Recovery after ZAccess, ping, browser redirects, etc.


  • This topic is locked
53 replies to this topic

#1 banichi


Posted 01 December 2011 - 03:14 PM

Posting here, per Broni's instructions, after posting a narrative in the Am I Infected? forum, here.

The computer in question is a Dell Inspiron 1720 laptop, 2 GHz CoreDuo T7300 CPU, 4 GB RAM, running 32-bit Vista Ultimate SP2, automatic Microsoft Update (Vista and MS apps), McAfee AV and Firewall (automatic updates). Used Norton Save and Restore for weekly complete backups (monthly restore point sets) and daily file/folder backups to an external USB HD.

What Happened:
I was working a week ago (11/24) when Cloud AV 2012 suddenly popped up. No alerts of any kind from McAfee. Every time I killed the process, it relaunched.

What I Did:
Googled 'Cloud AV 2012' and was redirected to what appeared to be a Trend Micro page for 'Fake AV Remover' which would handle fake antivirus packages including Cloud AV 2012. I downloaded and ran it. Cloud AV 2012 executable stopped but directories and contents were not removed.

Then, I noticed that I had a browser redirect problem in both MSIE 9 and current Firefox. I also noticed that ping.exe was running constantly with excessive resources, and the job kept relaunching when I killed the process. Full scan with Norton revealed no problems. Further research mentioned Malwarebytes, and repeated references to stopping the browser/Google redirect with TDSSKiller and that ComboFix was about the only thing detecting a problem with ping.exe. Spoke with a local tech friend who advised to run MBAM to clean up after Cloud AV 2012. MBAM found four threats and removed them (can't get to that log, now, but it was three registry entries and the 'Fake AV Remover' based on heuristics). Am now wondering if the Fake AV Remover was a spoofed Trend Micro page? The executable is still on the laptop but I can't get to it.

After running MBAM, ping.exe was still running and I still had browser redirects. Full scans by MBAM (constantly updated) and McAfee continued to reveal nothing, and were running about 14 hours each. Spoke with my friend again, who advised running TDSSKiller for the browser redirects and ComboFix for the ping.exe problem. McAfee was frequently alerting on Backdoor variant and Generic.Downloader variant trojans. Ping.exe was periodically failing, shutting down, and restarting.

I downloaded from Kaspersky and ran TDSSKiller, which found Rootkit.Win32.ZAccess.k (1 file - csc.sys). It appeared to cure it upon restart. Browser redirects had stopped. I didn't check ping at the moment because I was about to run ComboFix for that. I started ComboFix before finding this site, much to my regret. While ComboFix was running on the laptop, I was browsing this site and realized I'd probably made a mistake. ComboFix appeared to be running for 12 hours, during which time I did not touch the machine. After about 4 hours, McAfee popped up an alert that the machine was at risk because the firewall and AV were disabled (hah!), but I didn't acknowledge it (not wanting to use the keyboard or touchpad). After about 3 more hours, a Windows alert popped up that a freeware download of XCACLS had stopped running and was shutdown. I didn't acknowledge that box, either.

After ComboFix had been stuck in the initial scan for 12 hours and hadn't proceeded even to Stage 1, I got on chat, here, and Lurch suggested I stop ComboFix and start a thread in this forum. I stopped ComboFix and restarted. First thing that happened was an apparent Windows alert that the Recycle Bin was corrupt and did I want to flush the bin and correct the problem? Stupidly, I clicked OK. Then I noticed that the McAfee icon in the system tray was unresponsive, but System Security showed that the firewall and AV were active. I rebooted into Safe Mode with Network, and attempted to run TDSSKiller, and found that it couldn't create a log and couldn't run a .sys file, running as me. I tried to run ESET on-line scan, and got a fake McAfee message (window was wrong) that there was a security problem with a .cab file ESET was trying to download. I deleted existing copies of MBAM and TDSSKiller and attempted to download fresh copies, but couldn't download anything - dialogues were blocked (red X) and couldn't Save As (nothing happened). I am now wondering if, after TDSSKiller restarted the machine, part of the rootkit remained resident in low memory, and that what was needed was a shutdown and cold boot.

Where things stand:
The laptop boots and I can see things, but:
1. Can't get to or do anything with McAfee. System Security shows the AV and firewall as on, and I can't disable them.
2. All Windows System Restore points are gone, except for one with a timestamp about the same time as the XCACLS failure.
3. My write and execute privileges have been altered or revoked. I have no access to some entire directory structures, though I can see them in Explorer.
4. Unable to execute anti-malware, anti-rootkit and anti-virus software and scans.
5. Unable to download or save files to the internal hard drive.
6. Online scanning/cleaning tools are blocked.
7. csc.sys - the file found by TDSSKiller - is still present.

I was able to use a USB flash stick to run DDS and GMER (attached). DDS log follows:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Admin at 5:22:19 on 2011-12-01
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3581.2561 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\aestsrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Users\Admin\smp-fah\smpd.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Program Files\Norton Save and Restore\Agent\VProTray.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Yuna Software\Messenger Plus!\PlusService.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\McAfee\VirusScan\mcods.exe
C:\Windows\system32\Macromed\Flash\FlashUtil11c_ActiveX.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchFilterHost.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070906
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070906
mDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070906
uInternet Settings,ProxyServer = 165.228.133.10:3128
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110729021952.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Google Update] "c:\users\admin\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [Norton Save and Restore 2.0] "c:\program files\norton save and restore\agent\VProTray.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [ProfilerU] c:\program files\saitek\sd6\software\ProfilerU.exe
mRun: [SaiMfd] c:\program files\saitek\sd6\software\SaiMfd.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
mRun: [PlusService] c:\program files\yuna software\messenger plus!\PlusService.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: MasterCook: Select Image - c:\mastercook 9\web\MCIEContext.hta
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxps://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://cam15001.miemasu.net/kxhcm10.ocx
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553530000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{C7DE6E16-35F1-4F65-9291-09F2E835F93A} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F97559B6-187C-44FA-B5C2-EE00FE63C42E} : DhcpNameServer = 10.61.32.1 1.1.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
mASetup: {7070D8E0-650A-46b3-B03C-9497582E6A74} - %SystemRoot%\system32\soundschemes.exe /AddRegistration
mASetup: {B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24} - %SystemRoot%\system32\soundschemes2.exe /AddRegistration
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\z42p4y6l.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxps://www.facebook.com/|http://www.dogforum.net/|http://forum.sausagemaking.org/|http://wedlinydomowe.pl/en/index.php
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\users\admin\appdata\local\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\users\admin\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\admin\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-7-30 387480]
R1 dvdfabio;dvdfabio;c:\windows\system32\drivers\dvdfabio.sys [2010-3-10 12672]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-7-30 64584]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-7-30 165032]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-11-2 73728]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-30 271480]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-30 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-7-30 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-7-30 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-7-30 141792]
R2 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;c:\users\admin\smp-fah\smpd.exe [2008-2-11 1135616]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-7-30 56064]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-7-30 153280]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-7-30 52320]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-7-30 314088]
R3 vdrive;vdrive;c:\windows\system32\drivers\vdrive.sys [2010-3-10 36736]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-30 271480]
S3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [2010-5-31 23096]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-9-5 30192]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-7-30 84488]
S3 SaiH0461;SaiH0461;c:\windows\system32\drivers\SaiH0461.sys [2008-12-10 182528]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== File Associations ===============
.
.txt=UltraEdit.txt
.
=============== Created Last 30 ================
.
2011-12-01 10:18:49 -------- d-----w- c:\users\admin\appdata\local\NPE
2011-12-01 10:18:48 -------- d-----w- c:\programdata\Norton
2011-11-29 00:20:33 -------- d-s---w- C:\ComboFix
2011-11-28 04:52:44 184320 ----a-w- c:\windows\MBR.exe
2011-11-28 04:52:43 98816 ----a-w- c:\windows\sed.exe
2011-11-28 04:52:43 518144 ----a-w- c:\windows\SWREG.exe
2011-11-28 04:52:43 256000 ----a-w- c:\windows\PEV.exe
2011-11-27 09:56:54 -------- d-----w- c:\users\admin\appdata\local\{9E52F53E-51FF-4112-B60D-410E8ED961B9}
2011-11-27 09:56:23 -------- d-----w- c:\users\admin\appdata\local\{A3CB45E7-5630-4443-9AF0-64BF4AA24311}
2011-11-27 06:46:02 -------- d-----w- c:\users\admin\appdata\local\Adobe
2011-11-27 04:53:32 -------- d-----w- c:\users\admin\appdata\local\{A7776411-770D-4667-97AA-88BF082D3759}
2011-11-25 18:13:35 -------- d-----w- c:\users\admin\appdata\local\{A8531312-8860-44FD-96CE-0C518D2C37BA}
2011-11-25 18:13:16 -------- d-----w- c:\users\admin\appdata\local\{4D89182E-C4C9-4169-A867-FB06E6D350DC}
2011-11-25 06:37:01 -------- d-----w- c:\users\admin\appdata\roaming\Malwarebytes
2011-11-25 06:36:54 -------- d-----w- c:\programdata\Malwarebytes
2011-11-25 06:36:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 06:36:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-25 05:01:43 -------- d-----w- c:\users\admin\appdata\local\{03406536-D9F2-4924-9149-6A31324E2413}
2011-11-25 05:01:09 -------- d-----w- c:\users\admin\appdata\local\{4394B9A7-66EF-43EC-83E7-EB145B427DE7}
2011-11-24 04:48:03 -------- d-----w- c:\users\admin\appdata\local\{6415FD9B-78EA-4DCC-BF18-70782A01EE09}
2011-11-24 04:47:40 -------- d-----w- c:\users\admin\appdata\local\{773D0D9C-1AFA-4414-A143-21D758415D2F}
2011-11-23 16:47:29 -------- d-----w- c:\users\admin\appdata\local\{ABBA98F6-9C4A-4A99-B01D-1A61C387CFE6}
2011-11-23 16:47:19 -------- d-----w- c:\users\admin\appdata\local\{9C601D72-51B2-4523-9F45-2A0D3B6C3F5E}
2011-11-23 05:39:37 -------- d-----w- c:\users\admin\appdata\roaming\KastorFreeAudioConverter
2011-11-23 05:39:37 -------- d-----w- c:\program files\Kastor Free Mp3 M4a Wma Converter
2011-11-23 04:47:04 -------- d-----w- c:\users\admin\appdata\local\{61ADE7C3-D31B-4FAB-BFE9-56DF6EC3D7E4}
2011-11-23 04:46:43 -------- d-----w- c:\users\admin\appdata\local\{89E1EDB3-6426-484B-9738-7C61BF593AF9}
2011-11-22 16:46:32 -------- d-----w- c:\users\admin\appdata\local\{932A4ED9-957E-44C6-9A2B-120D0FF2C693}
2011-11-22 16:46:10 -------- d-----w- c:\users\admin\appdata\local\{6AB8DDFF-8851-4718-A54F-C6BE5526C03D}
2011-11-22 04:45:46 -------- d-----w- c:\users\admin\appdata\local\{C4D3D48C-58AE-4854-A9EB-BEAB5DFB131B}
2011-11-21 16:45:16 -------- d-----w- c:\users\admin\appdata\local\{C1E6A4DE-81C5-4AC4-9383-15560CB9D22F}
2011-11-21 16:45:06 -------- d-----w- c:\users\admin\appdata\local\{38A3CDF1-3F0B-4624-B372-CD9AD6CD5545}
2011-11-20 21:12:35 -------- d-----w- c:\users\admin\appdata\local\{D9FED80E-0D81-4968-8C3A-AE495CC7FBE3}
2011-11-20 21:12:08 -------- d-----w- c:\users\admin\appdata\local\{5C744DEF-B955-4378-9052-EAF003464CA6}
2011-11-20 04:25:20 -------- d-----w- c:\users\admin\appdata\local\{37954B11-003A-4C93-8C04-C567662A445D}
2011-11-20 04:25:02 -------- d-----w- c:\users\admin\appdata\local\{2BDD4146-255D-455A-9B13-F0C729C0536B}
2011-11-19 05:09:15 -------- d-----w- c:\users\admin\appdata\local\{AC71CF27-1D8A-4B65-BC70-E129DD9DBD04}
2011-11-19 05:08:54 -------- d-----w- c:\users\admin\appdata\local\{281C1CDD-6D2D-4749-B0A0-D1238FE9A5DA}
2011-11-18 17:08:42 -------- d-----w- c:\users\admin\appdata\local\{4C652B5E-E0B8-49DC-BAF3-C1C2FACA0A21}
2011-11-18 17:08:21 -------- d-----w- c:\users\admin\appdata\local\{7D2119BA-74B3-4CD7-95EB-4E2C15DDE9D3}
2011-11-18 05:07:59 -------- d-----w- c:\users\admin\appdata\local\{C3741B38-F779-4A06-9200-43153AD7E441}
2011-11-18 05:07:50 -------- d-----w- c:\users\admin\appdata\local\{5592D050-F2F6-4447-B7AA-56AABE1EFA0F}
2011-11-17 17:07:27 -------- d-----w- c:\users\admin\appdata\local\{0919CCF3-6B93-4EB8-8A0A-EED70B7CAC97}
2011-11-17 17:06:54 -------- d-----w- c:\users\admin\appdata\local\{D2DE027C-7682-4FEF-A6D5-E39611173917}
2011-11-17 04:03:58 -------- d-----w- c:\users\admin\appdata\local\{016958C3-BB83-464C-8C03-BB3BC6B84920}
2011-11-17 04:03:35 -------- d-----w- c:\users\admin\appdata\local\{517ABD4A-9AB1-4AE0-9F5A-2F7CF33A70E2}
2011-11-16 16:03:24 -------- d-----w- c:\users\admin\appdata\local\{F677FA07-F19D-4ECE-AAF0-B84473D727A3}
2011-11-16 16:03:03 -------- d-----w- c:\users\admin\appdata\local\{DF4B4D2E-2E40-4883-8480-B45A97D46E18}
2011-11-16 05:27:27 -------- d-----r- c:\program files\Skype
2011-11-16 04:02:52 -------- d-----w- c:\users\admin\appdata\local\{D2D139DD-9925-4179-BBC5-9B8BC0B7AF9E}
2011-11-16 04:02:31 -------- d-----w- c:\users\admin\appdata\local\{057AA2EC-AA84-4B73-9604-69C1D9425789}
2011-11-15 16:02:02 -------- d-----w- c:\users\admin\appdata\local\{5AE0F704-F9CD-499B-9600-2848D5FF4825}
2011-11-15 16:01:39 -------- d-----w- c:\users\admin\appdata\local\{5B2E3583-D131-4103-B5F4-6ABB21C5834A}
2011-11-14 01:28:16 -------- d-----w- c:\users\admin\appdata\local\{11689AA5-7C22-4C70-AD05-10355611A357}
2011-11-14 01:28:02 -------- d-----w- c:\users\admin\appdata\local\{3EE36949-4F3F-40D3-95DC-2A9ED762C5F6}
2011-11-13 05:39:27 -------- d-----w- c:\users\admin\appdata\local\{EB37760B-4160-4A05-A048-EA14153DCD58}
2011-11-13 05:39:05 -------- d-----w- c:\users\admin\appdata\local\{CC3E84F7-FDB1-40E0-B49F-CEB3D6E20AFF}
2011-11-12 17:38:54 -------- d-----w- c:\users\admin\appdata\local\{F78582BB-FCC5-4362-A295-857EF487A6E1}
2011-11-12 17:38:33 -------- d-----w- c:\users\admin\appdata\local\{420FA8F4-BA66-4E2A-A3D8-3A4AE2947C3C}
2011-11-12 05:38:22 -------- d-----w- c:\users\admin\appdata\local\{04F3FB9D-A073-4363-863A-2AE6AB666D8B}
2011-11-12 05:38:00 -------- d-----w- c:\users\admin\appdata\local\{E7A41BD6-407E-40F6-BF8D-117F39A756E2}
2011-11-11 17:37:48 -------- d-----w- c:\users\admin\appdata\local\{C46D4428-F3A9-4424-A1E5-987A94020800}
2011-11-11 17:37:27 -------- d-----w- c:\users\admin\appdata\local\{D4778AB9-5EFB-45D3-8177-DB1C5797520C}
2011-11-11 05:37:14 -------- d-----w- c:\users\admin\appdata\local\{D66A7A8C-2E74-424E-9E75-688B91E1201F}
2011-11-11 05:36:53 -------- d-----w- c:\users\admin\appdata\local\{55EE3104-ACD0-423E-98E0-0A0A99DF7E83}
2011-11-10 17:36:40 -------- d-----w- c:\users\admin\appdata\local\{9BD7D531-6558-4546-88D8-0A9326FC60A8}
2011-11-10 17:35:23 -------- d-----w- c:\users\admin\appdata\local\{06C746D9-AA37-4683-B935-3DB0B4153934}
2011-11-10 05:24:24 -------- d-----w- c:\users\admin\appdata\local\{D3835FC4-1E42-4ED5-8C8D-1AE046231DC9}
2011-11-10 05:24:03 -------- d-----w- c:\users\admin\appdata\local\{99627480-812B-4E77-A017-36A654A05C05}
2011-11-09 17:23:49 -------- d-----w- c:\users\admin\appdata\local\{D88ADB87-A7D8-4156-ADD5-175939DF152A}
2011-11-09 17:23:27 -------- d-----w- c:\users\admin\appdata\local\{E078D6DA-0B2A-4204-852E-4D14C9BE9153}
2011-11-09 15:36:09 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-11-09 15:36:07 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-09 15:36:03 707584 ----a-w- c:\program files\common files\system\wab32.dll
2011-11-09 05:23:14 -------- d-----w- c:\users\admin\appdata\local\{EACAD051-9F4C-4CF5-8214-A6FA1552A442}
2011-11-09 05:22:52 -------- d-----w- c:\users\admin\appdata\local\{AFA0C9A7-AB79-45FB-8E43-D6944E50C0EB}
2011-11-08 17:22:36 -------- d-----w- c:\users\admin\appdata\local\{B4DAA066-5F32-46A6-B7D4-7828217EFEC4}
2011-11-08 17:22:00 -------- d-----w- c:\users\admin\appdata\local\{DDFF0DC7-E354-4EBC-9FFE-4F352CBF1A19}
2011-11-07 16:06:51 -------- d-----w- c:\users\admin\appdata\local\{A4F3D3CC-6105-4FF4-B998-7B35CB2A16BE}
2011-11-07 16:06:27 -------- d-----w- c:\users\admin\appdata\local\{46208564-4642-47C4-B249-79034BE5FE19}
2011-11-06 00:54:13 -------- d-----w- c:\users\admin\appdata\local\{CC995937-E8F8-4167-9B33-6C4D0418C820}
2011-11-04 18:56:13 -------- d-----w- c:\users\admin\appdata\local\{0385BD8D-E7A6-4E1A-B4FD-3AABEB1BFD6D}
2011-11-04 18:55:51 -------- d-----w- c:\users\admin\appdata\local\{DAA11B14-5D57-4495-B71D-8C5013C8D887}
2011-11-04 04:07:28 -------- d-----w- c:\users\admin\appdata\local\{509C4C03-B86A-48AB-A190-AAAC069F5B8B}
2011-11-04 04:07:06 -------- d-----w- c:\users\admin\appdata\local\{6D2FE85A-4B73-4F1E-9645-4794B7005E27}
2011-11-03 16:06:35 -------- d-----w- c:\users\admin\appdata\local\{2C4380A0-36B4-4B29-B986-4ADA6B238409}
2011-11-03 16:06:04 -------- d-----w- c:\users\admin\appdata\local\{2573F7DA-FDA7-4EAF-9098-B215CD2B8AF0}
2011-11-02 21:55:10 -------- d-----w- c:\users\admin\appdata\local\{E47272A1-D469-42FA-ACBC-69ADA750181C}
.
==================== Find3M ====================
.
2011-11-28 02:36:47 351744 ----a-w- c:\windows\system32\drivers\csc.sys
2011-11-19 06:59:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-03 10:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-06 13:30:12 2043392 ----a-w- c:\windows\system32\win32k.sys
2010-10-30 03:57:34 1856512 ----a-w- c:\program files\Default Programs Editor.exe
.
============= FINISH: 5:24:21.35 ===============

The machine had two external hard drives attached throughout the infection. Those have been disconnected. I'll need advice on how to ensure those are not/no longer infected, too. I can attach those to the desktop to clean them, but want to be sure the desktop is adequately protected.

ETA: I just recalled that somewhere along the way, while I still had access, I noticed that the hosts file had been deleted. I replaced it with a new hosts file (just localhost), but that had no effect on the browser redirects.

Edited by banichi, 01 December 2011 - 06:32 PM.
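As an added example after the DDS listing above (editor's code, not part of the original post or of the DDS or ComboFix tools): a small Python triage helper that parses the date-stamped listing lines both tools emit and reports the items a responder would look at first. The sample log is constructed from lines that appear in this thread's logs; the flags it raises (GUID-named folders created directly under AppData\Local, files written under system32\drivers, a per-user ProxyServer value) are a reviewer's shortlist of things to verify, not verdicts. The later ComboFix run in this thread removes one such GUID folder that held Firefox extension files (chrome.manifest, install.rdf), which is why counting those folders per day is useful.

```python
"""Triage helper for the date-stamped listing lines in DDS / ComboFix logs.

Added example, not part of DDS or ComboFix. Two line shapes are handled:
DDS      : <modified> <size|--------> <attrs> <path>
ComboFix : <modified> . <created> <size|--------> <attrs> <path>
"""
import re
from collections import defaultdict
from datetime import datetime

LISTING_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)"  # modified time
    r"(?: \. (?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"      # ComboFix adds the created time
    r"\s+(?P<size>\d+|-+)"                                    # byte size, or dashes for a directory
    r"\s+(?P<attrs>[-dasrhw]{8})"                             # attribute flags, e.g. d-----w-
    r"\s+(?P<path>.+)$"
)
# A {GUID} directory sitting directly under AppData\Local (pattern seen in this thread's logs).
GUID_DIR_RE = re.compile(
    r"\\appdata\\local\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I
)
# u = per-user (HKCU), m = per-machine (HKLM) in the DDS/ComboFix 'Supplementary Scan' notation.
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<proxy>\S+)", re.I)
DRIVER_DIR = "\\system32\\drivers\\"


def _parse_time(text):
    fmt = "%Y-%m-%d %H:%M:%S" if text.count(":") == 2 else "%Y-%m-%d %H:%M"
    return datetime.strptime(text, fmt)


def parse_line(line):
    """Return a dict for one listing line, or None if the line is not a listing line."""
    m = LISTING_RE.match(line.strip())
    if not m:
        return None
    size = m.group("size")
    return {
        "mtime": _parse_time(m.group("mtime")),
        "size": None if size.startswith("-") else int(size),
        "is_dir": m.group("attrs")[0] == "d",
        "path": m.group("path"),
    }


def parse_log(text):
    """Parse every listing line in a log; section headers, dots and prose are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def find_proxy_settings(text):
    """Collect every ProxyServer value reported in the log (a set proxy explains redirects)."""
    return [m.group("proxy") for m in (PROXY_RE.match(l.strip()) for l in text.splitlines()) if m]


def triage(entries):
    """Group the entries a responder should verify first."""
    guid_dirs = [e for e in entries if e["is_dir"] and GUID_DIR_RE.search(e["path"])]
    per_day = defaultdict(int)
    for e in guid_dirs:
        per_day[e["mtime"].date().isoformat()] += 1
    drivers = [e for e in entries if not e["is_dir"] and DRIVER_DIR in e["path"].lower()]
    return {
        "guid_dirs": [e["path"] for e in guid_dirs],
        "guid_dirs_per_day": dict(per_day),
        "driver_files": [e["path"] for e in drivers],
    }


# Constructed sample: lines copied from the DDS and ComboFix output in this thread.
SAMPLE_LOG = r"""
2011-11-07 16:06:51 -------- d-----w- c:\users\admin\appdata\local\{A4F3D3CC-6105-4FF4-B998-7B35CB2A16BE}
2011-11-07 16:06:27 -------- d-----w- c:\users\admin\appdata\local\{46208564-4642-47C4-B249-79034BE5FE19}
2011-11-06 00:54:13 -------- d-----w- c:\users\admin\appdata\local\{CC995937-E8F8-4167-9B33-6C4D0418C820}
.
==================== Find3M ====================
.
2011-11-28 02:36:47 351744 ----a-w- c:\windows\system32\drivers\csc.sys
2011-11-19 06:59:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-28 02:36 . 2009-08-20 08:28 351744 ----a-w- c:\windows\system32\drivers\csc.sys
.
------- Supplementary Scan -------
uInternet Settings,ProxyServer = 165.228.133.10:3128
"""

if __name__ == "__main__":
    for key, value in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
    print("proxy_servers:", find_proxy_settings(SAMPLE_LOG))
```

Run it against a full DDS or ComboFix log saved as text; a burst of several GUID folders on one day, a freshly written driver, or a proxy that nobody configured are each a prompt to look closer at that entry, not proof of infection on their own.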




#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:28 AM

Posted 06 December 2011 - 03:15 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/430269 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 banichi


Posted 06 December 2011 - 07:58 PM

I do still need help. The laptop has been off and I have taken no additional steps since providing the DDS and GMER logs, above, as instructed by Orange Blossom. The logs above represent the most recent state of my laptop. They were run from a flash drive, since I could neither download nor store them on the C: drive.

I do not appear to be able to save anything to the laptop's desktop. I cannot install updated copies of Malwarebytes, TDSSKiller, ComboFix, GMER, or on-line scanner. I cannot access McAfee to disable either the AV or the firewall. I do appear to be able to run things from the flash drive, so I might be able to load a copy of taskmgr onto the flash drive and kill processes, from there. I cannot tell if the apparent constraints on my permissions are software-based or actual. I do have a bootable Norton Ghost Symantec Recovery Disk from another machine that may be able to read my backups and restore the disk to a point in time prior to everything blowing up. I also have a Norton Bootable Recovery Disk with various Symantec AV tools from another machine that may allow for a clean boot. If I cannot recover the laptop, then I will need to remove the drive, dock it, and mount it as an external drive on the other machine and clean it from there, so I can recover data from it, and begin the process of rebuilding the machine.

I could run another log, but nothing has changed since the machine was shut down after running the last set, and it would have to be run from the flash drive without being able to disable the anti-virus and anti-malware software.

OS details are provided in the original post and logs, above.

No original disks were provided with my Dell laptop. I have not been able to locate the reinstall disks, which were moved while I was out of town on an extended contract. As stated, I do have complete backups which might still be viable, if they were not corrupted by the viruses, and the drives were not infected. That remains to be determined.

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:28 AM

Posted 07 December 2011 - 10:07 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 banichi

banichi
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:28 AM

Posted 07 December 2011 - 02:21 PM

Hi, Gringo. Thanks for volunteering to help me!

...Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<...

I'm on a known clean machine, for communications and downloading. FYI, the second link (to the techsupportforum.com thread) triggered the Norton 360 v5 Firewall on this computer, with a "Fake App Attack: Fake AV Redirect 27" attempted intrusion alert. Just so you know. I have details in my log, if your team needs them; regardless, the second link to information on how to disable security software may no longer be reliable.

When I started this thread, I was being prevented from accessing McAfee to do anything with the AV and Firewall, and I was being prevented from downloading and installing ComboFix, but I will try to come up with a way of doing this. Even Safe Mode didn't appear to disable McAfee, before, but I'll give that another try. Attempting to download and reinstall ComboFix didn't work from Safe Mode with Networking, either, but again, I'll give it another try, and also try to come up with a way of using the flash drive to somehow accomplish this.

Any suggestions will be welcome.

- Banichi

Edited by banichi, 07 December 2011 - 02:37 PM.


#6 gringo_pr


Posted 07 December 2011 - 02:43 PM

Hello


You may have to uninstall McAfee to be able to run some of our tools.


gringo

#7 banichi


Posted 07 December 2011 - 04:22 PM

Hello

Just as I am not able to start the McAfee console (normal and Safe Mode), I am not able to uninstall McAfee Security Center. Uninstall runs for a second and then just goes away (normal and Safe Mode). No messages or feedback. I also tried uninstalling via Piriform's CCleaner uninstall tool, but I suspect that all it does is use the Windows uninstall utility, because it does the same thing - uninstall runs for a second and stops.

Attempting to download ComboFix directly to the laptop does not work. When I click on the download button at bleepingcomputer, the tab for it in the browser closes. No messages or feedback.

I DO appear to be able to run ComboFix from the flash drive in Safe Mode, but I get warning messages that McAfee AV and Firewall are running and will cause unreliable results or damage the computer if I proceed with ComboFix.

- Banichi

#8 banichi


Posted 07 December 2011 - 06:19 PM

Hello,

With the Windows Installer apparently not working, I downloaded the McAfee Complete Product Removal tool (MCPR.exe) and attempted to run it from the flash drive in Safe Mode. A warning dialog popped up with the following message:

"NSIS Error!

The installer you are trying to use is corrupted or incomplete.
This could be the result of a damaged disk, a failed download, or a virus.

You may want to contact the author of this installer to obtain a new copy.

It may be possible to skip this check by using the /NCRC command line switch (NOT RECOMMENDED)."




The process is not allowed to run. MCPR.exe runs just fine from this same flash drive on a clean machine.

#9 banichi


Posted 08 December 2011 - 09:31 PM

Hello,

So...should I run ComboFix even if I can't disable McAfee?

- Banichi

#10 gringo_pr


Posted 08 December 2011 - 09:33 PM

Hello


Sorry, yes, go ahead and run it.

#11 banichi


Posted 08 December 2011 - 09:35 PM

Thanks, and no problem. I'll give it a shot in a few minutes.

#12 gringo_pr


Posted 08 December 2011 - 09:47 PM

:thumbup2:

#13 banichi


Posted 08 December 2011 - 10:35 PM

Ran ComboFix as Administrator from Safe Mode off the flash drive with, perhaps, some success, although I don't know what to trust of system messages at this point.

At several points (some unidentified, and three steps), messages to the effect of "Access denied. Administrator privileges required to complete these tasks" were displayed, but the cmd window closed and was replaced by the log before I could copy the stream of text so you could see it. The cmd window showed as running as Administrator at the time. I have not rebooted yet.

Log follows:

ComboFix 11-12-06.02 - Admin 12/08/2011 22:06:43.1.2 - x86 MINIMAL
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3581.3108 [GMT -5:00]
Running from: G:\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Admin\AppData\Local\{70165242-558B-4255-88F7-F9B757190A32}
c:\users\Admin\AppData\Local\{70165242-558B-4255-88F7-F9B757190A32}\chrome.manifest
c:\users\Admin\AppData\Local\{70165242-558B-4255-88F7-F9B757190A32}\chrome\content\overlay.xul
c:\users\Admin\AppData\Local\{70165242-558B-4255-88F7-F9B757190A32}\install.rdf
c:\users\Admin\AppData\Local\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\chrome.manifest
c:\users\Admin\AppData\Local\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\chrome\content\overlay.xul
c:\users\Admin\AppData\Local\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\install.rdf
c:\users\Admin\AppData\Local\Application Data\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\chrome.manifest
c:\users\Admin\AppData\Local\Application Data\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\chrome\content\overlay.xul
c:\users\Admin\AppData\Local\Application Data\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\install.rdf
c:\users\Admin\AppData\Local\Application Data\Application Data\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\chrome.manifest
c:\users\Admin\AppData\Local\Application Data\Application Data\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\chrome\content\overlay.xul
c:\users\Admin\AppData\Local\Application Data\Application Data\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\install.rdf
c:\users\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\chrome.manifest
c:\users\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\chrome\content\overlay.xul
c:\users\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\install.rdf
c:\users\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\chrome.manifest
c:\users\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\chrome\content\overlay.xul
c:\users\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\install.rdf
c:\users\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\chrome.manifest
c:\users\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\chrome\content\overlay.xul
c:\users\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\install.rdf
c:\users\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\chrome.manifest
c:\users\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\chrome\content\overlay.xul
c:\users\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\install.rdf
c:\users\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\chrome.manifest
c:\users\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\chrome\content\overlay.xul
c:\users\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\install.rdf
c:\users\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\chrome.manifest
c:\users\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\chrome\content\overlay.xul
c:\users\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\install.rdf
c:\users\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\chrome.manifest
c:\users\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\chrome\content\overlay.xul
c:\users\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\{70165242-558B-4255-88F7-F9B757190A32}\install.rdf
c:\users\Admin\AppData\Roaming\inst.exe
c:\users\Admin\AppData\Roaming\Local
c:\users\Admin\AppData\Roaming\Local\Temp\DDM\Settings\.ddr
c:\users\Admin\AppData\Roaming\Local\Temp\DDM\Settings\Post_Install_RB_HiQ_en.divx.ddr
c:\users\Admin\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\(2)
c:\users\Admin\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\Post_Install_RB_HiQ_en.divx
c:\users\Admin\Documents\~WRL0005.tmp
c:\users\Admin\GoToAssistDownloadHelper.exe
c:\windows\system32\Install.bat
c:\windows\system32\readme.rtf
.
.
((((((((((((((((((((((((( Files Created from 2011-11-09 to 2011-12-09 )))))))))))))))))))))))))))))))
.
.
2011-12-09 03:17 . 2011-12-09 03:17 -------- d-----w- c:\users\Admin\AppData\Local\temp
2011-12-09 03:17 . 2011-12-09 03:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-09 03:17 . 2011-12-09 03:17 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2011-12-01 10:18 . 2011-12-01 10:19 -------- d-----w- c:\users\Admin\AppData\Local\NPE
2011-12-01 10:18 . 2011-12-01 10:18 -------- d-----w- c:\programdata\Norton
2011-11-27 06:46 . 2011-11-27 06:46 -------- d-----w- c:\users\Admin\AppData\Local\Adobe
2011-11-25 06:37 . 2011-11-25 06:37 -------- d-----w- c:\users\Admin\AppData\Roaming\Malwarebytes
2011-11-25 06:36 . 2011-11-25 06:36 -------- d-----w- c:\programdata\Malwarebytes
2011-11-25 06:36 . 2011-11-25 06:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-25 06:36 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 05:39 . 2011-11-23 05:40 -------- d-----w- c:\users\Admin\AppData\Roaming\KastorFreeAudioConverter
2011-11-23 05:39 . 2011-11-23 05:39 -------- d-----w- c:\program files\Kastor Free Mp3 M4a Wma Converter
2011-11-16 05:44 . 2011-11-16 05:44 -------- d-----w- c:\program files\Common Files\Skype
2011-11-16 05:27 . 2011-11-19 07:03 -------- d-----r- c:\program files\Skype
2011-11-15 08:53 . 2011-11-15 08:53 -------- d-----w- c:\users\Admin\AppData\Roaming\Logitech
2011-11-09 15:36 . 2011-10-17 11:41 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-11-09 15:36 . 2011-09-20 21:02 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-09 15:36 . 2011-09-30 15:57 707584 ----a-w- c:\program files\Common Files\System\wab32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-28 02:36 . 2009-08-20 08:28 351744 ----a-w- c:\windows\system32\drivers\csc.sys
2011-11-19 06:59 . 2011-10-17 05:56 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-03 10:06 . 2011-03-16 20:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-30 03:57 . 2010-11-08 08:34 1856512 ----a-w- c:\program files\Default Programs Editor.exe
2011-11-10 03:12 . 2011-04-28 05:14 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-06-17 14:53 . 2008-08-13 07:03 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2011-04-14 18:01 . 2010-07-30 13:59 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-04-18 159744]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"Norton Save and Restore 2.0"="c:\program files\Norton Save and Restore\Agent\VProTray.exe" [2008-05-07 2037088]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-17 30192]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2007-10-02 233472]
"SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2007-10-02 131072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-09-05 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-16 13793824]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2009-06-16 92704]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-07 405504]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-04-05 1195408]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-12-09 1226608]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-08-12 205336]
"PlusService"="c:\program files\Yuna Software\Messenger Plus!\PlusService.exe" [2011-09-20 801792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-31 50688]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-06-01 00:34 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R1 dvdfabio;dvdfabio;c:\windows\system32\drivers\dvdfabio.sys [2011-07-06 12672]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2011-04-14 64584]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-04-14 165032]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-08-29 73728]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-04-14 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2011-04-14 141792]
R2 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;c:\users\Admin\smp-fah\smpd.exe [2007-01-31 1135616]
R2 Norton Save and Restore;Norton Save and Restore;c:\program files\Norton Save and Restore\Agent\VProSvc.exe [2008-05-07 3425632]
R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [2009-08-20 185640]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2011-08-19 450848]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-04-14 56064]
R3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [2010-05-21 23096]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-06-17 30192]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-04-14 314088]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-04-14 84488]
R3 PCD5SRVC{3F6A8B78-EC003E00-05040104};PCD5SRVC{3F6A8B78-EC003E00-05040104} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms [x]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2007-12-02 47360]
R3 SaiH0461;SaiH0461;c:\windows\system32\DRIVERS\SaiH0461.sys [2006-08-08 182528]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2008-07-31 717296]
S3 vdrive;vdrive;c:\windows\system32\DRIVERS\vdrive.sys [2011-07-06 36736]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - DLABMFSM
*Deregistered* - DLABOIOM
*Deregistered* - DLADResM
*Deregistered* - DLAIFS_M
*Deregistered* - DLAOPIOM
*Deregistered* - DLAPoolM
*Deregistered* - DLARTL_M
*Deregistered* - DLAUDF_M
*Deregistered* - DLAUDFAM
*Deregistered* - DRVNDDM
*Deregistered* - mferkdk
*Deregistered* - mfesmfk
*Deregistered* - MPFP
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-12 01:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
2008-08-28 18:50 30720 ----a-w- c:\windows\System32\soundschemes2.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2231091182-2183943481-13651723-1003Core.job
- c:\users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [2009-01-25 10:24]
.
2011-12-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2231091182-2183943481-13651723-1003UA.job
- c:\users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [2009-01-25 10:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070906
uInternet Settings,ProxyServer = 165.228.133.10:3128
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
IE: MasterCook: Select Image - c:\mastercook 9\Web\MCIEContext.hta
TCP: DhcpNameServer = 192.168.1.1
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://cam15001.miemasu.net/kxhcm10.ocx
FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z42p4y6l.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxps://www.facebook.com/|http://www.dogforum.net/|http://forum.sausagemaking.org/|http://wedlinydomowe.pl/en/index.php
.
.
------- File Associations -------
.
.txt=UltraEdit.txt
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-68068677.sys
MSConfigStartUp-pHHH66sWK7EL - c:\users\Admin\AppData\Roaming\dwme.exe
AddRemove-Expert System Builder - c:\windows\system32\G
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-08 22:17
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}]
"ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fa,dd,85,53,e5,3f,cd,4f,a6,b5,d6,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fa,dd,85,53,e5,3f,cd,4f,a6,b5,d6,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{12A5109E-F9A9-4A44-B849-2B6B245FC5E"*]
@="MpsVersion Class"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-12-08 22:20:56
ComboFix-quarantined-files.txt 2011-12-09 03:20
.
Pre-Run: 53,959,217,152 bytes free
Post-Run: 53,885,415,424 bytes free
.
- - End Of File - - 6A06B634B7EB90DCD2F5A5B0E6563ADF

Edited by banichi, 08 December 2011 - 10:37 PM.


#14 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 08 December 2011 - 10:55 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#15 banichi

  • Topic Starter
  • Members
  • 32 posts
  • Gender:Male

Posted 08 December 2011 - 11:17 PM

I haven't been able to save anything to the desktop and ran this from the flash drive. I'll restart and see if I can install ComboFix to the desktop and run that way; otherwise, I'll try to accomplish this from the flash drive.
