
Google redirect, infected with malware


  • This topic is locked
22 replies to this topic

#1 black&gold

  • Members
  • 30 posts

Posted 17 November 2011 - 05:36 PM

Hi, I'm having a problem with browser redirects and I noticed that ping.exe is unusually appearing in my task manager at boot up. Also one of the svchost (a system user) is maxing out at like 99% CPU usage, until I stop the ping.exe process.

I began a thread in the "Am I infected" section and TheShooter93 has been assisting me so far and has requested that I make a thread here for the removal team. Original thread

I've run MWB, SAS, Rootkit Buster, Spybot, and now GMER. I still need to run DDS. Attached are the SAS and gmer logs.

Thank you in advance for your help.

*note* I think I forgot to uncheck the IAT/EAT in the gmer. That scan takes a long time, so if it's imperative that I run it again I can, but if it's not a big deal that would be cool, let me know.

Okay here are the DDS logs.

Merged posts. ~ OB

Attached Files


Edited by Orange Blossom, 18 November 2011 - 03:09 AM.



#2 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts

Posted 20 November 2011 - 12:06 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Post that log, please.
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • TDSSKiller log
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 black&gold
  • Topic Starter
  • Members
  • 30 posts

Posted 20 November 2011 - 03:14 PM

Hey McMurphy, big thanks in advance for your help! I've been through a process once before here and I know this stuff can get long and tedious but as long as everything works out, that's what's important.

I don't think I mentioned this before, but this malware also added that AV Security 12 garbage and even had the audacity to put a link in my Start button. That seems to be common with other users here experiencing similar overall problems. Anyway, I haven't tried to remove or tamper with that AV program on my own.

So just checking in now.
Going to run the tdssk and combo programs, probably in a diagnostic mode as it seems to work better.

#4 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts

Posted 20 November 2011 - 03:59 PM

Hi,

Don't use the safe (diagnostic) mode unless the tools won't run in the normal mode, particularly TDSSKiller.



#5 black&gold
  • Topic Starter
  • Members
  • 30 posts

Posted 20 November 2011 - 05:04 PM

Aww, too late man. I already ran both scans in diagnostic. Combofix seemed to run perfectly and produced a log. I already had the Windows recovery console though. TDSSK however didn't produce a log for me. It found some Win32 thing though and I had Cure selected as was detailed in the instructions. I wish I had a log for you. Should I try running it again now?

ComboFix did give me a warning that I'm infected with a rootkit called Zeroaccess which sounds pretty nasty and it mentioned I might have issues with connectivity, but so far so good as far as getting online goes. Also combo already got rid of av2012 on its own. I didn't do anything with combo besides run the scan though.

I think the scans would work correctly in normal mode. The reason I had opted for diag mode was because the problematic ping process never comes up in diag mode. While using normal, whenever that ping process jumps up to high mem usage it tends to slow stuff down. I haven't had problems with any scans finishing yet, but it seemed to noticeably slow down Superantispyware a few days ago. Also usually I can close ping.exe without any problems and it won't pop up again for a bit, but I did that once today (not while I was running anything though) and my pc rebooted on its own not too long after.

Anyway, thank you for the continued aid.

ComboFix 11-11-20.01 - Kcin 11/20/2011 16:18:27.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1743 [GMT -5:00]
Running from: e:\documents and settings\Kcin\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
e:\documents and settings\All Users\Application Data\TEMP
e:\documents and settings\Kcin\Start Menu\Programs\AV Security 2012
e:\documents and settings\Kcin\Start Menu\Programs\AV Security 2012\AV Security 2012.lnk
e:\program files\LP
e:\program files\LP\37A8\1171.tmp
e:\program files\LP\37A8\1172.tmp
e:\windows\$NtUninstallKB33164$
e:\windows\$NtUninstallKB33164$\2797348656\@
e:\windows\$NtUninstallKB33164$\2797348656\bckfg.tmp
e:\windows\$NtUninstallKB33164$\2797348656\cfg.ini
e:\windows\$NtUninstallKB33164$\2797348656\Desktop.ini
e:\windows\$NtUninstallKB33164$\2797348656\keywords
e:\windows\$NtUninstallKB33164$\2797348656\kwrd.dll
e:\windows\$NtUninstallKB33164$\2797348656\L\enmrblie
e:\windows\$NtUninstallKB33164$\2797348656\lsflt7.ver
e:\windows\$NtUninstallKB33164$\2797348656\U\00000001.@
e:\windows\$NtUninstallKB33164$\2797348656\U\00000002.@
e:\windows\$NtUninstallKB33164$\2797348656\U\00000004.@
e:\windows\$NtUninstallKB33164$\2797348656\U\80000000.@
e:\windows\$NtUninstallKB33164$\2797348656\U\80000004.@
e:\windows\$NtUninstallKB33164$\2797348656\U\80000032.@
e:\windows\$NtUninstallKB33164$\740690148
e:\windows\CSC\d6
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_COMSYSAPP
-------\Service_COMSysApp
.
.
((((((((((((((((((((((((( Files Created from 2011-10-20 to 2011-11-20 )))))))))))))))))))))))))))))))
.
.
2011-11-16 04:51 . 2011-11-16 04:51 -------- d-sh--w- e:\documents and settings\NetworkService\IETldCache
2011-11-16 04:48 . 2011-11-16 04:48 -------- d-----w- e:\documents and settings\Kcin\Application Data\k0uvvS2bF3m5Q6d
2011-11-16 04:48 . 2011-11-16 04:48 -------- d-----w- e:\documents and settings\Kcin\Application Data\BwkIVrzONt
2011-11-16 04:48 . 2011-11-16 09:20 -------- d-----w- e:\program files\58981
2011-11-16 04:47 . 2011-11-16 04:47 -------- d-----w- e:\documents and settings\Kcin\Application Data\8C558
2011-11-16 04:47 . 2011-11-16 04:47 -------- d-----w- e:\documents and settings\Kcin\Application Data\wvD3nG4sK7
2011-11-16 04:47 . 2011-11-16 04:47 -------- d-----w- e:\documents and settings\Kcin\Application Data\h6KfLL9gT
2011-11-05 04:32 . 2009-11-19 06:33 79256 ----a-w- e:\windows\system32\npOGPPlugin.dll
2011-11-05 04:32 . 2009-11-19 06:33 271768 ----a-w- e:\windows\system32\OGPIEPlugin.ocx
2011-11-05 04:32 . 2011-11-05 04:44 -------- d-----w- e:\program files\OGPlanet
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-20 20:31 . 2004-08-03 22:14 74752 ----a-w- e:\windows\system32\drivers\ipsec.sys
2011-08-31 21:00 . 2010-06-19 18:44 22216 ----a-w- e:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-09-06 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- e:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\E:^Documents and Settings^Kcin^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=e:\documents and settings\Kcin\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=e:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 16:55 937920 ----a-w- e:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-03 23:56 15360 ----a-w- e:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
2002-08-14 19:21 94208 ----a-w- e:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 04:47 31016 ----a-w- e:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2006-04-01 05:31 126976 ----a-r- e:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2006-04-01 05:31 155648 ----a-r- e:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
2003-03-11 20:24 86016 ----a-w- e:\program files\Intel\NCS\PROSet\PRONoMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2011-08-05 02:24 1242448 ----a-w- e:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 16:59 254696 ----a-w- e:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"WudfSvc"=3 (0x3)
"wuauserv"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WmiApSrv"=3 (0x3)
"Wmi"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"TrkWks"=2 (0x2)
"TlntSvr"=3 (0x3)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=3 (0x3)
"Steam Client Service"=3 (0x3)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"SLService"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"PlugPlay"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"npggsvc"=3 (0x3)
"Nla"=3 (0x3)
"NetSvc"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"ImapiService"=3 (0x3)
"idsvc"=3 (0x3)
"HTTPFilter"=3 (0x3)
"HidServ"=2 (0x2)
"helpsvc"=2 (0x2)
"GhostStartService"=2 (0x2)
"FontCache3.0.0.0"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"Dnscache"=2 (0x2)
"dmserver"=2 (0x2)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"ClipSrv"=3 (0x3)
"CiSvc"=3 (0x3)
"Browser"=2 (0x2)
"BITS"=2 (0x2)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)
"!SASCORE"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\WINDOWS\\system32\\sessmgr.exe"=
"e:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"e:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"e:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\THQ\\DarkCrusade\\DarkCrusade.exe"=
"e:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"e:\\Program Files\\mektek.net\\MTX\\mtx.exe"=
"e:\\Program Files\\THQ\\DarkCrusade\\DarkCrusade.exe"=
"e:\\Documents and Settings\\Kcin\\My Documents\\Mekwar4\\Mechwarrior Mercenaries - Mektek Mekpak\\MW4Mercs.exe"=
"e:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"e:\\Program Files\\Turbine\\DDO Unlimited\\dndclient.exe"=
"e:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"e:\\Program Files\\Steam\\Steam.exe"=
"e:\\Program Files\\OGPlanet\\LostSaga\\autoupgrade.exe"=
"e:\\Program Files\\OGPlanet\\LostSaga\\lostsaga.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58848:TCP"= 58848:TCP:Pando Media Booster
"58848:UDP"= 58848:UDP:Pando Media Booster
.
R1 GhPciScan;GhostPciScanner;e:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [8/14/2002 2:11 PM 5632]
R1 SASDIFSV;SASDIFSV;e:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 1:25 PM 12880]
R1 SASKUTIL;SASKUTIL;e:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67664]
S3 CFcatchme;CFcatchme;\??\e:\docume~1\Kcin\LOCALS~1\Temp\CFcatchme.sys --> e:\docume~1\Kcin\LOCALS~1\Temp\CFcatchme.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\e:\windows\system32\drivers\mbamswissarmy.sys --> e:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 XDva346;XDva346;\??\e:\windows\system32\XDva346.sys --> e:\windows\system32\XDva346.sys [?]
S4 !SASCORE;SAS Core Service;e:\program files\SUPERAntiSpyware\SASCORE.EXE [6/7/2010 12:02 PM 116608]
S4 npggsvc;nProtect GameGuard Service;e:\windows\system32\GameMon.des -service --> e:\windows\system32\GameMon.des -service [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - e:\documents and settings\Kcin\Application Data\Mozilla\Firefox\Profiles\s1vv91m2.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - e:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Java Quick Starter: jqs@sun.com - e:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-36543692.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-20 16:35
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="e:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(676)
e:\program files\SUPERAntiSpyware\SASWINLO.DLL
e:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1692)
e:\windows\system32\WININET.dll
e:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
e:\windows\system32\ieframe.dll
e:\windows\system32\webcheck.dll
e:\windows\system32\wpdshserviceobj.dll
e:\windows\system32\portabledevicetypes.dll
e:\windows\system32\portabledeviceapi.dll
.
Completion time: 2011-11-20 16:41:17 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-20 21:41
ComboFix2.txt 2011-07-31 23:51
.
Pre-Run: 69,786,796,032 bytes free
Post-Run: 69,753,442,304 bytes free
.
- - End Of File - - 2D722DEAC9C2EB29A7FFAA51C99230AF

Attached Files


Edited by RPMcMurphy, 20 November 2011 - 05:22 PM.
added log
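A defender reading the ComboFix log above will want to pull the deleted paths out by section and spot the ZeroAccess-style layout automatically rather than by eye: under `$NtUninstallKB33164$` (a name that imitates a Windows hotfix-uninstall folder) sit a purely numeric subfolder, `U\` and `L\` subtrees, and files named `@`, which is nothing like the `spuninst` backup a real hotfix leaves behind. The Python script below is an added example, not part of this thread or of ComboFix. The section-banner and path formats come from the log above, the sample log is a constructed excerpt of it, and the folder-layout heuristics are my own assumptions about what a genuine uninstall folder contains.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the ComboFix log posted above; only the lines
# needed to exercise the parser are reproduced, nothing is added.
SAMPLE_LOG = r"""
ComboFix 11-11-20.01 - Kcin 11/20/2011 16:18:27.4.1 - x86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
e:\documents and settings\Kcin\Start Menu\Programs\AV Security 2012\AV Security 2012.lnk
e:\program files\LP\37A8\1171.tmp
e:\windows\$NtUninstallKB33164$
e:\windows\$NtUninstallKB33164$\2797348656\@
e:\windows\$NtUninstallKB33164$\2797348656\cfg.ini
e:\windows\$NtUninstallKB33164$\2797348656\L\enmrblie
e:\windows\$NtUninstallKB33164$\2797348656\U\00000001.@
e:\windows\$NtUninstallKB33164$\2797348656\U\80000032.@
e:\windows\$NtUninstallKB33164$\740690148
e:\windows\CSC\d6
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_COMSYSAPP
-------\Service_COMSysApp
.
"""

# Section banners look like "(((( Name ))))"; lines that are a single '.' are spacers.
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# A hotfix-uninstall folder under %windir%, optionally followed by a subpath.
UNINSTALL_RE = re.compile(
    r"^(?P<root>[a-z]:\\windows\\\$ntuninstall[^\\$]+\$)(?P<rest>\\.*)?$", re.IGNORECASE)


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split a ComboFix log into {section name: [lines]}; text before the
    first banner is filed under 'header'."""
    sections: Dict[str, List[str]] = {}
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def suspicious_uninstall_folders(paths: List[str]) -> Dict[str, List[str]]:
    """Flag hotfix-uninstall folders whose contents do not look like a hotfix
    backup. Assumption: a genuine $NtUninstallKBnnnnnn$ holds an spuninst
    subfolder plus copies of replaced system files. The indicators checked are
    the ones visible in the log above: a purely numeric subfolder, a U or L
    subtree, and file names ending in '@'."""
    by_root: Dict[str, List[str]] = {}
    for p in paths:
        m = UNINSTALL_RE.match(p)
        if m:
            by_root.setdefault(m.group("root"), []).append(m.group("rest") or "")
    flagged: Dict[str, List[str]] = {}
    for root, rests in by_root.items():
        reasons = set()
        for rest in rests:
            parts = [x for x in rest.lower().split("\\") if x]
            if parts and parts[0].isdigit():
                reasons.add("numeric-subfolder")
            if len(parts) >= 2 and parts[1] in ("u", "l"):
                reasons.add("u-or-l-subtree")
            if parts and parts[-1].endswith("@"):
                reasons.add("at-file")
        if reasons:
            flagged[root] = sorted(reasons)
    return flagged


def removed_services(sections: Dict[str, List[str]]) -> List[str]:
    """Service/driver entries ComboFix removed (lines that start with seven
    dashes and a backslash, followed by the registry key name)."""
    return [line.split("\\", 1)[1]
            for line in sections.get("Drivers/Services", [])
            if line.startswith("-------\\")]


def analyze(text: str) -> dict:
    """Summarise one ComboFix log: deletion count, flagged folders, removed services."""
    sections = parse_sections(text)
    deletions = sections.get("Other Deletions", [])
    return {
        "deleted": len(deletions),
        "suspicious_uninstall_folders": suspicious_uninstall_folders(deletions),
        "removed_services": removed_services(sections),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Run it against a saved C:\ComboFix.txt by replacing `SAMPLE_LOG` with the file's contents; a hit on `suspicious_uninstall_folders` is a reason to keep the machine off the network and continue with the removal team, not to start deleting by hand.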


#6 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts

Posted 20 November 2011 - 05:20 PM

Your TDSSKiller log should be a text file in c:\ that looks something like this:

c:\TDSSKiller.2.6.19.0_20.11.2011_17.17.24_log

If you can find it, post it for me.

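The TDSSKiller log posted later in this thread records, for each driver, the file's MD5 and a verdict, and for ipsec.sys adds a "Suspicious file (Forged)" line giving two different MD5s for the same path: the file's content depends on how it is read, which is the rootkit's filter hook showing. The Python parser below is an added example, not part of this thread or of TDSSKiller. It assumes only the line shapes visible in that log (timestamp, process id, message) and uses a constructed excerpt of it as input.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in the format of the TDSSKiller log posted later in this
# thread; only the lines around the flagged driver are reproduced.
SAMPLE_LOG = r"""
15:27:10.0515 1616 Scan started
15:27:28.0421 1616 IpNat (472c75f85e631f8aa87d21c9fee6238d) E:\WINDOWS\system32\DRIVERS\ipnat.sys
15:27:28.0421 1616 IpNat - ok
15:27:28.0671 1616 IPSec (1b60b76a0c1a86c1f19f7f2ef5f373de) E:\WINDOWS\system32\DRIVERS\ipsec.sys
15:27:28.0671 1616 Suspicious file (Forged): E:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: 1b60b76a0c1a86c1f19f7f2ef5f373de, Fake md5: 64537aa5c003a6afeee1df819062d0d1
15:27:28.0671 1616 IPSec ( Rootkit.Win32.ZAccess.h ) - infected
15:27:28.0671 1616 IPSec - detected Rootkit.Win32.ZAccess.h (0)
15:27:28.0890 1616 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) E:\WINDOWS\system32\DRIVERS\irenum.sys
15:27:28.0890 1616 IRENUM - ok
15:27:30.0343 1616 lbrtfdc - ok
"""

# Every log line is "HH:MM:SS.mmmm <pid> <message>".
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)\s+(\d+)\s+(?P<msg>.*)$")
# Message shapes that carry a verdict or a hash.
FILE_RE = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
FORGED_RE = re.compile(r"^Suspicious file \(Forged\): (?P<path>.+)\. Real md5: "
                       r"(?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
INFECTED_RE = re.compile(r"^(?P<name>\S+) \( (?P<verdict>[^)]+?) \) - infected$")
STATUS_RE = re.compile(r"^(?P<name>\S+) - (?P<status>ok|detected .+)$")


@dataclass
class DriverRecord:
    name: str
    md5: Optional[str] = None       # hash TDSSKiller computed for the file on disk
    path: Optional[str] = None
    status: str = "unknown"         # ok | detected | infected | unknown
    verdict: Optional[str] = None   # e.g. Rootkit.Win32.ZAccess.h
    forged: bool = False            # content differs depending on how it is read
    fake_md5: Optional[str] = None  # hash seen through the normal file API


def parse_tdsskiller(text: str) -> Dict[str, DriverRecord]:
    """Build one record per driver/service from a TDSSKiller log."""
    drivers: Dict[str, DriverRecord] = {}
    by_path: Dict[str, str] = {}  # lower-cased path -> driver name

    def rec(name: str) -> DriverRecord:
        return drivers.setdefault(name, DriverRecord(name))

    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if (f := FORGED_RE.match(msg)):
            # The forged line names the path, so map it back to the driver record.
            name = by_path.get(f.group("path").lower())
            if name:
                drivers[name].forged = True
                drivers[name].fake_md5 = f.group("fake")
        elif (i := INFECTED_RE.match(msg)):
            r = rec(i.group("name"))
            r.status = "infected"
            r.verdict = i.group("verdict")
        elif (s := STATUS_RE.match(msg)):
            r = rec(s.group("name"))
            if s.group("status") == "ok":
                r.status = "ok"
            elif r.status != "infected":
                r.status = "detected"
        elif (fl := FILE_RE.match(msg)):
            r = rec(fl.group("name"))
            r.md5 = fl.group("md5")
            r.path = fl.group("path")
            by_path[r.path.lower()] = r.name
    return drivers


def findings(drivers: Dict[str, DriverRecord]) -> List[DriverRecord]:
    """Everything that did not come back clean, in log order."""
    return [r for r in drivers.values() if r.status != "ok"]


if __name__ == "__main__":
    for r in findings(parse_tdsskiller(SAMPLE_LOG)):
        print(f"{r.name}: {r.status} {r.verdict or ''} forged={r.forged} "
              f"md5={r.md5} fake_md5={r.fake_md5} path={r.path}")
```

Point the parser at the `TDSSKiller.<version>_<date>_<time>_log.txt` file in C:\ and the output is the same list the helper asks for in the next reply; a `forged=True` entry is the one to quote, since it tells the helper which system driver the rootkit has hooked.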


#7 black&gold
  • Topic Starter
  • Members
  • 30 posts

Posted 20 November 2011 - 05:42 PM

Cool, found it, thanks.
I'm assuming you want me to post it in long form in the thread.


15:26:18.0937 1596 TDSS rootkit removing tool 2.6.19.0 Nov 16 2011 12:18:50
15:26:19.0078 1596 ============================================================
15:26:19.0078 1596 Current date / time: 2011/11/20 15:26:19.0078
15:26:19.0078 1596 SystemInfo:
15:26:19.0078 1596
15:26:19.0078 1596 OS Version: 5.1.2600 ServicePack: 2.0
15:26:19.0078 1596 Product type: Workstation
15:26:19.0078 1596 ComputerName: DESK2-19C19
15:26:19.0078 1596 UserName: Kcin
15:26:19.0078 1596 Windows directory: E:\WINDOWS
15:26:19.0078 1596 System windows directory: E:\WINDOWS
15:26:19.0078 1596 Processor architecture: Intel x86
15:26:19.0078 1596 Number of processors: 1
15:26:19.0078 1596 Page size: 0x1000
15:26:19.0078 1596 Boot type: Normal boot
15:26:19.0078 1596 ============================================================
15:26:20.0656 1596 Initialize success
15:27:10.0515 1616 ============================================================
15:27:10.0515 1616 Scan started
15:27:10.0515 1616 Mode: Manual;
15:27:10.0515 1616 ============================================================
15:27:10.0906 1616 Abiosdsk - ok
15:27:11.0093 1616 abp480n5 - ok
15:27:11.0390 1616 ACPI (a10c7534f7223f4a73a948967d00e69b) E:\WINDOWS\system32\DRIVERS\ACPI.sys
15:27:11.0453 1616 ACPI - ok
15:27:11.0671 1616 ACPIEC (9859c0f6936e723e4892d7141b1327d5) E:\WINDOWS\system32\drivers\ACPIEC.sys
15:27:11.0687 1616 ACPIEC - ok
15:27:11.0859 1616 adpu160m - ok
15:27:12.0156 1616 aec (1ee7b434ba961ef845de136224c30fec) E:\WINDOWS\system32\drivers\aec.sys
15:27:12.0156 1616 aec - ok
15:27:12.0437 1616 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) E:\WINDOWS\System32\drivers\afd.sys
15:27:12.0484 1616 AFD - ok
15:27:12.0671 1616 Aha154x - ok
15:27:12.0843 1616 aic78u2 - ok
15:27:13.0031 1616 aic78xx - ok
15:27:14.0062 1616 ALCXWDM (bea942ff21154fee4f71ddd477621c70) E:\WINDOWS\system32\drivers\ALCXWDM.SYS
15:27:15.0046 1616 ALCXWDM - ok
15:27:15.0234 1616 AliIde - ok
15:27:15.0421 1616 amsint - ok
15:27:15.0609 1616 asc - ok
15:27:15.0796 1616 asc3350p - ok
15:27:15.0984 1616 asc3550 - ok
15:27:16.0234 1616 Aspi32 (ed8cee58c1e4c5893f5b2fd686a272bf) E:\WINDOWS\system32\drivers\Aspi32.sys
15:27:16.0234 1616 Aspi32 - ok
15:27:16.0468 1616 AsyncMac (02000abf34af4c218c35d257024807d6) E:\WINDOWS\system32\DRIVERS\asyncmac.sys
15:27:16.0484 1616 AsyncMac - ok
15:27:16.0734 1616 atapi (cdfe4411a69c224bd1d11b2da92dac51) E:\WINDOWS\system32\DRIVERS\atapi.sys
15:27:16.0734 1616 atapi - ok
15:27:16.0906 1616 Atdisk - ok
15:27:17.0125 1616 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) E:\WINDOWS\system32\DRIVERS\atmarpc.sys
15:27:17.0156 1616 Atmarpc - ok
15:27:17.0359 1616 audstub (d9f724aa26c010a217c97606b160ed68) E:\WINDOWS\system32\DRIVERS\audstub.sys
15:27:17.0359 1616 audstub - ok
15:27:17.0578 1616 Beep (da1f27d85e0d1525f6621372e7b685e9) E:\WINDOWS\system32\drivers\Beep.sys
15:27:17.0593 1616 Beep - ok
15:27:17.0640 1616 catchme - ok
15:27:17.0875 1616 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) E:\WINDOWS\system32\drivers\cbidf2k.sys
15:27:17.0890 1616 cbidf2k - ok
15:27:18.0078 1616 cd20xrnt - ok
15:27:18.0281 1616 Cdaudio (c1b486a7658353d33a10cc15211a873b) E:\WINDOWS\system32\drivers\Cdaudio.sys
15:27:18.0296 1616 Cdaudio - ok
15:27:18.0531 1616 Cdfs (cd7d5152df32b47f4e36f710b35aae02) E:\WINDOWS\system32\drivers\Cdfs.sys
15:27:18.0546 1616 Cdfs - ok
15:27:18.0812 1616 Cdrom (7b53584d94e9d8716b2de91d5f1cb42d) E:\WINDOWS\system32\DRIVERS\cdrom.sys
15:27:18.0828 1616 Cdrom - ok
15:27:18.0921 1616 CFcatchme - ok
15:27:19.0109 1616 Changer - ok
15:27:19.0312 1616 CmdIde - ok
15:27:19.0515 1616 Cpqarray - ok
15:27:19.0703 1616 dac2w2k - ok
15:27:19.0890 1616 dac960nt - ok
15:27:20.0156 1616 Disk (00ca44e4534865f8a3b64f7c0984bff0) E:\WINDOWS\system32\DRIVERS\disk.sys
15:27:20.0171 1616 Disk - ok
15:27:20.0671 1616 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) E:\WINDOWS\system32\drivers\dmboot.sys
15:27:20.0937 1616 dmboot - ok
15:27:21.0187 1616 dmio (f5e7b358a732d09f4bcf2824b88b9e28) E:\WINDOWS\system32\drivers\dmio.sys
15:27:21.0250 1616 dmio - ok
15:27:21.0437 1616 dmload (e9317282a63ca4d188c0df5e09c6ac5f) E:\WINDOWS\system32\drivers\dmload.sys
15:27:21.0453 1616 dmload - ok
15:27:21.0671 1616 DMusic (a6f881284ac1150e37d9ae47ff601267) E:\WINDOWS\system32\drivers\DMusic.sys
15:27:21.0671 1616 DMusic - ok
15:27:21.0875 1616 dpti2o - ok
15:27:22.0093 1616 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) E:\WINDOWS\system32\drivers\drmkaud.sys
15:27:22.0109 1616 drmkaud - ok
15:27:22.0375 1616 E100B (6ca101f9aa3d845ba31f6e13c01301a8) E:\WINDOWS\system32\DRIVERS\e100b325.sys
15:27:22.0437 1616 E100B - ok
15:27:22.0718 1616 Fastfat (3117f595e9615e04f05a54fc15a03b20) E:\WINDOWS\system32\drivers\Fastfat.sys
15:27:22.0765 1616 Fastfat - ok
15:27:22.0968 1616 Fdc (ced2e8396a8838e59d8fd529c680e02c) E:\WINDOWS\system32\drivers\Fdc.sys
15:27:22.0984 1616 Fdc - ok
15:27:23.0171 1616 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) E:\WINDOWS\system32\drivers\Fips.sys
15:27:23.0187 1616 Fips - ok
15:27:23.0375 1616 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) E:\WINDOWS\system32\drivers\Flpydisk.sys
15:27:23.0375 1616 Flpydisk - ok
15:27:23.0656 1616 FltMgr (6cc5181f718820861eeadae38f764b75) E:\WINDOWS\system32\DRIVERS\fltMgr.sys
15:27:23.0687 1616 FltMgr - ok
15:27:23.0890 1616 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) E:\WINDOWS\system32\drivers\Fs_Rec.sys
15:27:23.0890 1616 Fs_Rec - ok
15:27:24.0125 1616 Ftdisk (6ac26732762483366c3969c9e4d2259d) E:\WINDOWS\system32\DRIVERS\ftdisk.sys
15:27:24.0171 1616 Ftdisk - ok
15:27:24.0250 1616 GhPciScan (4d0e1ddfc571285a0bbabb0a534f4d3d) E:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys
15:27:24.0250 1616 GhPciScan - ok
15:27:24.0453 1616 Gpc (c0f1d4a21de5a415df8170616703debf) E:\WINDOWS\system32\DRIVERS\msgpc.sys
15:27:24.0468 1616 Gpc - ok
15:27:24.0703 1616 hidusb (1de6783b918f540149aa69943bdfeba8) E:\WINDOWS\system32\DRIVERS\hidusb.sys
15:27:24.0718 1616 hidusb - ok
15:27:24.0890 1616 hpn - ok
15:27:25.0171 1616 HTTP (909d110c9634b0f1487eaaea837317d9) E:\WINDOWS\system32\Drivers\HTTP.sys
15:27:25.0187 1616 HTTP - ok
15:27:25.0359 1616 i2omgmt - ok
15:27:25.0546 1616 i2omp - ok
15:27:25.0765 1616 i8042prt (5502b58eef7486ee6f93f3f164dcb808) E:\WINDOWS\system32\drivers\i8042prt.sys
15:27:25.0781 1616 i8042prt - ok
15:27:26.0250 1616 ialm (737da0be27652c4482ac5cde099bfce9) E:\WINDOWS\system32\DRIVERS\ialmnt5.sys
15:27:26.0546 1616 ialm - ok
15:27:26.0781 1616 Imapi (12c59b8929121ace2f55acc86682cf12) E:\WINDOWS\system32\DRIVERS\imapi.sys
15:27:26.0796 1616 Imapi - ok
15:27:26.0984 1616 ini910u - ok
15:27:27.0234 1616 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) E:\WINDOWS\system32\DRIVERS\intelide.sys
15:27:27.0234 1616 IntelIde - ok
15:27:27.0453 1616 intelppm (db8a1859cf9e48914dcc0a7206d87be5) E:\WINDOWS\system32\DRIVERS\intelppm.sys
15:27:27.0468 1616 intelppm - ok
15:27:27.0687 1616 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) E:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
15:27:27.0687 1616 Ip6Fw - ok
15:27:27.0921 1616 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) E:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
15:27:27.0937 1616 IpFilterDriver - ok
15:27:28.0140 1616 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) E:\WINDOWS\system32\DRIVERS\ipinip.sys
15:27:28.0140 1616 IpInIp - ok
15:27:28.0421 1616 IpNat (472c75f85e631f8aa87d21c9fee6238d) E:\WINDOWS\system32\DRIVERS\ipnat.sys
15:27:28.0421 1616 IpNat - ok
15:27:28.0671 1616 IPSec (1b60b76a0c1a86c1f19f7f2ef5f373de) E:\WINDOWS\system32\DRIVERS\ipsec.sys
15:27:28.0671 1616 Suspicious file (Forged): E:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: 1b60b76a0c1a86c1f19f7f2ef5f373de, Fake md5: 64537aa5c003a6afeee1df819062d0d1
15:27:28.0671 1616 IPSec ( Rootkit.Win32.ZAccess.h ) - infected
15:27:28.0671 1616 IPSec - detected Rootkit.Win32.ZAccess.h (0)
15:27:28.0890 1616 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) E:\WINDOWS\system32\DRIVERS\irenum.sys
15:27:28.0890 1616 IRENUM - ok
15:27:29.0109 1616 isapnp (e504f706ccb699c2596e9a3da1596e87) E:\WINDOWS\system32\DRIVERS\isapnp.sys
15:27:29.0125 1616 isapnp - ok
15:27:29.0359 1616 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) E:\WINDOWS\system32\DRIVERS\kbdclass.sys
15:27:29.0375 1616 Kbdclass - ok
15:27:29.0593 1616 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) E:\WINDOWS\system32\DRIVERS\kbdhid.sys
15:27:29.0593 1616 kbdhid - ok
15:27:29.0875 1616 kmixer (8531438246ce9474e41ee1599904c0c7) E:\WINDOWS\system32\drivers\kmixer.sys
15:27:29.0875 1616 kmixer - ok
15:27:30.0109 1616 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) E:\WINDOWS\system32\drivers\KSecDD.sys
15:27:30.0140 1616 KSecDD - ok
15:27:30.0343 1616 lbrtfdc - ok
15:27:30.0546 1616 MBAMSwissArmy - ok
15:27:30.0750 1616 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) E:\WINDOWS\system32\drivers\mnmdd.sys
15:27:30.0765 1616 mnmdd - ok
15:27:30.0984 1616 Modem (6fc6f9d7acc36dca9b914565a3aeda05) E:\WINDOWS\system32\drivers\Modem.sys
15:27:30.0984 1616 Modem - ok
15:27:31.0203 1616 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) E:\WINDOWS\system32\drivers\MODEMCSA.sys
15:27:31.0203 1616 MODEMCSA - ok
15:27:31.0406 1616 Mouclass (34e1f0031153e491910e12551400192c) E:\WINDOWS\system32\DRIVERS\mouclass.sys
15:27:31.0421 1616 Mouclass - ok
15:27:31.0625 1616 mouhid (b1c303e17fb9d46e87a98e4ba6769685) E:\WINDOWS\system32\DRIVERS\mouhid.sys
15:27:31.0625 1616 mouhid - ok
15:27:31.0828 1616 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) E:\WINDOWS\system32\drivers\MountMgr.sys
15:27:31.0843 1616 MountMgr - ok
15:27:32.0031 1616 mraid35x - ok
15:27:32.0296 1616 MRxDAV (46edcc8f2db2f322c24f48785cb46366) E:\WINDOWS\system32\DRIVERS\mrxdav.sys
15:27:32.0296 1616 MRxDAV - ok
15:27:32.0656 1616 MRxSmb (83691c30b248034bdddb76b0d6593449) E:\WINDOWS\system32\DRIVERS\mrxsmb.sys
15:27:32.0812 1616 MRxSmb - ok
15:27:33.0031 1616 Msfs (561b3a4333ca2dbdba28b5b956822519) E:\WINDOWS\system32\drivers\Msfs.sys
15:27:33.0031 1616 Msfs - ok
15:27:33.0250 1616 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) E:\WINDOWS\system32\drivers\MSKSSRV.sys
15:27:33.0250 1616 MSKSSRV - ok
15:27:33.0453 1616 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) E:\WINDOWS\system32\drivers\MSPCLOCK.sys
15:27:33.0468 1616 MSPCLOCK - ok
15:27:33.0640 1616 MSPQM (1988a33ff19242576c3d0ef9ce785da7) E:\WINDOWS\system32\drivers\MSPQM.sys
15:27:33.0656 1616 MSPQM - ok
15:27:33.0859 1616 mssmbios (469541f8bfd2b32659d5d463a6714bce) E:\WINDOWS\system32\DRIVERS\mssmbios.sys
15:27:33.0875 1616 mssmbios - ok
15:27:34.0109 1616 Mtlmnt5 (c53775780148884ac87c455489a0c070) E:\WINDOWS\system32\DRIVERS\Mtlmnt5.sys
15:27:34.0156 1616 Mtlmnt5 - ok
15:27:34.0796 1616 Mtlstrm (54886a652bf5685192141df304e923fd) E:\WINDOWS\system32\DRIVERS\Mtlstrm.sys
15:27:35.0265 1616 Mtlstrm - ok
15:27:35.0546 1616 Mup (79a9c030299e8cc04f18d0765155d902) E:\WINDOWS\system32\drivers\Mup.sys
15:27:35.0578 1616 Mup - ok
15:27:35.0843 1616 NDIS (558635d3af1c7546d26067d5d9b6959e) E:\WINDOWS\system32\drivers\NDIS.sys
15:27:35.0906 1616 NDIS - ok
15:27:36.0140 1616 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) E:\WINDOWS\system32\DRIVERS\ndistapi.sys
15:27:36.0140 1616 NdisTapi - ok
15:27:36.0343 1616 Ndisuio (77d9bf86b912104c229d4f0d25be3c12) E:\WINDOWS\system32\DRIVERS\ndisuio.sys
15:27:36.0343 1616 Ndisuio - ok
15:27:36.0578 1616 NdisWan (0b90e255a9490166ab368cd55a529893) E:\WINDOWS\system32\DRIVERS\ndiswan.sys
15:27:36.0609 1616 NdisWan - ok
15:27:36.0812 1616 NDProxy (59fc3fb44d2669bc144fd87826bb571f) E:\WINDOWS\system32\drivers\NDProxy.sys
15:27:36.0828 1616 NDProxy - ok
15:27:37.0031 1616 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) E:\WINDOWS\system32\DRIVERS\netbios.sys
15:27:37.0046 1616 NetBIOS - ok
15:27:37.0296 1616 NetBT (0c80e410cd2f47134407ee7dd19cc86b) E:\WINDOWS\system32\DRIVERS\netbt.sys
15:27:37.0359 1616 NetBT - ok
15:27:37.0609 1616 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) E:\WINDOWS\system32\drivers\Npfs.sys
15:27:37.0609 1616 Npfs - ok
15:27:38.0046 1616 Ntfs (7179ac3f4258aec9627590a842fda1d6) E:\WINDOWS\system32\drivers\Ntfs.sys
15:27:38.0234 1616 Ntfs - ok
15:27:38.0546 1616 NtMtlFax (576b34ceae5b7e5d9fd2775e93b3db53) E:\WINDOWS\system32\DRIVERS\NtMtlFax.sys
15:27:38.0609 1616 NtMtlFax - ok
15:27:38.0812 1616 Null (73c1e1f395918bc2c6dd67af7591a3ad) E:\WINDOWS\system32\drivers\Null.sys
15:27:38.0812 1616 Null - ok
15:27:39.0656 1616 nv (2b298519edbfcf451d43e0f1e8f1006d) E:\WINDOWS\system32\DRIVERS\nv4_mini.sys
15:27:40.0296 1616 nv - ok
15:27:40.0500 1616 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) E:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
15:27:40.0515 1616 NwlnkFlt - ok
15:27:40.0703 1616 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) E:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
15:27:40.0718 1616 NwlnkFwd - ok
15:27:40.0984 1616 Parport (29744eb4ce659dfe3b4122deb45bc478) E:\WINDOWS\system32\DRIVERS\parport.sys
15:27:41.0015 1616 Parport - ok
15:27:41.0234 1616 PartMgr (3334430c29dc338092f79c38ef7b4cd0) E:\WINDOWS\system32\drivers\PartMgr.sys
15:27:41.0234 1616 PartMgr - ok
15:27:41.0437 1616 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) E:\WINDOWS\system32\drivers\ParVdm.sys
15:27:41.0437 1616 ParVdm - ok
15:27:41.0656 1616 PCI (8086d9979234b603ad5bc2f5d890b234) E:\WINDOWS\system32\DRIVERS\pci.sys
15:27:41.0687 1616 PCI - ok
15:27:41.0859 1616 PCIDump - ok
15:27:42.0078 1616 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) E:\WINDOWS\system32\drivers\PCIIde.sys
15:27:42.0078 1616 PCIIde - ok
15:27:42.0328 1616 Pcmcia (82a087207decec8456fbe8537947d579) E:\WINDOWS\system32\drivers\Pcmcia.sys
15:27:42.0375 1616 Pcmcia - ok
15:27:42.0546 1616 PDCOMP - ok
15:27:42.0734 1616 PDFRAME - ok
15:27:42.0921 1616 PDRELI - ok
15:27:43.0093 1616 PDRFRAME - ok
15:27:43.0281 1616 perc2 - ok
15:27:43.0453 1616 perc2hib - ok
15:27:43.0734 1616 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) E:\WINDOWS\system32\DRIVERS\raspptp.sys
15:27:43.0781 1616 PptpMiniport - ok
15:27:44.0015 1616 PSched (48671f327553dcf1d27f6197f622a668) E:\WINDOWS\system32\DRIVERS\psched.sys
15:27:44.0031 1616 PSched - ok
15:27:44.0281 1616 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) E:\WINDOWS\system32\DRIVERS\ptilink.sys
15:27:44.0296 1616 Ptilink - ok
15:27:44.0468 1616 ql1080 - ok
15:27:44.0656 1616 Ql10wnt - ok
15:27:44.0843 1616 ql12160 - ok
15:27:45.0015 1616 ql1240 - ok
15:27:45.0203 1616 ql1280 - ok
15:27:45.0406 1616 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) E:\WINDOWS\system32\DRIVERS\rasacd.sys
15:27:45.0406 1616 RasAcd - ok
15:27:45.0640 1616 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) E:\WINDOWS\system32\DRIVERS\rasl2tp.sys
15:27:45.0656 1616 Rasl2tp - ok
15:27:45.0859 1616 RasPppoe (7306eeed8895454cbed4669be9f79faa) E:\WINDOWS\system32\DRIVERS\raspppoe.sys
15:27:45.0875 1616 RasPppoe - ok
15:27:46.0062 1616 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) E:\WINDOWS\system32\DRIVERS\raspti.sys
15:27:46.0062 1616 Raspti - ok
15:27:46.0312 1616 Rdbss (b48441a6dc703ee4c36db14ee51a189c) E:\WINDOWS\system32\DRIVERS\rdbss.sys
15:27:46.0375 1616 Rdbss - ok
15:27:46.0578 1616 RDPCDD (4912d5b403614ce99c28420f75353332) E:\WINDOWS\system32\DRIVERS\RDPCDD.sys
15:27:46.0593 1616 RDPCDD - ok
15:27:46.0875 1616 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) E:\WINDOWS\system32\DRIVERS\rdpdr.sys
15:27:46.0953 1616 rdpdr - ok
15:27:47.0218 1616 RDPWD (047bea21274c8a4a233674a76c958c2c) E:\WINDOWS\system32\drivers\RDPWD.sys
15:27:47.0265 1616 RDPWD - ok
15:27:47.0500 1616 RecAgent (e9aaa0092d74a9d371659c4c38882e12) E:\WINDOWS\system32\DRIVERS\RecAgent.sys
15:27:47.0500 1616 RecAgent - ok
15:27:47.0734 1616 redbook (b31b4588e4086d8d84adbf9845c2402b) E:\WINDOWS\system32\DRIVERS\redbook.sys
15:27:47.0765 1616 redbook - ok
15:27:48.0046 1616 rspndr (0e11b35e972796042044bc27ce13b065) E:\WINDOWS\system32\DRIVERS\rspndr.sys
15:27:48.0062 1616 rspndr - ok
15:27:48.0156 1616 SASDIFSV (39763504067962108505bff25f024345) E:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
15:27:48.0156 1616 SASDIFSV - ok
15:27:48.0218 1616 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) E:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
15:27:48.0218 1616 SASKUTIL - ok
15:27:48.0531 1616 Secdrv (07f7f501ad50de2ba2d5842d9b6d6155) E:\WINDOWS\system32\DRIVERS\secdrv.sys
15:27:48.0609 1616 Secdrv - ok
15:27:48.0843 1616 serenum (a2d868aeeff612e70e213c451a70cafb) E:\WINDOWS\system32\DRIVERS\serenum.sys
15:27:48.0859 1616 serenum - ok
15:27:49.0078 1616 Serial (cd9404d115a00d249f70a371b46d5a26) E:\WINDOWS\system32\DRIVERS\serial.sys
15:27:49.0093 1616 Serial - ok
15:27:49.0312 1616 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) E:\WINDOWS\system32\drivers\Sfloppy.sys
15:27:49.0312 1616 Sfloppy - ok
15:27:49.0515 1616 Simbad - ok
15:27:49.0875 1616 Slntamr (2c1779c0feb1f4a6033600305eba623a) E:\WINDOWS\system32\DRIVERS\slntamr.sys
15:27:50.0015 1616 Slntamr - ok
15:27:50.0250 1616 SlNtHal (f9b8e30e82ee95cf3e1d3e495599b99c) E:\WINDOWS\system32\DRIVERS\Slnthal.sys
15:27:50.0281 1616 SlNtHal - ok
15:27:50.0484 1616 SlWdmSup (db56bb2c55723815cf549d7fc50cfceb) E:\WINDOWS\system32\DRIVERS\SlWdmSup.sys
15:27:50.0484 1616 SlWdmSup - ok
15:27:50.0687 1616 Sparrow - ok
15:27:50.0921 1616 splitter (9bb1dd670cb7505a90fc4e61d4aa8227) E:\WINDOWS\system32\drivers\splitter.sys
15:27:50.0921 1616 splitter - ok
15:27:51.0171 1616 sr (e41b6d037d6cd08461470af04500dc24) E:\WINDOWS\system32\DRIVERS\sr.sys
15:27:51.0203 1616 sr - ok
15:27:51.0515 1616 Srv (5230953c21c811b5fc1ff31ae2b48097) E:\WINDOWS\system32\DRIVERS\srv.sys
15:27:51.0531 1616 Srv - ok
15:27:51.0750 1616 swenum (03c1bae4766e2450219d20b993d6e046) E:\WINDOWS\system32\DRIVERS\swenum.sys
15:27:51.0750 1616 swenum - ok
15:27:51.0968 1616 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) E:\WINDOWS\system32\drivers\swmidi.sys
15:27:51.0968 1616 swmidi - ok
15:27:52.0171 1616 symc810 - ok
15:27:52.0359 1616 symc8xx - ok
15:27:52.0531 1616 sym_hi - ok
15:27:52.0718 1616 sym_u3 - ok
15:27:52.0953 1616 sysaudio (650ad082d46bac0e64c9c0e0928492fd) E:\WINDOWS\system32\drivers\sysaudio.sys
15:27:52.0968 1616 sysaudio - ok
15:27:53.0296 1616 Tcpip (e6b15bcc470953e600ef7aded3cab142) E:\WINDOWS\system32\DRIVERS\tcpip.sys
15:27:53.0421 1616 Tcpip - ok
15:27:53.0625 1616 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) E:\WINDOWS\system32\drivers\TDPIPE.sys
15:27:53.0640 1616 TDPIPE - ok
15:27:53.0843 1616 TDTCP (ed0580af02502d00ad8c4c066b156be9) E:\WINDOWS\system32\drivers\TDTCP.sys
15:27:53.0859 1616 TDTCP - ok
15:27:54.0078 1616 TermDD (a540a99c281d933f3d69d55e48727f47) E:\WINDOWS\system32\DRIVERS\termdd.sys
15:27:54.0093 1616 TermDD - ok
15:27:54.0296 1616 TosIde - ok
15:27:54.0546 1616 Udfs (12f70256f140cd7d52c58c7048fde657) E:\WINDOWS\system32\drivers\Udfs.sys
15:27:54.0578 1616 Udfs - ok
15:27:54.0750 1616 ultra - ok
15:27:55.0062 1616 Update (7b2170ee3d858ce8fbe503904cc9b663) E:\WINDOWS\system32\DRIVERS\update.sys
15:27:55.0187 1616 Update - ok
15:27:55.0437 1616 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) E:\WINDOWS\system32\DRIVERS\usbccgp.sys
15:27:55.0453 1616 usbccgp - ok
15:27:55.0671 1616 usbehci (4a84dd272df62be5739394b3f90f8ae2) E:\WINDOWS\system32\DRIVERS\usbehci.sys
15:27:55.0671 1616 usbehci - ok
15:27:55.0890 1616 usbhub (a874d1629762019ceaf824ad8a8c5660) E:\WINDOWS\system32\DRIVERS\usbhub.sys
15:27:55.0921 1616 usbhub - ok
15:27:56.0156 1616 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) E:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
15:27:56.0156 1616 USBSTOR - ok
15:27:56.0359 1616 usbuhci (654c19d5ca14483be3c2384cddc09468) E:\WINDOWS\system32\DRIVERS\usbuhci.sys
15:27:56.0375 1616 usbuhci - ok
15:27:56.0593 1616 VgaSave (8a60edd72b4ea5aea8202daf0e427925) E:\WINDOWS\System32\drivers\vga.sys
15:27:56.0609 1616 VgaSave - ok
15:27:56.0781 1616 ViaIde - ok
15:27:57.0000 1616 VolSnap (ee4660083deba849ff6c485d944b379b) E:\WINDOWS\system32\drivers\VolSnap.sys
15:27:57.0015 1616 VolSnap - ok
15:27:57.0234 1616 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) E:\WINDOWS\system32\DRIVERS\wanarp.sys
15:27:57.0250 1616 Wanarp - ok
15:27:57.0437 1616 WDICA - ok
15:27:57.0687 1616 wdmaud (0bfa8203b8148fb4e54bc212c41ce497) E:\WINDOWS\system32\drivers\wdmaud.sys
15:27:57.0687 1616 wdmaud - ok
15:27:58.0015 1616 WudfPf (f15feafffbb3644ccc80c5da584e6311) E:\WINDOWS\system32\DRIVERS\WudfPf.sys
15:27:58.0046 1616 WudfPf - ok
15:27:58.0265 1616 WudfRd (28b524262bce6de1f7ef9f510ba3985b) E:\WINDOWS\system32\DRIVERS\wudfrd.sys
15:27:58.0296 1616 WudfRd - ok
15:27:58.0500 1616 XDva346 - ok
15:27:58.0546 1616 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
15:27:58.0843 1616 \Device\Harddisk0\DR0 - ok
15:27:58.0859 1616 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
15:27:58.0984 1616 \Device\Harddisk1\DR1 - ok
15:27:59.0000 1616 Boot (0x1200) (829f1bc1a820df2f3a0ada54d7d39517) \Device\Harddisk0\DR0\Partition0
15:27:59.0000 1616 \Device\Harddisk0\DR0\Partition0 - ok
15:27:59.0015 1616 Boot (0x1200) (af967b39ecfd235257ebef48c301451e) \Device\Harddisk1\DR1\Partition0
15:27:59.0015 1616 \Device\Harddisk1\DR1\Partition0 - ok
15:27:59.0031 1616 ============================================================
15:27:59.0031 1616 Scan finished
15:27:59.0031 1616 ============================================================
15:27:59.0062 1608 Detected object count: 1
15:27:59.0062 1608 Actual detected object count: 1
15:29:24.0828 1608 Backup copy found, using it..
15:29:24.0890 1608 E:\WINDOWS\system32\DRIVERS\ipsec.sys - will be cured on reboot
15:29:39.0562 1608 IPSec ( Rootkit.Win32.ZAccess.h ) - User select action: Cure
15:30:12.0031 1592 Deinitialize success

#8 RPMcMurphy (Malware Response Team)

Posted 20 November 2011 - 05:50 PM

black&gold:

Thanks, it's easier for me if the log is posted like that! Please do this next (from the normal mode if possible):

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the code box by highlighting it and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above Folder::

Folder::
e:\documents and settings\Kcin\Application Data\k0uvvS2bF3m5Q6d
e:\documents and settings\Kcin\Application Data\BwkIVrzONt
e:\program files\58981
e:\documents and settings\Kcin\Application Data\8C558
e:\documents and settings\Kcin\Application Data\wvD3nG4sK7
e:\documents and settings\Kcin\Application Data\h6KfLL9gT
Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"=-
ClearJavaCache::

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot]


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

You have this program installed: Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please include the following in your next post:
  • ComboFix log
  • MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#9 black&gold (Topic Starter)

Posted 20 November 2011 - 06:14 PM

Ok thanks, will do.

edit: After I dropped the script onto the CF icon, it opened and I got an update msg that a newer version of combo is available. Is this normal and should I update it? It didn't mention any updates when we used it earlier today.

Edited by black&gold, 20 November 2011 - 06:36 PM.


#10 RPMcMurphy (Malware Response Team)

Posted 20 November 2011 - 08:58 PM

Yes, that is OK. Please allow it to update.



#11 black&gold (Topic Starter)

Posted 21 November 2011 - 02:40 AM

Alrighty, the Combofix log:


ComboFix 11-11-20.02 - Kcin 11/20/2011 22:11:21.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1694 [GMT -5:00]
Running from: e:\documents and settings\Kcin\Desktop\ComboFix.exe
Command switches used :: e:\documents and settings\Kcin\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
e:\documents and settings\Kcin\Application Data\8C558
e:\documents and settings\Kcin\Application Data\8C558\8981.C55
e:\documents and settings\Kcin\Application Data\BwkIVrzONt
e:\documents and settings\Kcin\Application Data\h6KfLL9gT
e:\documents and settings\Kcin\Application Data\k0uvvS2bF3m5Q6d
e:\documents and settings\Kcin\Application Data\k0uvvS2bF3m5Q6d\AV Security 2012.ico
e:\documents and settings\Kcin\Application Data\wvD3nG4sK7
e:\program files\58981
.
.
((((((((((((((((((((((((( Files Created from 2011-10-21 to 2011-11-21 )))))))))))))))))))))))))))))))
.
.
2011-11-16 04:51 . 2011-11-16 04:51 -------- d-sh--w- e:\documents and settings\NetworkService\IETldCache
2011-11-05 04:32 . 2009-11-19 06:33 79256 ----a-w- e:\windows\system32\npOGPPlugin.dll
2011-11-05 04:32 . 2009-11-19 06:33 271768 ----a-w- e:\windows\system32\OGPIEPlugin.ocx
2011-11-05 04:32 . 2011-11-05 04:44 -------- d-----w- e:\program files\OGPlanet
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-20 20:31 . 2004-08-03 22:14 74752 ----a-w- e:\windows\system32\drivers\ipsec.sys
2011-08-31 21:00 . 2010-06-19 18:44 22216 ----a-w- e:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-20_21.35.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-20 21:54 . 2011-11-20 21:54 16384 e:\windows\temp\Perflib_Perfdata_610.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="e:\program files\Steam\Steam.exe" [2011-08-05 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="e:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"PRONoMgr.exe"="e:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"IgfxTray"="e:\windows\system32\igfxtray.exe" [2006-04-01 155648]
"HotKeysCmds"="e:\windows\system32\hkcmd.exe" [2006-04-01 126976]
"GrooveMonitor"="e:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"GhostStartTrayApp"="e:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2002-08-14 94208]
"Adobe ARM"="e:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
e:\documents and settings\Kcin\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - e:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-09-06 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- e:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"COMSysApp"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\WINDOWS\\system32\\sessmgr.exe"=
"e:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"e:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"e:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\THQ\\DarkCrusade\\DarkCrusade.exe"=
"e:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"e:\\Program Files\\mektek.net\\MTX\\mtx.exe"=
"e:\\Program Files\\THQ\\DarkCrusade\\DarkCrusade.exe"=
"e:\\Documents and Settings\\Kcin\\My Documents\\Mekwar4\\Mechwarrior Mercenaries - Mektek Mekpak\\MW4Mercs.exe"=
"e:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"e:\\Program Files\\Turbine\\DDO Unlimited\\dndclient.exe"=
"e:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"e:\\Program Files\\Steam\\Steam.exe"=
"e:\\Program Files\\OGPlanet\\LostSaga\\autoupgrade.exe"=
"e:\\Program Files\\OGPlanet\\LostSaga\\lostsaga.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58848:TCP"= 58848:TCP:Pando Media Booster
"58848:UDP"= 58848:UDP:Pando Media Booster
.
R1 GhPciScan;GhostPciScanner;e:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [8/14/2002 2:11 PM 5632]
R1 SASDIFSV;SASDIFSV;e:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 1:25 PM 12880]
R1 SASKUTIL;SASKUTIL;e:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67664]
R2 !SASCORE;SAS Core Service;e:\program files\SUPERAntiSpyware\SASCORE.EXE [6/7/2010 12:02 PM 116608]
S3 CFcatchme;CFcatchme;\??\e:\docume~1\Kcin\LOCALS~1\Temp\CFcatchme.sys --> e:\docume~1\Kcin\LOCALS~1\Temp\CFcatchme.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\e:\windows\system32\drivers\mbamswissarmy.sys --> e:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 npggsvc;nProtect GameGuard Service;e:\windows\system32\GameMon.des -service --> e:\windows\system32\GameMon.des -service [?]
S3 XDva346;XDva346;\??\e:\windows\system32\XDva346.sys --> e:\windows\system32\XDva346.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - e:\documents and settings\Kcin\Application Data\Mozilla\Firefox\Profiles\s1vv91m2.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - e:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Java Quick Starter: jqs@sun.com - e:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-20 22:22
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="e:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(692)
e:\program files\SUPERAntiSpyware\SASWINLO.DLL
e:\windows\system32\WININET.dll
.
Completion time: 2011-11-20 22:25:44
ComboFix-quarantined-files.txt 2011-11-21 03:25
ComboFix2.txt 2011-11-20 21:41
ComboFix3.txt 2011-07-31 23:51
.
Pre-Run: 69,743,484,928 bytes free
Post-Run: 69,734,264,832 bytes free
.
- - End Of File - - 4BA6EAEB866F921DAE8566153E7809B6


Now the Malwarebytes log. It found just one item of adware crap. I imagine it's some file that either randomly found its way into a superfluous add-on I downloaded for a game or something that was packed with it upon download. It's for a game I haven't played in months though, so it's odd that it would just show up now.


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8205

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

11/21/2011 2:21:08 AM
mbam-log-2011-11-21 (02-21-08).txt

Scan type: Full scan (E:\|)
Objects scanned: 309745
Time elapsed: 1 hour(s), 22 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
e:\documents and settings\Kcin\my documents\dawn of war soulstorm addons\july11b&bs\aw_dow_badgepack1.exe (Adware.Onlinegames) -> Quarantined and deleted successfully.
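
The ComboFix log above lists the machine's autorun entries (the "Reg Loading Points" section) and recently created files. As an added example that is not part of this thread, of ComboFix or of any of the tools used here, the Python script below shows how a defender could triage such a log mechanically instead of reading it line by line: it parses those two sections and flags autorun entries and new objects that live in user-writable profile locations, or whose folder names look randomly generated, which is what the Application Data folders removed earlier in this thread looked like. The log text embedded in the script is constructed to mirror the format seen in the thread; the "AV Security 2012" Run entry and its avsec.exe path are invented for illustration, and the "random-looking name" rule is a heuristic assumption, not a rule from any of the tools.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's own code).

It reads the "Files Created" and "Reg Loading Points" sections and flags:
  * autorun (Run key) entries whose executable lives in a user-writable location
  * newly created objects that are hidden and live in such a location
  * path components that look like randomly generated names (heuristic)
"""
import re

# Constructed sample in the thread's log format. The Steam, Java, IETldCache and
# npOGPPlugin lines mirror entries seen in the thread; the k0uvvS2bF3m5Q6d folder
# line and the "AV Security 2012" Run entry (avsec.exe) are invented for the demo.
SAMPLE_LOG = """\
((((((((((((((((((((((((( Files Created from 2011-10-21 to 2011-11-21 )))))))))))))))))))))))))))))))
.
2011-11-16 04:51 . 2011-11-16 04:51 -------- d-sh--w- e:\\documents and settings\\NetworkService\\IETldCache
2011-11-05 04:32 . 2009-11-19 06:33 79256 ----a-w- e:\\windows\\system32\\npOGPPlugin.dll
2011-11-12 09:10 . 2011-11-12 09:10 -------- d-----w- e:\\documents and settings\\Kcin\\Application Data\\k0uvvS2bF3m5Q6d
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Steam"="e:\\program files\\Steam\\Steam.exe" [2011-08-05 1242448]
"AV Security 2012"="e:\\documents and settings\\Kcin\\Application Data\\k0uvvS2bF3m5Q6d\\avsec.exe" [2011-11-12 411648]
.
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"SunJavaUpdateSched"="e:\\program files\\Common Files\\Java\\Java Update\\jusched.exe" [2011-04-08 254696]
"""

# Path fragments (lower-cased, backslash-delimited) that a normal autorun entry
# has no business living under on Windows XP. Assumption: this list is a starting
# point, not an exhaustive definition of "user-writable".
USER_WRITABLE_MARKERS = (
    "\\application data\\",
    "\\local settings\\temp\\",
    "\\windows\\temp\\",
)

# Heuristic: 9+ alphanumerics mixing lower case, upper case and digits, e.g.
# "k0uvvS2bF3m5Q6d". Short vendor names such as "Office12" are not matched.
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{9,}$")

# "Name"="path" [date size] lines under the Run keys
RUN_LINE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"')
# created . modified size attrs path  (attrs is the 8-char flag string, e.g. d-sh--w-)
CREATED_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} \S+ (?P<attrs>\S{8}) (?P<path>.+)$"
)


def is_user_writable(path: str) -> bool:
    """True if the path sits under one of the user-writable markers."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def looks_random(component: str) -> bool:
    """True if a single path component matches the random-name heuristic."""
    return bool(RANDOM_NAME.match(component))


def triage(log_text: str) -> list:
    """Return a list of (reason, path) findings from the two log sections."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if "Files Created" in line:
            section = "created"
            continue
        if "Reg Loading Points" in line:
            section = "reg"
            continue
        if section == "created":
            m = CREATED_LINE.match(line)
            if not m:
                continue
            attrs, path = m.group("attrs"), m.group("path")
            # 'h' in the attribute string means the object is hidden
            if "h" in attrs and is_user_writable(path):
                findings.append(("hidden object in user-writable location", path))
            if any(looks_random(c) for c in path.split("\\")):
                findings.append(("random-looking name", path))
        elif section == "reg":
            m = RUN_LINE.match(line)
            if not m:
                continue
            path = m.group("path")
            if is_user_writable(path):
                findings.append(("autorun from user-writable location", path))
            if any(looks_random(c) for c in path.split("\\")):
                findings.append(("autorun path with random-looking component", path))
    return findings


if __name__ == "__main__":
    for reason, path in triage(SAMPLE_LOG):
        print(f"{reason}: {path}")
```

Run against a real ComboFix.txt the script only narrows down what a human should look at; a legitimate program that installs itself under Application Data will also be flagged, so each hit still needs the kind of judgement the helper applies in this thread before anything is deleted.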

#12 RPMcMurphy (Malware Response Team)

Posted 21 November 2011 - 05:46 PM

black&gold:

How is your computer running now? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Java™ can be updated from the Java control panel: Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
Please go here to run an online scan with ESET.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • How is the computer running now?
  • ESET log



#13 black&gold (Topic Starter)

Posted 21 November 2011 - 06:51 PM

Well, the PC seems to be running fine now. The ping.exe process has ceased appearing in my task manager since the ComboFix fixes, and the av2012 program is gone from my start menu. The PC has not restarted on its own again for no reason (since the one and only time that it did that during this incident). And the great news is that I did a quick Google search and so far no redirects. I realize, though, that absence of symptoms doesn't necessarily mean that my machine is fully clean yet. Still, I fortunately have not experienced the inability to connect to the net with this PC that other users with posts here concerning ZeroAccess rootkits have. I saw several posts mentioning that they had problems with their IP even after supposedly getting rid of ZeroAccess with ComboFix. But it seems in all of those cases the users used ComboFix on their own without the removal team's assistance.

Going to update Java and run that ESET now.

#14 black&gold (Topic Starter)

Posted 22 November 2011 - 12:06 AM

Okay, the ESET scan finished. Not sure if we're out of the woods quite yet. I'm not sure what those trojans listed with KillBox mean. I haven't tried to use KillBox during this incident. However, once in the past I tried using KillBox to stop some processes before I came to this site for help. Not sure if this is left over from then or what this means, but here are the results of the scan. The scan lasted approx. 4 and 1/2 hours and found these 4 things.

C:\Documents and Settings\Mark-on\Desktop\DOW extras\War 40k stuff\jZipV1c.exe multiple threats
E:\!KillBox\avmeter32.exe Win32/TrojanDownloader.Tracur.D trojan
E:\!KillBox\avmeter32.exe( 1) Win32/TrojanDownloader.Tracur.D trojan
E:\!KillBox\avmeter32.exe( 2) Win32/TrojanDownloader.Tracur.D trojan

#15 RPMcMurphy (Malware Response Team)

Posted 22 November 2011 - 02:36 PM

black&gold:

This will clean up those ESET detections:

Open Notepad and copy/paste the text in the quote box below into it:

@echo off
REM Remove the file ESET flagged on the C: drive
del "C:\Documents and Settings\Mark-on\Desktop\DOW extras\War 40k stuff\jZipV1c.exe"
REM Remove the old KillBox folder together with its contents (avmeter32.exe sits
REM inside it; plain "rd" refuses to delete a non-empty folder, hence /S /Q)
rd /S /Q "E:\!KillBox"
REM Delete this batch file itself once it has run
del /Q %0

Save this as fix.bat. Choose "Save as type: All Files".
It should look like this: [screenshot]
Double-click on fix.bat and allow it to run.

You need to update your OS. Windows XP SP2 is no longer supported, thus you are not receiving critical updates.

Download the latest Windows XP service pack from the Microsoft Download Center. This page will say that this installation package is intended for IT professionals and developers. However, you can safely download this file.

http://www.microsoft.com/downloads/details.aspx?FamilyID=5B33B5A8-5E76-401F-BE08-1E1555D4F3D4&displaylang=en

Let me know once you have this completed and we can finish cleaning your PC up.





