infection blocked McAfee, possibly Generic exploit!ka and others


  • This topic is locked
18 replies to this topic

#1 Spike2011


  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:38 AM

Posted 14 December 2011 - 11:10 PM

I have a Dell 8400, windows XP home, McAfee viruscan, adaware, spybot.
Had a series of infections starting with McAfee finding and deleting an infection. I had updated McAfee the day before. Subsequently, each time I tried to update McAfee I would get a dll file error (The ordinal 1112 could not be located in the dynamic link library WSOCK32.dll) and could not update. McAfee “on access scan” would not turn on regularly.
Scan found XSLT.Class and reported clean failed and found Generic exploit!ka .
I tried to use recovery console as explained on McAfee website with XP CD but the CD was SP2 and I had upgraded to SP3, so it would not work.
AdAware scan found Trojan.win32.Generic!BT.
Another McAfee scan found Adaware open candy.dll, Generic downloader. XPGFK six times.
I tried to repair with sfc scannow but it would not repair files because my disk was SP2 and I am running SP3.
Ran McAfee in safe mode, found artemis A7701557ICFO, crop.class, zoom.class, image.class, multizoom.class, zoom.class.
Made bootable disk from AVG to scan when OS not running and found:
Windows/system32/drivers/acpi.sys Trojan horse Agent3.wjv Object is white listed (critical system file) and Windows/system32/drivers/serial.sys Trojan horse Agent_r.ats. Object is white listed (critical system file).

Used Acronis to restore my C: windows files.
Reran AVG scan and now clean.
Ran malware scan - OK
Ran stinger-nothing found
Uninstalled and reinstalled McAfee, scan found 14 detections in C: documents and settings\network service\app data\sun\Java\deployment cache\6.0… :
zoom.class detected as JV/mail
morale.class,
crop.class detected as Generic exploit KJ
multizoom

Checked java was up to date, tried to clear cache-not sure if successful.

Updated and reran McAfee with Ad-Aware off. Ran GetSusp.exe, found one suspicious file, a Windows installer exe file. I sent it to the automatic virus service but got the reply that it could not be confirmed as a virus.
Ran Malwarebytes, found artemis in System Restore (this was in a file with my prior hard drive information in a different partition, not my running OS) and cleaned.
Ran SUPERAntiSpyware in Windows safe mode, found 187 tracking cookies.
Ran Dr. Web CureIt in safe mode, found nothing.
Ran Malwarebytes, found nothing.
Ran rootkit buster from Titanium, found issues with my acronis backup, couldn’t repair, did not sound relevant.
Reran windows safety scanner (msert) in safe mode, no detections
Ran windows defender, no unwanted or harmful software detected.
Learned to make slipstream disk with windows sp3, able to run sfc /scannow. Ran ok, and completed. Seemed to read the slipstreamed disk ok.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Run by John at 20:44:12 on 2011-12-14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1401 [GMT -5:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: McAfee VirusScan Enterprise+AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\rundll32.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111206102159.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"
mRun: [UIUCU] c:\docume~1\john\locals~1\temp\UIUCU.EXE -CLEAN_UP -S
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
StartupFolder: c:\docume~1\john\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
Trusted Zone: shps.com\fsafeds
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967}
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxps://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1323705320703
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{0D42377B-D1AF-4456-AD81-779572DA6620} : DhcpNameServer = 192.168.1.1 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\john\application data\mozilla\firefox\profiles\ffz1c8p1.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-9-15 64288]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-12-6 461864]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-12-6 89624]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-7-18 116608]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2011-1-12 120128]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-11-24 166024]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2011-1-12 209760]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-12-6 148520]
R2 NAUpdate;@c:\program files\nero\update\nasvc.exe,-200;c:\program files\nero\update\NASvc.exe [2010-5-4 503080]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-9-13 180072]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-9-13 59288]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-15 135664]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-8-18 2152152]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-11-28 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-9-15 135664]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-22 22216]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-12-6 87808]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
.
=============== Created Last 30 ================
.
2011-12-14 23:55:59 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{28853cf0-f232-4973-ad5a-e346ea893f49}\offreg.dll
2011-12-13 21:11:37 -------- d-----w- c:\documents and settings\john\application data\SUPERAntiSpyware.com
2011-12-13 18:19:37 -------- d-----w- c:\program files\CCleaner
2011-12-13 16:37:33 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{28853cf0-f232-4973-ad5a-e346ea893f49}\mpengine.dll
2011-12-13 03:47:11 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-12-13 03:47:08 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-12-13 03:47:06 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-12-13 03:47:02 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2011-12-13 03:45:51 701386 -c--a-w- c:\windows\system32\dllcache\wdhaalba.sys
2011-12-13 03:44:59 24576 -c--a-w- c:\windows\system32\dllcache\viairda.sys
2011-12-13 03:43:57 69632 -c--a-w- c:\windows\system32\dllcache\umaxu12.dll
2011-12-13 03:42:57 315520 -c--a-w- c:\windows\system32\dllcache\trid3d.dll
2011-12-13 03:41:55 30464 -c--a-w- c:\windows\system32\dllcache\tbatm155.sys
2011-12-13 03:40:57 155648 -c--a-w- c:\windows\system32\dllcache\stlnprop.dll
2011-12-13 03:39:58 9600 -c--a-w- c:\windows\system32\dllcache\sonymc.sys
2011-12-13 03:39:57 7552 -c--a-w- c:\windows\system32\dllcache\sonyait.sys
2011-12-13 03:39:53 7040 -c--a-w- c:\windows\system32\dllcache\snyaitmc.sys
2011-12-13 03:39:25 58368 -c--a-w- c:\windows\system32\dllcache\smiminib.sys
2011-12-13 03:39:18 147200 -c--a-w- c:\windows\system32\dllcache\smidispb.dll
2011-12-13 03:39:14 25034 -c--a-w- c:\windows\system32\dllcache\smcpwr2n.sys
2011-12-13 03:39:11 35913 -c--a-w- c:\windows\system32\dllcache\smcirda.sys
2011-12-13 03:39:07 24576 -c--a-w- c:\windows\system32\dllcache\smc8000n.sys
2011-12-13 03:39:04 6784 -c--a-w- c:\windows\system32\dllcache\smbhc.sys
2011-12-13 03:39:03 6912 -c--a-w- c:\windows\system32\dllcache\smbclass.sys
2011-12-13 03:39:02 16000 -c--a-w- c:\windows\system32\dllcache\smbbatt.sys
2011-12-13 03:37:49 161568 -c--a-w- c:\windows\system32\dllcache\sgsmusb.sys
2011-12-13 03:37:46 18400 -c--a-w- c:\windows\system32\dllcache\sgsmld.sys
2011-12-13 03:37:42 98080 -c--a-w- c:\windows\system32\dllcache\sgiulnt5.sys
2011-12-13 03:37:39 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
2011-12-13 03:37:35 36480 -c--a-w- c:\windows\system32\dllcache\sfmanm.sys
2011-12-13 03:37:30 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2011-12-13 03:37:27 17664 -c--a-w- c:\windows\system32\dllcache\sermouse.sys
2011-12-13 03:37:19 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys
2011-12-13 03:37:18 11520 -c--a-w- c:\windows\system32\dllcache\scsiscan.sys
2011-12-13 03:37:14 11648 -c--a-w- c:\windows\system32\dllcache\scsiprnt.sys
2011-12-13 03:37:01 17280 -c--a-w- c:\windows\system32\dllcache\scr111.sys
2011-12-13 03:35:57 79872 -c--a-w- c:\windows\system32\dllcache\rwia430.dll
2011-12-13 03:35:53 29696 -c--a-w- c:\windows\system32\dllcache\rw450ext.dll
2011-12-13 03:35:52 27648 -c--a-w- c:\windows\system32\dllcache\rw430ext.dll
2011-12-13 03:35:49 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys
2011-12-13 03:35:46 19017 -c--a-w- c:\windows\system32\dllcache\rtl8029.sys
2011-12-13 03:35:43 30720 -c--a-w- c:\windows\system32\dllcache\rthwcls.sys
2011-12-13 03:35:38 9216 -c--a-w- c:\windows\system32\dllcache\rsmgrstr.dll
2011-12-13 03:35:35 3840 -c--a-w- c:\windows\system32\dllcache\rpfun.sys
2011-12-13 03:35:32 79104 -c--a-w- c:\windows\system32\dllcache\rocket.sys
2011-12-13 03:35:28 37563 -c--a-w- c:\windows\system32\dllcache\rlnet5.sys
2011-12-13 03:35:24 86097 -c--a-w- c:\windows\system32\dllcache\reslog32.dll
2011-12-13 03:35:04 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
2011-12-13 03:35:00 714762 -c--a-w- c:\windows\system32\dllcache\r2mdmkxx.sys
2011-12-13 03:33:58 17664 -c--a-w- c:\windows\system32\dllcache\ppa3.sys
2011-12-13 03:32:58 29769 -c--a-w- c:\windows\system32\dllcache\pcntn5m.sys
2011-12-12 17:27:53 -------- d-----w- c:\program files\nLite
2011-12-12 02:45:03 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\backup\mpengine.dll
2011-12-12 02:44:52 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-12-11 18:34:45 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-12-11 15:14:55 -------- d-----w- c:\documents and settings\all users\application data\!SASCORE
2011-12-11 15:14:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-11 15:14:52 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-12-10 17:56:59 -------- d-----w- c:\documents and settings\john\application data\McAFee TechCheck
2011-12-10 17:51:18 244416 ----a-w- c:\windows\system32\Msflxgrd.ocx
2011-12-10 17:51:17 209192 ----a-w- c:\windows\system32\TABCTL32.OCX
2011-12-10 17:51:09 -------- d-----w- c:\documents and settings\john\application data\TechCheck
2011-12-06 14:14:01 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-12-06 14:13:59 89624 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-12-06 14:13:59 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-12-06 14:13:59 148520 ----a-w- c:\windows\system32\mfevtps.exe
2011-12-06 02:34:33 14664 ----a-w- c:\windows\stinger.sys
2011-12-06 02:31:57 -------- d-----w- c:\program files\stinger
2011-12-04 20:20:24 2471264 ----a-w- c:\windows\system32\AutoPartNt.exe
2011-12-04 20:04:48 720896 ----a-w- c:\windows\system32\OLDA.tmp
2011-12-02 03:04:30 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
2011-12-02 03:04:25 54186 -c--a-w- c:\windows\system32\dllcache\otcsercb.sys
2011-12-02 03:04:20 43689 -c--a-w- c:\windows\system32\dllcache\otceth5.sys
2011-12-02 03:04:15 27209 -c--a-w- c:\windows\system32\dllcache\otc06x5.sys
2011-12-02 03:04:10 54528 -c--a-w- c:\windows\system32\dllcache\opl3sax.sys
2011-12-02 03:04:01 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
2011-12-02 03:03:48 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2011-12-02 03:03:43 123776 -c--a-w- c:\windows\system32\dllcache\nv3.dll
2011-12-02 03:03:19 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2011-12-02 02:58:35 9344 -c--a-w- c:\windows\system32\dllcache\ntapm.sys
2011-12-02 02:58:31 7552 -c--a-w- c:\windows\system32\dllcache\nsmmc.sys
2011-12-02 02:58:30 28672 -c--a-w- c:\windows\system32\dllcache\nscirda.sys
2011-12-02 02:58:22 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys
2011-12-02 02:58:19 126080 -c--a-w- c:\windows\system32\dllcache\nm5a2wdm.sys
2011-12-02 02:58:13 32840 -c--a-w- c:\windows\system32\dllcache\ngrpci.sys
2011-12-02 02:58:11 132695 -c--a-w- c:\windows\system32\dllcache\netwlan5.sys
2011-12-02 02:58:03 65278 -c--a-w- c:\windows\system32\dllcache\netflx3.sys
2011-12-02 02:56:57 21888 -c--a-w- c:\windows\system32\dllcache\mxcard.sys
2011-12-02 02:56:50 103296 -c--a-w- c:\windows\system32\dllcache\mtxvideo.sys
2011-12-02 02:56:35 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2011-12-02 02:56:34 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2011-12-02 02:56:26 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2011-12-02 02:56:14 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2011-12-02 02:56:11 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2011-12-02 02:55:52 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2011-12-02 02:55:48 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2011-12-02 02:55:45 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2011-12-02 02:55:31 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2011-12-02 02:55:26 15232 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2011-12-02 02:55:10 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2011-12-02 02:54:59 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
2011-12-02 02:54:55 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll
2011-12-02 02:54:50 26112 -c--a-w- c:\windows\system32\dllcache\memstpci.sys
2011-12-02 02:54:46 47616 -c--a-w- c:\windows\system32\dllcache\memgrp.dll
2011-12-02 02:54:43 8320 -c--a-w- c:\windows\system32\dllcache\memcard.sys
2011-12-02 02:54:38 164586 -c--a-w- c:\windows\system32\dllcache\mdgndis5.sys
2011-12-02 02:54:31 7424 -c--a-w- c:\windows\system32\dllcache\mammoth.sys
2011-12-02 02:52:04 48768 -c--a-w- c:\windows\system32\dllcache\maestro.sys
2011-12-02 02:52:00 58880 -c--a-w- c:\windows\system32\dllcache\m3092dc.dll
2011-12-02 02:50:58 37376 -c--a-w- c:\windows\system32\dllcache\kousd.dll
2011-12-02 02:50:54 253952 -c--a-w- c:\windows\system32\dllcache\kdsusd.dll
2011-12-02 02:50:53 48640 -c--a-w- c:\windows\system32\dllcache\kdsui.dll
2011-12-02 02:50:30 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2011-12-02 02:50:26 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2011-12-02 02:48:58 13056 -c--a-w- c:\windows\system32\dllcache\inport.sys
2011-12-02 02:48:54 16000 -c--a-w- c:\windows\system32\dllcache\ini910u.sys
2011-12-02 02:48:15 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2011-12-02 02:48:10 100992 -c--a-w- c:\windows\system32\dllcache\icam5usb.sys
2011-12-02 02:48:06 20480 -c--a-w- c:\windows\system32\dllcache\icam5ext.dll
2011-12-02 02:48:02 45056 -c--a-w- c:\windows\system32\dllcache\icam5com.dll
2011-12-02 02:46:50 488383 -c--a-w- c:\windows\system32\dllcache\hsf_v124.sys
2011-12-02 02:46:46 50751 -c--a-w- c:\windows\system32\dllcache\hsf_tone.sys
2011-12-02 02:46:42 73279 -c--a-w- c:\windows\system32\dllcache\hsf_spkp.sys
2011-12-02 02:46:39 44863 -c--a-w- c:\windows\system32\dllcache\hsf_soar.sys
2011-12-02 02:46:34 57471 -c--a-w- c:\windows\system32\dllcache\hsf_samp.sys
2011-12-02 02:46:30 542879 -c--a-w- c:\windows\system32\dllcache\hsf_msft.sys
2011-12-02 02:46:27 391199 -c--a-w- c:\windows\system32\dllcache\hsf_k56k.sys
2011-12-02 02:46:23 9759 -c--a-w- c:\windows\system32\dllcache\hsf_inst.dll
2011-12-02 02:46:19 115807 -c--a-w- c:\windows\system32\dllcache\hsf_fsks.sys
2011-12-02 02:46:15 199711 -c--a-w- c:\windows\system32\dllcache\hsf_faxx.sys
2011-12-02 02:46:11 289887 -c--a-w- c:\windows\system32\dllcache\hsf_fall.sys
2011-12-02 02:46:07 67167 -c--a-w- c:\windows\system32\dllcache\hsf_bsc2.sys
2011-12-02 02:46:03 150239 -c--a-w- c:\windows\system32\dllcache\hsf_amos.sys
2011-12-02 02:44:53 2688 -c--a-w- c:\windows\system32\dllcache\hidswvd.sys
2011-12-02 02:43:45 92160 -c--a-w- c:\windows\system32\dllcache\fuusd.dll
2011-12-02 02:43:42 455296 -c--a-w- c:\windows\system32\dllcache\fusbbase.sys
2011-12-02 02:43:39 455680 -c--a-w- c:\windows\system32\dllcache\fus2base.sys
2011-12-02 02:43:28 442240 -c--a-w- c:\windows\system32\dllcache\fpnpbase.sys
2011-12-02 02:43:24 441728 -c--a-w- c:\windows\system32\dllcache\fpcmbase.sys
2011-12-02 02:43:21 444416 -c--a-w- c:\windows\system32\dllcache\fpcibase.sys
2011-12-02 02:43:19 34173 -c--a-w- c:\windows\system32\dllcache\forehe.sys
2011-12-02 02:43:15 71680 -c--a-w- c:\windows\system32\dllcache\fnfilter.dll
2011-12-02 02:43:05 27165 -c--a-w- c:\windows\system32\dllcache\fetnd5.sys
2011-12-02 02:42:57 22090 -c--a-w- c:\windows\system32\dllcache\fem556n5.sys
2011-12-02 02:29:19 24618 -c--a-w- c:\windows\system32\dllcache\fa410nd5.sys
2011-12-02 02:29:16 16074 -c--a-w- c:\windows\system32\dllcache\fa312nd5.sys
2011-12-02 02:29:12 11850 -c--a-w- c:\windows\system32\dllcache\f3ab18xj.sys
2011-12-02 02:29:09 12362 -c--a-w- c:\windows\system32\dllcache\f3ab18xi.sys
2011-12-02 02:29:05 7040 -c--a-w- c:\windows\system32\dllcache\exabyte2.sys
2011-12-02 02:29:02 16998 -c--a-w- c:\windows\system32\dllcache\ex10.sys
2011-12-02 02:27:58 18503 -c--a-w- c:\windows\system32\dllcache\epro4.sys
2011-12-02 02:26:59 50719 -c--a-w- c:\windows\system32\dllcache\e1000nt5.sys
2011-12-02 02:25:58 41046 -c--a-w- c:\windows\system32\dllcache\digiisdn.dll
2011-12-02 02:24:59 28672 -c--a-w- c:\windows\system32\dllcache\cyycoins.dll
2011-12-02 02:23:54 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2011-12-02 02:22:43 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2011-12-02 02:21:58 14208 -c--a-w- c:\windows\system32\dllcache\battc.sys
2011-12-02 02:20:59 6272 -c--a-w- c:\windows\system32\dllcache\apmbatt.sys
2011-12-02 02:20:58 36224 -c--a-w- c:\windows\system32\dllcache\an983.sys
2011-12-02 02:20:57 12032 -c--a-w- c:\windows\system32\dllcache\amsint.sys
2011-12-02 02:20:55 16969 -c--a-w- c:\windows\system32\dllcache\amb8002.sys
2011-12-02 02:20:53 5248 -c--a-w- c:\windows\system32\dllcache\aliide.sys
2011-12-02 02:20:52 26624 -c--a-w- c:\windows\system32\dllcache\alifir.sys
2011-12-02 02:20:51 27678 -c--a-w- c:\windows\system32\dllcache\ali5261.sys
2011-12-02 02:20:49 56960 -c--a-w- c:\windows\system32\dllcache\aic78xx.sys
2011-12-02 02:20:48 55168 -c--a-w- c:\windows\system32\dllcache\aic78u2.sys
2011-12-02 02:20:48 12800 -c--a-w- c:\windows\system32\dllcache\aha154x.sys
2011-12-02 01:44:48 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-11-28 04:42:17 -------- d--h--w- C:\$AVG
2011-11-28 02:18:51 -------- d-----w- c:\documents and settings\john\application data\AVG2012
2011-11-28 02:17:21 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2011-11-28 02:16:56 -------- d-----w- c:\program files\AVG
2011-11-28 01:54:59 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-11-28 01:52:47 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-11-25 11:38:50 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2011-11-25 11:38:50 281104 ----a-w- c:\windows\system32\wpcap.dll
2011-11-25 11:38:49 100880 ----a-w- c:\windows\system32\Packet.dll
2011-11-25 04:36:01 28504 ----a-w- c:\program files\mozilla firefox\ScriptFF.dll
2011-11-25 04:20:25 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-11-25 04:20:00 -------- d-----w- c:\program files\common files\McAfee
2011-11-24 01:33:42 -------- d-----w- c:\documents and settings\john\application data\McAfee
2011-11-24 01:31:30 74848 ----a-w- c:\windows\system32\MfeOtlkAddin.dll
2011-11-23 01:33:00 -------- d--h--w- c:\windows\PIF
2011-11-23 01:00:03 -------- d-----w- c:\documents and settings\john\application data\Malwarebytes
2011-11-23 00:59:56 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-23 00:59:48 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 00:59:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-22 12:21:13 16432 ----a-w- c:\windows\system32\lsdelete.exe
.
==================== Find3M ====================
.
2011-12-06 15:20:05 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-12-06 15:20:05 22816 ----a-w- c:\windows\system32\MFEOtlk.dll
2011-12-06 15:20:05 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-12-06 15:20:05 119968 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-11-13 23:11:16 422210 ----a-w- c:\windows\fonts\wpfonts.exe
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 20:47:07.93 ===============

#2 HelpBot


    Bleepin' Binary Bot


  • Bots
  • 12,699 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:38 AM

Posted 21 December 2011 - 11:35 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/432522 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Spike2011 (Topic Starter, Members)

Posted 21 December 2011 - 06:18 PM

Thanks for the reply. I still need help. I think I indicated the problem in my original post. The computer seems to be running OK but previously each time I ran a scan it would find something new. I have not run any additional antivirus scans since my first post as instructed.

I have just now rerun DDS.scr and DDS.pif (perhaps that is redundant?) and GMER. I ran the dds.pif both with the AV running and disconnected from the internet with the AV off. I hope that I am providing what you requested?

Attached Files



#4 myrti (Sillyberry, Malware Study Hall Admin)

Posted 22 December 2011 - 06:29 AM

Hi,

it is enough to run one of the dds-tools, they all do the same.

please run a scan with ComboFix next:
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 Spike2011 (Topic Starter, Members)

Posted 22 December 2011 - 11:57 AM

Hi myrti,
Thanks.
I ran combofix. It took about an hour and a half. Early on it noted: you are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack... Combofix was able to run and I am connected to the internet. Here is the log. Please advise...and thanks again.

Attached File: ComboFix.txt

#6 myrti (Sillyberry, Malware Study Hall Admin)

Posted 22 December 2011 - 02:54 PM

Hi,

this is looking good. How is the PC doing?

regards myrti



#7 Spike2011 (Topic Starter, Members)

Posted 22 December 2011 - 03:55 PM

PC seems to be running fine, but it was running OK before I ran Combofix. I suspected there was something like this lurking when every AV scan seemed to pick up something new. But you are the expert, not I.
1) How can I be sure it's clean?
2) I had an external drive (with my Acronis backups and the files of my old hard drive that crashed) attached when the PC started acting up. I disconnected it except when I restored the windows files early on. Is there some way to scan the external drive to be sure this thing is not lurking in some of the old windows files in the external drive?
Thanks.

#8 myrti (Sillyberry, Malware Study Hall Admin)

Posted 22 December 2011 - 04:18 PM

Hi,

you could run a scan again with McAfee and see if it picks anything up from the files that were previously detected. Reoccurring files are a sign of infection.

Please also run a new scan with gmer. It was showing the active infection before.

regards myrti



#9 Spike2011 (Topic Starter, Members)

Posted 22 December 2011 - 10:33 PM

Hi myrti,
I ran McAfee and spybot scan and found nothing. The GMER you requested is attached. How does it look?
Combofix seemed to be the only program to find the rootkit. Can I re-run it? (I don’t want to do that without your guidance).
I really appreciate all your help.
Thanks.

Attached Files



#10 myrti (Sillyberry, Malware Study Hall Admin)

Posted 23 December 2011 - 08:17 AM

Hi,

gmer saw the infection too. This is from your first log:

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB57681$\3316028138 0 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892 0 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\bckfg.tmp 803 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\cfg.ini 207 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\keywords 533 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\L 0 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\L\nxeoqhuh 64512 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\U 0 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\U\00000001.@ 1536 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\U\80000032.@ 98304 bytes

---- EOF - GMER 1.0.15 ----

You can check for yourself that these lines are no longer present in the latest gmer log. The infection has been removed. If you need to rerun ComboFix to convince yourself, you can do that. But it is not necessary.

regards myrti

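As an added example (mine, not code from the thread or from GMER, ComboFix or ESET), this Python script parses the Files section of a GMER log like the one quoted above and reports which fake-hotfix store folders show the pattern myrti described, so the "these lines are no longer present" check can be repeated mechanically on a follow-up log. The folder and payload-name patterns are generalised from the quoted paths and are my assumption, not a published signature; the extra benign-looking line in the sample is constructed.

```python
"""Added example (not code from the thread, GMER or ComboFix): parse the
"---- Files ----" section of a GMER log and flag the ZeroAccess-style store
folder myrti pointed out, so the check can be repeated on a fresh log."""
import re
from dataclasses import dataclass

# A GMER file line: "File <path> <size> bytes"
GMER_FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+)\s+bytes\s*$")
# Store folder seen in the thread: a fake hotfix uninstall folder holding a
# purely numeric subfolder (pattern generalised from the quoted paths).
FAKE_HOTFIX_RE = re.compile(
    r"^(?P<store>[A-Z]:\\[^\\]+\\\$NtUninstallKB\d+\$\\\d+)(?:\\|$)", re.IGNORECASE)
# Payload naming inside that store: "@" and U\<8 hex digits>.@ (assumed from the log)
PAYLOAD_RE = re.compile(r"(?:\\[UL]\\[0-9A-F]{8}\.@|\\@)$", re.IGNORECASE)


@dataclass(frozen=True)
class GmerFile:
    path: str
    size: int


def parse_gmer_files(log_text):
    """Return GmerFile entries from the '---- Files ----' section(s) only."""
    entries, in_files = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("---- Files"):
            in_files = True
            continue
        if line.startswith("----"):  # next section header or the EOF marker
            in_files = False
            continue
        m = GMER_FILE_RE.match(line) if in_files else None
        if m:
            entries.append(GmerFile(m.group("path"), int(m.group("size"))))
    return entries


def assess_store(store, files):
    """Summarise one candidate store; suspicious = U or L subfolder plus @ files."""
    rels = [f.path[len(store):].lower() for f in files]  # paths relative to store
    has_u = any(r == "\\u" or r.startswith("\\u\\") for r in rels)
    has_l = any(r == "\\l" or r.startswith("\\l\\") for r in rels)
    payloads = sum(1 for r in rels if PAYLOAD_RE.search(r))
    return {"store": store, "entries": len(files),
            "total_bytes": sum(f.size for f in files), "payload_files": payloads,
            "suspicious": (has_u or has_l) and payloads > 0}


def scan_gmer_log(log_text):
    """Group file entries by candidate store and assess each, sorted by store."""
    stores = {}
    for e in parse_gmer_files(log_text):
        m = FAKE_HOTFIX_RE.match(e.path)
        if m:
            stores.setdefault(m.group("store").lower(), []).append(e)
    return [assess_store(s, fs) for s, fs in sorted(stores.items())]


# Sample input: the Files block myrti quoted from the first GMER log, plus one
# constructed benign-looking line (a genuine hotfix folder keeps a spuninst
# subfolder, not numeric U/L stores); KB123456 is a placeholder number.
SAMPLE_LOG = r"""
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\$NtUninstallKB57681$\3316028138 0 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892 0 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\bckfg.tmp 803 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\cfg.ini 207 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\keywords 533 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\L 0 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\L\nxeoqhuh 64512 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\U 0 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\U\00000001.@ 1536 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB57681$\4241300892\U\80000032.@ 98304 bytes
File C:\WINDOWS\$NtUninstallKB123456$\spuninst\spuninst.exe 2048 bytes
---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    print(scan_gmer_log(SAMPLE_LOG))
```

Run it against a newer GMER log in place of SAMPLE_LOG: an empty result, or no store marked suspicious, is the mechanical form of myrti's "no longer present" check.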


#11 Spike2011 (Topic Starter, Members)

Posted 23 December 2011 - 02:58 PM

Hi myrti,

Thanks!

I also ran adaware and Malwarebytes scan and found nothing. I reran combofix, which ran quickly this time. I am attaching the log (I don't really know how to interpret it), but I don’t think it found anything either, just as you predicted. You are AWESOME! Thanks for pointing out where GMER showed the removed files.

I have a few questions I hope you can answer. These relate to whether the rootkit could have integrated into other files in my partitions and external drive.

1) Combofix ran only on my c: partition (as per instructions). I have an E and F partition that has data, a copy of all the files from an old harddrive including operating system files, etc. Can I run combofix on those also?

2) Before I found the infection I had an external drive attached with my acronis backups. The external drive backups have operating system files. I used one of those backups to copy some of the windows files which seemed to help early on, but as you know, that did not get the rootkit out. Can I run combofix on that?

3) During the infection time, I wanted to run sfc /scannow. To do that I made a slipstream disc (combining XP sp2 and sp3) using nLite on the infected computer. (I have the Dell issued CD with windows xp home sp2, but the computer is running sp3.) It seemed to work to repair some files. But now I am concerned whether or not the disc could harbor the rootkit. Should I trash that disc?

Thanks again for all the help. I believe you slayed the dragon...but I don't want to let it get its nose under the tent.

Spike2011

Attached Files



#12 myrti (Sillyberry, Malware Study Hall Admin)

Posted 24 December 2011 - 06:53 AM

Hi,

Combofix ran only on my c: partition (as per instructions). I have an E and F partition that has data, a copy of all the files from an old harddrive including operating system files, etc. Can I run combofix on those also?

Even though ComboFix ran from C:\ it checked all partitions and also all connected flash drives and hard drives. There is however a difference between combofix and an antivirus scanner, because ComboFix only looks for specific, active infections. Any file that you could find on your backups or other hard drives belonging to the infection we disabled are very likely inactive and wouldn't be seen by ComboFix. However, infections specifically targeting and abusing the autorun feature on your flash drives are removed by ComboFix.

Before I found the infection I had an external drive attached with my acronis backups. The external drive backups have operating system files. I used one of those backups to copy some of the windows files which seemed to help early on, but as you know, that did not get the rootkit out. Can I run combofix on that?

No, that wouldn't work, due to the issues above. I would discard the images you made while you were infected. ZeroAccess is quite the powerful infection and it has several loading points. If you only fix one of them, then the other loading point is able to restore the infection completely. You may have replaced the right files, but just not all of them.

During the infection time, I wanted to run sfc /scannow. To do that I made a slipstream disc (combining XP sp2 and sp3) using nLite on the infected computer. (I have the Dell issued CD with windows xp home sp2, but the computer is running sp3.) It seemed to work to repair some files. But now I am concerned whether or not the disc could harbor the rootkit. Should I trash that disc?

I doubt it, but I can't guarantee it. I probably would trash the disc, just to be safe.

Thanks again for all the help. I believe you slayed the dragon...but I don't want to let it get its nose under the tent.

Please run a scan with Eset as well to see if there are any leftovers of the dragon around:
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]



#13 Spike2011 (Topic Starter, Members)

Posted 24 December 2011 - 10:58 PM

Hi myrti,
Thanks for the detailed response. I ran ESET as you wisely suggested and it found several additional threats. Are they significant? Is the dragon still breathing? Please advise.
(Best wishes for a happy holiday season)
Spike2011

Attached Files



#14 myrti (Sillyberry, Malware Study Hall Admin)

Posted 25 December 2011 - 09:01 AM

Hi,

no, the dragon isn't breathing, but we can now see how he entered your PC:

C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\26\44f2359a-1b456afc multiple threats deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\41\4ae491e9-4e239172 multiple threats deleted - quarantined

He likely used an outdated Java install to get in. We'll address that next.

E:\My Stuff\Downloads\Setup_FreeFlvConverter.exe multiple threats deleted - quarantined
F:\bad dell hardrive content\Doc and Settings if can\John\John's Documents\Files from Old Zip Disks\Backup-7-16-01\Temp\address.exe a variant of Win32/Adware.Gator.Trickler.J application deleted - quarantined
F:\Programs I installed\U tube Downloader\YouTubeDownloaderSetup263.exe a variant of Win32/Toolbar.Widgi application deleted - quarantined

This is adware/bloatware, programs that install toolbars or other not necessarily wanted programs if you don't uncheck them.

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u1-windows-i586-s.exe (or jre-7u1-windows-x64.exe for 64-bit) to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:
  • Download the latest version of Adobe Reader Version X and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older version of Adobe Reader: Go to Add/remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • Once the installation is finished, open Adobe Reader and accept the warranty if prompted.
  • Click on Help and select Check for Updates.
  • A window will open and Adobe will check for Updates. If any updates are found to be available click on Download.
  • Once the update is downloaded you will get a system notification telling you so. Click on the popup to restore the window.
  • In the window that opens click Install.
  • Once the update is done click Close.
Your Adobe Reader is now up to date!

regards myrti



#15 Spike2011 (Topic Starter, Members)

Posted 27 December 2011 - 02:38 PM

Hi myrti,

Thanks for the good news-nice to hear you still think the dragon is not breathing. And thanks for the explanation about entry through Java. Prior to your help I came across some information about JAVA vulnerability and I did update the version of Java I had installed and then tried to clear the cache. I did not find the Java website much help in that the recommendation on their website was to “use an anti-virus program to delete the applet, or you can clean the cache directory manually”. Several antivirus programs did not find the rootkit and I did not know what to delete manually. Your explanation is clear. I removed the old Java programs and reinstalled jre-7u2-windows-i586. I don’t have adobe reader installed, rather I have acrobat pro 9, which I updated with the latest update.

I did not realize that I could remove the previous Java programs (I assumed the updates would correct prior vulnerability). Is there a way to learn how to keep up with current good maintenance practices?

I previously asked about my external harddrive which I disconnected when I suspected an infection. You replied that combofix would find the infection if it was targeting/abusing the autorun on an attached drive. Since that drive (G) was not connected when I ran ComboFix earlier, I downloaded the updated ComboFix and ran that with the external drive connected. While it did not report finding a threat, I am not qualified to interpret it, so I have attached it and hope you would confirm for me that it is clean.

Are there other measures that I can address?

This has really been an incredible experience. Thanks!

Spike2011

Attached Files





