in Safe Mode versus 11 files in regular start up) and then gets to "Attempting to scan files - this normally takes no longer than ten minutes but can easily double on badly infected machines." message. The clock kept moving in safe mode - but no results.
I think we go to plan C?
I reserve the dynamite for the posterior orifices of those who write the viruses.

#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 November 2011 - 03:02 PM

Hello

I want you to run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
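When a TDSSKiller report is pasted into a thread it is several hundred lines long, and the only lines that matter for triage are the ones whose verdict is not "ok". The parser below is an added example and is not part of the original thread, nor is it Kaspersky's code; it assumes only the line formats visible in TDSSKiller logs like the one posted later in this thread ("name (md5) path", "name - ok", "name ( Threat ) - infected", "name - detected Threat (n)"). The sample log embedded in it is a constructed excerpt in that format, and the parser collapses the per-driver lines into one record per driver so that the flagged entries and their file hashes can be pulled out in one step.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in the line format TDSSKiller writes to its
# TDSSKiller.[Version]_[Date]_[Time]_log.txt report: timestamp, thread id, then
# a per-driver message. Values mirror the log posted later in this thread and
# serve only as sample input for the parser.
SAMPLE_LOG = r"""
20:10:40.0031 3996 TDSS rootkit removing tool 2.6.17.0 Nov 9 2011 16:48:26
20:10:55.0046 2200 ============================================================
20:10:55.0046 2200 Scan started
20:10:55.0046 2200 Mode: Manual;
20:10:55.0375 2200 Abiosdsk - ok
20:10:55.0531 2200 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:10:55.0531 2200 ACPI - ok
20:11:03.0562 2200 i8042prt (0f86f3a4a5c9c4cd9232b47eeb3bb6f0) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
20:11:03.0562 2200 i8042prt ( Rootkit.Win32.ZAccess.j ) - infected
20:11:03.0562 2200 i8042prt - detected Rootkit.Win32.ZAccess.j (0)
20:11:03.0687 2200 ialm (0f0194c4b635c10c3f785e4fee52d641) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
20:11:03.0718 2200 ialm - ok
"""

# Every per-driver line starts with "HH:MM:SS.mmmm <thread id>"; what follows is
# matched against the four message shapes seen in the report.
LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<tid>\d+)\s+(?P<rest>\S.*)$")
FILE_RE = re.compile(r"^(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*)$")
OK_RE = re.compile(r"^(?P<name>\S+)\s+-\s+ok$")
INFECTED_RE = re.compile(r"^(?P<name>\S+)\s+\(\s*(?P<threat>\S+)\s*\)\s+-\s+infected$")
DETECTED_RE = re.compile(r"^(?P<name>\S+)\s+-\s+detected\s+(?P<threat>\S+)\s+\((?P<code>\d+)\)$")


@dataclass
class DriverRecord:
    name: str
    md5: Optional[str] = None      # hash of the on-disk file, when TDSSKiller listed one
    path: Optional[str] = None     # on-disk path, when listed (some entries are registry-only)
    verdict: str = "unknown"       # "ok", "infected", "detected" or "unknown"
    threat: Optional[str] = None   # detection name, if any


def parse_tdsskiller_log(text: str) -> Dict[str, DriverRecord]:
    """Fold the per-line report into one DriverRecord per driver/service name."""
    records: Dict[str, DriverRecord] = {}

    def rec(name: str) -> DriverRecord:
        return records.setdefault(name, DriverRecord(name))

    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank, banner or separator line: no per-driver data
        rest = m["rest"]
        fm = FILE_RE.match(rest)
        if fm:
            r = rec(fm["name"])
            r.md5 = fm["md5"].lower()
            r.path = fm["path"]
            continue
        im = INFECTED_RE.match(rest)
        if im:
            r = rec(im["name"])
            r.verdict = "infected"
            r.threat = im["threat"]
            continue
        dm = DETECTED_RE.match(rest)
        if dm:
            r = rec(dm["name"])
            r.threat = dm["threat"]
            if r.verdict != "infected":   # "infected" already recorded outranks "detected"
                r.verdict = "detected"
            continue
        om = OK_RE.match(rest)
        if om:
            rec(om["name"]).verdict = "ok"
        # Anything else (SystemInfo lines, "Scan started", ...) is ignored.
    return records


def flagged(records: Dict[str, DriverRecord]) -> List[DriverRecord]:
    """Entries worth a second look: anything TDSSKiller marked infected or detected."""
    return [r for r in records.values() if r.verdict in ("infected", "detected")]


def summarize(records: Dict[str, DriverRecord]) -> Dict[str, int]:
    """Counts by verdict, so a long report can be sanity-checked at a glance."""
    counts = {"total": len(records), "ok": 0, "flagged": 0, "unknown": 0}
    for r in records.values():
        if r.verdict == "ok":
            counts["ok"] += 1
        elif r.verdict in ("infected", "detected"):
            counts["flagged"] += 1
        else:
            counts["unknown"] += 1
    return counts


if __name__ == "__main__":
    recs = parse_tdsskiller_log(SAMPLE_LOG)
    print(summarize(recs))
    for r in flagged(recs):
        print(f"{r.name}: {r.verdict} {r.threat} md5={r.md5} path={r.path}")
```

The "unknown" bucket is deliberate: a driver that has a file line but never receives a verdict line means the scan stopped or the report was truncated when it was pasted, which is itself useful to know before acting on the log.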

#9 ARMcKay

  • Topic Starter
  • Members
  • 35 posts

Posted 10 November 2011 - 06:36 PM

Still no joy here - tried running it and got nowhere. I tried renaming it - after discovering the PS/2 keyboard stopped working and I happened to have an alternate USB nearby. Still nothing. Tried it in Safe Mode too, and that didn't work either.

#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 November 2011 - 08:25 PM

Hello

I would like you to run this tool for me - FixTDSS.

Download it to your desktop and start the program.

Follow the prompts and OK any security prompts.

When it is complete it will say the infection was cleared or no infection was found - let me know what it says.

After it is complete I want you to restart the computer and try to rerun TDSSKiller for me and send me the report.

Gringo

#11 ARMcKay

  • Topic Starter
  • Members
  • 35 posts

Posted 10 November 2011 - 09:19 PM

Pleased to report some progress -
FixTDSS did run and reported an infected MBR. I chose repair and it worked.
I let the system reboot and then TDSSKiller also ran successfully. Paste of the log as follows:

20:10:40.0031 3996 TDSS rootkit removing tool 2.6.17.0 Nov 9 2011 16:48:26
20:10:41.0375 3996 ============================================================
20:10:41.0375 3996 Current date / time: 2011/11/10 20:10:41.0375
20:10:41.0375 3996 SystemInfo:
20:10:41.0375 3996
20:10:41.0375 3996 OS Version: 5.1.2600 ServicePack: 3.0
20:10:41.0375 3996 Product type: Workstation
20:10:41.0375 3996 ComputerName: DIM4700
20:10:41.0375 3996 UserName: User
20:10:41.0375 3996 Windows directory: C:\WINDOWS
20:10:41.0375 3996 System windows directory: C:\WINDOWS
20:10:41.0375 3996 Processor architecture: Intel x86
20:10:41.0375 3996 Number of processors: 2
20:10:41.0375 3996 Page size: 0x1000
20:10:41.0375 3996 Boot type: Normal boot
20:10:41.0375 3996 ============================================================
20:10:42.0484 3996 Initialize success
20:10:55.0046 2200 ============================================================
20:10:55.0046 2200 Scan started
20:10:55.0046 2200 Mode: Manual;
20:10:55.0046 2200 ============================================================
20:10:55.0375 2200 Abiosdsk - ok
20:10:55.0437 2200 abp480n5 - ok
20:10:55.0531 2200 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:10:55.0531 2200 ACPI - ok
20:10:55.0609 2200 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
20:10:55.0625 2200 ACPIEC - ok
20:10:55.0812 2200 ADM8511 (b05f2367f62552a2de7e3c352b7b9885) C:\WINDOWS\system32\DRIVERS\ADM8511.SYS
20:10:55.0812 2200 ADM8511 - ok
20:10:55.0984 2200 adpu160m - ok
20:10:56.0171 2200 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
20:10:56.0171 2200 aec - ok
20:10:56.0390 2200 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
20:10:56.0406 2200 AFD - ok
20:10:56.0640 2200 Aha154x - ok
20:10:56.0984 2200 aic78u2 - ok
20:10:57.0125 2200 aic78xx - ok
20:10:57.0296 2200 AliIde - ok
20:10:57.0468 2200 amsint - ok
20:10:57.0578 2200 asc - ok
20:10:57.0781 2200 asc3350p - ok
20:10:57.0953 2200 asc3550 - ok
20:10:58.0078 2200 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:10:58.0078 2200 AsyncMac - ok
20:10:58.0312 2200 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
20:10:58.0328 2200 atapi - ok
20:10:58.0500 2200 Atdisk - ok
20:10:58.0656 2200 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
20:10:58.0656 2200 Atmarpc - ok
20:10:58.0781 2200 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
20:10:58.0781 2200 audstub - ok
20:10:58.0937 2200 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
20:10:58.0953 2200 Beep - ok
20:10:59.0031 2200 catchme - ok
20:10:59.0187 2200 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
20:10:59.0203 2200 cbidf2k - ok
20:10:59.0359 2200 cd20xrnt - ok
20:10:59.0500 2200 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
20:10:59.0500 2200 Cdaudio - ok
20:10:59.0671 2200 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
20:10:59.0687 2200 Cdfs - ok
20:10:59.0828 2200 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
20:10:59.0843 2200 Cdrom - ok
20:11:00.0015 2200 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
20:11:00.0031 2200 cercsr6 - ok
20:11:00.0281 2200 cfwids (1dcb5209601a70e36c70fe8d197d62cb) C:\WINDOWS\system32\drivers\cfwids.sys
20:11:00.0281 2200 cfwids - ok
20:11:00.0515 2200 Changer - ok
20:11:00.0781 2200 CmdIde - ok
20:11:00.0906 2200 Cpqarray - ok
20:11:00.0968 2200 dac2w2k - ok
20:11:00.0984 2200 dac960nt - ok
20:11:01.0078 2200 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
20:11:01.0078 2200 Disk - ok
20:11:01.0218 2200 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
20:11:01.0234 2200 dmboot - ok
20:11:01.0343 2200 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
20:11:01.0343 2200 dmio - ok
20:11:01.0453 2200 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
20:11:01.0453 2200 dmload - ok
20:11:01.0562 2200 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
20:11:01.0562 2200 DMusic - ok
20:11:01.0609 2200 dpti2o - ok
20:11:01.0687 2200 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
20:11:01.0687 2200 drmkaud - ok
20:11:01.0796 2200 E100B (d57a8fc800b501ac05b10d00f66d127a) C:\WINDOWS\system32\DRIVERS\e100b325.sys
20:11:01.0796 2200 E100B - ok
20:11:02.0093 2200 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
20:11:02.0125 2200 Fastfat - ok
20:11:02.0218 2200 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
20:11:02.0234 2200 Fdc - ok
20:11:02.0296 2200 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
20:11:02.0296 2200 Fips - ok
20:11:02.0375 2200 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
20:11:02.0375 2200 Flpydisk - ok
20:11:02.0468 2200 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
20:11:02.0468 2200 FltMgr - ok
20:11:02.0578 2200 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:11:02.0578 2200 Fs_Rec - ok
20:11:02.0687 2200 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:11:02.0687 2200 Ftdisk - ok
20:11:02.0796 2200 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:11:02.0796 2200 Gpc - ok
20:11:02.0906 2200 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
20:11:02.0906 2200 HidUsb - ok
20:11:02.0984 2200 hpn - ok
20:11:03.0046 2200 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
20:11:03.0062 2200 HPZid412 - ok
20:11:03.0140 2200 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
20:11:03.0140 2200 HPZipr12 - ok
20:11:03.0234 2200 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
20:11:03.0234 2200 HPZius12 - ok
20:11:03.0343 2200 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
20:11:03.0343 2200 HTTP - ok
20:11:03.0421 2200 i2omgmt - ok
20:11:03.0484 2200 i2omp - ok
20:11:03.0562 2200 i8042prt (0f86f3a4a5c9c4cd9232b47eeb3bb6f0) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
20:11:03.0562 2200 i8042prt ( Rootkit.Win32.ZAccess.j ) - infected
20:11:03.0562 2200 i8042prt - detected Rootkit.Win32.ZAccess.j (0)
20:11:03.0687 2200 ialm (0f0194c4b635c10c3f785e4fee52d641) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
20:11:03.0718 2200 ialm - ok
20:11:03.0796 2200 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
20:11:03.0796 2200 Imapi - ok
20:11:03.0875 2200 ini910u - ok
20:11:03.0953 2200 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
20:11:03.0953 2200 IntelIde - ok
20:11:04.0031 2200 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
20:11:04.0031 2200 intelppm - ok
20:11:04.0109 2200 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
20:11:04.0109 2200 Ip6Fw - ok
20:11:04.0203 2200 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
20:11:04.0203 2200 IpFilterDriver - ok
20:11:04.0281 2200 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:11:04.0281 2200 IpInIp - ok
20:11:04.0375 2200 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:11:04.0375 2200 IpNat - ok
20:11:04.0468 2200 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:11:04.0468 2200 IPSec - ok
20:11:04.0546 2200 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
20:11:04.0546 2200 IRENUM - ok
20:11:04.0625 2200 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:11:04.0625 2200 isapnp - ok
20:11:04.0703 2200 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:11:04.0718 2200 Kbdclass - ok
20:11:04.0796 2200 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
20:11:04.0796 2200 kbdhid - ok
20:11:04.0890 2200 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
20:11:04.0890 2200 kmixer - ok
20:11:04.0968 2200 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
20:11:04.0984 2200 KSecDD - ok
20:11:05.0046 2200 lbrtfdc - ok
20:11:05.0125 2200 MBAMSwissArmy - ok
20:11:05.0218 2200 mfeapfk (36b47b1e9c537f8f2b4481084b8f7d22) C:\WINDOWS\system32\drivers\mfeapfk.sys
20:11:05.0218 2200 mfeapfk - ok
20:11:05.0296 2200 mfeavfk (cde41293db871a75cd99eb0ce781356b) C:\WINDOWS\system32\drivers\mfeavfk.sys
20:11:05.0312 2200 mfeavfk - ok
20:11:05.0390 2200 mfeavfk01 - ok
20:11:05.0437 2200 mfebopk (e22385f64bdf0ad81157479496e33c4a) C:\WINDOWS\system32\drivers\mfebopk.sys
20:11:05.0437 2200 mfebopk - ok
20:11:05.0546 2200 mfefirek (215666a8a85023ef019b510cbb67f678) C:\WINDOWS\system32\drivers\mfefirek.sys
20:11:05.0546 2200 mfefirek - ok
20:11:05.0640 2200 mfehidk (56d330981866a72f061dd16cc5004513) C:\WINDOWS\system32\drivers\mfehidk.sys
20:11:05.0671 2200 mfehidk - ok
20:11:05.0750 2200 mfendisk (62acda4e958e2a392557ba3c6c754a58) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
20:11:05.0765 2200 mfendisk - ok
20:11:05.0765 2200 mfendiskmp (62acda4e958e2a392557ba3c6c754a58) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
20:11:05.0765 2200 mfendiskmp - ok
20:11:05.0843 2200 mferkdet (89b564d63c53fc0c6782ab07eea63acf) C:\WINDOWS\system32\drivers\mferkdet.sys
20:11:05.0843 2200 mferkdet - ok
20:11:05.0937 2200 mfetdi2k (922e64ca38e38106498fb3435a8e399d) C:\WINDOWS\system32\drivers\mfetdi2k.sys
20:11:05.0937 2200 mfetdi2k - ok
20:11:06.0015 2200 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
20:11:06.0015 2200 mnmdd - ok
20:11:06.0109 2200 MOBKFilter (e896775837a8bce436348df460522394) C:\WINDOWS\system32\DRIVERS\MOBK.sys
20:11:06.0109 2200 MOBKFilter - ok
20:11:06.0187 2200 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
20:11:06.0187 2200 Modem - ok
20:11:06.0281 2200 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:11:06.0281 2200 Mouclass - ok
20:11:06.0359 2200 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
20:11:06.0359 2200 mouhid - ok
20:11:06.0437 2200 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
20:11:06.0437 2200 MountMgr - ok
20:11:06.0515 2200 mraid35x - ok
20:11:06.0578 2200 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:11:06.0578 2200 MRxDAV - ok
20:11:06.0656 2200 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:11:06.0687 2200 MRxSmb - ok
20:11:06.0781 2200 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
20:11:06.0781 2200 Msfs - ok
20:11:06.0875 2200 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:11:06.0875 2200 MSKSSRV - ok
20:11:06.0968 2200 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:11:06.0968 2200 MSPCLOCK - ok
20:11:07.0046 2200 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
20:11:07.0046 2200 MSPQM - ok
20:11:07.0125 2200 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:11:07.0125 2200 mssmbios - ok
20:11:07.0203 2200 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
20:11:07.0203 2200 Mup - ok
20:11:07.0296 2200 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
20:11:07.0312 2200 NDIS - ok
20:11:07.0390 2200 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:11:07.0390 2200 NdisTapi - ok
20:11:07.0468 2200 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:11:07.0468 2200 Ndisuio - ok
20:11:07.0562 2200 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:11:07.0562 2200 NdisWan - ok
20:11:07.0640 2200 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
20:11:07.0640 2200 NDProxy - ok
20:11:07.0718 2200 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
20:11:07.0718 2200 NetBIOS - ok
20:11:07.0812 2200 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
20:11:07.0812 2200 NetBT - ok
20:11:07.0984 2200 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
20:11:07.0984 2200 Npfs - ok
20:11:08.0218 2200 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
20:11:08.0250 2200 Ntfs - ok
20:11:08.0343 2200 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
20:11:08.0343 2200 Null - ok
20:11:08.0437 2200 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:11:08.0437 2200 NwlnkFlt - ok
20:11:08.0515 2200 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:11:08.0531 2200 NwlnkFwd - ok
20:11:08.0609 2200 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
20:11:08.0609 2200 Parport - ok
20:11:08.0687 2200 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
20:11:08.0687 2200 PartMgr - ok
20:11:08.0765 2200 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
20:11:08.0781 2200 ParVdm - ok
20:11:08.0859 2200 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
20:11:08.0859 2200 PCI - ok
20:11:08.0921 2200 PCIDump - ok
20:11:08.0984 2200 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
20:11:08.0984 2200 PCIIde - ok
20:11:09.0078 2200 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
20:11:09.0078 2200 Pcmcia - ok
20:11:09.0156 2200 PDCOMP - ok
20:11:09.0203 2200 PDFRAME - ok
20:11:09.0265 2200 PDRELI - ok
20:11:09.0359 2200 PDRFRAME - ok
20:11:09.0390 2200 perc2 - ok
20:11:09.0468 2200 perc2hib - ok
20:11:09.0593 2200 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:11:09.0593 2200 PptpMiniport - ok
20:11:09.0703 2200 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
20:11:09.0703 2200 PSched - ok
20:11:09.0812 2200 PSI (d24dfd16a1e2a76034df5aa18125c35d) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
20:11:09.0812 2200 PSI - ok
20:11:09.0921 2200 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:11:09.0921 2200 Ptilink - ok
20:11:10.0000 2200 ql1080 - ok
20:11:10.0093 2200 Ql10wnt - ok
20:11:10.0125 2200 ql12160 - ok
20:11:10.0187 2200 ql1240 - ok
20:11:10.0281 2200 ql1280 - ok
20:11:10.0343 2200 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:11:10.0343 2200 RasAcd - ok
20:11:10.0421 2200 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:11:10.0421 2200 Rasl2tp - ok
20:11:10.0500 2200 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:11:10.0515 2200 RasPppoe - ok
20:11:10.0593 2200 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
20:11:10.0593 2200 Raspti - ok
20:11:10.0671 2200 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:11:10.0671 2200 Rdbss - ok
20:11:10.0796 2200 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:11:10.0796 2200 RDPCDD - ok
20:11:11.0093 2200 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
20:11:11.0109 2200 rdpdr - ok
20:11:11.0390 2200 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
20:11:11.0421 2200 RDPWD - ok
20:11:11.0578 2200 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
20:11:11.0578 2200 redbook - ok
20:11:11.0703 2200 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:11:11.0703 2200 Secdrv - ok
20:11:11.0828 2200 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
20:11:11.0859 2200 senfilt - ok
20:11:11.0953 2200 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
20:11:11.0968 2200 serenum - ok
20:11:12.0046 2200 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
20:11:12.0062 2200 Serial - ok
20:11:12.0156 2200 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
20:11:12.0156 2200 Sfloppy - ok
20:11:12.0250 2200 Simbad - ok
20:11:12.0328 2200 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
20:11:12.0328 2200 smwdm - ok
20:11:12.0390 2200 Sparrow - ok
20:11:12.0468 2200 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
20:11:12.0468 2200 splitter - ok
20:11:12.0562 2200 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
20:11:12.0562 2200 sr - ok
20:11:12.0640 2200 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
20:11:12.0656 2200 Srv - ok
20:11:12.0750 2200 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
20:11:12.0750 2200 swenum - ok
20:11:12.0828 2200 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
20:11:12.0828 2200 swmidi - ok
20:11:12.0906 2200 symc810 - ok
20:11:12.0953 2200 symc8xx - ok
20:11:13.0031 2200 sym_hi - ok
20:11:13.0125 2200 sym_u3 - ok
20:11:13.0187 2200 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
20:11:13.0187 2200 sysaudio - ok
20:11:13.0296 2200 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:11:13.0312 2200 Tcpip - ok
20:11:13.0406 2200 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
20:11:13.0406 2200 TDPIPE - ok
20:11:13.0484 2200 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
20:11:13.0484 2200 TDTCP - ok
20:11:13.0578 2200 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
20:11:13.0593 2200 TermDD - ok
20:11:13.0812 2200 TosIde - ok
20:11:14.0078 2200 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
20:11:14.0093 2200 Udfs - ok
20:11:14.0218 2200 ultra - ok
20:11:14.0406 2200 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
20:11:14.0421 2200 Update - ok
20:11:14.0593 2200 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
20:11:14.0593 2200 usbccgp - ok
20:11:14.0812 2200 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:11:14.0812 2200 usbehci - ok
20:11:14.0906 2200 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
20:11:14.0906 2200 usbhub - ok
20:11:14.0968 2200 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
20:11:14.0968 2200 usbprint - ok
20:11:15.0046 2200 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
20:11:15.0046 2200 usbscan - ok
20:11:15.0140 2200 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:11:15.0140 2200 USBSTOR - ok
20:11:15.0218 2200 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
20:11:15.0234 2200 usbuhci - ok
20:11:15.0312 2200 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
20:11:15.0312 2200 VgaSave - ok
20:11:15.0375 2200 ViaIde - ok
20:11:15.0468 2200 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
20:11:15.0468 2200 VolSnap - ok
20:11:15.0515 2200 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:11:15.0531 2200 Wanarp - ok
20:11:15.0593 2200 WDICA - ok
20:11:15.0671 2200 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
20:11:15.0671 2200 wdmaud - ok
20:11:15.0843 2200 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
20:11:15.0843 2200 WudfPf - ok
20:11:15.0937 2200 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
20:11:15.0937 2200 WudfRd - ok
20:11:15.0968 2200 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
20:11:16.0078 2200 \Device\Harddisk0\DR0 - ok
20:11:16.0078 2200 Boot (0x1200) (7af52511f66360577eaf1c4072186777) \Device\Harddisk0\DR0\Partition0
20:11:16.0078 2200 \Device\Harddisk0\DR0\Partition0 - ok
20:11:16.0078 2200 ============================================================
20:11:16.0093 2200 Scan finished
20:11:16.0093 2200 ============================================================
20:11:16.0093 4092 Detected object count: 1
20:11:16.0093 4092 Actual detected object count: 1
20:12:00.0406 4092 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\i8042prt.sys) error 1813
20:12:07.0562 4092 Backup copy found, using it..
20:12:07.0593 4092 C:\WINDOWS\system32\DRIVERS\i8042prt.sys - will be cured on reboot
20:12:07.0593 4092 i8042prt ( Rootkit.Win32.ZAccess.j ) - User select action: Cure
20:12:14.0562 2668 Deinitialize success

That brought the keyboard back as well - I noticed that the driver zapped by TDSSKiller was also the active driver for the keyboard while I was poking around in the Control Panel. Cool - now we're getting somewhere!

#12 gringo_pr
    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 November 2011 - 09:29 PM

Hello


Now let's see if we can get ComboFix to run.


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#13 ARMcKay
  • Topic Starter
  • Members
  • 35 posts

Posted 11 November 2011 - 12:18 AM

Getting better and better - ComboFix ran - did take a while, but here is the log:

ComboFix 11-11-11.01 - User 11/10/2011 22:46:59.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.598 [GMT -6:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\py7pjvsy.default\extensions\{bcce059d-1027-48e1-97e7-733ce6d610f9}
c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\py7pjvsy.default\extensions\{bcce059d-1027-48e1-97e7-733ce6d610f9}\chrome.manifest
c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\py7pjvsy.default\extensions\{bcce059d-1027-48e1-97e7-733ce6d610f9}\chrome\xulcache.jar
c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\py7pjvsy.default\extensions\{bcce059d-1027-48e1-97e7-733ce6d610f9}\defaults\preferences\xulcache.js
c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\py7pjvsy.default\extensions\{bcce059d-1027-48e1-97e7-733ce6d610f9}\install.rdf
c:\documents and settings\User\rzfptrlgew.tmp
c:\documents and settings\User\Start Menu\Programs\System Restore
c:\documents and settings\User\Start Menu\Programs\System Restore\System Restore.lnk
c:\documents and settings\User\Start Menu\Programs\System Restore\Uninstall System Restore.lnk
C:\drvrtmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Service_6to4
.
.
((((((((((((((((((((((((( Files Created from 2011-10-11 to 2011-11-11 )))))))))))))))))))))))))))))))
.
.
2011-11-10 23:31 . 2008-04-14 06:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-11-10 23:31 . 2008-04-14 06:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-11-05 04:29 . 2011-11-05 04:48 -------- d-----w- c:\documents and settings\Anthony
2011-11-05 00:59 . 2011-11-05 00:59 -------- d-----w- c:\documents and settings\Administrator
2011-11-04 00:53 . 2008-10-29 18:57 974848 ----a-r- c:\windows\system32\hpost_p02b.dll
2011-11-04 00:53 . 2008-10-29 18:57 737280 ----a-r- c:\windows\system32\hposwia_p02b.dll
2011-11-04 00:53 . 2008-10-29 18:57 307200 ----a-r- c:\windows\system32\hposc_p02a.dll
2011-11-04 00:53 . 2008-10-28 10:31 372736 ----a-r- c:\windows\system32\hppldcoi.dll
2011-11-04 00:53 . 2008-10-28 10:31 309760 ----a-r- c:\windows\system32\difxapi.dll
2011-11-04 00:50 . 2011-11-04 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2011-11-04 00:18 . 2011-11-11 02:06 -------- d-----w- c:\documents and settings\User\Application Data\HPAppData
2011-11-03 19:22 . 2011-11-04 00:37 -------- d-----w- c:\windows\SxsCaPendDel
2011-11-03 01:49 . 2011-11-03 01:49 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Secunia PSI
2011-11-03 01:49 . 2011-11-03 01:49 -------- d-----w- c:\program files\Secunia
2011-11-02 23:45 . 2011-11-02 23:45 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Trolltech
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-11 02:12 . 2004-08-04 10:00 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-10-15 19:16 . 2010-08-19 02:58 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-10-15 19:16 . 2010-08-19 02:57 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-10-15 19:16 . 2010-08-19 02:57 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-10-15 19:16 . 2010-08-19 02:57 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-10-15 19:16 . 2010-08-19 02:57 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-10-15 19:16 . 2010-08-19 02:57 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-10-15 19:16 . 2010-08-19 02:57 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-10-15 19:16 . 2010-08-19 02:57 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 19:16 . 2010-06-01 01:32 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 19:16 . 2010-06-01 01:32 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-10 14:22 . 2010-08-14 21:27 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2004-08-04 10:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41 . 2009-10-08 19:57 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2004-08-04 10:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2004-08-04 10:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20 . 2004-08-04 10:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 22:00 . 2010-08-19 00:25 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-04 10:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-09-30 14:58 . 2011-04-02 18:03 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 19:01 . 2010-08-19 02:58 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [8/18/2010 8:57 PM 89792]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [8/18/2010 8:59 PM 54776]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/18/2010 8:57 PM 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/18/2010 8:57 PM 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/18/2010 8:57 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [8/18/2010 8:58 PM 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [8/18/2010 8:58 PM 150856]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [4/13/2010 7:11 PM 229688]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [10/14/2011 12:01 AM 994360]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [8/18/2010 8:57 PM 57600]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [8/18/2010 8:57 PM 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [8/18/2010 8:57 PM 83856]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 2:30 AM 15544]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 NetworkLog;NetworkLog;c:\windows\svcs.exe --> c:\windows\svcs.exe [?]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [8/14/2010 4:34 PM 20160]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [8/18/2010 8:57 PM 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [8/18/2010 8:57 PM 87656]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 4:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-10 c:\windows\Tasks\User_Feed_Synchronization-{B1FCC51D-9EAA-4251-BF34-52DD227976DA}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.home.comcast.net/~epafriendly
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\py7pjvsy.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
SafeBoot-91084936.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-10 23:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(272)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\system32\rundll32.exe
c:\windows\System32\vssvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2011-11-10 23:15:20 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-11 05:15
.
Pre-Run: 23,370,084,352 bytes free
Post-Run: 24,458,117,120 bytes free
.
- - End Of File - - 18FEC8B2D1A17D5E63295733132B1AE7
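The two logs posted in this thread are the raw material a helper actually reads: TDSSKiller's per-driver lines (name, MD5, path, then a verdict), and ComboFix's Drivers/Services section (R/S state, start type, name, display name, image path, and file details). As an added example, not code from this thread or from the TDSSKiller/ComboFix authors, the Python below parses both formats and pulls out what a reviewer triages first: the detection and pending-cure lines, and services that start on their own but whose binary ComboFix could not find. The sample lines are copied from, or modelled on, the logs above; reading ComboFix's `[?]` as "file details unavailable, normally because the binary is not on disk" and the start-type cut-off are this example's own assumptions.

```python
"""Triage helpers for the two log formats posted in this thread.

Added example, not code from the thread or from the TDSSKiller/ComboFix
authors. The sample lines below are copied from, or modelled on, the logs
above; the reading of ComboFix's "[?]" and the start-type heuristic are this
example's own assumptions.
"""
import re
from collections import namedtuple

# --- TDSSKiller: "<time> <pid> <body>" ---------------------------------------
TDSS_LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<body>.*)$")
# inventory line:   Tcpip (9aefa14b...) C:\WINDOWS\system32\DRIVERS\tcpip.sys
TDSS_HASH = re.compile(r"^(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$")
# verdict line:     i8042prt ( Rootkit.Win32.ZAccess.j ) - User select action: Cure
TDSS_DETECT = re.compile(
    r"^(?P<name>\S+)\s+\(\s*(?P<threat>[^)]+?)\s*\)\s+-\s+User select action:\s+(?P<action>\w+)$")
# pending-fix line: C:\...\i8042prt.sys - will be cured on reboot
TDSS_CURE = re.compile(r"^(?P<path>.+?)\s+-\s+will be cured on reboot$")

# --- ComboFix Drivers/Services: "<R|S><start> name;display;image [info]" ------
CF_SERVICE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)\s+\[(?P<info>[^\]]*)\]\s*$")

Driver = namedtuple("Driver", "name md5 path")
Detection = namedtuple("Detection", "name threat action")
Service = namedtuple("Service", "name state start image missing")


def parse_tdsskiller(text):
    """Return (drivers by name, detections, paths pending cure on reboot)."""
    drivers, detections, pending = {}, [], []
    for line in text.splitlines():
        m = TDSS_LINE.match(line)
        if not m:
            continue
        body = m["body"]
        if (h := TDSS_HASH.match(body)):
            drivers[h["name"]] = Driver(h["name"], h["md5"], h["path"])
        elif (d := TDSS_DETECT.match(body)):
            detections.append(Detection(d["name"], d["threat"], d["action"]))
        elif (c := TDSS_CURE.match(body)):
            pending.append(c["path"])
    return drivers, detections, pending


def parse_combofix_services(text):
    """Parse the R*/S* lines: R = running, S = stopped, digit = Windows start type."""
    services = []
    for line in text.splitlines():
        m = CF_SERVICE.match(line)
        if not m:
            continue
        image = m["image"]
        # ComboFix prints "declared --> resolved [?]" when it could not read the
        # file's date and size; this example treats that as "binary not on disk"
        # (assumption).
        if "-->" in image:
            image = image.split("-->")[-1].strip()
        services.append(Service(m["name"].strip(), m["state"], int(m["start"]),
                                image, m["info"].strip() == "?"))
    return services


def flag_services(services):
    """Services that start by themselves (boot/system/auto = start type <= 2)
    yet point at a binary ComboFix could not find: often the leftover
    registration of a removed dropper, and the first entries to review."""
    return [s for s in services if s.missing and s.start <= 2]


# Constructed sample: Tcpip, MBR and i8042prt lines are taken from the
# TDSSKiller log in this thread; the service lines from the ComboFix log above.
TDSS_SAMPLE = r"""
20:11:13.0296 2200 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:11:13.0312 2200 Tcpip - ok
20:11:15.0968 2200 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
20:11:16.0093 4092 Detected object count: 1
20:12:07.0593 4092 C:\WINDOWS\system32\DRIVERS\i8042prt.sys - will be cured on reboot
20:12:07.0593 4092 i8042prt ( Rootkit.Win32.ZAccess.j ) - User select action: Cure
"""

CF_SAMPLE = r"""
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [8/18/2010 8:57 PM 89792]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/18/2010 8:57 PM 214904]
S2 NetworkLog;NetworkLog;c:\windows\svcs.exe --> c:\windows\svcs.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 4:00 AM 14336]
"""

if __name__ == "__main__":
    drivers, detections, pending = parse_tdsskiller(TDSS_SAMPLE)
    print(f"{len(drivers)} driver(s) hashed, {len(detections)} detection(s), "
          f"{len(pending)} pending cure")
    for d in detections:
        print(f"  {d.name}: {d.threat} -> {d.action}")
    for s in flag_services(parse_combofix_services(CF_SAMPLE)):
        print(f"  review: service {s.name!r} start={s.start} image={s.image} (not found)")
```

Run as written, the script reports the ZAccess hit on i8042prt.sys with its pending cure, and singles out the auto-start NetworkLog service whose c:\windows\svcs.exe is gone, while leaving the manual-start MBAMSwissArmy entry (a Malwarebytes on-demand driver that is legitimately absent between runs) alone. The driver-hash dictionary is what you would compare against a clean machine's TDSSKiller output to spot a patched system driver before the scanner names it.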

#14 gringo_pr
    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 11 November 2011 - 12:25 AM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Folder::
c:\documents and settings\User\Local Settings\Application Data\Trolltech


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#15 ARMcKay
  • Topic Starter
  • Members
  • 35 posts

Posted 11 November 2011 - 08:40 AM

Your instructions worked fine. ComboFix asked to update itself again and I chose "yes", but it ran smoothly and completed in about 10 minutes. No problems along the way. The computer seems to be running OK. The only wonky thing I noticed is that registered user software is no longer registered to the name of the machine's owner but just the generic "User". Log from ComboFix:

ComboFix 11-11-11.02 - User 11/11/2011 7:14.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.455 [GMT -6:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\User\Local Settings\Application Data\Trolltech
c:\documents and settings\User\Local Settings\Application Data\Trolltech\{83DBCD83-EFEF-C89A-2298-7FB448AF4721}\WinZdda.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-10-11 to 2011-11-11 )))))))))))))))))))))))))))))))
.
.
2011-11-10 23:31 . 2008-04-14 06:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-11-10 23:31 . 2008-04-14 06:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-11-05 04:29 . 2011-11-05 04:48 -------- d-----w- c:\documents and settings\Anthony
2011-11-05 00:59 . 2011-11-05 00:59 -------- d-----w- c:\documents and settings\Administrator
2011-11-04 00:53 . 2008-10-29 18:57 974848 ----a-r- c:\windows\system32\hpost_p02b.dll
2011-11-04 00:53 . 2008-10-29 18:57 737280 ----a-r- c:\windows\system32\hposwia_p02b.dll
2011-11-04 00:53 . 2008-10-29 18:57 307200 ----a-r- c:\windows\system32\hposc_p02a.dll
2011-11-04 00:53 . 2008-10-28 10:31 372736 ----a-r- c:\windows\system32\hppldcoi.dll
2011-11-04 00:53 . 2008-10-28 10:31 309760 ----a-r- c:\windows\system32\difxapi.dll
2011-11-04 00:50 . 2011-11-04 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2011-11-04 00:18 . 2011-11-11 02:06 -------- d-----w- c:\documents and settings\User\Application Data\HPAppData
2011-11-03 19:22 . 2011-11-04 00:37 -------- d-----w- c:\windows\SxsCaPendDel
2011-11-03 01:49 . 2011-11-03 01:49 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Secunia PSI
2011-11-03 01:49 . 2011-11-03 01:49 -------- d-----w- c:\program files\Secunia
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-11 02:12 . 2004-08-04 10:00 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-10-15 19:16 . 2010-08-19 02:58 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-10-15 19:16 . 2010-08-19 02:57 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-10-15 19:16 . 2010-08-19 02:57 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-10-15 19:16 . 2010-08-19 02:57 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-10-15 19:16 . 2010-08-19 02:57 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-10-15 19:16 . 2010-08-19 02:57 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-10-15 19:16 . 2010-08-19 02:57 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-10-15 19:16 . 2010-08-19 02:57 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 19:16 . 2010-06-01 01:32 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 19:16 . 2010-06-01 01:32 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-10 14:22 . 2010-08-14 21:27 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2004-08-04 10:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41 . 2009-10-08 19:57 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2004-08-04 10:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2004-08-04 10:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20 . 2004-08-04 10:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 22:00 . 2010-08-19 00:25 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-04 10:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-09-30 14:58 . 2011-04-02 18:03 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 19:01 . 2010-08-19 02:58 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-11_05.08.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-11 13:06 . 2011-11-11 13:06 16384 c:\windows\Temp\Perflib_Perfdata_38c.dat
+ 2011-11-11 13:06 . 2011-11-11 13:06 16384 c:\windows\Temp\Perflib_Perfdata_340.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [8/18/2010 8:57 PM 89792]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [8/18/2010 8:59 PM 54776]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/18/2010 8:57 PM 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/18/2010 8:57 PM 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/18/2010 8:57 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [8/18/2010 8:58 PM 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [8/18/2010 8:58 PM 150856]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [4/13/2010 7:11 PM 229688]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [10/14/2011 12:01 AM 994360]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [8/18/2010 8:57 PM 57600]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [8/18/2010 8:57 PM 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [8/18/2010 8:57 PM 83856]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 2:30 AM 15544]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 NetworkLog;NetworkLog;c:\windows\svcs.exe --> c:\windows\svcs.exe [?]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [8/14/2010 4:34 PM 20160]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [8/18/2010 8:57 PM 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [8/18/2010 8:57 PM 87656]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 4:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-11 c:\windows\Tasks\User_Feed_Synchronization-{B1FCC51D-9EAA-4251-BF34-52DD227976DA}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.home.comcast.net/~epafriendly
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\py7pjvsy.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-11 07:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-11-11 07:26:34
ComboFix-quarantined-files.txt 2011-11-11 13:26
ComboFix2.txt 2011-11-11 05:15
.
Pre-Run: 24,473,792,512 bytes free
Post-Run: 24,452,132,864 bytes free
.
- - End Of File - - 3235055F535715EED910AA2EE5AAF431