
Rootkit Infection from Windows XP Security 2012 Virus


  • This topic is locked
24 replies to this topic

#1 andcuriouser

andcuriouser

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:56 AM

Posted 19 February 2012 - 12:55 PM

Picked up a Windows Security 2012 virus and went through the steps to remove that. Malwarebytes continued to show that there was a virus, and it turns out that there's a rootkit infection. A pop-up bubble keeps showing from Malwarebytes saying that it's blocking an outgoing connection, with an IP listed, always different numbers.

Here are the contents of the DDS.txt log:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_24
Run by Owner at 12:15:50 on 2012-02-19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.494 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\HPSIsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wbem\wmiapsrv.exe
\\.\globalroot\SystemRoot\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
mWinlogon: UIHost=c:\windows\system32\logonui.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DMHotKey] c:\program files\samsung\easy display manager\DMLoader.exe
mRun: [BatteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [EDS] c:\program files\samsung\samsung eds\EDSAgent.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{9506A73F-8C78-407A-90B8-1923FAA5B749} : DhcpNameServer = 192.168.2.1
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\tcjvcrq5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 63717
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2008-10-28 4300]
R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [2010-8-10 99896]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-5-3 652360]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2011-2-11 35088]
R2 SNM WLAN Service;SNM WLAN Service;c:\program files\samsung\samsung network manager\SNMWLANService.exe [2006-10-30 36864]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2008-1-14 30208]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-5-3 20464]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2008-10-28 238464]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S2 efAuditorService.exe;eFilm Audit Service;"c:\program files\merge efilm\efilm\auditor\efauditorservice.exe" --> c:\program files\merge efilm\efilm\auditor\efAuditorService.exe [?]
S2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2010-8-3 104000]
S2 ndasscsi;JiaoIO;c:\windows\system32\svchost.exe -k netsvcs [2008-10-28 14336]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2009-9-10 28672]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-8-25 7680]
S3 SlsService;SlsService;"c:\program files\merge efilm\efilm\slsservice.exe" --> c:\program files\merge efilm\efilm\SlsService.exe [?]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2009-8-25 110080]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [2009-8-25 104960]
.
=============== Created Last 30 ================
.
2012-02-19 17:11:25 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f84d26b6-c61e-4a86-8946-b00e288b0e60}\offreg.dll
2012-02-19 09:18:33 -------- d-----w- c:\program files\WinPcap
2012-02-19 05:07:10 6557240 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f84d26b6-c61e-4a86-8946-b00e288b0e60}\mpengine.dll
2012-02-19 05:07:03 87176 ----a-w- c:\windows\system32\x5vVb8.com
2012-02-19 04:55:48 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-02-19 04:55:48 -------- d-----w- c:\windows\system32\wbem\Repository
2012-02-19 04:55:26 -------- d-----w- c:\documents and settings\owner\application data\Antivirus Protection
2012-02-19 04:26:01 87176 ----a-w- c:\windows\system32\x5vVb8.com_
2012-02-17 22:21:11 -------- d-----w- C:\2d2a41a99847aed6f5aa7f24aeb2
2012-02-17 17:02:29 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-14 18:02:02 19416 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll
2012-02-14 18:02:01 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2012-02-14 18:02:01 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2012-02-14 18:02:01 125912 ----a-w- c:\program files\mozilla firefox\crashreporter.exe
2012-01-28 05:39:13 -------- d-----w- c:\program files\iPod
2012-01-28 05:38:48 -------- d-----w- c:\program files\iTunes
.
==================== Find3M ====================
.
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 12:16:59.73 ===============


Thank you so much for your help!


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:56 AM

Posted 19 February 2012 - 06:14 PM

Hi,

Please do the following:


Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    %systemroot%\*. /rp /s
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs



NEXT




Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
  • click OK
  • Press Start Scan
    • As we are only looking for a log of what is on the machine right now > choose to skip whatever is found
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Edited by CatByte, 19 February 2012 - 07:41 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
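CatByte's request above (the netsvcs listing, MD5s of the core binaries, a TDLFS scan) is the manual form of a triage pass over the DDS log in the first post. That log already carries the indicators that matter here: a svchost.exe launched through a \\.\globalroot\ path, Firefox prefs pointing at a loopback proxy on a high port, a service (ndasscsi) whose image is svchost -k netsvcs, and a freshly created .com in system32. As an added example that is not from this thread or from the BleepingComputer tools, the Python script below pulls those patterns out of DDS-style output, plus one OTL-style IE ProxyServer line constructed to show the same check for Internet Explorer. The sample log is constructed from the lines above, and the regexes and thresholds are this example's own heuristics, not anything DDS or OTL ships.

```python
"""Triage DDS/OTL-style log lines for the indicators discussed in this thread.

Added example, not part of the thread. The regexes are heuristics written for
this page; the sample log is constructed to mirror the posted DDS output.
"""
import re

# Constructed sample. The "IE - ..." line uses OTL's format rather than DDS's, so
# that the Internet Explorer proxy check has something to match.
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
\\.\globalroot\SystemRoot\system32\svchost.exe -k netsvcs
============== Pseudo HJT Report ===============
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171
================= FIREFOX ===================
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 63717
FF - prefs.js: network.proxy.type - 0
============= SERVICES / DRIVERS ===============
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-5-3 652360]
S2 ndasscsi;JiaoIO;c:\windows\system32\svchost.exe -k netsvcs [2008-10-28 14336]
=============== Created Last 30 ================
2012-02-19 09:18:33 -------- d-----w- c:\program files\WinPcap
2012-02-19 05:07:03 87176 ----a-w- c:\windows\system32\x5vVb8.com
2012-02-19 04:26:01 87176 ----a-w- c:\windows\system32\x5vVb8.com_
2012-02-14 18:02:02 19416 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll
"""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# A process image reached through \\.\globalroot\ or \\?\globalroot\ instead of a
# drive letter. Ordinary software does not start this way; TDSS-era rootkits did.
GLOBALROOT_RE = re.compile(r"^\\\\[.?]\\globalroot\\", re.IGNORECASE)
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")
IE_PROXY_RE = re.compile(r'^IE - ([^:]+): "ProxyServer" = (.*)$')
# DDS service line: R?/S? <name>;<display>;<path> [date size]
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)(?: \[.*)?$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} +(\d+) (\S+) (.*)$")
SYSTEM32_EXEC_RE = re.compile(r"^c:\\windows\\system32\\[^\\]+\.(?:exe|com|dll|sys)_?$", re.IGNORECASE)


def proxy_hosts(proxy_server_value):
    """Hosts from an IE ProxyServer value such as 'http=localhost:7171;https=10.0.0.5:8080'."""
    hosts = []
    for entry in proxy_server_value.split(";"):
        entry = entry.split("=", 1)[-1].strip()   # drop a 'http=' scheme prefix if present
        if entry:
            hosts.append(entry.rsplit(":", 1)[0])  # drop the port
    return hosts


def triage(log_text):
    """Map each indicator category to the log lines (or summaries) that triggered it."""
    findings = {"globalroot_process": [], "loopback_proxy": [],
                "netsvcs_hosted_service": [], "new_system32_executable": []}
    ff_prefs = {}
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if GLOBALROOT_RE.match(line):
            findings["globalroot_process"].append(line)
            continue
        m = FF_PREF_RE.match(line)
        if m:
            ff_prefs[m.group(1)] = m.group(2).strip()
            continue
        m = IE_PROXY_RE.match(line)
        if m and any(h in LOOPBACK_HOSTS for h in proxy_hosts(m.group(2))):
            findings["loopback_proxy"].append(f"IE {m.group(1)} ProxyServer={m.group(2)}")
            continue
        m = SERVICE_RE.match(line)
        if m and re.search(r"svchost\.exe -k netsvcs", m.group("path"), re.IGNORECASE):
            # Confirm against the netsvcs value under
            # HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost and the
            # service's Parameters\ServiceDll before acting on it.
            findings["netsvcs_hosted_service"].append(
                f"{m.group('name')} ({m.group('display')}) -> {m.group('path')}")
            continue
        m = CREATED_RE.match(line)
        if m and SYSTEM32_EXEC_RE.match(m.group(3)):
            findings["new_system32_executable"].append(m.group(3))
    host = ff_prefs.get("network.proxy.http", "")
    if host in LOOPBACK_HOSTS:
        # network.proxy.type 1 = manual proxy in use; 0 = direct, so the entry is
        # configured but idle. Either way it should be explained or removed.
        ptype = ff_prefs.get("network.proxy.type", "?")
        state = "active" if ptype == "1" else f"inactive (network.proxy.type={ptype})"
        port = ff_prefs.get("network.proxy.http_port", "?")
        findings["loopback_proxy"].append(f"Firefox http proxy {host}:{port} {state}")
    return findings


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_DDS).items():
        for hit in hits:
            print(f"[{category}] {hit}")
```

Two caveats before acting on its output. A loopback proxy is not proof of malware on its own: some web-filtering and parental-control products install exactly that, so check what actually listens on the port (netstat -ano on the box) before removing it. And a service hosted in svchost -k netsvcs is only suspicious once it fails the registry check in the comment above; the point of the netsvcs line in CatByte's OTL scan is to get that list so the comparison can be made.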


#3 andcuriouser

andcuriouser
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:56 AM

Posted 19 February 2012 - 07:45 PM

Thanks for the quick reply!

I've attached the results of the OTL scan, as they were too long to post.


I ran the TDSSKiller as instructed, and it finishes in seconds with "No Threats Found". There's no prompt to reboot or anything like that. /:

Here is the log anyway:
19:33:24.0265 2732 TDSS rootkit removing tool 2.7.13.0 Feb 15 2012 19:33:14
19:33:25.0937 2732 ============================================================
19:33:25.0937 2732 Current date / time: 2012/02/19 19:33:25.0937
19:33:25.0953 2732 SystemInfo:
19:33:25.0953 2732
19:33:25.0953 2732 OS Version: 5.1.2600 ServicePack: 3.0
19:33:25.0953 2732 Product type: Workstation
19:33:25.0953 2732 ComputerName: SAMSUNGNC
19:33:25.0953 2732 UserName: Owner
19:33:25.0953 2732 Windows directory: C:\WINDOWS
19:33:25.0953 2732 System windows directory: C:\WINDOWS
19:33:25.0953 2732 Processor architecture: Intel x86
19:33:25.0953 2732 Number of processors: 2
19:33:25.0953 2732 Page size: 0x1000
19:33:25.0953 2732 Boot type: Normal boot
19:33:25.0953 2732 ============================================================
19:33:39.0421 2732 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
19:33:39.0859 2732 \Device\Harddisk0\DR0:
19:33:40.0125 2732 MBR used
19:33:40.0125 2732 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0xC02F10, BlocksNum 0x8E168F0
19:33:40.0125 2732 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x9A19800, BlocksNum 0x8FFF800
19:33:40.0281 2732 Initialize success
19:33:40.0281 2732 ============================================================
19:34:44.0468 2704 ============================================================
19:34:44.0468 2704 Scan started
19:34:44.0468 2704 Mode: Manual; TDLFS;
19:34:44.0468 2704 ============================================================
19:34:45.0656 2704 Abiosdsk - ok
19:34:45.0656 2704 abp480n5 - ok
19:34:45.0687 2704 ACPI - ok
19:34:45.0703 2704 ACPIEC - ok
19:34:45.0734 2704 adpu160m - ok
19:34:45.0765 2704 aec - ok
19:34:45.0796 2704 AFD - ok
19:34:45.0812 2704 Aha154x - ok
19:34:45.0875 2704 aic78u2 - ok
19:34:45.0890 2704 aic78xx - ok
19:34:45.0921 2704 AliIde - ok
19:34:45.0937 2704 amsint - ok
19:34:45.0968 2704 AR5416 - ok
19:34:46.0031 2704 asc - ok
19:34:46.0062 2704 asc3350p - ok
19:34:46.0093 2704 asc3550 - ok
19:34:46.0171 2704 AsyncMac - ok
19:34:46.0187 2704 atapi - ok
19:34:46.0203 2704 Atdisk - ok
19:34:46.0218 2704 Atmarpc - ok
19:34:46.0250 2704 audstub - ok
19:34:46.0281 2704 Beep - ok
19:34:46.0328 2704 btaudio - ok
19:34:46.0343 2704 BTDriver - ok
19:34:46.0359 2704 BTKRNL - ok
19:34:46.0406 2704 BTWDNDIS - ok
19:34:46.0421 2704 BTWUSB - ok
19:34:46.0437 2704 cbidf2k - ok
19:34:46.0453 2704 CCDECODE - ok
19:34:46.0468 2704 cd20xrnt - ok
19:34:46.0484 2704 Cdaudio - ok
19:34:46.0515 2704 Cdfs - ok
19:34:46.0531 2704 Cdrom - ok
19:34:46.0546 2704 Changer - ok
19:34:46.0593 2704 CmBatt - ok
19:34:46.0625 2704 CmdIde - ok
19:34:46.0640 2704 Compbatt - ok
19:34:46.0687 2704 Cpqarray - ok
19:34:46.0718 2704 dac2w2k - ok
19:34:46.0734 2704 dac960nt - ok
19:34:46.0781 2704 Disk - ok
19:34:46.0812 2704 dmboot - ok
19:34:46.0828 2704 dmio - ok
19:34:46.0843 2704 dmload - ok
19:34:46.0875 2704 DMusic - ok
19:34:46.0921 2704 DNSeFilter - ok
19:34:46.0937 2704 DOSMEMIO - ok
19:34:46.0968 2704 dpti2o - ok
19:34:46.0984 2704 drmkaud - ok
19:34:47.0031 2704 Fastfat - ok
19:34:47.0062 2704 Fdc - ok
19:34:47.0093 2704 Fips - ok
19:34:47.0109 2704 Flpydisk - ok
19:34:47.0125 2704 FltMgr - ok
19:34:47.0156 2704 Fs_Rec - ok
19:34:47.0171 2704 Ftdisk - ok
19:34:47.0203 2704 GEARAspiWDM - ok
19:34:47.0234 2704 Gpc - ok
19:34:47.0250 2704 HDAudBus - ok
19:34:47.0312 2704 HidUsb - ok
19:34:47.0343 2704 hpn - ok
19:34:47.0375 2704 HTTP - ok
19:34:47.0406 2704 i2omgmt - ok
19:34:47.0421 2704 i2omp - ok
19:34:47.0437 2704 i8042prt - ok
19:34:47.0484 2704 ialm - ok
19:34:47.0500 2704 Imapi - ok
19:34:47.0562 2704 ini910u - ok
19:34:47.0593 2704 IntcAzAudAddService - ok
19:34:47.0609 2704 IntelIde - ok
19:34:47.0640 2704 intelppm - ok
19:34:47.0656 2704 Ip6Fw - ok
19:34:47.0671 2704 IpFilterDriver - ok
19:34:47.0687 2704 IpInIp - ok
19:34:47.0703 2704 IpNat - ok
19:34:47.0734 2704 IPSec - ok
19:34:47.0765 2704 IRENUM - ok
19:34:47.0781 2704 isapnp - ok
19:34:47.0812 2704 Kbdclass - ok
19:34:47.0828 2704 kbdhid - ok
19:34:47.0859 2704 kmixer - ok
19:34:47.0890 2704 KSecDD - ok
19:34:47.0921 2704 lbrtfdc - ok
19:34:47.0953 2704 libusb0 - ok
19:34:48.0015 2704 lmimirr - ok
19:34:48.0015 2704 massfilter - ok
19:34:48.0031 2704 MBAMProtector - ok
19:34:48.0109 2704 mferkdk - ok
19:34:48.0125 2704 mnmdd - ok
19:34:48.0171 2704 Modem - ok
19:34:48.0187 2704 Mouclass - ok
19:34:48.0218 2704 mouhid - ok
19:34:48.0250 2704 MountMgr - ok
19:34:48.0250 2704 MpFilter - ok
19:34:48.0265 2704 MpKslfbf4ff51 - ok
19:34:48.0296 2704 mraid35x - ok
19:34:48.0312 2704 MRxDAV - ok
19:34:48.0343 2704 MRxSmb - ok
19:34:48.0390 2704 Msfs - ok
19:34:48.0421 2704 MSKSSRV - ok
19:34:48.0437 2704 MSPCLOCK - ok
19:34:48.0468 2704 MSPQM - ok
19:34:48.0484 2704 mssmbios - ok
19:34:48.0515 2704 MSTEE - ok
19:34:48.0546 2704 Mup - ok
19:34:48.0562 2704 NABTSFEC - ok
19:34:48.0609 2704 NDIS - ok
19:34:48.0625 2704 NdisIP - ok
19:34:48.0625 2704 NdisTapi - ok
19:34:48.0656 2704 Ndisuio - ok
19:34:48.0656 2704 NdisWan - ok
19:34:48.0687 2704 NDProxy - ok
19:34:48.0687 2704 NetBIOS - ok
19:34:48.0703 2704 NetBT - ok
19:34:48.0781 2704 npf - ok
19:34:48.0796 2704 Npfs - ok
19:34:48.0812 2704 Ntfs - ok
19:34:48.0843 2704 Null - ok
19:34:48.0859 2704 NwlnkFlt - ok
19:34:48.0890 2704 NwlnkFwd - ok
19:34:48.0921 2704 Parport - ok
19:34:48.0937 2704 PartMgr - ok
19:34:48.0968 2704 ParVdm - ok
19:34:48.0984 2704 PCI - ok
19:34:49.0000 2704 PCIDump - ok
19:34:49.0015 2704 PCIIde - ok
19:34:49.0031 2704 Pcmcia - ok
19:34:49.0046 2704 PDCOMP - ok
19:34:49.0062 2704 PDFRAME - ok
19:34:49.0078 2704 PDRELI - ok
19:34:49.0093 2704 PDRFRAME - ok
19:34:49.0125 2704 perc2 - ok
19:34:49.0140 2704 perc2hib - ok
19:34:49.0203 2704 Point32 - ok
19:34:49.0218 2704 PptpMiniport - ok
19:34:49.0250 2704 PSched - ok
19:34:49.0281 2704 Ptilink - ok
19:34:49.0296 2704 PxHelp20 - ok
19:34:49.0312 2704 ql1080 - ok
19:34:49.0328 2704 Ql10wnt - ok
19:34:49.0343 2704 ql12160 - ok
19:34:49.0359 2704 ql1240 - ok
19:34:49.0375 2704 ql1280 - ok
19:34:49.0390 2704 RasAcd - ok
19:34:49.0421 2704 Rasl2tp - ok
19:34:49.0453 2704 RasPppoe - ok
19:34:49.0484 2704 Raspti - ok
19:34:49.0500 2704 Rdbss - ok
19:34:49.0515 2704 RDPCDD - ok
19:34:49.0562 2704 RDPWD - ok
19:34:49.0578 2704 redbook - ok
19:34:49.0609 2704 RimUsb - ok
19:34:49.0625 2704 RimVSerPort - ok
19:34:49.0640 2704 ROOTMODEM - ok
19:34:49.0750 2704 Secdrv - ok
19:34:49.0812 2704 Serial - ok
19:34:49.0859 2704 Sfloppy - ok
19:34:49.0875 2704 Simbad - ok
19:34:49.0906 2704 SLIP - ok
19:34:49.0937 2704 Sparrow - ok
19:34:49.0953 2704 splitter - ok
19:34:49.0984 2704 sr - ok
19:34:50.0000 2704 Srv - ok
19:34:50.0031 2704 streamip - ok
19:34:50.0046 2704 swenum - ok
19:34:50.0062 2704 swmidi - ok
19:34:50.0093 2704 symc810 - ok
19:34:50.0109 2704 symc8xx - ok
19:34:50.0125 2704 sym_hi - ok
19:34:50.0156 2704 sym_u3 - ok
19:34:50.0171 2704 SynTP - ok
19:34:50.0203 2704 sysaudio - ok
19:34:50.0234 2704 Tcpip - ok
19:34:50.0250 2704 TDPIPE - ok
19:34:50.0265 2704 TDTCP - ok
19:34:50.0281 2704 TermDD - ok
19:34:50.0312 2704 TosIde - ok
19:34:50.0343 2704 Udfs - ok
19:34:50.0359 2704 ultra - ok
19:34:50.0375 2704 Update - ok
19:34:50.0406 2704 USBAAPL - ok
19:34:50.0421 2704 usbccgp - ok
19:34:50.0437 2704 usbehci - ok
19:34:50.0453 2704 usbhub - ok
19:34:50.0468 2704 usbprint - ok
19:34:50.0562 2704 usbscan - ok
19:34:50.0562 2704 USBSTOR - ok
19:34:50.0578 2704 usbuhci - ok
19:34:50.0625 2704 usbvideo - ok
19:34:50.0640 2704 VgaSave - ok
19:34:50.0656 2704 ViaIde - ok
19:34:50.0687 2704 VMC326 - ok
19:34:50.0687 2704 VolSnap - ok
19:34:50.0734 2704 Wanarp - ok
19:34:50.0750 2704 Wdf01000 - ok
19:34:50.0765 2704 WDICA - ok
19:34:50.0781 2704 wdmaud - ok
19:34:50.0890 2704 WSTCODEC - ok
19:34:50.0906 2704 WudfPf - ok
19:34:50.0921 2704 WudfRd - ok
19:34:50.0953 2704 yukonwxp - ok
19:34:50.0968 2704 ZTEusbmdm6k - ok
19:34:51.0015 2704 ZTEusbnet - ok
19:34:51.0046 2704 ZTEusbnmea - ok
19:34:51.0062 2704 ZTEusbser6k - ok
19:34:51.0078 2704 ZTEusbvoice - ok
19:34:51.0187 2704 MBR (0x1B8) (a0a345f7ab6f3bac008fb0de602e66cd) \Device\Harddisk0\DR0
19:34:52.0078 2704 \Device\Harddisk0\DR0 - ok
19:34:52.0109 2704 Boot (0x1200) (c3fb5943198e355751a1c5f7ab071f19) \Device\Harddisk0\DR0\Partition0
19:34:52.0125 2704 \Device\Harddisk0\DR0\Partition0 - ok
19:34:52.0156 2704 Boot (0x1200) (fdeabab6ff5dd1e724573e23773fe6f6) \Device\Harddisk0\DR0\Partition1
19:34:52.0156 2704 \Device\Harddisk0\DR0\Partition1 - ok
19:34:52.0171 2704 ============================================================
19:34:52.0171 2704 Scan finished
19:34:52.0171 2704 ============================================================
19:34:52.0203 0596 Detected object count: 0
19:34:52.0203 0596 Actual detected object count: 0
19:39:48.0281 1556 ============================================================
19:39:48.0281 1556 Scan started
19:39:48.0281 1556 Mode: Manual; TDLFS;
19:39:48.0281 1556 ============================================================
19:39:48.0703 1556 Abiosdsk - ok
19:39:48.0703 1556 abp480n5 - ok
19:39:48.0718 1556 ACPI - ok
19:39:48.0734 1556 ACPIEC - ok
19:39:48.0750 1556 adpu160m - ok
19:39:48.0750 1556 aec - ok
19:39:48.0765 1556 AFD - ok
19:39:48.0781 1556 Aha154x - ok
19:39:48.0796 1556 aic78u2 - ok
19:39:48.0812 1556 aic78xx - ok
19:39:48.0843 1556 AliIde - ok
19:39:48.0859 1556 amsint - ok
19:39:48.0906 1556 AR5416 - ok
19:39:48.0937 1556 asc - ok
19:39:48.0937 1556 asc3350p - ok
19:39:48.0953 1556 asc3550 - ok
19:39:49.0015 1556 AsyncMac - ok
19:39:49.0031 1556 atapi - ok
19:39:49.0046 1556 Atdisk - ok
19:39:49.0046 1556 Atmarpc - ok
19:39:49.0078 1556 audstub - ok
19:39:49.0093 1556 Beep - ok
19:39:49.0140 1556 btaudio - ok
19:39:49.0156 1556 BTDriver - ok
19:39:49.0171 1556 BTKRNL - ok
19:39:49.0187 1556 BTWDNDIS - ok
19:39:49.0203 1556 BTWUSB - ok
19:39:49.0218 1556 cbidf2k - ok
19:39:49.0234 1556 CCDECODE - ok
19:39:49.0250 1556 cd20xrnt - ok
19:39:49.0265 1556 Cdaudio - ok
19:39:49.0281 1556 Cdfs - ok
19:39:49.0296 1556 Cdrom - ok
19:39:49.0312 1556 Changer - ok
19:39:49.0343 1556 CmBatt - ok
19:39:49.0359 1556 CmdIde - ok
19:39:49.0375 1556 Compbatt - ok
19:39:49.0406 1556 Cpqarray - ok
19:39:49.0421 1556 dac2w2k - ok
19:39:49.0437 1556 dac960nt - ok
19:39:49.0468 1556 Disk - ok
19:39:49.0484 1556 dmboot - ok
19:39:49.0500 1556 dmio - ok
19:39:49.0515 1556 dmload - ok
19:39:49.0546 1556 DMusic - ok
19:39:49.0578 1556 DNSeFilter - ok
19:39:49.0593 1556 DOSMEMIO - ok
19:39:49.0609 1556 dpti2o - ok
19:39:49.0625 1556 drmkaud - ok
19:39:49.0671 1556 Fastfat - ok
19:39:49.0687 1556 Fdc - ok
19:39:49.0718 1556 Fips - ok
19:39:49.0734 1556 Flpydisk - ok
19:39:49.0750 1556 FltMgr - ok
19:39:49.0781 1556 Fs_Rec - ok
19:39:49.0781 1556 Ftdisk - ok
19:39:49.0796 1556 GEARAspiWDM - ok
19:39:49.0828 1556 Gpc - ok
19:39:49.0843 1556 HDAudBus - ok
19:39:49.0859 1556 HidUsb - ok
19:39:49.0875 1556 hpn - ok
19:39:49.0906 1556 HTTP - ok
19:39:49.0921 1556 i2omgmt - ok
19:39:49.0921 1556 i2omp - ok
19:39:49.0937 1556 i8042prt - ok
19:39:49.0953 1556 ialm - ok
19:39:49.0968 1556 Imapi - ok
19:39:50.0000 1556 ini910u - ok
19:39:50.0031 1556 IntcAzAudAddService - ok
19:39:50.0031 1556 IntelIde - ok
19:39:50.0046 1556 intelppm - ok
19:39:50.0062 1556 Ip6Fw - ok
19:39:50.0078 1556 IpFilterDriver - ok
19:39:50.0078 1556 IpInIp - ok
19:39:50.0093 1556 IpNat - ok
19:39:50.0109 1556 IPSec - ok
19:39:50.0125 1556 IRENUM - ok
19:39:50.0156 1556 isapnp - ok
19:39:50.0171 1556 Kbdclass - ok
19:39:50.0171 1556 kbdhid - ok
19:39:50.0187 1556 kmixer - ok
19:39:50.0203 1556 KSecDD - ok
19:39:50.0218 1556 lbrtfdc - ok
19:39:50.0234 1556 libusb0 - ok
19:39:50.0250 1556 lmimirr - ok
19:39:50.0265 1556 massfilter - ok
19:39:50.0281 1556 MBAMProtector - ok
19:39:50.0312 1556 mferkdk - ok
19:39:50.0312 1556 mnmdd - ok
19:39:50.0328 1556 Modem - ok
19:39:50.0343 1556 Mouclass - ok
19:39:50.0359 1556 mouhid - ok
19:39:50.0359 1556 MountMgr - ok
19:39:50.0375 1556 MpFilter - ok
19:39:50.0390 1556 MpKslfbf4ff51 - ok
19:39:50.0390 1556 mraid35x - ok
19:39:50.0406 1556 MRxDAV - ok
19:39:50.0421 1556 MRxSmb - ok
19:39:50.0437 1556 Msfs - ok
19:39:50.0453 1556 MSKSSRV - ok
19:39:50.0468 1556 MSPCLOCK - ok
19:39:50.0484 1556 MSPQM - ok
19:39:50.0500 1556 mssmbios - ok
19:39:50.0500 1556 MSTEE - ok
19:39:50.0515 1556 Mup - ok
19:39:50.0531 1556 NABTSFEC - ok
19:39:50.0546 1556 NDIS - ok
19:39:50.0546 1556 NdisIP - ok
19:39:50.0562 1556 NdisTapi - ok
19:39:50.0578 1556 Ndisuio - ok
19:39:50.0593 1556 NdisWan - ok
19:39:50.0593 1556 NDProxy - ok
19:39:50.0609 1556 NetBIOS - ok
19:39:50.0625 1556 NetBT - ok
19:39:50.0671 1556 npf - ok
19:39:50.0671 1556 Npfs - ok
19:39:50.0687 1556 Ntfs - ok
19:39:50.0703 1556 Null - ok
19:39:50.0718 1556 NwlnkFlt - ok
19:39:50.0734 1556 NwlnkFwd - ok
19:39:50.0750 1556 Parport - ok
19:39:50.0765 1556 PartMgr - ok
19:39:50.0781 1556 ParVdm - ok
19:39:50.0796 1556 PCI - ok
19:39:50.0812 1556 PCIDump - ok
19:39:50.0812 1556 PCIIde - ok
19:39:50.0828 1556 Pcmcia - ok
19:39:50.0843 1556 PDCOMP - ok
19:39:50.0843 1556 PDFRAME - ok
19:39:50.0859 1556 PDRELI - ok
19:39:50.0875 1556 PDRFRAME - ok
19:39:50.0890 1556 perc2 - ok
19:39:50.0890 1556 perc2hib - ok
19:39:50.0937 1556 Point32 - ok
19:39:50.0953 1556 PptpMiniport - ok
19:39:50.0968 1556 PSched - ok
19:39:50.0984 1556 Ptilink - ok
19:39:50.0984 1556 PxHelp20 - ok
19:39:51.0000 1556 ql1080 - ok
19:39:51.0015 1556 Ql10wnt - ok
19:39:51.0015 1556 ql12160 - ok
19:39:51.0031 1556 ql1240 - ok
19:39:51.0046 1556 ql1280 - ok
19:39:51.0062 1556 RasAcd - ok
19:39:51.0093 1556 Rasl2tp - ok
19:39:51.0109 1556 RasPppoe - ok
19:39:51.0109 1556 Raspti - ok
19:39:51.0125 1556 Rdbss - ok
19:39:51.0140 1556 RDPCDD - ok
19:39:51.0156 1556 RDPWD - ok
19:39:51.0171 1556 redbook - ok
19:39:51.0187 1556 RimUsb - ok
19:39:51.0203 1556 RimVSerPort - ok
19:39:51.0218 1556 ROOTMODEM - ok
19:39:51.0265 1556 Secdrv - ok
19:39:51.0281 1556 Serial - ok
19:39:51.0312 1556 Sfloppy - ok
19:39:51.0328 1556 Simbad - ok
19:39:51.0343 1556 SLIP - ok
19:39:51.0375 1556 Sparrow - ok
19:39:51.0375 1556 splitter - ok
19:39:51.0406 1556 sr - ok
19:39:51.0421 1556 Srv - ok
19:39:51.0437 1556 streamip - ok
19:39:51.0453 1556 swenum - ok
19:39:51.0453 1556 swmidi - ok
19:39:51.0468 1556 symc810 - ok
19:39:51.0484 1556 symc8xx - ok
19:39:51.0500 1556 sym_hi - ok
19:39:51.0515 1556 sym_u3 - ok
19:39:51.0515 1556 SynTP - ok
19:39:51.0531 1556 sysaudio - ok
19:39:51.0546 1556 Tcpip - ok
19:39:51.0562 1556 TDPIPE - ok
19:39:51.0578 1556 TDTCP - ok
19:39:51.0578 1556 TermDD - ok
19:39:51.0609 1556 TosIde - ok
19:39:51.0625 1556 Udfs - ok
19:39:51.0640 1556 ultra - ok
19:39:51.0656 1556 Update - ok
19:39:51.0671 1556 USBAAPL - ok
19:39:51.0687 1556 usbccgp - ok
19:39:51.0703 1556 usbehci - ok
19:39:51.0703 1556 usbhub - ok
19:39:51.0718 1556 usbprint - ok
19:39:51.0734 1556 usbscan - ok
19:39:51.0734 1556 USBSTOR - ok
19:39:51.0750 1556 usbuhci - ok
19:39:51.0765 1556 usbvideo - ok
19:39:51.0781 1556 VgaSave - ok
19:39:51.0781 1556 ViaIde - ok
19:39:51.0796 1556 VMC326 - ok
19:39:51.0812 1556 VolSnap - ok
19:39:51.0843 1556 Wanarp - ok
19:39:51.0843 1556 Wdf01000 - ok
19:39:51.0859 1556 WDICA - ok
19:39:51.0875 1556 wdmaud - ok
19:39:51.0937 1556 WSTCODEC - ok
19:39:51.0953 1556 WudfPf - ok
19:39:51.0968 1556 WudfRd - ok
19:39:52.0000 1556 yukonwxp - ok
19:39:52.0000 1556 ZTEusbmdm6k - ok
19:39:52.0015 1556 ZTEusbnet - ok
19:39:52.0031 1556 ZTEusbnmea - ok
19:39:52.0046 1556 ZTEusbser6k - ok
19:39:52.0046 1556 ZTEusbvoice - ok
19:39:52.0109 1556 MBR (0x1B8) (a0a345f7ab6f3bac008fb0de602e66cd) \Device\Harddisk0\DR0
19:39:52.0640 1556 \Device\Harddisk0\DR0 - ok
19:39:52.0640 1556 Boot (0x1200) (c3fb5943198e355751a1c5f7ab071f19) \Device\Harddisk0\DR0\Partition0
19:39:52.0640 1556 \Device\Harddisk0\DR0\Partition0 - ok
19:39:52.0687 1556 Boot (0x1200) (fdeabab6ff5dd1e724573e23773fe6f6) \Device\Harddisk0\DR0\Partition1
19:39:52.0687 1556 \Device\Harddisk0\DR0\Partition1 - ok
19:39:52.0687 1556 ============================================================
19:39:52.0687 1556 Scan finished
19:39:52.0687 1556 ============================================================
19:39:52.0906 3104 Detected object count: 0
19:39:52.0906 3104 Actual detected object count: 0


Thank you!


#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:56 AM

Posted 19 February 2012 - 08:12 PM

Hi

please do the following:

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    MOD - [2008/06/20 11:02:47 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
    MOD - [2008/06/20 11:02:47 | 000,245,248 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll
    SRV - [2008/04/14 07:00:00 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\WINDOWS\system32\6to4.dll -- (GENERICDRV)
    IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
    IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171
    FF - prefs.js..network.proxy.http_port: 63717
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    [2012/02/18 23:55:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Antivirus Protection
    [2011/05/04 18:06:13 | 000,012,604 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\i2152v11p7d4sg8
    [2011/05/04 18:06:13 | 000,012,604 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\i2152v11p7d4sg8
    [2011/05/03 21:24:01 | 000,016,380 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\ycbh2647ydy7f
    [2011/05/03 21:24:01 | 000,016,380 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\ycbh2647ydy7f
    [2011/05/03 20:58:53 | 000,016,516 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\x5si1vjuiny5
    [2011/05/03 20:58:53 | 000,016,516 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\x5si1vjuiny5
    [2012/02/18 23:26:06 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\D8YguXdx.dat
    [2012/02/19 00:07:03 | 000,087,176 | ---- | C] () -- C:\WINDOWS\System32\x5vVb8.com
    [2012/02/18 23:26:01 | 000,087,176 | ---- | C] () -- C:\WINDOWS\System32\x5vVb8.com_
    NetSvcs: GENERICDRV - C:\WINDOWS\system32\6to4.dll (Oak Technology Inc.)
    NetSvcs: 6to4 - C:\WINDOWS\System32\6to4.dll (Oak Technology Inc.)
     
    :files
    rmdir C:\WINDOWS\$NtUninstallKB9507$ /c
    C:\WINDOWS\Tasks\At*.job
    ipconfig /flushdns /c
    
    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL log



NEXT


Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 andcuriouser (Topic Starter)

Posted 20 February 2012 - 12:46 PM

Sorry for the delay, and thank you again.

I copy-pasted and clicked Run Fix in OTL. After a moment, it closes down both antivirus programs but then seems to hang. The bottom bar reads "Killing processes. DO NOT INTERRUPT..." but it doesn't seem to be doing anything, even after leaving it run for a few hours.

What should I do?

#6 CatByte (Malware Response Team)

Posted 20 February 2012 - 01:12 PM

Restart your computer and try closing out the antivirus programs first before starting the fix.

Then use this modified script:

:OTL
MOD - [2008/06/20 11:02:47 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2008/06/20 11:02:47 | 000,245,248 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll
SRV - [2008/04/14 07:00:00 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\WINDOWS\system32\6to4.dll -- (GENERICDRV)
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171
FF - prefs.js..network.proxy.http_port: 63717
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
[2012/02/18 23:55:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Antivirus Protection
[2011/05/04 18:06:13 | 000,012,604 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\i2152v11p7d4sg8
[2011/05/04 18:06:13 | 000,012,604 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\i2152v11p7d4sg8
[2011/05/03 21:24:01 | 000,016,380 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\ycbh2647ydy7f
[2011/05/03 21:24:01 | 000,016,380 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\ycbh2647ydy7f
[2011/05/03 20:58:53 | 000,016,516 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\x5si1vjuiny5
[2011/05/03 20:58:53 | 000,016,516 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\x5si1vjuiny5
[2012/02/18 23:26:06 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\D8YguXdx.dat
[2012/02/19 00:07:03 | 000,087,176 | ---- | C] () -- C:\WINDOWS\System32\x5vVb8.com
[2012/02/18 23:26:01 | 000,087,176 | ---- | C] () -- C:\WINDOWS\System32\x5vVb8.com_
NetSvcs: GENERICDRV - C:\WINDOWS\system32\6to4.dll (Oak Technology Inc.)
NetSvcs: 6to4 - C:\WINDOWS\System32\6to4.dll (Oak Technology Inc.)
 
:files
rmdir C:\WINDOWS\$NtUninstallKB9507$ /c
C:\WINDOWS\Tasks\At*.job
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[Reboot]



#7 andcuriouser (Topic Starter)

Posted 20 February 2012 - 01:52 PM

Nope, still hangs at the same spot, even after completely closing Microsoft Security Essentials and Malwarebytes and using the modified code. OTL almost immediately stops responding.

#8 CatByte (Malware Response Team)

Posted 20 February 2012 - 02:12 PM

What spot is it hanging on? Does it say in the bottom of the window what it is scanning when it hangs?



#9 andcuriouser (Topic Starter)

Posted 20 February 2012 - 02:16 PM

It hasn't actually begun to scan anything, I don't think. The bottom of the window just says "Killing processes. Do not interrupt..." It doesn't get past that point.

#10 CatByte (Malware Response Team)

Posted 20 February 2012 - 02:23 PM

OK

We'll have to come back to that then.

Please move on to ComboFix.



#11 andcuriouser (Topic Starter)

Posted 22 February 2012 - 09:28 AM

Sorry for the delay - was away from my computer for a while. Thanks for helping.

Ran ComboFix without a problem. Here is the log.txt:

ComboFix 12-02-19.02 - Owner 02/22/2012 8:57.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.575 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Owner\My Documents\~WRL0419.tmp
c:\documents and settings\Owner\My Documents\~WRL0668.tmp
c:\documents and settings\Owner\My Documents\~WRL1486.tmp
c:\documents and settings\Owner\My Documents\~WRL1625.tmp
c:\documents and settings\Owner\My Documents\~WRL2345.tmp
c:\documents and settings\Owner\My Documents\~WRL2678.tmp
c:\documents and settings\Owner\My Documents\~WRL2803.tmp
c:\documents and settings\Owner\My Documents\~WRL3543.tmp
c:\documents and settings\Owner\My Documents\~WRL3798.tmp
c:\windows\$NtUninstallKB9507$\2855702293\@
c:\windows\$NtUninstallKB9507$\2855702293\cfg.ini
c:\windows\$NtUninstallKB9507$\2855702293\Desktop.ini
c:\windows\$NtUninstallKB9507$\2855702293\L\anmabhgq
c:\windows\$NtUninstallKB9507$\2855702293\oemid
c:\windows\$NtUninstallKB9507$\2855702293\U\00000001.$
c:\windows\$NtUninstallKB9507$\2855702293\U\00000001.@
c:\windows\$NtUninstallKB9507$\2855702293\U\00000002.@
c:\windows\$NtUninstallKB9507$\2855702293\U\00000004.@
c:\windows\$NtUninstallKB9507$\2855702293\U\80000000.@
c:\windows\$NtUninstallKB9507$\2855702293\U\80000004.@
c:\windows\$NtUninstallKB9507$\2855702293\U\80000032.@
c:\windows\$NtUninstallKB9507$\2855702293\version
c:\windows\$NtUninstallKB9507$\4076633124
c:\windows\system32\SET163F.tmp
c:\windows\system32\SET1643.tmp
c:\windows\system32\SET1647.tmp
c:\windows\system32\SET1648.tmp
c:\windows\system32\SET1650.tmp
c:\windows\system32\SET1652.tmp
D:\install.exe
.
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2012-01-22 to 2012-02-22 )))))))))))))))))))))))))))))))
.
.
2012-02-22 14:18 . 2012-02-22 14:18 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F84D26B6-C61E-4A86-8946-B00E288B0E60}\offreg.dll
2012-02-20 21:37 . 2008-10-16 15:07 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-20 02:02 . 2012-02-20 02:02 -------- d-----w- C:\_OTL
2012-02-19 09:18 . 2012-02-19 09:18 -------- d-----w- c:\program files\WinPcap
2012-02-19 05:07 . 2012-01-17 09:39 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F84D26B6-C61E-4A86-8946-B00E288B0E60}\mpengine.dll
2012-02-19 05:07 . 2012-02-19 04:29 87176 ----a-w- c:\windows\system32\x5vVb8.com
2012-02-19 04:55 . 2012-02-19 04:55 -------- d-----w- c:\windows\system32\wbem\Repository
2012-02-19 04:55 . 2012-02-19 04:55 -------- d-----w- c:\documents and settings\Owner\Application Data\Antivirus Protection
2012-02-19 04:38 . 2012-02-19 04:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2012-02-19 04:27 . 2012-02-19 04:38 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2012-02-17 22:21 . 2012-02-19 04:48 -------- d-----w- C:\2d2a41a99847aed6f5aa7f24aeb2
2012-02-17 17:02 . 2012-02-20 21:21 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-14 18:02 . 2012-02-19 17:42 19416 ----a-w- c:\program files\Mozilla Firefox\AccessibleMarshal.dll
2012-02-14 18:02 . 2012-02-19 17:42 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2012-02-14 18:02 . 2012-02-19 17:42 125912 ----a-w- c:\program files\Mozilla Firefox\crashreporter.exe
2012-02-14 18:02 . 2012-02-14 18:02 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2012-01-28 05:39 . 2012-01-28 05:39 -------- d-----w- c:\program files\iPod
2012-01-28 05:38 . 2012-01-28 05:40 -------- d-----w- c:\program files\iTunes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-06 04:19 . 2011-11-21 17:27 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-10 20:24 . 2011-05-04 04:39 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-19 17:42 . 2012-02-14 18:02 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-04-14 12:00 . 11028C6A84A967070CB1286550F2058F . 5632 . . [2, 2, 0, 0] . . c:\windows\system32\6to4.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-08 2768896]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-21 659456]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_14\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_14\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\AOE2\\age2_exp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9100:TCP"= 9100:TCP:Advanced TCP/IP Printer Port
"427:TCP"= 427:TCP:Advanced TCP/IP SLP Port
"161:TCP"= 161:TCP:Advanced TCP/IP SNMP Port
.
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [10/28/2008 9:00 PM 4300]
R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [8/10/2010 4:35 AM 99896]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/3/2011 11:39 PM 652360]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2/11/2011 4:23 PM 35088]
R2 SNM WLAN Service;SNM WLAN Service;c:\program files\Samsung\Samsung Network Manager\SNMWLANService.exe [10/30/2006 5:29 PM 36864]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [1/14/2008 10:01 PM 30208]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/3/2011 11:39 PM 20464]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [10/28/2008 9:04 PM 238464]
S2 efAuditorService.exe;eFilm Audit Service;"c:\program files\Merge eFilm\eFilm\Auditor\efAuditorService.exe" --> c:\program files\Merge eFilm\eFilm\Auditor\efAuditorService.exe [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [9/10/2009 9:47 AM 28672]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [8/25/2009 6:48 PM 7680]
S3 SlsService;SlsService;"c:\program files\Merge eFilm\eFilm\SlsService.exe" --> c:\program files\Merge eFilm\eFilm\SlsService.exe [?]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [8/25/2009 6:51 PM 110080]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [8/25/2009 6:50 PM 104960]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
PCASp50
ikhlayer
ndasscsi
GENERICDRV
FileDisk
arc
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-02-19 c:\windows\Tasks\At1.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At10.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At11.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At12.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At13.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At14.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At15.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At16.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At17.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At18.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At19.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At2.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At20.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At21.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At22.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At23.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At24.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At25.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At26.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At27.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At28.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At29.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At3.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At30.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At31.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At32.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-22 c:\windows\Tasks\At33.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-20 c:\windows\Tasks\At34.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At35.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At36.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At37.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At38.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-20 c:\windows\Tasks\At39.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At4.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-20 c:\windows\Tasks\At40.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-20 c:\windows\Tasks\At41.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-20 c:\windows\Tasks\At42.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At43.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At44.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At45.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At46.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-20 c:\windows\Tasks\At47.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-20 c:\windows\Tasks\At48.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At49.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At5.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At50.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At51.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At52.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At53.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At54.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At55.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At56.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At57.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At58.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At59.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At6.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At60.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At61.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At62.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At63.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At64.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At65.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At66.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At67.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At68.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At69.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At7.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At70.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At71.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At72.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At73.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At74.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At75.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At76.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At77.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At78.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At79.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At8.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At80.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-22 c:\windows\Tasks\At81.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-22 c:\windows\Tasks\At82.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At83.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At84.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At85.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At86.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-20 c:\windows\Tasks\At87.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-20 c:\windows\Tasks\At88.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-20 c:\windows\Tasks\At89.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At9.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-20 c:\windows\Tasks\At90.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At91.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At92.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At93.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-19 c:\windows\Tasks\At94.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-20 c:\windows\Tasks\At95.job
- c:\windows\system32\x5vVb8.com [2012-02-19 04:29]
.
2012-02-20 c:\windows\Tasks\At96.job
- c:\windows\system32\x5vVb8.com_ [2012-02-19 04:29]
.
2012-02-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 64.71.255.198
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tcjvcrq5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 63717
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
.
.
.
**************************************************************************
.
disk not found C:\
.
please note that you need administrator rights to perform deep scan
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2800)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\X5VVB8~1.COM
.
**************************************************************************
.
Completion time: 2012-02-22 09:23:21 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-22 14:23
.
Pre-Run: 55,328,784,384 bytes free
Post-Run: 57,487,921,152 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 9684B27D8AAF9D1E9829734F2E10B39D

#12 CatByte (Malware Response Team)

Posted 22 February 2012 - 08:44 PM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')


AtJob::

Collect::
c:\windows\system32\x5vVb8.com
C:\WINDOWS\System32\x5vVb8.com_
C:\Documents and Settings\Owner\Local Settings\Application Data\i2152v11p7d4sg8
C:\Documents and Settings\All Users\Application Data\i2152v11p7d4sg8
C:\Documents and Settings\Owner\Local Settings\Application Data\ycbh2647ydy7f
C:\Documents and Settings\All Users\Application Data\ycbh2647ydy7f
C:\Documents and Settings\Owner\Local Settings\Application Data\x5si1vjuiny5
C:\Documents and Settings\All Users\Application Data\x5si1vjuiny5
C:\Documents and Settings\All Users\Application Data\D8YguXdx.dat
c:\windows\system32\6to4.dll
c:\windows\system32\X5VVB8~1.COM

Folder::
c:\documents and settings\Owner\Application Data\Antivirus Protection

NetSvc::
GENERICDRV
6to4

Driver::
GENERICDRV
6to4

Rootkit::
c:\windows\system32\x5vVb8.com
C:\WINDOWS\System32\x5vVb8.com_
c:\windows\system32\X5VVB8~1.COM

FireFox::
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tcjvcrq5.default\
FF - prefs.js: network.proxy.http_port - 63717

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 andcuriouser

andcuriouser
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:56 AM

Posted 23 February 2012 - 12:47 AM

Ran the script and Combofix. It ran all right, except now that my computer has rebooted I don't have an internet connection (it receives the signal but with "limited or no connectivity"). I will post the log tomorrow when I have access to a usb and another computer.

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:56 AM

Posted 23 February 2012 - 05:42 PM

One of the files needed to connect must have been patched, so let's see if we can find it and replace it. When you get the USB, please do the following:



Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 andcuriouser

andcuriouser
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:56 AM

Posted 23 February 2012 - 05:57 PM

Thanks for all the help.

Here is the FSS.txt log:

Farbar Service Scanner Version: 22-02-2012
Ran by Owner (administrator) on 23-02-2012 at 17:53:31
Running from "C:\Documents and Settings\Owner\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
The start type of NetBt service is OK.
The ImagePath of NetBt service is OK.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
Attention! C:\WINDOWS\system32\Drivers\netbt.sys is missing.
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x09000000040000000100000002000000030000000800000005000000060000000700000009000000
IpSec Tag value is correct.

**** End of log ****



And the Combofix.txt from last night:

ComboFix 12-02-19.02 - Owner 02/22/2012 22:29:41.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.666 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Application Data\Antivirus Protection
c:\documents and settings\Owner\Application Data\Antivirus Protection\IcoActivate.ico
c:\documents and settings\Owner\Application Data\Antivirus Protection\IcoHelp.ico
c:\documents and settings\Owner\Application Data\Antivirus Protection\IcoUninstall.ico
c:\windows\$NtUninstallKB9507$\2855702293\@
c:\windows\$NtUninstallKB9507$\2855702293\cfg.ini
c:\windows\$NtUninstallKB9507$\2855702293\Desktop.ini
c:\windows\$NtUninstallKB9507$\2855702293\L\anmabhgq
c:\windows\$NtUninstallKB9507$\2855702293\oemid
c:\windows\$NtUninstallKB9507$\2855702293\U\00000001.@
c:\windows\$NtUninstallKB9507$\2855702293\U\00000002.@
c:\windows\$NtUninstallKB9507$\2855702293\U\00000004.@
c:\windows\$NtUninstallKB9507$\2855702293\U\80000000.@
c:\windows\$NtUninstallKB9507$\2855702293\U\80000004.@
c:\windows\$NtUninstallKB9507$\2855702293\U\80000032.@
c:\windows\$NtUninstallKB9507$\2855702293\version
c:\windows\$NtUninstallKB9507$\3516766277
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_GENERICDRV
-------\Service_GENERICDRV
.
.
((((((((((((((((((((((((( Files Created from 2012-01-23 to 2012-02-23 )))))))))))))))))))))))))))))))
.
.
2012-02-23 03:23 . 2012-02-23 05:26 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{26C638A0-5AD7-43A5-8DB6-09B3F58F58EA}\offreg.dll
2012-02-23 03:21 . 2008-10-16 15:07 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-22 14:31 . 2012-02-08 06:03 6552120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{26C638A0-5AD7-43A5-8DB6-09B3F58F58EA}\mpengine.dll
2012-02-20 02:02 . 2012-02-20 02:02 -------- d-----w- C:\_OTL
2012-02-19 09:18 . 2012-02-19 09:18 -------- d-----w- c:\program files\WinPcap
2012-02-19 04:55 . 2012-02-19 04:55 -------- d-----w- c:\windows\system32\wbem\Repository
2012-02-19 04:38 . 2012-02-19 04:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2012-02-19 04:27 . 2012-02-19 04:38 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2012-02-17 22:21 . 2012-02-19 04:48 -------- d-----w- C:\2d2a41a99847aed6f5aa7f24aeb2
2012-02-17 17:02 . 2012-02-22 17:02 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-14 18:02 . 2012-02-19 17:42 19416 ----a-w- c:\program files\Mozilla Firefox\AccessibleMarshal.dll
2012-02-14 18:02 . 2012-02-19 17:42 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2012-02-14 18:02 . 2012-02-19 17:42 125912 ----a-w- c:\program files\Mozilla Firefox\crashreporter.exe
2012-02-14 18:02 . 2012-02-14 18:02 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2012-01-28 05:39 . 2012-01-28 05:39 -------- d-----w- c:\program files\iPod
2012-01-28 05:38 . 2012-01-28 05:40 -------- d-----w- c:\program files\iTunes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-31 12:44 . 2011-12-11 23:03 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-17 09:39 . 2011-11-21 17:27 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-10 20:24 . 2011-05-04 04:39 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-19 17:42 . 2012-02-14 18:02 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-04-14 12:00 . 11028C6A84A967070CB1286550F2058F . 5632 . . [2, 2, 0, 0] . . c:\windows\system32\6to4.dll
.
((((((((((((((((((((((((((((( SnapShot@2012-02-22_14.18.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-23 03:28 . 2012-02-23 03:28 16384 c:\windows\Temp\Perflib_Perfdata_6d8.dat
+ 2012-02-23 05:26 . 2012-02-23 05:26 16384 c:\windows\Temp\Perflib_Perfdata_6c8.dat
+ 2008-04-14 00:48 . 2008-04-14 05:48 52480 c:\windows\system32\drivers\i8042prt.sys
- 2008-04-14 00:48 . 2008-04-14 12:00 52480 c:\windows\system32\drivers\i8042prt.sys
+ 2008-04-14 00:48 . 2008-04-14 05:48 52480 c:\windows\system32\dllcache\i8042prt.sys
+ 2008-10-28 17:47 . 2012-02-23 03:23 384816 c:\windows\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-08 2768896]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-21 659456]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_14\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_14\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\AOE2\\age2_exp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9100:TCP"= 9100:TCP:Advanced TCP/IP Printer Port
"427:TCP"= 427:TCP:Advanced TCP/IP SLP Port
"161:TCP"= 161:TCP:Advanced TCP/IP SNMP Port
.
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [10/28/2008 9:00 PM 4300]
R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [8/10/2010 4:35 AM 99896]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/3/2011 11:39 PM 652360]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2/11/2011 4:23 PM 35088]
R2 SNM WLAN Service;SNM WLAN Service;c:\program files\Samsung\Samsung Network Manager\SNMWLANService.exe [10/30/2006 5:29 PM 36864]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [1/14/2008 10:01 PM 30208]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/3/2011 11:39 PM 20464]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [10/28/2008 9:04 PM 238464]
S2 efAuditorService.exe;eFilm Audit Service;"c:\program files\Merge eFilm\eFilm\Auditor\efAuditorService.exe" --> c:\program files\Merge eFilm\eFilm\Auditor\efAuditorService.exe [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [9/10/2009 9:47 AM 28672]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [8/25/2009 6:48 PM 7680]
S3 SlsService;SlsService;"c:\program files\Merge eFilm\eFilm\SlsService.exe" --> c:\program files\Merge eFilm\eFilm\SlsService.exe [?]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [8/25/2009 6:51 PM 110080]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [8/25/2009 6:50 PM 104960]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
PCASp50
ikhlayer
ndasscsi
FileDisk
arc
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-02-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 64.71.255.198
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tcjvcrq5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
.
**************************************************************************
.
disk not found C:\
.
please note that you need administrator rights to perform deep scan
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2776)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-02-23 00:30:17 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-23 05:30
ComboFix2.txt 2012-02-22 14:23
.
Pre-Run: 56,723,111,936 bytes free
Post-Run: 56,752,132,096 bytes free
.
- - End Of File - - ADBCDD020EE0F4B9FA382162A72BCBAB
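An added example, not code from this thread or from the Farbar tool, that triages an FSS.txt log like the one posted above: it pulls out services reported not running, files reported missing and MD5 mismatches, then ties a stopped service to its absent driver (here NetBt to netbt.sys, which is why the machine lost connectivity). The sample log is constructed from lines quoted in this thread, and the service-to-file map is my assumption, limited to files FSS checks in that log.

```python
"""Triage a Farbar Service Scanner (FSS) log for the networking breakage
seen in this thread: a service that is not running, a system file that is
missing, or a file whose MD5 does not match a known-good one."""
import re

# Constructed sample, condensed from the FSS.txt posted in the thread.
SAMPLE_FSS_LOG = r"""
Farbar Service Scanner Version: 22-02-2012
Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
The start type of NetBt service is OK.
The ImagePath of NetBt service is OK.

Connection Status:
==============
Localhost is accessible.
There is no connection to network.

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
Attention! C:\WINDOWS\system32\Drivers\netbt.sys is missing.
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

**** End of log ****
"""

SERVICE_DOWN = re.compile(r"^(\w+) Service is not running\.")
FILE_MISSING = re.compile(r"^Attention! (.+?) is missing\.$")
FILE_MD5 = re.compile(r"^(.+?) => MD5 is (.+)$")

# Assumed map from service name to the file it cannot start without;
# only the files FSS checks in this log are listed.
SERVICE_FILES = {"NetBt": "netbt.sys", "Dhcp": "dhcpcsvc.dll",
                 "Tcpip": "tcpip.sys", "AFD": "afd.sys"}


def triage_fss_log(text):
    """Return services not running, files missing and files with a bad MD5."""
    findings = {"services_down": [], "files_missing": [], "files_bad_md5": []}
    for line in text.splitlines():
        line = line.strip()
        if m := SERVICE_DOWN.match(line):
            findings["services_down"].append(m.group(1))
        elif m := FILE_MISSING.match(line):
            findings["files_missing"].append(m.group(1))
        elif (m := FILE_MD5.match(line)) and m.group(2) != "legit":
            findings["files_bad_md5"].append(m.group(1))
    return findings


def explain_connectivity_loss(findings):
    """Pair each stopped service with its missing or tampered file, if any."""
    def basename(p):
        return p.rsplit("\\", 1)[-1].lower()
    suspect = {basename(p) for p in findings["files_missing"]}
    suspect |= {basename(p) for p in findings["files_bad_md5"]}
    return [(svc, SERVICE_FILES[svc]) for svc in findings["services_down"]
            if svc in SERVICE_FILES and SERVICE_FILES[svc].lower() in suspect]
```

Run against the thread's log, the only pairing is NetBt with netbt.sys; Dhcp is stopped too, but its own file checks out, so the log alone does not explain that one.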



