
Regrowing "XP Antispyware 2012" and "Security Sphere 2012"


This topic is locked. 19 replies to this topic.

#1 LMoseley (Members, 88 posts)

Posted 22 December 2011 - 11:00 AM

This request was originally posted as
http://www.bleepingcomputer.com/forums/topic432929.html

Original situation:

About two weeks ago, one of the computers I deal with was sick with one of the fake Antivirus scamware infections. I fixed it, I thought, using the manual removal instructions from this site: FixNCR.reg, rkill.exe, MalWareBytes. It worked fine until this morning, when it displayed "XP Antispyware 2012" and "Security Sphere 2012".
These were removed manually, using the instructions on this site...
After this, the computer has been running normally without malware symptoms. But, because the malware regrew last time (or was reinfected despite running AV), I would appreciate it if someone could take a look at it with me.


One thing I have noticed is that the HOSTS file is locked or blocked against editing. SPYBOT SEARCH & DESTROY usually keeps many sites blocked in HOSTS, but all of these are missing and SPYBOT reports that it is unable to re-IMMUNIZE. Also, HOSTS cannot be manually edited.

These new logs were requested by the Advisor, Broni:

DEFOGGER
DDS
MALWAREBYTES
GMER

=======================

DEFOGGER LOG (Reboot NOT requested)

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 10:19 on 22/12/2011 (Staff)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-


=======================


DDS LOG

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Staff at 10:39:36 on 2011-12-22
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1448 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Pitney Bowes\PC Meter Connect\mailstationAssistant.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\Seiko\slpcap.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\RealVNC\VNC4\vncclipboard.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://att.my.yahoo.com/
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: EpicPlay Games: {56e4076b-a42b-4745-ba35-34da8ac4c2f2} - c:\program files\epicplay\epicPlayGames.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Enterprise
mRun: [pdfFactory Pro Dispatcher v3] "c:\windows\system32\spool\drivers\w32x86\3\fppdis3a.exe" /source=HKLM
mRun: [PC Meter Connect] c:\program files\pitney bowes\pc meter connect\mailstationAssistant.exe minimize
mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
dRun: [jB28300DmOgD28300] c:\documents and settings\all users\application data\jb28300dmogd28300\jB28300DmOgD28300.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10w_ActiveX.exe -update activex
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\karen'~1.lnk - c:\program files\karen's power tools\once-a-day ii\PTOAD.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartc~1.lnk - c:\windows\seiko\slpcap.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
Trusted Zone: wow-coupons.com\www
TCP: Interfaces\{5845778E-3C09-4A46-B100-6558F833FCD1} : NameServer = 192.168.1.254
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 66.197.194.231 www.google-analytics.com.
Hosts: 66.197.194.231 ad-emea.doubleclick.net.
Hosts: 66.197.194.231 www.statcounter.com.
Hosts: 69.72.252.254 www.google-analytics.com.
Hosts: 69.72.252.254 ad-emea.doubleclick.net.
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-20 366152]
R2 PD91Agent;PD91Agent;c:\program files\raxco\perfectdisk2008\PD91Agent.exe [2008-9-9 693512]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-20 22216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\googleupdate.exe /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 DM150Drv;DM150Drv;c:\windows\system32\drivers\DM150Drv.sys [2011-4-1 20600]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\googleupdate.exe /medsvc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2011-12-14 50704]
S3 PD91Engine;PD91Engine;c:\program files\raxco\perfectdisk2008\PD91Engine.exe [2008-9-9 906504]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-12-22 14:03:36 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b09f405d-904d-466f-a189-afbf66379b2a}\offreg.dll
2011-12-21 14:52:11 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b09f405d-904d-466f-a189-afbf66379b2a}\mpengine.dll
2011-12-20 16:06:34 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-20 16:06:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-16 18:18:05 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-12-15 20:53:36 -------- d-----w- c:\documents and settings\staff\local settings\application data\Temp
2011-12-15 17:39:48 -------- d-----w- c:\documents and settings\staff\local settings\application data\Solid State Networks
2011-12-15 17:37:29 -------- d-----w- c:\windows\system32\Adobe
2011-12-15 17:18:21 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-12-15 17:09:33 -------- d-----w- c:\program files\Microsoft Security Client
2011-12-14 14:30:44 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2011-12-14 14:30:44 187776 ----a-w- c:\windows\system32\dllcache\acpi.sys
2011-12-14 14:29:42 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2011-12-14 14:29:42 281104 ----a-w- c:\windows\system32\wpcap.dll
2011-12-14 14:29:42 100880 ----a-w- c:\windows\system32\Packet.dll
2011-12-07 15:59:38 -------- d-sh--w- c:\documents and settings\staff\IECompatCache
2011-12-02 16:31:16 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
==================== Find3M ====================
.
2011-12-14 16:12:25 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 10:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 07:37:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 10:40:10.56 ===============

=======================

MALWAREBYTES ANTI-MALWARE LOG


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8403

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/20/2011 11:38:42 AM
mbam-log-2011-12-20 (11-38-41).txt

Scan type: Quick scan
Objects scanned: 209526
Time elapsed: 27 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

=======================

GMER LOG

NOTE: GMER took almost 6 hours to run, but eventually did finish


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-21 18:22:07
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST380013 rev.8.12
Running: 1705y8xn.exe; Driver: C:\DOCUME~1\Staff\LOCALS~1\Temp\kfldrpoc.sys


---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB9189F80]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[836] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[836] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[836] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[836] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[836] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[836] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[836] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52F9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[836] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E5364 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[836] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[836] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E522C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[836] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E542A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[836] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E528E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[836] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[836] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E572F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3224] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3224] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3224] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3224] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52F9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3224] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E5364 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3224] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3224] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E522C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3224] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E542A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3224] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E528E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[836] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB46437$\3787317931 0 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390 0 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\bckfg.tmp 850 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\cfg.ini 208 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\keywords 0 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\L 0 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\L\odetmngk 64512 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\U 0 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\U\80000032.@ 98304 bytes

---- EOF - GMER 1.0.15 ----

Thanks for any help!

Edited by LMoseley, 22 December 2011 - 12:17 PM.
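As an added example (not part of this thread, and not code from the DDS tool or from BleepingComputer), the following script parses the `Hosts:` lines of a DDS log like the one in the post above and separates immunization-style sink entries (loopback or 0.0.0.0, which is what tools such as Spybot write to block a site) from entries that redirect well-known hostnames to routable addresses, as the first post's log shows for www.google-analytics.com. The sample input is constructed from the Hosts values in the log above plus one placeholder immunization entry.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: the five "Hosts:" lines DDS printed in the
# Pseudo HJT Report above, plus one placeholder immunization-style entry
# (blocked.example is a placeholder, not a value from the thread).
SAMPLE_DDS_LOG = """\
uStart Page = hxxp://att.my.yahoo.com/
Hosts: 66.197.194.231 www.google-analytics.com.
Hosts: 66.197.194.231 ad-emea.doubleclick.net.
Hosts: 66.197.194.231 www.statcounter.com.
Hosts: 69.72.252.254 www.google-analytics.com.
Hosts: 69.72.252.254 ad-emea.doubleclick.net.
Hosts: 127.0.0.1 blocked.example
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
"""

# One DDS "Hosts:" line: the tag, an address, a hostname. DDS appends a
# trailing dot to the hostname, which parse_hosts_entries() strips.
HOSTS_LINE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)\s*$", re.MULTILINE)


def parse_hosts_entries(dds_text):
    """Return (address, hostname) tuples for every Hosts: line in a DDS log."""
    entries = []
    for ip, host in HOSTS_LINE.findall(dds_text):
        entries.append((ip, host.rstrip(".").lower()))
    return entries


def classify(ip):
    """Classify the address a hostname is mapped to.

    'block'    - loopback or unspecified address: the site is sinkholed,
                 which is how immunizers and ad-blocking hosts lists work.
    'redirect' - any other address: requests for the hostname are sent to
                 a real machine, which is the hijack pattern to investigate.
    'invalid'  - the token is not an IP address at all.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    if addr.is_loopback or addr.is_unspecified:
        return "block"
    return "redirect"


def find_redirects(dds_text):
    """Group redirected hostnames by the address they are sent to."""
    by_ip = defaultdict(list)
    for ip, host in parse_hosts_entries(dds_text):
        if classify(ip) == "redirect":
            by_ip[ip].append(host)
    return dict(by_ip)


def duplicated_hosts(dds_text):
    """Hostnames that appear with more than one address.

    The Windows resolver uses the first matching line, so later entries
    for the same name are shadowed; seeing a name mapped twice is a sign
    that more than one writer has appended to the file.
    """
    seen = defaultdict(list)
    for ip, host in parse_hosts_entries(dds_text):
        if ip not in seen[host]:
            seen[host].append(ip)
    return {host: ips for host, ips in seen.items() if len(ips) > 1}


def report(dds_text):
    """Human-readable summary, one line per finding."""
    lines = []
    for ip, hosts in sorted(find_redirects(dds_text).items()):
        lines.append(f"REDIRECT {ip} <- {', '.join(hosts)}")
    for host, ips in sorted(duplicated_hosts(dds_text).items()):
        lines.append(f"DUPLICATE {host} -> {', '.join(ips)}")
    if not lines:
        lines.append("no redirect or duplicate Hosts entries found")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DDS_LOG)))
```

To run it against a real log, read DDS.txt (or Attach.txt, which DDS points to when there are many entries) and pass its contents to report().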


#2 HelpBot (Bleepin' Binary Bot; Bots, 12,769 posts)

Posted 28 December 2011 - 11:05 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/433942 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 CatByte (bleepin' tiger; Malware Response Team, 14,664 posts; Location: Canada)

Posted 28 December 2011 - 08:39 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#4 LMoseley, Topic Starter (Members, 88 posts)

Posted 29 December 2011 - 12:31 AM

Thanks for your reply, CatByte.

I assume that you still want the logs requested by the 'Bot, so I am posting them here, then I'll deal with ComboFix.

For whatever reason, GMER takes between 7 and 8 hours to run on this machine. Today, I started it at 5:00 PM and it finished at about midnight.

================

DDS LOG (NEW RUN 12/28)

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Staff at 12:49:34 on 2011-12-28
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1354 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\WINDOWS\system32\slpservice.exe
C:\WINDOWS\system32\slpmonx.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Pitney Bowes\PC Meter Connect\mailstationAssistant.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\Seiko\slpcap.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Sage Software\Peachtree\peachw.exe
C:\Program Files\Sage Software\Peachtree\W32MKDE.EXE
C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\RealVNC\VNC4\vncclipboard.exe
C:\WINDOWS\system32\rundll32.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://att.my.yahoo.com/
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: EpicPlay Games: {56e4076b-a42b-4745-ba35-34da8ac4c2f2} - c:\program files\epicplay\epicPlayGames.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [pdfFactory Pro Dispatcher v3] "c:\windows\system32\spool\drivers\w32x86\3\fppdis3a.exe" /source=HKLM
mRun: [PC Meter Connect] c:\program files\pitney bowes\pc meter connect\mailstationAssistant.exe minimize
mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
dRun: [jB28300DmOgD28300] c:\documents and settings\all users\application data\jb28300dmogd28300\jB28300DmOgD28300.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10w_ActiveX.exe -update activex
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\karen'~1.lnk - c:\program files\karen's power tools\once-a-day ii\PTOAD.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartc~1.lnk - c:\windows\seiko\slpcap.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
Trusted Zone: wow-coupons.com\www
TCP: Interfaces\{5845778E-3C09-4A46-B100-6558F833FCD1} : NameServer = 192.168.1.254
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 66.197.194.231 www.google-analytics.com.
Hosts: 66.197.194.231 ad-emea.doubleclick.net.
Hosts: 66.197.194.231 www.statcounter.com.
Hosts: 69.72.252.254 www.google-analytics.com.
Hosts: 69.72.252.254 ad-emea.doubleclick.net.
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-20 366152]
R2 PD91Agent;PD91Agent;c:\program files\raxco\perfectdisk2008\PD91Agent.exe [2008-9-9 693512]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-20 22216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\googleupdate.exe /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 DM150Drv;DM150Drv;c:\windows\system32\drivers\DM150Drv.sys [2011-4-1 20600]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\googleupdate.exe /medsvc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2011-12-14 50704]
S3 PD91Engine;PD91Engine;c:\program files\raxco\perfectdisk2008\PD91Engine.exe [2008-9-9 906504]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-12-27 20:41:25 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e86bb067-c34c-48f6-8ae5-6469771fcc7c}\offreg.dll
2011-12-27 20:41:17 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e86bb067-c34c-48f6-8ae5-6469771fcc7c}\mpengine.dll
2011-12-20 16:06:34 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-20 16:06:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-16 18:18:05 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-12-15 20:53:36 -------- d-----w- c:\documents and settings\staff\local settings\application data\Temp
2011-12-15 17:39:48 -------- d-----w- c:\documents and settings\staff\local settings\application data\Solid State Networks
2011-12-15 17:37:29 -------- d-----w- c:\windows\system32\Adobe
2011-12-15 17:18:21 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-12-15 17:09:33 -------- d-----w- c:\program files\Microsoft Security Client
2011-12-14 14:30:44 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2011-12-14 14:30:44 187776 ----a-w- c:\windows\system32\dllcache\acpi.sys
2011-12-14 14:29:42 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2011-12-14 14:29:42 281104 ----a-w- c:\windows\system32\wpcap.dll
2011-12-14 14:29:42 100880 ----a-w- c:\windows\system32\Packet.dll
2011-12-07 15:59:38 -------- d-sh--w- c:\documents and settings\staff\IECompatCache
2011-12-02 16:31:16 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
==================== Find3M ====================
.
2011-12-14 16:12:25 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 10:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 07:37:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
============= FINISH: 12:50:58.18 ===============


================


GMER LOG (NEW RUN 12/28)

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-29 00:18:31
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST380013 rev.8.12
Running: ew4fruu6.exe; Driver: C:\DOCUME~1\Staff\LOCALS~1\Temp\kfldrpoc.sys


---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB90F5F80]
? C:\WINDOWS\TEMP\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device 9F7D3D20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB46437$\3787317931 0 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390 0 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\bckfg.tmp 850 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\cfg.ini 208 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\keywords 0 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\L 0 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\L\odetmngk 64512 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\U 0 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB46437$\3953352390\U\80000032.@ 98304 bytes

---- EOF - GMER 1.0.15 ----

Look for the ComboFix log in a few minutes

#5 LMoseley

  • Topic Starter
  • Members
  • 88 posts

Posted 29 December 2011 - 09:47 AM

Combofix log 12-29-2011

Combofix reported finding rootkit, rebooted, did a multi-stage file scan, rebooted, ran again.

Combofix noted the existence of RealVNC. This was intentionally installed, and I use RealVNC to do remote maintenance on this computer.

ComboFix 11-12-29.04 - Staff 12/29/2011 9:10.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1600 [GMT -5:00]
Running from: c:\documents and settings\Staff\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\data
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
c:\documents and settings\All Users\Application Data\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setupx.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\Setup.dat
c:\documents and settings\All Users\Application Data\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\Setup.exe
c:\documents and settings\All Users\Application Data\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\Setup.ico
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Staff\Application Data\3M
c:\documents and settings\Staff\Application Data\3M\PSNotes\PSNData
c:\documents and settings\Staff\Application Data\3M\PSNotes\PSNData.bak
c:\documents and settings\Staff\Application Data\3M\PSNotes\PSNMsgAddr
c:\documents and settings\Staff\System
c:\documents and settings\Staff\System\win_qs8.jqx
c:\documents and settings\Staff\WINDOWS
c:\program files\LP
c:\program files\LP\A6F0\1.tmp
c:\program files\LP\A6F0\23.tmp
c:\program files\LP\A6F0\3C.tmp
c:\program files\LP\A6F0\3D.tmp
c:\program files\LP\A6F0\6.tmp
c:\program files\LP\A6F0\AA.tmp
c:\windows\Downloaded Installations\BMP
c:\windows\Downloaded Installations\BMP\{EA2E6144-0834-4704-915A-AF9FDB0D73CA}\0x0409.ini
c:\windows\Downloaded Installations\BMP\{EA2E6144-0834-4704-915A-AF9FDB0D73CA}\1033.MST
c:\windows\Downloaded Installations\BMP\{EA2E6144-0834-4704-915A-AF9FDB0D73CA}\BACS.msi
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\SET91.tmp
c:\windows\system32\SET93.tmp
c:\windows\system32\SET9F.tmp
c:\windows\system32\SETA1.tmp
c:\windows\system32\SETA8.tmp
c:\windows\system32\SETA9.tmp
c:\windows\system32\SETAA.tmp
c:\windows\system32\SETAD.tmp
c:\windows\system32\wpcap.dll
d:\linda's documents\~WRL0690.tmp
d:\linda's documents\~WRL3585.tmp
d:\linda's documents\ewc-reports.doc
D:\WiNlOgOn.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-29 )))))))))))))))))))))))))))))))
.
.
2011-12-29 14:35 . 2011-12-29 14:35 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E86BB067-C34C-48F6-8AE5-6469771FCC7C}\offreg.dll
2011-12-27 20:41 . 2011-11-30 07:21 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E86BB067-C34C-48F6-8AE5-6469771FCC7C}\mpengine.dll
2011-12-20 16:06 . 2011-12-20 16:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-20 16:06 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-16 18:18 . 2011-11-30 07:21 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-15 20:53 . 2011-12-15 20:53 -------- d-----w- c:\documents and settings\Staff\Local Settings\Application Data\Temp
2011-12-15 17:39 . 2011-12-15 17:39 -------- d-----w- c:\documents and settings\Staff\Local Settings\Application Data\Solid State Networks
2011-12-15 17:37 . 2011-12-15 17:37 -------- d-----w- c:\windows\system32\Adobe
2011-12-15 17:18 . 2011-11-15 19:29 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-12-15 17:09 . 2011-12-15 17:09 -------- d-----w- c:\program files\Microsoft Security Client
2011-12-15 16:31 . 2011-12-15 16:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-12-14 14:30 . 2008-04-13 18:36 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2011-12-14 14:30 . 2008-04-13 18:36 187776 ----a-w- c:\windows\system32\dllcache\acpi.sys
2011-12-07 15:59 . 2011-12-07 15:59 -------- d-sh--w- c:\documents and settings\Staff\IECompatCache
2011-12-02 16:31 . 2011-12-02 16:31 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-14 16:12 . 2004-08-04 10:00 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-11-23 13:25 . 2004-08-04 10:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2004-08-04 10:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-04 10:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 10:00 385024 ------w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-04 10:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-04 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 1980-01-01 05:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 1980-01-01 05:00 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-04 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2004-08-04 10:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 10:06 . 2011-09-21 16:32 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 07:37 . 2009-03-31 05:32 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-09-30 17:27 194848 ----a-w- c:\program files\Yontoo Layers Runtime\YontooIEClient.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-20 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"pdfFactory Pro Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2008-10-23 573440]
"PC Meter Connect"="c:\program files\Pitney Bowes\PC Meter Connect\mailstationAssistant.exe" [2010-10-20 3514368]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2009-08-19 3618104]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Karen's Once-A-Day II.lnk - c:\program files\Karen's Power Tools\Once-A-Day II\PTOAD.exe [N/A]
Microsoft Office 2000.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
SmartCapture.lnk - c:\windows\Seiko\slpcap.exe [2006-1-11 49152]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Premier\\dbeng9.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:RealVNC1
"5900:UDP"= 5900:UDP:RealVNC2
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/20/2011 11:06 AM 366152]
R2 PD91Agent;PD91Agent;c:\program files\RAXCO\PerfectDisk2008\PD91Agent.exe [9/9/2008 12:49 PM 693512]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [12/20/2011 11:06 AM 22216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 DM150Drv;DM150Drv;c:\windows\SYSTEM32\DRIVERS\DM150Drv.sys [4/1/2011 11:39 AM 20600]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 5:00 AM 14336]
S3 PD91Engine;PD91Engine;c:\program files\RAXCO\PerfectDisk2008\PD91Engine.exe [9/9/2008 12:49 PM 906504]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 5:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-26 c:\windows\Tasks\Backup-MyDocs-To-MediaVault.job
- c:\batch\Backup-MyDocs-To-MediaVault.bat [2009-02-04 18:44]
.
2011-12-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
2011-12-22 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2006-01-07 19:31]
.
2011-12-22 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-04-22 19:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
Trusted Zone: wow-coupons.com\www
TCP: Interfaces\{5845778E-3C09-4A46-B100-6558F833FCD1}: NameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe
HKU-Default-Run-jB28300DmOgD28300 - c:\documents and settings\All Users\Application Data\jB28300DmOgD28300\jB28300DmOgD28300.exe
HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil10w_ActiveX.exe
Notify-NavLogon - (no file)
SafeBoot-57033004.sys
AddRemove-EpicPlay - c:\program files\EpicPlay\epicRemoval.exe
AddRemove-FinalMediaPlayer_is1 - c:\program files\FinalMediaPlayer\unins000.exe
AddRemove-{2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\Google\Google Toolbar\Component\GoogleToolbarManager_DC5D2AFB0F84E8D8.exe
AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{889DF~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-29 09:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3e,c9,47,39,a0,e9,45,45,b9,98,5b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3e,c9,47,39,a0,e9,45,45,b9,98,5b,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2708)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\system32\brss01a.exe
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Microsoft Office\Office\1033\msoffice.exe
.
**************************************************************************
.
Completion time: 2011-12-29 09:40:42 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-29 14:40
.
Pre-Run: 3,077,844,992 bytes free
Post-Run: 3,605,860,352 bytes free
.
- - End Of File - - F4C8B4C69D359CCD6E7C5BA63457C33C

Edited by LMoseley, 29 December 2011 - 10:01 AM.


#6 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts

Posted 29 December 2011 - 11:56 AM

Hi

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 LMoseley

  • Topic Starter
  • Members
  • 88 posts

Posted 29 December 2011 - 07:40 PM

I am unable to run MBAM. It downloads OK, installs OK, runs OK, updates OK, but when I do a Quick Scan, it throws a Windows BSOD at a random point in the scan. Once on item 4494, on another scan on item 16003, and again at another random point. I uninstalled MBAM and reinstalled MBAM, same result, BSOD partway into the scan.

I was able to do a Quick Scan with Microsoft Security Essentials (which I had disabled during the MBAM runs), and it reported no threats.

ESET, on the other hand, ran just fine and found a bunch of stuff:

C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\12\3fdbd04c-7113a925 a variant of Java/Exploit.Blacole.AF trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\13\16431a4d-756f5c1f Java/Exploit.CVE-2011-3544.F trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\26\593ae75a-1a0b6da2 Java/Agent.DY trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\29\3479415d-3a111399 a variant of Java/Exploit.Blacole.AF trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\52\128aa334-7a15d6d9 Java/Exploit.CVE-2011-3544.F trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\55\524a37-1cdeaaed Java/TrojanDownloader.OpenStream.NCO trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\6\539bac06-18716ab4 Java/Agent.DY trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\7\70fe0c07-6808a503 a variant of Java/Exploit.Blacole.AF trojan
C:\Documents and Settings\Staff\Desktop\Security Programs\Special\SmitfraudFix.exe multiple threats
C:\Program Files\Yontoo Layers Runtime\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP23\A0016929.dll a variant of Win32/Adware.Yontoo.B application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP23\A0016933.dll a variant of Win32/Adware.Yontoo.B application
D:\SmitfraudFix.exe multiple threats
Operating memory a variant of Win32/Adware.Yontoo.A application

#8 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts

Posted 29 December 2011 - 08:06 PM

Hi,

Yes, there have been some reported issues with the latest MBAM update - this will clear it:

Use mbam-clean, then download and reinstall the program.

Malwarebytes' Anti-Malware


NEXT


Please run the following:


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\12\3fdbd04c-7113a925 
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\13\16431a4d-756f5c1f 
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\26\593ae75a-1a0b6da2 
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\29\3479415d-3a111399 
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\52\128aa334-7a15d6d9 
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\55\524a37-1cdeaaed 
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\6\539bac06-18716ab4 
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\7\70fe0c07-6808a503 
C:\Program Files\Yontoo Layers Runtime\YontooIEClient.dll

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot omitted: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 LMoseley

LMoseley
  • Topic Starter

  • Members
  • 88 posts

Posted 30 December 2011 - 10:42 AM

OK, I used mbam-clean, then reinstalled MBAM, but it still does BSOD at a random point in the scan.

I ran ComboFix with the script you provided. ComboFix reported rootkit activity, and rebooted, then ran to completion.

COMBOFIX LOG 12/30/2011 10:30 AM:

==================


ComboFix 11-12-29.05 - Staff 12/30/2011 10:13:32.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1605 [GMT -5:00]
Running from: c:\documents and settings\Staff\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Staff\Desktop\CFScript
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\12\3fdbd04c-7113a925"
"c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\13\16431a4d-756f5c1f"
"c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\26\593ae75a-1a0b6da2"
"c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\29\3479415d-3a111399"
"c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\52\128aa334-7a15d6d9"
"c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\55\524a37-1cdeaaed"
"c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\6\539bac06-18716ab4"
"c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\7\70fe0c07-6808a503"
"c:\program files\Yontoo Layers Runtime\YontooIEClient.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Yontoo Layers Runtime\YontooIEClient.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-30 )))))))))))))))))))))))))))))))
.
.
2011-12-30 15:12 . 2011-12-30 15:12 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56E919AA-7B8D-4FCA-8262-0DB45C23B298}\offreg.dll
2011-12-30 14:40 . 2011-12-30 14:42 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-12-30 14:40 . 2011-12-30 14:40 -------- d-----w- c:\documents and settings\Staff\Application Data\Malwarebytes
2011-12-30 14:40 . 2011-12-30 14:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-30 14:40 . 2011-12-30 14:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-30 14:40 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-29 22:13 . 2011-12-29 22:13 -------- d-----w- c:\program files\ESET
2011-12-29 18:07 . 2011-11-30 07:21 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56E919AA-7B8D-4FCA-8262-0DB45C23B298}\mpengine.dll
2011-12-16 18:18 . 2011-11-30 07:21 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-15 20:53 . 2011-12-15 20:53 -------- d-----w- c:\documents and settings\Staff\Local Settings\Application Data\Temp
2011-12-15 17:39 . 2011-12-15 17:39 -------- d-----w- c:\documents and settings\Staff\Local Settings\Application Data\Solid State Networks
2011-12-15 17:37 . 2011-12-15 17:37 -------- d-----w- c:\windows\system32\Adobe
2011-12-15 17:18 . 2011-11-15 19:29 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-12-15 17:09 . 2011-12-15 17:09 -------- d-----w- c:\program files\Microsoft Security Client
2011-12-15 16:31 . 2011-12-15 16:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-12-14 14:30 . 2008-04-13 18:36 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2011-12-14 14:30 . 2008-04-13 18:36 187776 ----a-w- c:\windows\system32\dllcache\acpi.sys
2011-12-07 15:59 . 2011-12-07 15:59 -------- d-sh--w- c:\documents and settings\Staff\IECompatCache
2011-12-02 16:31 . 2011-12-02 16:31 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-14 16:12 . 2004-08-04 10:00 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-11-23 13:25 . 2004-08-04 10:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2004-08-04 10:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-04 10:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 10:00 385024 ------w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-04 10:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-04 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 1980-01-01 05:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 1980-01-01 05:00 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-04 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2004-08-04 10:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 10:06 . 2011-09-21 16:32 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 07:37 . 2009-03-31 05:32 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-20 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"pdfFactory Pro Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2008-10-23 573440]
"PC Meter Connect"="c:\program files\Pitney Bowes\PC Meter Connect\mailstationAssistant.exe" [2010-10-20 3514368]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2009-08-19 3618104]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Karen's Once-A-Day II.lnk - c:\program files\Karen's Power Tools\Once-A-Day II\PTOAD.exe [N/A]
Microsoft Office 2000.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
SmartCapture.lnk - c:\windows\Seiko\slpcap.exe [2006-1-11 49152]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Premier\\dbeng9.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:RealVNC1
"5900:UDP"= 5900:UDP:RealVNC2
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 PD91Agent;PD91Agent;c:\program files\RAXCO\PerfectDisk2008\PD91Agent.exe [9/9/2008 12:49 PM 693512]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 DM150Drv;DM150Drv;c:\windows\SYSTEM32\DRIVERS\DM150Drv.sys [4/1/2011 11:39 AM 20600]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [12/30/2011 9:40 AM 40776]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 5:00 AM 14336]
S3 PD91Engine;PD91Engine;c:\program files\RAXCO\PerfectDisk2008\PD91Engine.exe [9/9/2008 12:49 PM 906504]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 5:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-26 c:\windows\Tasks\Backup-MyDocs-To-MediaVault.job
- c:\batch\Backup-MyDocs-To-MediaVault.bat [2009-02-04 18:44]
.
2011-12-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
2011-12-22 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2006-01-07 19:31]
.
2011-12-22 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-04-22 19:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
Trusted Zone: wow-coupons.com\www
TCP: Interfaces\{5845778E-3C09-4A46-B100-6558F833FCD1}: NameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - c:\program files\Yontoo Layers Runtime\YontooIEClient.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-30 10:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3e,c9,47,39,a0,e9,45,45,b9,98,5b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3e,c9,47,39,a0,e9,45,45,b9,98,5b,\
.
Completion time: 2011-12-30 10:30:56
ComboFix-quarantined-files.txt 2011-12-30 15:30
ComboFix2.txt 2011-12-29 14:40
.
Pre-Run: 3,310,596,096 bytes free
Post-Run: 3,314,143,232 bytes free
.
- - End Of File - - 87A3948B455CEBF31C2A8569143F52A0

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 30 December 2011 - 11:03 AM

Hi

Please run the following:


Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)



#11 LMoseley

LMoseley
  • Topic Starter

  • Members
  • 88 posts

Posted 30 December 2011 - 12:39 PM

TDSSKiller Log:


12:36:29.0078 2900 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
12:36:29.0468 2900 ============================================================
12:36:29.0468 2900 Current date / time: 2011/12/30 12:36:29.0468
12:36:29.0468 2900 SystemInfo:
12:36:29.0468 2900
12:36:29.0468 2900 OS Version: 5.1.2600 ServicePack: 3.0
12:36:29.0468 2900 Product type: Workstation
12:36:29.0468 2900 ComputerName: RISK-68
12:36:29.0468 2900 UserName: Staff
12:36:29.0468 2900 Windows directory: C:\WINDOWS
12:36:29.0468 2900 System windows directory: C:\WINDOWS
12:36:29.0468 2900 Processor architecture: Intel x86
12:36:29.0468 2900 Number of processors: 2
12:36:29.0468 2900 Page size: 0x1000
12:36:29.0468 2900 Boot type: Normal boot
12:36:29.0468 2900 ============================================================
12:36:29.0734 2900 Initialize success
12:36:32.0437 3584 ============================================================
12:36:32.0437 3584 Scan started
12:36:32.0437 3584 Mode: Manual;
12:36:32.0453 3584 ============================================================
12:36:32.0906 3584 Abiosdsk - ok
12:36:32.0968 3584 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
12:36:32.0968 3584 abp480n5 - ok
12:36:33.0031 3584 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
12:36:33.0031 3584 ACPI - ok
12:36:33.0078 3584 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
12:36:33.0078 3584 ACPIEC - ok
12:36:33.0125 3584 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
12:36:33.0125 3584 adpu160m - ok
12:36:33.0171 3584 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
12:36:33.0171 3584 aec - ok
12:36:33.0218 3584 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
12:36:33.0218 3584 AFD - ok
12:36:33.0265 3584 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\WINDOWS\system32\drivers\AFS2K.sys
12:36:33.0265 3584 AFS2K - ok
12:36:33.0312 3584 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
12:36:33.0312 3584 agp440 - ok
12:36:33.0375 3584 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
12:36:33.0375 3584 agpCPQ - ok
12:36:33.0406 3584 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
12:36:33.0406 3584 Aha154x - ok
12:36:33.0453 3584 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
12:36:33.0453 3584 aic78u2 - ok
12:36:33.0484 3584 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
12:36:33.0484 3584 aic78xx - ok
12:36:33.0515 3584 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
12:36:33.0515 3584 AliIde - ok
12:36:33.0546 3584 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
12:36:33.0546 3584 alim1541 - ok
12:36:33.0562 3584 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
12:36:33.0562 3584 amdagp - ok
12:36:33.0578 3584 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
12:36:33.0578 3584 amsint - ok
12:36:33.0609 3584 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
12:36:33.0609 3584 asc - ok
12:36:33.0625 3584 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
12:36:33.0625 3584 asc3350p - ok
12:36:33.0640 3584 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
12:36:33.0640 3584 asc3550 - ok
12:36:33.0687 3584 Aspi32 (ed8cee58c1e4c5893f5b2fd686a272bf) C:\WINDOWS\system32\drivers\Aspi32.sys
12:36:33.0687 3584 Aspi32 - ok
12:36:33.0718 3584 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
12:36:33.0718 3584 AsyncMac - ok
12:36:33.0765 3584 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
12:36:33.0765 3584 atapi - ok
12:36:33.0796 3584 Atdisk - ok
12:36:33.0843 3584 ati2mtag (f0d0b0cdec0be32d775f404cac2604bf) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
12:36:33.0843 3584 ati2mtag - ok
12:36:33.0890 3584 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
12:36:33.0890 3584 Atmarpc - ok
12:36:33.0906 3584 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
12:36:33.0906 3584 audstub - ok
12:36:33.0937 3584 b57w2k (4826fcf97c47b361a2e2f68cd487a19e) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
12:36:33.0937 3584 b57w2k - ok
12:36:33.0953 3584 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
12:36:33.0953 3584 Beep - ok
12:36:33.0984 3584 BrPar - ok
12:36:34.0046 3584 catchme - ok
12:36:34.0171 3584 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
12:36:34.0171 3584 cbidf - ok
12:36:34.0187 3584 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
12:36:34.0187 3584 cbidf2k - ok
12:36:34.0234 3584 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
12:36:34.0234 3584 cd20xrnt - ok
12:36:34.0250 3584 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
12:36:34.0250 3584 Cdaudio - ok
12:36:34.0296 3584 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
12:36:34.0296 3584 Cdfs - ok
12:36:34.0328 3584 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
12:36:34.0328 3584 Cdrom - ok
12:36:34.0343 3584 Changer - ok
12:36:34.0390 3584 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
12:36:34.0390 3584 CmdIde - ok
12:36:34.0406 3584 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
12:36:34.0406 3584 Cpqarray - ok
12:36:34.0437 3584 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
12:36:34.0437 3584 dac2w2k - ok
12:36:34.0453 3584 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
12:36:34.0453 3584 dac960nt - ok
12:36:34.0500 3584 DefragFS (e08557f41650b505571d50c9247a1e03) C:\WINDOWS\system32\drivers\DefragFS.sys
12:36:34.0500 3584 DefragFS - ok
12:36:34.0531 3584 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
12:36:34.0531 3584 Disk - ok
12:36:34.0562 3584 DM150Drv (c1e8f827343c65957f76487677711dfa) C:\WINDOWS\system32\DRIVERS\DM150Drv.sys
12:36:34.0562 3584 DM150Drv - ok
12:36:34.0625 3584 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
12:36:34.0625 3584 dmboot - ok
12:36:34.0656 3584 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
12:36:34.0656 3584 dmio - ok
12:36:34.0671 3584 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
12:36:34.0671 3584 dmload - ok
12:36:34.0703 3584 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
12:36:34.0703 3584 DMusic - ok
12:36:34.0734 3584 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
12:36:34.0734 3584 dpti2o - ok
12:36:34.0781 3584 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
12:36:34.0781 3584 drmkaud - ok
12:36:34.0812 3584 drvmcdb (e814854e6b246ccf498874839ab64d77) C:\WINDOWS\system32\drivers\drvmcdb.sys
12:36:34.0812 3584 drvmcdb - ok
12:36:34.0843 3584 drvnddm (ee83a4ebae70bc93cf14879d062f548b) C:\WINDOWS\system32\drivers\drvnddm.sys
12:36:34.0843 3584 drvnddm - ok
12:36:34.0953 3584 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
12:36:34.0953 3584 DSproct - ok
12:36:35.0078 3584 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
12:36:35.0078 3584 dsunidrv - ok
12:36:35.0109 3584 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
12:36:35.0109 3584 E100B - ok
12:36:35.0250 3584 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
12:36:35.0265 3584 Fastfat - ok
12:36:35.0281 3584 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
12:36:35.0296 3584 Fdc - ok
12:36:35.0406 3584 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
12:36:35.0406 3584 Fips - ok
12:36:35.0437 3584 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
12:36:35.0437 3584 Flpydisk - ok
12:36:35.0468 3584 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
12:36:35.0468 3584 FltMgr - ok
12:36:35.0500 3584 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
12:36:35.0500 3584 Fs_Rec - ok
12:36:35.0531 3584 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
12:36:35.0531 3584 Ftdisk - ok
12:36:35.0562 3584 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
12:36:35.0562 3584 Gpc - ok
12:36:35.0593 3584 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
12:36:35.0593 3584 HidUsb - ok
12:36:35.0640 3584 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
12:36:35.0640 3584 hpn - ok
12:36:35.0671 3584 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
12:36:35.0671 3584 HTTP - ok
12:36:35.0703 3584 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
12:36:35.0703 3584 i2omgmt - ok
12:36:35.0718 3584 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
12:36:35.0718 3584 i2omp - ok
12:36:35.0750 3584 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
12:36:35.0750 3584 i8042prt - ok
12:36:35.0796 3584 iaStor (f26bfd48b1c314e0f23bf77acfa75940) C:\WINDOWS\system32\drivers\iaStor.sys
12:36:35.0796 3584 iaStor - ok
12:36:35.0828 3584 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
12:36:35.0828 3584 Imapi - ok
12:36:35.0843 3584 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
12:36:35.0843 3584 ini910u - ok
12:36:35.0875 3584 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
12:36:35.0875 3584 IntelIde - ok
12:36:35.0906 3584 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
12:36:35.0906 3584 intelppm - ok
12:36:35.0937 3584 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
12:36:35.0937 3584 Ip6Fw - ok
12:36:35.0953 3584 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
12:36:35.0968 3584 IpFilterDriver - ok
12:36:35.0984 3584 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
12:36:36.0000 3584 IpInIp - ok
12:36:36.0015 3584 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
12:36:36.0015 3584 IpNat - ok
12:36:36.0046 3584 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
12:36:36.0046 3584 IPSec - ok
12:36:36.0062 3584 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
12:36:36.0078 3584 IRENUM - ok
12:36:36.0093 3584 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
12:36:36.0093 3584 isapnp - ok
12:36:36.0125 3584 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
12:36:36.0125 3584 Kbdclass - ok
12:36:36.0156 3584 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
12:36:36.0156 3584 kmixer - ok
12:36:36.0187 3584 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
12:36:36.0187 3584 KSecDD - ok
12:36:36.0218 3584 lbrtfdc - ok
12:36:36.0250 3584 MBAMSwissArmy (0db7527db188c7d967a37bb51bbf3963) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
12:36:36.0250 3584 MBAMSwissArmy - ok
12:36:36.0281 3584 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
12:36:36.0281 3584 mnmdd - ok
12:36:36.0328 3584 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
12:36:36.0328 3584 Modem - ok
12:36:36.0343 3584 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
12:36:36.0343 3584 Mouclass - ok
12:36:36.0375 3584 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
12:36:36.0375 3584 mouhid - ok
12:36:36.0406 3584 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
12:36:36.0406 3584 MountMgr - ok
12:36:36.0437 3584 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
12:36:36.0437 3584 MpFilter - ok
12:36:36.0468 3584 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
12:36:36.0468 3584 mraid35x - ok
12:36:36.0500 3584 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
12:36:36.0500 3584 MRxDAV - ok
12:36:36.0546 3584 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
12:36:36.0562 3584 MRxSmb - ok
12:36:36.0593 3584 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
12:36:36.0593 3584 Msfs - ok
12:36:36.0625 3584 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
12:36:36.0625 3584 MSKSSRV - ok
12:36:36.0656 3584 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
12:36:36.0656 3584 MSPCLOCK - ok
12:36:36.0671 3584 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
12:36:36.0671 3584 MSPQM - ok
12:36:36.0703 3584 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
12:36:36.0703 3584 mssmbios - ok
12:36:36.0750 3584 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
12:36:36.0750 3584 Mup - ok
12:36:36.0765 3584 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
12:36:36.0765 3584 NDIS - ok
12:36:36.0812 3584 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
12:36:36.0812 3584 NdisTapi - ok
12:36:36.0843 3584 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
12:36:36.0843 3584 Ndisuio - ok
12:36:36.0875 3584 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
12:36:36.0875 3584 NdisWan - ok
12:36:36.0906 3584 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
12:36:36.0906 3584 NDProxy - ok
12:36:36.0953 3584 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
12:36:36.0953 3584 NetBIOS - ok
12:36:36.0968 3584 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
12:36:36.0968 3584 NetBT - ok
12:36:37.0015 3584 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
12:36:37.0015 3584 Npfs - ok
12:36:37.0046 3584 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
12:36:37.0046 3584 Ntfs - ok
12:36:37.0078 3584 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
12:36:37.0078 3584 Null - ok
12:36:37.0156 3584 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
12:36:37.0171 3584 nv - ok
12:36:37.0187 3584 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
12:36:37.0187 3584 NwlnkFlt - ok
12:36:37.0218 3584 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
12:36:37.0218 3584 NwlnkFwd - ok
12:36:40.0109 3584 ============================================================
12:36:40.0109 3584 Scan finished
12:36:40.0109 3584 ============================================================
12:36:40.0125 1852 Detected object count: 0
12:36:40.0125 1852 Actual detected object count: 0
12:37:03.0703 1284 Deinitialize success

#12 CatByte

  • bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 30 December 2011 - 01:49 PM

>>>I ran ComboFix with the script you provided. ComboFix reported rootkit activity, and rebooted, then ran to completion.

Do you recall what the message was about rootkit activity?

What symptoms are you still experiencing?

Please run the following:


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 LMoseley

  • Topic Starter
  • Members
  • 88 posts

Posted 30 December 2011 - 05:16 PM

>>>do you recall what the message was about rootkit activity?

No, sorry, I am 30 miles away from the actual computer and was accessing it via RealVNC. When Combofix gave that error, the remote window locked up. I had one of the admins check on the computer, and that was all she saw before she allowed Combofix to reboot.

>>>What symptoms are you still experiencing?

No specific symptoms at this time (other than the inability to run MBAM), but the nasties have regrown on this machine before.

>>>Download GMER Rootkit Scanner...

OK. For whatever reason, GMER takes about 6 hours to run on this machine, so it will be a while...

Edited by LMoseley, 30 December 2011 - 05:42 PM.


#14 LMoseley

  • Topic Starter
  • Members
  • 88 posts

Posted 31 December 2011 - 12:07 AM

Latest GMER log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-31 00:05:57
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST380013 rev.8.12
Running: 1705y8xn.exe; Driver: C:\DOCUME~1\Staff\LOCALS~1\Temp\kfldrpoc.sys

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB90F7F80]

---- Devices - GMER 1.0.15 ----

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device A225CD20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)
Device tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

#15 CatByte

  • bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 31 December 2011 - 12:31 AM

Hi,

That log looks good.

Please do the following:

Your Java is out of date.
Java™ 6 Update 29 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; > follow the prompts.


Clear Java cache

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache - leave BOTH checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on the Delete Temporary Files window.
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files window.
  • Click OK to leave the Java Control Panel.


NEXT

Please post a fresh DDS Log and advise if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




