Zeroaccess, no internet, nothing seems to work


This topic is locked
13 replies to this topic

#1 ohdearme

  • Members
  • 9 posts

Posted 20 December 2011 - 09:47 PM

Computer is running Windows XP. Last week, I caught the dreaded zeroaccess rootkit virus and have been unable to get to the internet ever since. After trying to get rid of it by using malwarebytes and failing, I tried combofix. A pop-up screen loaded asking that I turn off "digital patrol" but when I went to Windows Security Center, there was no way for me to turn it off. (I believe this was the virus' doing because I could do just that in any other non-infected computer.) Still, I ran combofix and it told me that I had the zeroaccess rootkit virus. I thought combofix had gotten rid of it but still no internet afterward. I came here and piggybacked information off of another thread and tried to fix the registry by downloading ipsec.exe but that did not work.

But what I did notice is that I now have two network connection icons in my control panel as well as a new icon for Intel® Pro Set for Wire Connections. That is set for two connections, one the computer is currently using but is not working, Intel® Pro/100 VE Network Connection, and one that the computer is not using but is working and has an IP address, Intel® Pro/1000 CT Network Connection. I can't switch from one to another. And when I try to repair the connection or create a bridge, a prompt pops up and says, "To create a network bridge, you must select at least two LAN or High speed Internet connections that are not being used by internet connections sharing."

I have no idea what to do. This is the toughest virus I have ever faced. Nothing seems to knock it down. Please, I hope you can help me. Thank you for your time.

#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,658 posts
  • Gender:Male

Posted 27 December 2011 - 02:10 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/433670 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 nasdaq

  • Malware Response Team
  • 39,179 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 31 December 2011 - 11:27 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Let's see if we can get back your internet connection.

Download these tools from a good computer to a CD or Flash drive. Copy the files to the Desktop of the infected computer.
===

Run them as suggested below.

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.

Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.
===

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Please post the logs and wait for further instructions.

#4 ohdearme
  • Topic Starter

  • Members
  • 9 posts

Posted 31 December 2011 - 05:21 PM

Thank you for your help. Here is the DDS result:

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.2180
Run by Owner at 14:13:04 on 2011-12-31
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.495.231 [GMT -5:00]
.
AV: Digital Patrol *Enabled/Updated* {35237DD9-776F-4485-A7AF-729074E24B96}
AV: Norton AntiVirus 2005 *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uCustomizeSearch =
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy 2\SDHelper.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PRONoMgrWired] c:\program files\intel\prosetwired\ncs\proset\PRONoMgr.exe
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
mRun: [Spybot-S&D Cleaning] "c:\program files\spybot - search & destroy 2\SDCleaner.exe" /autoclean
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{53F16710-194A-4E02-9C9F-A04D705EB9D4} : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{BD21AB67-1BE6-4DD6-88CD-5EF8756320B5} : DhcpNameServer = 209.18.47.61 209.18.47.62
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\z3va1cic.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
.
============= SERVICES / DRIVERS ===============
.
R?2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2011-11-26 955816]
R1 SDHookDriver;Spybot-S&D 2 Hook Driver;c:\program files\spybot - search & destroy 2\SDHookDrv32.sys [2011-11-26 38504]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2011-11-26 892336]
S0 48629361;48629361;c:\windows\system32\drivers\59978923.sys --> c:\windows\system32\drivers\59978923.sys [?]
S0 52605157;52605157;c:\windows\system32\drivers\66005833.sys --> c:\windows\system32\drivers\66005833.sys [?]
S0 55110575;55110575;c:\windows\system32\drivers\66067401.sys --> c:\windows\system32\drivers\66067401.sys [?]
S0 91558000;91558000;c:\windows\system32\drivers\59521513.sys --> c:\windows\system32\drivers\59521513.sys [?]
S0 98387798;98387798;c:\windows\system32\drivers\59030613.sys --> c:\windows\system32\drivers\59030613.sys [?]
S0 muvoxg;muvoxg;c:\windows\system32\drivers\tlodb.sys --> c:\windows\system32\drivers\tlodb.sys [?]
S0 sgirv;sgirv;c:\windows\system32\drivers\hiqfnch.sys --> c:\windows\system32\drivers\hiqfnch.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S1 SAVRT;SAVRT;\??\c:\program files\norton antivirus\savrt.sys --> c:\program files\norton antivirus\SAVRT.SYS [?]
S1 SAVRTPEL;SAVRTPEL;\??\c:\program files\norton antivirus\savrtpel.sys --> c:\program files\norton antivirus\SAVRTPEL.SYS [?]
S2 SDHookService;Spybot S&D 2 Live Protection Service;c:\program files\spybot - search & destroy 2\SDHookSvc.exe [2011-11-26 130976]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\4a.tmp --> c:\windows\system32\4A.tmp [?]
S3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20060406.006\naveng.sys --> c:\progra~1\common~1\symant~1\virusd~1\20060406.006\NAVENG.Sys [?]
S3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20060406.006\navex15.sys --> c:\progra~1\common~1\symant~1\virusd~1\20060406.006\NavEx15.Sys [?]
S3 TrueSight;TrueSight;\??\c:\windows\system32\drivers\truesight.sys --> c:\windows\system32\drivers\TrueSight.sys [?]
.
=============== Created Last 30 ================
.
2011-12-30 20:55:02 64896 -c--a-w- c:\windows\system32\dllcache\serial.sys
2011-12-30 20:55:02 64896 ----a-w- c:\windows\system32\drivers\Serial.sys
2011-12-30 20:54:57 138368 -c--a-w- c:\windows\system32\dllcache\afd.sys
2011-12-30 20:54:57 138368 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-30 20:17:31 87608 ----a-w- c:\documents and settings\owner\application data\inst.exe
2011-12-18 04:52:14 -------- d-----w- c:\documents and settings\owner\application data\SUPERAntiSpyware.com
2011-12-18 04:52:14 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-12-15 01:59:52 -------- d-----w- c:\program files\FREEWI~1
2011-12-13 05:46:36 -------- d-----w- c:\documents and settings\owner\pss
2011-12-12 07:31:42 -------- d-----w- C:\88d7a40b7e36b23dd7
2011-12-12 07:20:30 -------- d-----w- c:\documents and settings\all users\application data\{A0559A84-0A11-425F-BFFC-532378694B25}
2011-12-12 07:10:08 57472 -c--a-w- c:\windows\system32\dllcache\redbook.sys
2011-12-12 07:10:08 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-12-02 13:40:52 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-12-02 13:40:52 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-12-02 13:40:51 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-12-02 13:40:50 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-12-02 13:40:50 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-12-02 13:40:50 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-12-02 13:40:49 801752 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-12-02 13:40:49 1989592 ----a-w- c:\program files\mozilla firefox\mozjs.dll
.
==================== Find3M ====================
.
2011-12-30 20:17:31 47360 ----a-w- c:\documents and settings\owner\application data\pcouffin.sys
2011-10-03 02:04:58 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys
.
============= FINISH: 14:14:39.46 ===============

And here is the FSS result:

Farbar Service Scanner
Ran by Owner (administrator) on 31-12-2011 at 17:11:13
Microsoft Windows XP Home Edition Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.


Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll
[2004-08-26 11:11] - [2006-05-19 07:59] - 0111616 ____A (Microsoft Corporation) EF545E1A4B043DA4C84E230DD471C55F

C:\WINDOWS\system32\Drivers\afd.sys
[2011-12-30 15:54] - [2008-08-14 04:51] - 0138368 ____A (Microsoft Corporation) 55E6E1C51B6D30E54335750955453702

C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-26 11:12] - [2004-08-04 14:00] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys
[2004-08-26 11:12] - [2008-06-20 05:45] - 0360320 ____A (Microsoft Corporation) 2A5554FC5B1E04E131230E3CE035C3F9

C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-26 11:11] - [2004-08-04 14:00] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-26 11:11] - [2008-02-20 00:32] - 0045568 ____A (Microsoft Corporation) AAC8FFBFD61E784FA3BAC851D4A0BD5F

C:\WINDOWS\system32\ipnathlp.dll
[2004-08-26 11:11] - [2004-08-04 14:00] - 0331264 ____A (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF

C:\WINDOWS\system32\netman.dll
[2004-08-26 11:12] - [2005-08-22 13:29] - 0197632 ____N (Microsoft Corporation) 36739B39267914BA69AD0610A0299732

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2004-08-26 13:00] - [2004-08-04 14:00] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\srsvc.dll
[2004-08-26 13:01] - [2004-08-04 14:00] - 0170496 ____N (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838

C:\WINDOWS\system32\Drivers\sr.sys
[2004-08-26 13:01] - [2004-08-04 14:00] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24

C:\WINDOWS\system32\svchost.exe
[2004-08-26 11:12] - [2004-08-04 14:00] - 0014336 ____N (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\rpcss.dll
[2004-08-26 11:12] - [2009-02-09 05:20] - 0399360 ____N (Microsoft Corporation) 01095FEBF33BEEA00C2A0730B9B3EC28

C:\WINDOWS\system32\services.exe
[2004-08-26 11:12] - [2009-02-06 12:14] - 0110592 ____N (Microsoft Corporation) 37561F8D4160D62DA86D24AE41FAE8DE


Extra List:
=======
Gpc(6) IPSec(5) irda(10) NetBT(6) PSched(7) SYMTDI(9) Tcpip(3)
0x09000000040000000100000002000000030000000900000008000000050000000600000007000000
Attention! IpSec Tag value should be 4

**** End of log ****

Again, thank you.

#5 nasdaq

  • Malware Response Team
  • 39,179 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 January 2012 - 09:30 AM

Windows XP
Please download XP.zip file from here: http://www.smartestc...y-network-keys/
Unzip the file to your desktop.

These files will be extracted:
afd.reg
ipsec.reg
netbt.reg
Legacy_afd.reg
Legacy_ipsec.reg
Legacy_netbt.reg
wscsvc.reg
legacy_wscsvc.reg


Double-click each one of the 8 .reg files in turn and click Yes to add it to the Registry.
Allow the registry merge.
When the 8 files have been executed, restart the computer and see if the internet works.

If still no joy:

; Instructions: Copy and paste this text IN BOLD into a text editor such as Notepad.
;
; Save this text as Fix.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Ipsec]
"Tag"=dword:4


; Double-click on Fix.reg. When it asks you to merge the information to the registry click Yes.

Delete the Fix.reg file when done.

How is it now?
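An added example, not from this thread or from the FSS tool, that decodes the two "Extra List" lines from the FSS log in post #4 and flags the same IpSec Tag mismatch that the Fix.reg above corrects. It assumes the hex line is the REG_BINARY GroupOrderList value for the group these services belong to (a DWORD count followed by Tag values in load order); the service name Ipsec and the expected value 4 come from the thread.

```python
import re

# Constructed sample: the two "Extra List" lines copied from the FSS log in post #4.
# Line 1 is each service's Tag value; line 2 is assumed to be the GroupOrderList
# REG_BINARY blob for the group these services load in.
EXTRA_LIST = """\
Gpc(6) IPSec(5) irda(10) NetBT(6) PSched(7) SYMTDI(9) Tcpip(3)
0x09000000040000000100000002000000030000000900000008000000050000000600000007000000
"""

# The only expectation the thread supports: FSS prints "IpSec Tag value should be 4"
# and nasdaq's Fix.reg sets Ipsec "Tag"=dword:4.
EXPECTED_TAGS = {"ipsec": 4}


def parse_service_tags(line):
    """'Gpc(6) IPSec(5) ...' -> {'Gpc': 6, 'IPSec': 5, ...}."""
    return {name: int(tag) for name, tag in re.findall(r"(\w+)\((\d+)\)", line)}


def parse_group_order(hexline):
    """Decode a GroupOrderList blob: a DWORD count followed by that many
    little-endian DWORD Tag values, listed in load order."""
    h = hexline.strip()
    if h.lower().startswith("0x"):
        h = h[2:]
    raw = bytes.fromhex(h)
    if len(raw) % 4:
        raise ValueError("blob is not a whole number of DWORDs")
    words = [int.from_bytes(raw[i:i + 4], "little") for i in range(0, len(raw), 4)]
    count, tags = words[0], words[1:]
    if count != len(tags):
        raise ValueError(f"header says {count} tags but {len(tags)} follow")
    return tags


def analyze(extra_list_text, expected=EXPECTED_TAGS):
    """Return the decoded load order plus findings that warrant a registry fix."""
    svc_line, hex_line = [l for l in extra_list_text.splitlines() if l.strip()][:2]
    tags = parse_service_tags(svc_line)
    order = parse_group_order(hex_line)
    by_tag = {}
    for svc, tag in tags.items():
        by_tag.setdefault(tag, []).append(svc)

    findings = []
    # The check FSS itself reports: a service whose Tag differs from the expected one.
    for svc, tag in tags.items():
        want = expected.get(svc.lower())
        if want is not None and tag != want:
            holder = ", ".join(by_tag.get(want, [])) or "nobody"
            findings.append(f"{svc}: Tag is {tag}, expected {want} (slot {want} held by {holder})")
    # Informational: two services sharing a Tag have no defined relative load order.
    for tag, svcs in by_tag.items():
        if len(svcs) > 1:
            findings.append(f"Tag {tag} shared by {', '.join(svcs)}")
    # Informational: a Tag absent from the order list loads after every listed one.
    for svc, tag in tags.items():
        if tag not in order:
            findings.append(f"{svc}: Tag {tag} not in group order list")

    load_order = [by_tag.get(t, ["<no service>"]) for t in order]
    return {"tags": tags, "order": order, "load_order": load_order, "findings": findings}


def fix_reg(service, tag):
    """Render a Fix.reg of the same shape nasdaq posted, for any service/Tag pair."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\services\\{service}]\r\n"
        f'"Tag"=dword:{tag:x}\r\n'
    )


if __name__ == "__main__":
    report = analyze(EXTRA_LIST)
    # With Tag 5, IPSec currently sits after Tcpip (Tag 3) in the group's load order;
    # restoring Tag 4 moves it to the first slot.
    for slot, (tag, svcs) in enumerate(zip(report["order"], report["load_order"]), 1):
        print(f"{slot:2d}. Tag {tag:2d}: {', '.join(svcs)}")
    for f in report["findings"]:
        print("!", f)
    if any(f.startswith("IPSec:") for f in report["findings"]):
        print(fix_reg("Ipsec", 4))
```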

#6 ohdearme
  • Topic Starter

  • Members
  • 9 posts

Posted 01 January 2012 - 03:31 PM

For some reason, the computer wouldn't allow me to merge Legacy_afd.reg, Legacy_ipsec.reg, Legacy_netbt.reg and Legacy_wscsvc.reg into the registry. However, I did Plan B and, good news, that worked. I now have internet! Thank you.

The bad news is, the CPU output is going at 100% and the internet, while still functioning, is extremely slow.

Also, I have another problem. The virus seems to have hidden many of my files from my "All programs" section as well as many of my drivers. (The CD burner/driver is gone, and the computer can't find my printer/scanner.) I didn't realize this until a bubble popped up stating that there is "new hardware" found on my computer. However, the hardware has been declared "unknown."

The way I figured out how to get to the internet was to type in "firefox" in the Run box.

Do you have any advice there?

And thank you so much for getting me back on the internet. I have been tearing my hair out over this for weeks. No joke, weeks.

#7 nasdaq

  • Malware Response Team
  • 39,179 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 January 2012 - 04:35 PM

I know this is a bad infection.
Run this tool, post the log, and let me know what problems persist.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

#8 ohdearme
  • Topic Starter

  • Members
  • 9 posts

Posted 01 January 2012 - 06:59 PM

Try as I might, I can not disable "digital patrol" because I think it's part of the virus. (The button in Windows Security Center that allowed me to do so was disabled.) Should I still run Combofix? All other anti-virus programs are no trouble when it comes to turning them off.

#9 nasdaq

  • Malware Response Team
  • 39,179 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 January 2012 - 09:01 AM

Run ComboFix and override the message. See what we can get out of it.

#10 ohdearme
  • Topic Starter

  • Members
  • 9 posts

Posted 02 January 2012 - 04:22 PM

Okay, I ran it. And here are the results:

ComboFix 12-01-02.01 - Owner 01/02/2012 15:26:53.15.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.495.247 [GMT -5:00]
Running from: E:\ComboFix.exe
AV: Digital Patrol *Enabled/Updated* {35237DD9-776F-4485-A7AF-729074E24B96}
AV: Norton AntiVirus 2005 *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\proquota.exe . . . is missing!!
.
.
((((((((((((((((((((((((( Files Created from 2011-12-02 to 2012-01-02 )))))))))))))))))))))))))))))))
.
.
2012-01-02 19:56 . 2012-01-02 19:56 646104 ----a-w- c:\program files\Mozilla Firefox\nss3.dll
2011-12-30 20:55 . 2004-08-04 19:00 64896 -c--a-w- c:\windows\system32\dllcache\serial.sys
2011-12-30 20:55 . 2004-08-04 19:00 64896 ----a-w- c:\windows\system32\drivers\Serial.sys
2011-12-30 20:54 . 2008-08-14 09:51 138368 -c--a-w- c:\windows\system32\dllcache\afd.sys
2011-12-30 20:54 . 2008-08-14 09:51 138368 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-18 04:52 . 2011-12-18 04:52 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2011-12-18 04:52 . 2011-12-18 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-12-15 01:59 . 2011-12-15 01:59 -------- d-----w- c:\program files\FREEWI~1
2011-12-13 05:46 . 2011-12-13 05:46 -------- d-----w- c:\documents and settings\Owner\pss
2011-12-12 07:31 . 2011-12-12 07:37 -------- d-----w- C:\88d7a40b7e36b23dd7
2011-12-12 07:20 . 2011-12-12 07:20 -------- d-----w- c:\documents and settings\All Users\Application Data\{A0559A84-0A11-425F-BFFC-532378694B25}
2011-12-12 07:10 . 2004-08-04 03:59 57472 -c--a-w- c:\windows\system32\dllcache\redbook.sys
2011-12-12 07:10 . 2004-08-04 03:59 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-30 20:17 . 2010-10-08 06:57 47360 ----a-w- c:\documents and settings\Owner\Application Data\pcouffin.sys
2012-01-02 19:57 . 2012-01-02 19:57 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-31_03.52.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-26 13:17 . 2011-07-26 13:17 6824960 c:\windows\Installer\77f65dc.msp
+ 2011-11-03 18:31 . 2011-11-03 18:31 5525504 c:\windows\Installer\77f65d8.msp
+ 2011-10-30 04:10 . 2011-10-30 04:10 6824960 c:\windows\Installer\287b90c.msp
+ 2011-09-20 20:36 . 2011-09-20 20:36 5521408 c:\windows\Installer\287b908.msp
+ 2011-11-17 15:55 . 2011-11-17 15:55 5522944 c:\windows\Installer\287b904.msp
+ 2011-07-26 13:17 . 2011-07-26 13:17 6824960 c:\windows\Installer\2586dea.msp
+ 2011-11-03 18:31 . 2011-11-03 18:31 5525504 c:\windows\Installer\2586de6.msp
+ 2005-05-21 07:04 . 2012-01-02 08:07 52988224 c:\windows\system32\MRT.exe
+ 2011-07-26 21:33 . 2011-07-26 21:33 10984448 c:\windows\Installer\77f65e0.msp
+ 2011-07-26 21:33 . 2011-07-26 21:33 10984448 c:\windows\Installer\299ab02.msp
+ 2011-07-26 21:33 . 2011-07-26 21:33 10984448 c:\windows\Installer\2586dee.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-03-02 86016]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2011-10-05 3578272]
"Spybot-S&D Cleaning"="c:\program files\Spybot - Search & Destroy 2\SDCleaner.exe" [2011-10-05 3025304]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0\0sdnclean.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:Shareaza
"6346:UDP"= 6346:UDP:Shareaza
.
R1 SDHookDriver;Spybot-S&D 2 Hook Driver;c:\program files\Spybot - Search & Destroy 2\SDHookDrv32.sys [11/26/2011 10:32 AM 38504]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [11/26/2011 10:32 AM 892336]
S0 48629361;48629361;c:\windows\system32\drivers\59978923.sys --> c:\windows\system32\drivers\59978923.sys [?]
S0 52605157;52605157;c:\windows\system32\drivers\66005833.sys --> c:\windows\system32\drivers\66005833.sys [?]
S0 55110575;55110575;c:\windows\system32\drivers\66067401.sys --> c:\windows\system32\drivers\66067401.sys [?]
S0 91558000;91558000;c:\windows\system32\drivers\59521513.sys --> c:\windows\system32\drivers\59521513.sys [?]
S0 98387798;98387798;c:\windows\system32\drivers\59030613.sys --> c:\windows\system32\drivers\59030613.sys [?]
S0 muvoxg;muvoxg;c:\windows\system32\drivers\tlodb.sys --> c:\windows\system32\drivers\tlodb.sys [?]
S0 sgirv;sgirv;c:\windows\system32\drivers\hiqfnch.sys --> c:\windows\system32\drivers\hiqfnch.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S2 SDHookService;Spybot S&D 2 Live Protection Service;c:\program files\Spybot - Search & Destroy 2\SDHookSvc.exe [11/26/2011 10:32 AM 130976]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [11/26/2011 10:32 AM 955816]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\4A.tmp --> c:\windows\system32\4A.tmp [?]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys --> c:\windows\system32\Drivers\pcouffin.sys [?]
S3 TrueSight;TrueSight;\??\c:\windows\system32\drivers\TrueSight.sys --> c:\windows\system32\drivers\TrueSight.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-02 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2011-11-26 20:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uCustomizeSearch =
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\z3va1cic.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-02 15:52
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\4A.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(504)
c:\program files\Spybot - Search & Destroy 2\SDHook32.dll
.
- - - - - - - > 'lsass.exe'(560)
c:\program files\Spybot - Search & Destroy 2\SDHook32.dll
.
- - - - - - - > 'explorer.exe'(4960)
c:\program files\Spybot - Search & Destroy 2\SDHook32.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\WS2HELP.dll
c:\windows\system32\WSOCK32.dll
.
Completion time: 2012-01-02 16:01:30
ComboFix-quarantined-files.txt 2012-01-02 21:01
ComboFix2.txt 2012-01-02 19:29
ComboFix3.txt 2011-12-31 04:01
ComboFix4.txt 2011-12-21 02:14
ComboFix5.txt 2012-01-02 20:17
.
Pre-Run: 5,803,098,112 bytes free
Post-Run: 5,780,652,032 bytes free
.
- - End Of File - - F7F0C1F73C23E86465305762694F4B9F

#11 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 03 January 2012 - 08:54 AM

c:\windows\system32\proquota.exe . . . is missing!!


Let's find out if you have a good copy on your computer.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main text field:


    :filefind
    proquota.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Open notepad and copy/paste the text in the quote box below into it:

Driver::
48629361
52605157
55110575
91558000
98387798
muvoxg
sgirv
MEMSWEEP2
TrueSight

Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"=-

Firefox::

DirLook::



Save this as CFScript on your desktop.

[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
===

Third-party programs, if not up to date, can be the cause of infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs for my review.
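
As an added triage example (not part of this thread and not ComboFix's own logic), the Python below does by script what nasdaq did by eye above: it parses the service/driver lines of a ComboFix log, keeps the entries whose driver file is no longer on disk (ComboFix marks these with "[?]") and that carry a second mark of a leftover stub (a purely numeric name, no descriptive display name, or a .tmp image), and renders them as the Driver:: section of a CFScript. The sample lines are constructed from the format shown in the log, and the heuristics are assumptions; a reviewer still removes known-tool leftovers such as SASDIFSV from the list by hand.

```python
import re
from collections import namedtuple
# Constructed sample in the format ComboFix uses for its service list
# (same shape as the log above; only a handful of its lines are reproduced).
SAMPLE_LOG = """\
R1 SDHookDriver;Spybot-S&D 2 Hook Driver;c:\\program files\\Spybot - Search & Destroy 2\\SDHookDrv32.sys [11/26/2011 10:32 AM 38504]
S0 48629361;48629361;c:\\windows\\system32\\drivers\\59978923.sys --> c:\\windows\\system32\\drivers\\59978923.sys [?]
S0 muvoxg;muvoxg;c:\\windows\\system32\\drivers\\tlodb.sys --> c:\\windows\\system32\\drivers\\tlodb.sys [?]
S1 SASDIFSV;SASDIFSV;\\??\\c:\\program files\\SUPERAntiSpyware\\SASDIFSV.SYS --> c:\\program files\\SUPERAntiSpyware\\SASDIFSV.SYS [?]
S3 MEMSWEEP2;MEMSWEEP2;\\??\\c:\\windows\\system32\\4A.tmp --> c:\\windows\\system32\\4A.tmp [?]
S3 pcouffin;VSO Software pcouffin;c:\\windows\\system32\\Drivers\\pcouffin.sys --> c:\\windows\\system32\\Drivers\\pcouffin.sys [?]
"""

# Line shape: <R|S><start type> <name>;<display name>;<image path> [<file details or ?>]
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)\s\[([^\]]*)\]$")

# running: R/S flag; start: 0 = boot-start; image_missing: ComboFix prints "[?]"
# after the path when the file is not on disk.
Service = namedtuple("Service", "running start name display image image_missing")

def parse_services(text):
    """Parse the service/driver lines out of a ComboFix log."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        state, start, name, display, image, detail = m.groups()
        if " --> " in image:  # "path as registered --> resolved path"
            image = image.split(" --> ", 1)[1]
        services.append(Service(state == "R", int(start), name, display, image, detail == "?"))
    return services

def suspicion_reasons(svc):
    """Assumed heuristics for a leftover driver stub; not ComboFix's own logic."""
    reasons = []
    if svc.image_missing:
        reasons.append("image file not found on disk")
    if svc.name.isdigit():
        reasons.append("purely numeric service name")
    elif svc.display == svc.name:
        reasons.append("no descriptive display name")
    if svc.image.lower().endswith(".tmp"):
        reasons.append("driver image is a .tmp file")
    return reasons

def triage(services):
    """{name: reasons} for entries whose file is gone and that carry one more mark."""
    return {s.name: r for s in services
            if s.image_missing and len(r := suspicion_reasons(s)) >= 2}

def cfscript_driver_section(names):
    """Render service names as the Driver:: section of a ComboFix CFScript."""
    return "Driver::\n" + "\n".join(names)
```

Run on the sample it flags 48629361, muvoxg, SASDIFSV and MEMSWEEP2, leaves pcouffin (descriptive display name) and the Spybot driver (file present) alone, and leaves the decision about SASDIFSV to the reviewer.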

#12 ohdearme (Topic Starter)

Posted 04 January 2012 - 12:29 PM

Sorry for the delay. Here are the reports:

SystemLook result:
SystemLook 30.07.11 by jpshortstuff
Log created at 09:58 on 04/01/2012 by Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "proquota.exe"
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe --a---- 50176 bytes [15:14 23/01/2010] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8

-= EOF =-

ComboFix result:
ComboFix 12-01-02.01 - Owner 01/04/2012 11:13:13.16.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.495.256 [GMT -5:00]
Running from: E:\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.lnk
AV: Digital Patrol *Enabled/Updated* {35237DD9-776F-4485-A7AF-729074E24B96}
AV: Norton AntiVirus 2005 *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\proquota.exe . . . is missing!!
.
.
((((((((((((((((((((((((( Files Created from 2011-12-04 to 2012-01-04 )))))))))))))))))))))))))))))))
.
.
2012-01-02 19:56 . 2012-01-02 19:56 646104 ----a-w- c:\program files\Mozilla Firefox\nss3.dll
2011-12-30 20:55 . 2004-08-04 19:00 64896 -c--a-w- c:\windows\system32\dllcache\serial.sys
2011-12-30 20:55 . 2004-08-04 19:00 64896 ----a-w- c:\windows\system32\drivers\Serial.sys
2011-12-30 20:54 . 2008-08-14 09:51 138368 -c--a-w- c:\windows\system32\dllcache\afd.sys
2011-12-30 20:54 . 2008-08-14 09:51 138368 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-18 04:52 . 2011-12-18 04:52 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2011-12-18 04:52 . 2011-12-18 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-12-15 01:59 . 2011-12-15 01:59 -------- d-----w- c:\program files\FREEWI~1
2011-12-13 05:46 . 2011-12-13 05:46 -------- d-----w- c:\documents and settings\Owner\pss
2011-12-12 07:31 . 2011-12-12 07:37 -------- d-----w- C:\88d7a40b7e36b23dd7
2011-12-12 07:20 . 2011-12-12 07:20 -------- d-----w- c:\documents and settings\All Users\Application Data\{A0559A84-0A11-425F-BFFC-532378694B25}
2011-12-12 07:10 . 2004-08-04 03:59 57472 -c--a-w- c:\windows\system32\dllcache\redbook.sys
2011-12-12 07:10 . 2004-08-04 03:59 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-30 20:17 . 2010-10-08 06:57 47360 ----a-w- c:\documents and settings\Owner\Application Data\pcouffin.sys
2012-01-02 19:57 . 2012-01-02 19:57 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-03-02 86016]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2011-10-05 3578272]
"Spybot-S&D Cleaning"="c:\program files\Spybot - Search & Destroy 2\SDCleaner.exe" [2011-10-05 3025304]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0\0sdnclean.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:Shareaza
"6346:UDP"= 6346:UDP:Shareaza
.
R1 SDHookDriver;Spybot-S&D 2 Hook Driver;c:\program files\Spybot - Search & Destroy 2\SDHookDrv32.sys [11/26/2011 10:32 AM 38504]
S0 48629361;48629361;c:\windows\system32\drivers\59978923.sys --> c:\windows\system32\drivers\59978923.sys [?]
S0 52605157;52605157;c:\windows\system32\drivers\66005833.sys --> c:\windows\system32\drivers\66005833.sys [?]
S0 55110575;55110575;c:\windows\system32\drivers\66067401.sys --> c:\windows\system32\drivers\66067401.sys [?]
S0 91558000;91558000;c:\windows\system32\drivers\59521513.sys --> c:\windows\system32\drivers\59521513.sys [?]
S0 98387798;98387798;c:\windows\system32\drivers\59030613.sys --> c:\windows\system32\drivers\59030613.sys [?]
S0 muvoxg;muvoxg;c:\windows\system32\drivers\tlodb.sys --> c:\windows\system32\drivers\tlodb.sys [?]
S0 sgirv;sgirv;c:\windows\system32\drivers\hiqfnch.sys --> c:\windows\system32\drivers\hiqfnch.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S2 SDHookService;Spybot S&D 2 Live Protection Service;c:\program files\Spybot - Search & Destroy 2\SDHookSvc.exe [11/26/2011 10:32 AM 130976]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [11/26/2011 10:32 AM 892336]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [11/26/2011 10:32 AM 955816]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\4A.tmp --> c:\windows\system32\4A.tmp [?]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys --> c:\windows\system32\Drivers\pcouffin.sys [?]
S3 TrueSight;TrueSight;\??\c:\windows\system32\drivers\TrueSight.sys --> c:\windows\system32\drivers\TrueSight.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-02 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2011-11-26 20:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uCustomizeSearch =
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\z3va1cic.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-04 11:29
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\4A.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(504)
c:\program files\Spybot - Search & Destroy 2\SDHook32.dll
.
- - - - - - - > 'lsass.exe'(560)
c:\program files\Spybot - Search & Destroy 2\SDHook32.dll
.
- - - - - - - > 'explorer.exe'(332)
c:\program files\Spybot - Search & Destroy 2\SDHook32.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\WS2HELP.dll
c:\windows\system32\WSOCK32.dll
.
Completion time: 2012-01-04 11:35:07
ComboFix-quarantined-files.txt 2012-01-04 16:35
ComboFix2.txt 2012-01-02 21:01
ComboFix3.txt 2012-01-02 19:29
ComboFix4.txt 2011-12-31 04:01
ComboFix5.txt 2012-01-04 15:58
.
Pre-Run: 5,985,435,648 bytes free
Post-Run: 5,966,794,752 bytes free
.
- - End Of File - - 3C4028DBF37C0DB4EED7CFA8021633AD

And Security Check result:

Results of screen317's Security Check version 0.99.30
Windows XP Service Pack 2 x86
Out of date service pack!!
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
```````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy 2
Adobe Flash Player 10.1.102.64 Flash Player out of Date!
Mozilla Firefox (9.0.1)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Spybot Teatimer.exe is disabled!
``````````End of Log````````````

Again, thank you so much for your help.

#13 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 04 January 2012 - 03:28 PM

The script failed because you added a .lnk extension to the file I asked you to create.
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.lnk

Look at the image: the CFScript ends with .txt.
Remove the CFScript.lnk file.

Repeat with this text.

Open notepad and copy/paste the text in the quote box below into it:

Driver::
48629361
52605157
55110575
91558000
98387798
muvoxg
sgirv
MEMSWEEP2
TrueSight

Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"=-

FCOPY::
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe | c:\windows\system32\proquota.exe


Save this as CFScript on your desktop.

[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
===


Important security issue
Support for Windows XP Service Pack 2 ended 13/07/2010
http://support.microsoft.com/lifecycle/?LN=en-gb&C2=1173

For continued support get the Service Pack 3.
http://windows.microsoft.com/en-us/windows/help/learn-how-to-install-windows-xp-service-pack-3-sp3

You may not be using Internet Explorer, but IE6 is also an important security issue.
I suggest you update to IE7 and when all is well get IE8.
===

Critical vulnerabilities have been identified in Adobe Flash Player 10.3.183.10 and earlier versions... being exploited in the wild in active targeted attacks... update to Adobe Flash Player 11.0.1.152

Flash Player 11.0.1.152

On the top of the page you will be given an opportunity to download the version for your operating system.
Make sure you select appropriate version.

You will also have an option to install the Free! McAfee Security Scan Plus. Un-check the box if you are NOT using McAfee's virus protection software.

For the users of Internet Explorer download version 11.
Flash Player 11 (64 bit)
Flash Player 11 (32 bit)
===

Please post the ComboFix log.

Let me know what problem persists.

#14 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 10 January 2012 - 11:57 AM

Are you still with me?



