
infected - search links redirecting, high cpu usage, slow computer


This topic is locked. 37 replies to this topic.

#1 lynnmarie (Members, 21 posts)

Posted 21 February 2012 - 12:37 PM

Hello,

I see others posting similar issues but I don't know what I have, so sorry if this is not supposed to be a new topic.

Running Windows XP, McAfee VirusScan Plus, Spybot S&D. Since figuring out I have a problem, I have installed CCleaner and Malwarebytes.

Was getting popups from McAfee: isolated trojan, "no further action is required." Ran a complete scan, found no issues. Ran a full scan in Spybot, only found tracking cookies; deleted them. Ran a full scan in CCleaner; it found only a couple of items, removed them. Ran a Malwarebytes scan, found some things and removed them. Still having problems.

At one point I noticed I had _ex-68.exe in processes and killed it - it has not come back (unless it has changed names).

Links redirect, open new windows, go to an advertisement or show nothing at all - both Chrome and Firefox. Sometimes the computer is so slow that letters show up very slowly as I am typing. Also sometimes getting the Windows confirmation beep for no reason at all (the noise Windows makes, for example, when you are trying to save over a file that already exists - it gives you that little "chime" and asks if you want to replace the file).

Windows crashed 3 times while I was scanning with GMER; I was finally able to get a scan by disconnecting from the internet.

Thank you for any help you can provide!!


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Owner at 1:08:39 on 2012-02-21
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2037.911 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\program files\quicktime\QTTask.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\802.11g Wireless LAN\Monitor.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\xampp\mysql\bin\mysqld.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111225023223.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: att.net Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AdobeBridge]
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" TRAY
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\monitor.lnk - c:\program files\802.11g wireless lan\Monitor.exe
StartupFolder: c:\documents and settings\owner\start menu\programs\startup\PowerReg Scheduler V3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBC}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.4.1/jinstall-1_4_1_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} - hxxp://simcity.ea.com/play/classic/SimCityX.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.1/jinstall-1_4_1_02-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{39BBAC5B-987E-418B-AD48-7B831F1EEBDF} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{BF5A74BF-5757-410B-B6AE-7997122EC061} : DhcpNameServer = 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks pro\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\herehofe.dll
LSA: Notification Packages = scecli c:\windows\system32\herehofe.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\ijsr6xti.default\
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-5-3 464176]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-11-16 89792]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-11-16 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-11-16 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-11-16 166288]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-11-16 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-11-16 150856]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-5-3 180816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-5-3 59456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-11-16 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-11-16 83856]
S2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2010-10-17 20549]
S2 avgmfx86;CVPNDRVA;c:\windows\system32\svchost.exe -k netsvcs [2005-1-9 14336]
S2 savrtpel;Iomdisk;c:\windows\system32\svchost.exe -k netsvcs [2005-1-9 14336]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-11-16 57600]
S3 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-11-16 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-11-16 87656]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-5-3 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-5-3 40552]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2012-2-15 50704]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
.
=============== Created Last 30 ================
.
2012-02-17 07:06:41 229487 ----a-w- c:\windows\system32\jpicpl32.cpl
2012-02-16 01:40:49 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes
2012-02-16 01:40:40 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-02-16 01:40:39 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-16 01:40:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-16 00:57:34 -------- d-----w- c:\program files\CCleaner
2012-02-15 14:00:59 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2012-02-15 14:00:59 281104 ----a-w- c:\windows\system32\wpcap.dll
2012-02-15 14:00:59 100880 ----a-w- c:\windows\system32\Packet.dll
2012-02-15 04:29:58 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-15 04:28:28 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-02-15 04:28:28 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
.
============= FINISH: 1:10:33.73 ===============


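The DDS log above is mostly an inventory, but three of its line types are where persistence is usually established: AppInit_DLLs, the LSA Notification Packages list, and service entries whose image path is svchost.exe. The block below is an added example, not part of DDS and not posted by anyone in this thread, that reads those lines out of a DDS log and flags what a stand-alone Windows XP workstation would not normally show. The allowlist of a single LSA package (scecli) and the decision to treat every svchost-hosted service that DDS bothers to print as worth a registry check are the example's own assumptions; the sample input is excerpted from the log posted above.

```python
"""Triage persistence entries in a DDS log (added example, not part of DDS).

Looks at the three places in the 'Pseudo HJT Report' / 'SERVICES / DRIVERS'
sections that are routinely abused for persistence and reports anything
that deviates from a stock Windows XP workstation.
"""
import re
from typing import Dict, List

# Sample input: lines excerpted from the DDS log posted above in this thread.
SAMPLE_DDS = r"""
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [<NO NAME>]
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\herehofe.dll
LSA: Notification Packages = scecli c:\windows\system32\herehofe.dll
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-5-3 464176]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-11-16 166288]
S2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2010-10-17 20549]
S2 avgmfx86;CVPNDRVA;c:\windows\system32\svchost.exe -k netsvcs [2005-1-9 14336]
S2 savrtpel;Iomdisk;c:\windows\system32\svchost.exe -k netsvcs [2005-1-9 14336]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2012-2-15 50704]
"""

# Service line: "<state> <name>;<display name>;<image path and args> [<date> <size>]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s+\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]$"
)
# First executable in an image string, so arguments such as "-k netsvcs" are dropped.
EXE_RE = re.compile(r"^(?P<exe>.+?\.(?:exe|sys|dll))", re.IGNORECASE)

# Assumption: on a stand-alone XP workstation the only LSA notification package
# is scecli (Security Configuration Engine); domain controllers add others.
LSA_EXPECTED = {"scecli"}


def triage_dds(text: str) -> List[Dict[str, str]]:
    """Return one finding per entry that deserves a second look."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # AppInit_DLLs: every DLL listed here is loaded into every process that
        # links user32.dll, so any value at all needs an explanation.
        if line.startswith("AppInit_DLLs:"):
            value = line.split(":", 1)[1].strip()
            if value:
                findings.append({"kind": "appinit_dll", "item": value, "line": line})
            continue

        # LSA notification packages are loaded by lsass.exe at boot as SYSTEM;
        # anything beyond scecli on a workstation is unexpected.
        if line.startswith("LSA: Notification Packages"):
            packages = line.split("=", 1)[1].split()
            for pkg in packages:
                if pkg.lower() not in LSA_EXPECTED:
                    findings.append({"kind": "lsa_package", "item": pkg, "line": line})
            continue

        m = SERVICE_RE.match(line)
        if not m:
            continue
        exe_match = EXE_RE.match(m.group("image"))
        image = exe_match.group("exe") if exe_match else m.group("image")
        exe = image.rsplit("\\", 1)[-1].lower()
        # DDS omits Microsoft's own services, so a third-party service name that
        # points straight at svchost.exe has no visible DLL behind it; the
        # ServiceDll value under its Parameters key says what actually loads.
        if exe == "svchost.exe":
            findings.append({
                "kind": "svchost_hosted_service",
                "item": "%s (display name %r)" % (m.group("name"), m.group("display")),
                "line": line,
            })
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print("%-24s %s" % (f["kind"], f["item"]))
```

Run against the excerpt it reports the same DLL twice (once from AppInit_DLLs, once from the LSA list) and the two svchost-hosted services. For each service the next step is the ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters, which DDS does not print; a hosted service with no ServiceDll, or one pointing at a file that does not match the display name, is what the heuristic is meant to surface.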
#2 lynnmarie (Topic Starter)

Posted 21 February 2012 - 03:16 PM

Additional info since I posted this topic:

Today I got the audio message "congratulations, you've won!"

Was also getting a popup: "do you want to make Internet Explorer your default browser?" - I do not use IE.

Comp running slow; found additional processes running that were not running this morning. Killed them all:

2 instances of iexplore.exe
3 or 4 instances of hki7266.exe
PKOP202X.com (yes, .com)
ytbb.exe
ToolbarSvr.exe

Thanks

Edited by lynnmarie, 21 February 2012 - 03:18 PM.


#3 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 21 February 2012 - 04:03 PM

Hello lynnmarie,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.



2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
TdssKiller log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




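The instructions above say where TDSSKiller leaves its log but not how to read one. The block below is an added example, not Kaspersky's code and not posted by anyone in this thread, that parses the format TDSSKiller writes (timestamp, thread id, message) and summarises which drivers checked out and which produced a "Suspicious file (Forged)" line with its two hashes and a detection name. The sample input is taken from the log posted later in this thread together with the clean entries around it; the field names and the pairing of a forged-file line with the inventory entry for the same path are the example's own conventions.

```python
"""Summarise a TDSSKiller log (added example; not Kaspersky's code).

TDSSKiller writes one line per service/driver it checks, prefixed by a
timestamp and thread id.  A clean entry ends with "<name> - ok"; a hit
produces a "Suspicious file (Forged)" line with two hashes, followed by
"<name> ( <detection> ) - infected" and "<name> - detected <detection> (<n>)".
"""
import re
from typing import Dict, Optional

# Sample input: lines in the format TDSSKiller writes (taken from the log
# posted later in this thread, plus the clean entries around it).
SAMPLE_LOG = r"""
17:32:47.0125 4016 i2omp (ed6bf9e441fdea13292a6d30a64a24c3) C:\WINDOWS\system32\DRIVERS\i2omp.sys
17:32:47.0140 4016 i2omp - ok
17:32:47.0218 4016 i8042prt (7acaecb182bfd7d63dcd6efa93588e76) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
17:32:47.0218 4016 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\i8042prt.sys. Real md5: 7acaecb182bfd7d63dcd6efa93588e76, Fake md5: 5502b58eef7486ee6f93f3f164dcb808
17:32:47.0218 4016 i8042prt ( Virus.Win32.ZAccess.k ) - infected
17:32:47.0218 4016 i8042prt - detected Virus.Win32.ZAccess.k (0)
17:32:47.0375 4016 ialm (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
17:32:47.0578 4016 ialm - ok
"""

PREFIX_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+(?P<msg>.*)$")
INVENTORY_RE = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
OK_RE = re.compile(r"^(?P<name>\S+) - ok$")
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$"
)
INFECTED_RE = re.compile(r"^(?P<name>\S+) \( (?P<det>.+?) \) - infected$")
DETECTED_RE = re.compile(r"^(?P<name>\S+) - detected (?P<det>\S+) \((?P<code>\d+)\)$")


def parse_tdsskiller(text: str) -> Dict[str, object]:
    """Return {"clean": <count of '- ok' entries>, "detections": {name: details}}."""
    inventory: Dict[str, Dict[str, str]] = {}   # name -> md5/path as first listed
    hits: Dict[str, Dict[str, str]] = {}        # name -> accumulated detection data
    pending_forged: Optional[Dict[str, str]] = None
    ok = 0

    for raw in text.splitlines():
        p = PREFIX_RE.match(raw.strip())
        if not p:
            continue                # banner, system info, partition table, etc.
        msg = p.group("msg")

        m = FORGED_RE.match(msg)
        if m:
            pending_forged = m.groupdict()
            # The forged line carries only a path; tie it to the object that was
            # inventoried under that path, if TDSSKiller listed it beforehand.
            for name, info in inventory.items():
                if info["path"].lower() == m.group("path").lower():
                    hits.setdefault(name, {}).update(pending_forged)
                    pending_forged = None
                    break
            continue

        m = INFECTED_RE.match(msg) or DETECTED_RE.match(msg)
        if m:
            entry = hits.setdefault(m.group("name"), {})
            entry["detection"] = m.group("det")
            if pending_forged is not None:  # forged path never inventoried
                entry.update(pending_forged)
                pending_forged = None
            continue

        if OK_RE.match(msg):
            ok += 1
            continue

        m = INVENTORY_RE.match(msg)
        if m:
            inventory.setdefault(m.group("name"), {"md5": m.group("md5"), "path": m.group("path")})

    return {"clean": ok, "detections": hits}


if __name__ == "__main__":
    result = parse_tdsskiller(SAMPLE_LOG)
    print("clean objects:", result["clean"])
    for name, info in result["detections"].items():
        print(name, info)
```

The tool reports two MD5 values and labels them Real and Fake; the parser keeps both rather than deciding which one the operating system is currently being shown. The practical point behind the Cure-not-Delete instruction above: when the detected object is a driver the system needs (i8042prt is the PS/2 keyboard and mouse port driver), curing replaces the file with a clean copy, whereas deleting it removes the driver itself.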
#4 lynnmarie (Topic Starter)

Posted 21 February 2012 - 07:22 PM

Hi fireman4it, thank you very much for your quick reply. I have followed your instructions and have posted the files below. A couple of things:

1) I needed to install the Recovery Console. While I did NOT click inside the ComboFix box, it stalled out at the end. It said that it was rebooting, and warned me against rebooting manually. Well, it sat at that screen for 45 minutes with no disk spinning, so I pushed the off button. I knew there could be implications but I didn't know what else to do - it was doing nothing. So I shut it off and turned it back on. ComboFix rebooted it and created the report.

2) I think it deleted some drivers; my cordless mouse isn't working now, so I had to get this corded relic out of the closet. Also, on boot-up I got a pop-up from Intel Audio Studio that said "Sonic Focus drivers must be installed for this application to work." I don't know what other drivers may have been deleted.

3) ComboFix said I was infected with Rootkit.Zero.Access! and that it has installed itself into the TCP/IP stack. Yes, I'm sure that's not good.

4) Unfortunately I am still being redirected in both Firefox and Chrome. I don't use IE so I don't know what's going on with that one.

5) EDIT: As soon as I posted this, I am now noticing all of the same things in my Task Manager processes that I wrote about earlier.

Thanks again for your help. Here are the 2 files you requested:

TDSSKILLER:


17:32:31.0921 3408 TDSS rootkit removing tool 2.7.13.0 Feb 15 2012 19:33:14
17:32:32.0609 3408 ============================================================
17:32:32.0609 3408 Current date / time: 2012/02/21 17:32:32.0609
17:32:32.0609 3408 SystemInfo:
17:32:32.0609 3408
17:32:32.0609 3408 OS Version: 5.1.2600 ServicePack: 2.0
17:32:32.0609 3408 Product type: Workstation
17:32:32.0609 3408 ComputerName: LYNN
17:32:32.0609 3408 UserName: Owner
17:32:32.0609 3408 Windows directory: C:\WINDOWS
17:32:32.0609 3408 System windows directory: C:\WINDOWS
17:32:32.0609 3408 Processor architecture: Intel x86
17:32:32.0609 3408 Number of processors: 2
17:32:32.0609 3408 Page size: 0x1000
17:32:32.0609 3408 Boot type: Normal boot
17:32:32.0609 3408 ============================================================
17:32:33.0703 3408 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
17:32:33.0828 3408 \Device\Harddisk0\DR0:
17:32:33.0843 3408 MBR used
17:32:33.0843 3408 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x8D7101, BlocksNum 0x1C8ED480
17:32:33.0843 3408 \Device\Harddisk0\DR0\Partition1: MBR, Type 0xB, StartLBA 0x3F, BlocksNum 0x8D70C2
17:32:33.0875 3408 Initialize success
17:32:33.0875 3408 ============================================================
17:32:40.0500 4016 ============================================================
17:32:40.0500 4016 Scan started
17:32:40.0500 4016 Mode: Manual;
17:32:40.0500 4016 ============================================================
17:32:43.0906 4016 Abiosdsk - ok
17:32:44.0031 4016 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
17:32:44.0046 4016 abp480n5 - ok
17:32:44.0140 4016 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
17:32:44.0156 4016 ACPI - ok
17:32:44.0187 4016 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
17:32:44.0187 4016 ACPIEC - ok
17:32:44.0218 4016 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
17:32:44.0234 4016 adpu160m - ok
17:32:44.0296 4016 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
17:32:44.0296 4016 aec - ok
17:32:44.0359 4016 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
17:32:44.0359 4016 AFD - ok
17:32:44.0375 4016 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
17:32:44.0375 4016 agp440 - ok
17:32:44.0390 4016 agpCPQ (67288b07d6aba6c1267b626e67bc56fd) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
17:32:44.0390 4016 agpCPQ - ok
17:32:44.0406 4016 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
17:32:44.0421 4016 Aha154x - ok
17:32:44.0484 4016 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
17:32:44.0484 4016 aic78u2 - ok
17:32:44.0500 4016 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
17:32:44.0500 4016 aic78xx - ok
17:32:44.0515 4016 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
17:32:44.0515 4016 AliIde - ok
17:32:44.0531 4016 alim1541 (f312b7cef21eff52fa23056b9d815fad) C:\WINDOWS\system32\DRIVERS\alim1541.sys
17:32:44.0531 4016 alim1541 - ok
17:32:44.0546 4016 amdagp (675c16a3c1f8482f85ee4a97fc0dde3d) C:\WINDOWS\system32\DRIVERS\amdagp.sys
17:32:44.0562 4016 amdagp - ok
17:32:44.0578 4016 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
17:32:44.0578 4016 amsint - ok
17:32:44.0609 4016 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
17:32:44.0609 4016 Arp1394 - ok
17:32:44.0656 4016 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
17:32:44.0656 4016 asc - ok
17:32:44.0671 4016 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
17:32:44.0671 4016 asc3350p - ok
17:32:44.0687 4016 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
17:32:44.0687 4016 asc3550 - ok
17:32:44.0734 4016 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
17:32:44.0734 4016 AsyncMac - ok
17:32:44.0765 4016 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
17:32:44.0781 4016 atapi - ok
17:32:44.0781 4016 Atdisk - ok
17:32:44.0796 4016 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
17:32:44.0812 4016 Atmarpc - ok
17:32:44.0828 4016 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
17:32:44.0843 4016 audstub - ok
17:32:44.0859 4016 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
17:32:44.0859 4016 Beep - ok
17:32:44.0953 4016 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
17:32:44.0968 4016 cbidf - ok
17:32:44.0984 4016 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
17:32:44.0984 4016 cbidf2k - ok
17:32:45.0031 4016 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
17:32:45.0046 4016 cd20xrnt - ok
17:32:45.0093 4016 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
17:32:45.0109 4016 Cdaudio - ok
17:32:45.0187 4016 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
17:32:45.0187 4016 Cdfs - ok
17:32:45.0250 4016 Cdr4_xp (837eef65af62d4e8a37c41d3879f7274) C:\WINDOWS\system32\drivers\Cdr4_xp.sys
17:32:45.0265 4016 Cdr4_xp - ok
17:32:45.0265 4016 Cdralw2k (579da2f9f5401f55dae2cf8779d61dfc) C:\WINDOWS\system32\drivers\Cdralw2k.sys
17:32:45.0281 4016 Cdralw2k - ok
17:32:45.0296 4016 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
17:32:45.0296 4016 Cdrom - ok
17:32:45.0328 4016 cfwids (1dcb5209601a70e36c70fe8d197d62cb) C:\WINDOWS\system32\drivers\cfwids.sys
17:32:45.0328 4016 cfwids - ok
17:32:45.0343 4016 Changer - ok
17:32:45.0359 4016 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
17:32:45.0359 4016 CmdIde - ok
17:32:45.0390 4016 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
17:32:45.0390 4016 Cpqarray - ok
17:32:45.0421 4016 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
17:32:45.0421 4016 dac2w2k - ok
17:32:45.0453 4016 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
17:32:45.0453 4016 dac960nt - ok
17:32:45.0468 4016 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
17:32:45.0468 4016 Disk - ok
17:32:45.0578 4016 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
17:32:45.0609 4016 dmboot - ok
17:32:45.0609 4016 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
17:32:45.0625 4016 dmio - ok
17:32:47.0218 4016 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\i8042prt.sys. Real md5: 7acaecb182bfd7d63dcd6efa93588e76, Fake md5: 5502b58eef7486ee6f93f3f164dcb808
17:32:47.0218 4016 i8042prt ( Virus.Win32.ZAccess.k ) - infected
17:32:47.0218 4016 i8042prt - detected Virus.Win32.ZAccess.k (0)
17:32:55.0859 4016 MBR (0x1B8) (b20939cd98b7710036274839082ae757) \Device\Harddisk0\DR0
17:32:55.0921 4016 \Device\Harddisk0\DR0 - ok
17:32:55.0937 4016 Boot (0x1200) (33fb2fde48337376cb18650b09bcc09f) \Device\Harddisk0\DR0\Partition0
17:32:55.0937 4016 \Device\Harddisk0\DR0\Partition0 - ok
17:32:55.0953 4016 Boot (0x1200) (70a9e03f415b687a0525b32af6811cdc) \Device\Harddisk0\DR0\Partition1
17:32:55.0953 4016 \Device\Harddisk0\DR0\Partition1 - ok
17:32:55.0953 4016 ============================================================
17:32:55.0953 4016 Scan finished
17:32:55.0953 4016 ============================================================
17:32:55.0968 2584 Detected object count: 1
17:32:55.0968 2584 Actual detected object count: 1
17:35:02.0093 2584 C:\WINDOWS\system32\DRIVERS\i8042prt.sys - copied to quarantine
17:35:03.0765 2584 Backup copy found, using it..
17:35:03.0765 2584 C:\WINDOWS\system32\DRIVERS\i8042prt.sys - will be cured on reboot
17:35:06.0640 2584 i8042prt ( Virus.Win32.ZAccess.k ) - User select action: Cure
17:35:14.0531 2904 Deinitialize success

COMBOFIX:


ComboFix 12-02-21.02 - Owner 02/21/2012 17:55:53.1.2 - x86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Owner\WINDOWS
c:\windows\$NtUninstallKB9094$\1731303245
c:\windows\$NtUninstallKB9094$\3280265218\@
c:\windows\$NtUninstallKB9094$\3280265218\cfg.ini
c:\windows\$NtUninstallKB9094$\3280265218\Desktop.ini
c:\windows\$NtUninstallKB9094$\3280265218\L\mzayzxgd
c:\windows\$NtUninstallKB9094$\3280265218\U\00000001.@
c:\windows\$NtUninstallKB9094$\3280265218\U\00000002.@
c:\windows\$NtUninstallKB9094$\3280265218\U\00000004.@
c:\windows\$NtUninstallKB9094$\3280265218\U\80000000.@
c:\windows\$NtUninstallKB9094$\3280265218\U\80000004.@
c:\windows\$NtUninstallKB9094$\3280265218\U\80000032.@
c:\windows\$NtUninstallKB9094$\3280265218\version
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\Temp
c:\windows\system32\Temp\aawfhriejlcmbvbhxjui.list
c:\windows\system32\wpcap.dll
c:\windows\Update.bat
c:\windows\wallpg.exe
D:\Autorun.inf
.
c:\windows\system32\drivers\redbook.sys . . . is infected!! . . . Failed to find a valid replacement.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2012-01-21 to 2012-02-21 )))))))))))))))))))))))))))))))
.
.
2012-02-21 23:34 . 2004-08-04 04:14 52736 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2012-02-21 23:34 . 2004-08-04 04:14 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-02-21 22:35 . 2012-02-21 22:35 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-21 22:34 . 2012-02-21 22:34 -------- d-----w- c:\documents and settings\NetworkService\.jpi_cache
2012-02-21 22:34 . 2012-02-21 22:34 -------- d-----w- c:\documents and settings\NetworkService\.java
2012-02-21 22:19 . 2012-02-21 19:51 84146 ----a-w- c:\windows\system32\PKOP202X.com
2012-02-21 19:55 . 2012-02-21 19:55 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2012-02-21 19:55 . 2012-02-21 19:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Yahoo
2012-02-21 19:55 . 2012-02-21 19:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ATTYToolbar
2012-02-21 19:54 . 2012-02-21 19:54 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2012-02-17 07:06 . 2003-02-20 21:42 229487 ----a-w- c:\windows\system32\jpicpl32.cpl
2012-02-16 03:31 . 2012-02-16 03:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2012-02-16 03:18 . 2012-02-16 23:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2012-02-16 01:40 . 2012-02-16 01:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2012-02-16 01:40 . 2012-02-16 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-16 01:40 . 2012-02-21 20:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-16 01:40 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-16 00:57 . 2012-02-16 00:57 -------- d-----w- c:\program files\CCleaner
2012-02-15 04:29 . 2012-02-21 22:38 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-15 04:28 . 2012-02-15 04:28 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-15 05:50 . 2012-02-15 06:27 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 19:01 . 2010-11-16 19:46 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-10-28 8740864]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-06-15 1532760]
"QuickTime Task"="c:\program files\quicktime\QTTask.exe" [2011-07-05 421888]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-12-22 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-12-21 640440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1318816]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-3-5 110592]
Monitor.lnk - c:\program files\802.11g Wireless LAN\Monitor.exe [2004-7-20 897024]
PowerReg Scheduler V3.exe [2007-4-25 225280]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-3-5 110592]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk.disabled
backup=c:\windows\pss\QuickBooks Update Agent.lnk.disabledCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 23:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 19:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 22:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-06-08 14:08 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Games\\Age of Wonders II\\AoW2.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Games\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [11/16/2010 2:46 PM 89792]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [10/17/2010 7:32 PM 20549]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [11/16/2010 2:46 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [11/16/2010 2:46 PM 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [11/16/2010 2:46 PM 150856]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [11/16/2010 2:46 PM 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [11/16/2010 2:46 PM 83856]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [11/16/2010 2:46 PM 57600]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [11/16/2010 2:46 PM 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [11/16/2010 2:46 PM 87656]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
SE2Cmdfl
lxdm_device
pxfhmdfl
midisyn
savrtpel
backupexecdevicemediaservice
DS1410D
iAimTV5
DM9102
rt73
F700isw
suservice
cxlpt
sdbus
vpcvmm
U3sHlpDr
btnhnd
pivot
tfsnopio
mxssvr
avgmfx86
rbfilter
oracleorahome92pagingserver
ixiaendpoint
ctaud2k
roammgr
wlancfg
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-21 c:\windows\Tasks\At1.job
- c:\windows\system32\PKOP202X.com [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At10.job
- c:\windows\system32\PKOP202X.com_ [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At11.job
- c:\windows\system32\PKOP202X.com [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At12.job
- c:\windows\system32\PKOP202X.com_ [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At13.job
- c:\windows\system32\PKOP202X.com [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At14.job
- c:\windows\system32\PKOP202X.com_ [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At15.job
- c:\windows\system32\PKOP202X.com [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At16.job
- c:\windows\system32\PKOP202X.com_ [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At17.job
- c:\windows\system32\PKOP202X.com [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At18.job
- c:\windows\system32\PKOP202X.com_ [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At19.job
- c:\windows\system32\PKOP202X.com [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At2.job
- c:\windows\system32\PKOP202X.com_ [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At20.job
- c:\windows\system32\PKOP202X.com_ [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At21.job
- c:\windows\system32\PKOP202X.com [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At22.job
- c:\windows\system32\PKOP202X.com_ [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At23.job
- c:\windows\system32\PKOP202X.com [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At24.job
- c:\windows\system32\PKOP202X.com_ [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At25.job
- c:\windows\system32\PKOP202X.com [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At26.job
- c:\windows\system32\PKOP202X.com_ [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At27.job
- c:\windows\system32\PKOP202X.com [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At28.job
- c:\windows\system32\PKOP202X.com_ [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At29.job
- c:\windows\system32\PKOP202X.com [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At3.job
- c:\windows\system32\PKOP202X.com [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At30.job
- c:\windows\system32\PKOP202X.com_ [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At31.job
- c:\windows\system32\PKOP202X.com [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At32.job
- c:\windows\system32\PKOP202X.com_ [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At33.job
- c:\windows\system32\PKOP202X.com [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At34.job
- c:\windows\system32\PKOP202X.com_ [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At35.job
- c:\windows\system32\PKOP202X.com [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At36.job
- c:\windows\system32\PKOP202X.com_ [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At37.job
- c:\windows\system32\PKOP202X.com [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At38.job
- c:\windows\system32\PKOP202X.com_ [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At39.job
- c:\windows\system32\PKOP202X.com [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At4.job
- c:\windows\system32\PKOP202X.com_ [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At40.job
- c:\windows\system32\PKOP202X.com_ [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At41.job
- c:\windows\system32\PKOP202X.com [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At42.job
- c:\windows\system32\PKOP202X.com_ [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At43.job
- c:\windows\system32\PKOP202X.com [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At44.job
- c:\windows\system32\PKOP202X.com_ [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At45.job
- c:\windows\system32\PKOP202X.com [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At46.job
- c:\windows\system32\PKOP202X.com_ [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At47.job
- c:\windows\system32\PKOP202X.com [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At48.job
- c:\windows\system32\PKOP202X.com_ [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At5.job
- c:\windows\system32\PKOP202X.com [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At6.job
- c:\windows\system32\PKOP202X.com_ [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At7.job
- c:\windows\system32\PKOP202X.com [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At8.job
- c:\windows\system32\PKOP202X.com_ [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At9.job
- c:\windows\system32\PKOP202X.com [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4118426621-930993679-4286917034-1006Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-16 02:36]
.
2012-02-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4118426621-930993679-4286917034-1006UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-16 02:36]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ijsr6xti.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AdobeBridge - (no file)
HKLM-Run-SigmatelSysTrayApp - sttray.exe
SafeBoot-91861517.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-21 18:34
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB9094$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3308)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\xampp\mysql\bin\mysqld.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2012-02-21 18:39:34 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-21 23:39
.
Pre-Run: 165,782,401,024 bytes free
Post-Run: 165,935,833,088 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 8CCB4B00D3C93BE92858E6ADE2A51539

Edited by lynnmarie, 21 February 2012 - 07:25 PM.
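The log above lists 48 At*.job tasks that all launch c:\windows\system32\PKOP202X.com or PKOP202X.com_, which is the detail the helper picks up on in the next reply. As an added example (my own code, not from this thread or from ComboFix), here is a small parser for the 'Scheduled Tasks' section of a ComboFix log that groups At*.job entries by the file they run and flags that pattern; the log layout, the hypothetical minimum of three jobs, and the constructed sample are assumptions based on the excerpt.

```python
"""
Added example (my code, not from the thread or ComboFix): parse the 'Scheduled
Tasks' section of a ComboFix log and flag what the log above shows, dozens of
At*.job tasks all launching one freshly dropped system32 file (PKOP202X.com and
its PKOP202X.com_ twin). Layout and threshold are assumptions from the excerpt.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample, abbreviated from the layout of the log above.
SAMPLE_LOG = r"""
Contents of the 'Scheduled Tasks' folder
.
2012-02-21 c:\windows\Tasks\At1.job
- c:\windows\system32\PKOP202X.com [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At2.job
- c:\windows\system32\PKOP202X.com_ [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\At3.job
- c:\windows\system32\PKOP202X.com [2012-02-21 19:51]
.
2012-02-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4118426621-930993679-4286917034-1006Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-16 02:36]
.
------- Supplementary Scan -------
"""

# A task is "<date> <...>\Tasks\<name>.job" followed by "- <target> [<timestamp>]".
TASK_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (.+\\Tasks\\(.+\.job))$", re.IGNORECASE)
TARGET_RE = re.compile(r"^- (.+?) \[(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\]$")
AT_JOB_RE = re.compile(r"^At(\d+)\.job$", re.IGNORECASE)


@dataclass(frozen=True)
class Task:
    job: str          # e.g. "At1.job"
    target: str       # program the task launches
    target_time: str  # timestamp ComboFix prints for the target file


@dataclass
class Finding:
    target: str          # normalised target path (lower-case, trailing "_" dropped)
    jobs: list[str]      # At*.job tasks pointing at it, in numeric order
    variants: list[str]  # distinct file names seen, e.g. PKOP202X.com / PKOP202X.com_
    in_system32: bool


def parse_scheduled_tasks(log: str) -> list[Task]:
    """Return the (job, target, timestamp) triples of the Scheduled Tasks section."""
    tasks: list[Task] = []
    in_section = False
    pending_job = None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("-------"):  # next ComboFix section header
            break
        m = TASK_RE.match(line)
        if m:
            pending_job = m.group(3)
            continue
        m = TARGET_RE.match(line)
        if m and pending_job:
            tasks.append(Task(pending_job, m.group(1), m.group(2)))
            pending_job = None
    return tasks


def normalise_target(path: str) -> str:
    # PKOP202X.com and PKOP202X.com_ are two names for the same dropped file
    # (the helper's "notice the difference in the files"); fold them together.
    return path.lower().rstrip("_")


def find_suspicious_at_jobs(tasks: list[Task], min_jobs: int = 3) -> list[Finding]:
    """At*.job tasks come from at.exe and are rare on a home PC; a run of them
    all launching the same file is the pattern the log above shows."""
    by_target: dict[str, list[Task]] = defaultdict(list)
    for t in tasks:
        if AT_JOB_RE.match(t.job):
            by_target[normalise_target(t.target)].append(t)
    findings = []
    for target, group in by_target.items():
        if len(group) < min_jobs:
            continue
        jobs = sorted((t.job for t in group), key=lambda j: int(AT_JOB_RE.match(j).group(1)))
        variants = sorted({t.target.rsplit("\\", 1)[-1] for t in group})
        findings.append(Finding(target, jobs, variants, "\\system32\\" in target))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_at_jobs(parse_scheduled_tasks(SAMPLE_LOG)):
        print(f"{len(f.jobs)} At jobs -> {f.target} (seen as {', '.join(f.variants)})")
```

Run against a full ComboFix.txt, the GoogleUpdate tasks are ignored because they are not At*.job entries, while the PKOP202X pair is reported once with both spellings.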


#5 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 22 February 2012 - 06:33 PM

Hello,

at one point I noticed I had _ex-68.exe in process and killed it

This is probably Windows updates.

We still have an infected file that we may not be able to replace

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

c:\windows\system32\PKOP202X.com
c:\windows\system32\PKOP202X.com_

Notice the difference in the files.

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/



2.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

DDS::
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local

Domains::

ClearJavaCache::

AtJob::

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=-


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


3.
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    redbook.sys
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Things to include in your next reply:
Jotti Results
Combofix.txt
Systemlook.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#6 lynnmarie

lynnmarie
  • Topic Starter

  • Members
  • 21 posts

Posted 22 February 2012 - 11:44 PM

hello fireman4it,

I am typing from a friend's computer, so not really any good news.

I ran the jotti scan and will post the info at the end.

then I ran combofix - problems. first, it had to shut down windows at the beginning of the scan because it detected the presence of rootkit activity. then upon reboot, my virus scan started back up so I am not sure if it interfered with the combofix. but it ran the scan and I got a report. however, it also disabled my corded mouse that I had to put on last night, and it also disabled my keyboard! so I cannot type anything! I tried to install a driver but windows would not do it. also, upon viewing all of the devices, my keyboard and other things have the yellow exclamation mark:

1) Intel 82945G Express chipset family (one of my processors?),
2) both dvd and cd drives,
3) keyboard

I tried to install a driver for the keyboard, but I get the message "windows cannot load the device driver for this hardware. the driver may be corrupted or missing" I tried with my gateway recovery disk to get a driver but it won't get it from there, and I cannot even search the internet for a driver because I cannot type!

but it should be noted - at one point, I started in recovery mode, and could type "exit", so the keyboard will work - just not with windows loaded - I wonder if the mouse and keyboard PORTS are the problem?

I was able to plug my cordless mouse into a different usb port and it worked, but I am running out of holes to plug these things into, and my keyboard is not usb. So until I get these ports back I don't think I can run combofix again, otherwise I may be able to do nothing. I cannot post the combofix report at this time because I am typing by hand, and could not write it all down. I have written down the results of the jotti scan:

JOTTI SCAN RESULTS:

PKOP202X.com:

Weds 22 FEB 2012 22:50:28
Filename: hki1039.exe
Status: scan finished, 4 out of 20 scanners reported malware.

these are the names of the 4 reported malware:
1) TR/Crypt.ZPACK.Gen
2) Trojan.Downloader5.48236
3) Mal/Autorun-AS
4) Win32/TrojanClicker.Agent.NEB

PKOP202X.com_:

Thurs 23 FEB 2012 01:40:52
Filename: hki1039.exe
Status: scan finished, 4 out of 20 scanners reported malware.

these are the names of the 4 reported malware (same as above):
1) TR/Crypt.ZPACK.Gen
2) Trojan.Downloader5.48236
3) Mal/Autorun-AS
4) Win32/TrojanClicker.Agent.NEB

interesting the different times of the scans when I did them one right after the other, but that is what the reports said.

anyways, thank you for the help! it's looking kind of dim with the port/driver problem but let me know what I can do to stop these drivers/ports from disappearing and what can be done next.

Edited by lynnmarie, 22 February 2012 - 11:45 PM.


#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 23 February 2012 - 12:13 AM

Hello,

I need to see the Combofix report so I can see if it deleted any legit files. I think what else it may be is a bad hard drive, or ZeroAccess has just done too much damage.


1.
We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Mode > Advanced Mode.
    Posted Image
  • You may be presented with a warning dialog. If so, click Yes
  • Click on Tools and then Resident
    Posted Image
  • Uncheck this checkbox: "Resident TeaTimer (protection of over-all system settings) active"
  • Close/Exit Spybot Search and Destroy

2.
We need to check your hard disk for errors.

To check the volume for errors:
  • Click start and then My Computer.
  • Right click the drive C and select Properties.
  • Under Tools tab press Check Now...
  • Put a check mark in both items and press start.
  • If you get a message click Yes to schedule the disk check and click OK and then restart your computer to start the disk check. Please be patient and let the system run. In some cases it might take a couple of hours and you don't have to sit there the whole time.
*NOTE: This scan could take a long time to complete, but let it finish.


3.
You may have corrupt critical system files. Let's see if we can fix that.

1. Select Start
2. Select Run
  • Type in sfc /scannow in the command window and press enter.
  • Note the space between the c and the /
  • If any files require replacing SFC will replace them. You may be asked to insert your Windows XP Disc for this process to continue. This can be done with a borrowed Disc if you don't have one.
  • Be patient because the scan may take some time.
  • Allow the scan to run and when completed, reboot the system.


4.
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.



#8 lynnmarie

lynnmarie
  • Topic Starter

  • Members
  • 21 posts

Posted 23 February 2012 - 10:50 AM

hi fireman4it,

I am pasting the combo fix log. keyboard is still not working, typing from elsewhere. coupla things:

1) I tried to check harddisk for errors. I got this message: "The disk check could not be performed because the disk check utility needs exclusive access to some windows files on the disk. These files can be accessed only by restarting windows" so I agreed to have it scan upon restart. restarted, and got the message "windows cannot open the volume for direct access, finished checking disk" but it clearly did not do a disk check.

2) both my cd and dvd roms are not working now, so I cannot use an xp disk at the moment.

3) thanks for your help!

I am borrowing a usb keyboard today, hopefully it will work and I can do the system look.

one thing to note: I think the virus is gone. I am not getting redirected or pop up windows. although, since I can't type I cannot do a search to see if it redirects, but I clicked around on some links this morning and it's working fine. also I am not getting a bunch of weird processes popping up running cpu at 100% or fans going crazy. here is the combofix:



ComboFix 12-02-21.02 - Owner 02/22/2012 20:05:35.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2037.1541 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB9094$\2736560990
c:\windows\$NtUninstallKB9094$\3280265218\@
c:\windows\$NtUninstallKB9094$\3280265218\cfg.ini
c:\windows\$NtUninstallKB9094$\3280265218\Desktop.ini
c:\windows\$NtUninstallKB9094$\3280265218\L\mzayzxgd
c:\windows\$NtUninstallKB9094$\3280265218\oemid
c:\windows\$NtUninstallKB9094$\3280265218\U\00000001.@
c:\windows\$NtUninstallKB9094$\3280265218\U\00000002.@
c:\windows\$NtUninstallKB9094$\3280265218\U\00000004.@
c:\windows\$NtUninstallKB9094$\3280265218\U\80000000.@
c:\windows\$NtUninstallKB9094$\3280265218\U\80000004.@
c:\windows\$NtUninstallKB9094$\3280265218\U\80000032.@
c:\windows\$NtUninstallKB9094$\3280265218\version
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2012-01-23 to 2012-02-23 )))))))))))))))))))))))))))))))
.
.
2012-02-23 00:59 . 2004-08-10 19:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-22 05:19 . 2012-02-21 19:51 84146 ----a-w- c:\windows\system32\PKOP202X.com
2012-02-21 23:34 . 2004-08-04 04:14 52736 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2012-02-21 22:35 . 2012-02-21 22:35 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-21 22:34 . 2012-02-21 22:34 -------- d-----w- c:\documents and settings\NetworkService\.jpi_cache
2012-02-21 22:34 . 2012-02-21 22:34 -------- d-----w- c:\documents and settings\NetworkService\.java
2012-02-21 19:55 . 2012-02-21 19:55 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2012-02-21 19:55 . 2012-02-21 19:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Yahoo
2012-02-21 19:55 . 2012-02-21 19:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ATTYToolbar
2012-02-21 19:54 . 2012-02-21 19:54 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2012-02-17 07:06 . 2003-02-20 21:42 229487 ----a-w- c:\windows\system32\jpicpl32.cpl
2012-02-16 03:31 . 2012-02-16 03:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2012-02-16 03:18 . 2012-02-16 23:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2012-02-16 01:40 . 2012-02-16 01:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2012-02-16 01:40 . 2012-02-16 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-16 01:40 . 2012-02-21 20:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-16 01:40 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-16 00:57 . 2012-02-16 00:57 -------- d-----w- c:\program files\CCleaner
2012-02-15 04:29 . 2012-02-23 00:55 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-15 04:28 . 2012-02-15 04:28 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-15 05:50 . 2012-02-15 06:27 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 19:01 . 2010-11-16 19:46 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-21_23.34.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-01-10 01:17 . 2012-02-22 01:23 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-01-10 01:17 . 2012-02-21 14:14 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-01-10 01:17 . 2012-02-22 01:23 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-01-10 01:17 . 2012-02-21 14:14 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-02-22 01:23 . 2012-02-22 01:23 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-01-10 01:17 . 2012-02-21 14:14 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-10-28 8740864]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-06-15 1532760]
"QuickTime Task"="c:\program files\quicktime\QTTask.exe" [2011-07-05 421888]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-12-22 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-12-21 640440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1318816]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-3-5 110592]
Monitor.lnk - c:\program files\802.11g Wireless LAN\Monitor.exe [2004-7-20 897024]
PowerReg Scheduler V3.exe [2007-4-25 225280]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-3-5 110592]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk.disabled
backup=c:\windows\pss\QuickBooks Update Agent.lnk.disabledCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 23:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 19:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 22:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-06-08 14:08 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Games\\Age of Wonders II\\AoW2.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Games\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [11/16/2010 2:46 PM 89792]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [10/17/2010 7:32 PM 20549]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [11/16/2010 2:46 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [11/16/2010 2:46 PM 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [11/16/2010 2:46 PM 150856]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [11/16/2010 2:46 PM 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [11/16/2010 2:46 PM 83856]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [11/16/2010 2:46 PM 57600]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [11/16/2010 2:46 PM 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [11/16/2010 2:46 PM 87656]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
SE2Cmdfl
lxdm_device
pxfhmdfl
midisyn
savrtpel
backupexecdevicemediaservice
DS1410D
iAimTV5
DM9102
rt73
F700isw
suservice
cxlpt
sdbus
vpcvmm
U3sHlpDr
btnhnd
pivot
tfsnopio
mxssvr
avgmfx86
rbfilter
oracleorahome92pagingserver
ixiaendpoint
ctaud2k
roammgr
wlancfg
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4118426621-930993679-4286917034-1006Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-16 02:36]
.
2012-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4118426621-930993679-4286917034-1006UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-16 02:36]
.
.
------- Supplementary Scan -------
.
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: mswsock.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ijsr6xti.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-22 20:24
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB9094$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4000)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\xampp\mysql\bin\mysqld.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Common Files\McAfee\Core\mchost.exe
.
**************************************************************************
.
Completion time: 2012-02-22 20:29:18 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-23 01:29
ComboFix2.txt 2012-02-21 23:39
.
Pre-Run: 165,407,789,056 bytes free
Post-Run: 165,842,915,328 bytes free
.
- - End Of File - - A9F0D95581A26BAAD19B2F6CF272B310

#9 fireman4it


    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 23 February 2012 - 04:00 PM

Hello,

Combofix did not delete any Drivers needed for any of your devices. ZeroAccess sometimes can be a nasty infection in which the only fix is to reformat and reinstall the operating system. Please do the following then tell me how your machine is running.


1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Killall::

Files::
c:\windows\system32\PKOP202X.com
c:\windows\system32\PKOP202X.com_

SecCenter::
* Resident AV is active


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


2.
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.


3.
Please download Listparts
Please download Listparts64
Run the tool, click Scan and post the log (Result.txt) it makes.

4.
Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Things to include in your next reply:
Combofix.txt
Results.txt
FSS.txt
MBAM log
How is your machine running now?

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#10 lynnmarie

  • Topic Starter

  • Members
  • 21 posts

Posted 23 February 2012 - 09:26 PM

hi fireman4it,

my keyboard is working again! unfortunately the mouse port is still not working, using a usb slot for now. as I was typing this McAfee popped up and said it isolated the trojan artemis.... dang will it ever go away? here are all the scan results:

EDIT: meant to add that I did some searches tonight and did not get redirected with the results, that issue seems to be corrected.

systemlook:

SystemLook 30.07.11 by jpshortstuff
Log created at 19:47 on 23/02/2012 by Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "redbook.sys"
No files found.

-= EOF =-


ComboFix:

ComboFix 12-02-21.02 - Owner 02/23/2012 20:25:05.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2037.1638 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB9094$\3280265218\@
c:\windows\$NtUninstallKB9094$\3280265218\cfg.ini
c:\windows\$NtUninstallKB9094$\3280265218\L(2)\mzayzxgd
c:\windows\$NtUninstallKB9094$\3280265218\U(2)\00000001.@
c:\windows\$NtUninstallKB9094$\3280265218\U(2)\00000002.@
c:\windows\$NtUninstallKB9094$\3280265218\U(2)\00000004.@
c:\windows\$NtUninstallKB9094$\3280265218\U(2)\80000000.@
c:\windows\$NtUninstallKB9094$\3280265218\U(2)\80000004.@
c:\windows\$NtUninstallKB9094$\3280265218\U(2)\80000032.@
c:\windows\$NtUninstallKB9094$\3280265218\version
c:\windows\$NtUninstallKB9094$\3441698516
.
c:\windows\system32\drivers\i8042prt.sys was missing
Restored copy from - c:\windows\system32\dllcache\i8042prt.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2012-01-24 to 2012-02-24 )))))))))))))))))))))))))))))))
.
.
2012-02-24 01:36 . 2004-08-04 04:14 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-02-23 23:29 . 2004-08-04 05:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2012-02-23 23:29 . 2004-08-04 05:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-02-23 23:29 . 2004-08-04 03:58 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2012-02-23 23:29 . 2004-08-04 03:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-02-23 02:32 . 2012-02-23 02:32 -------- d-----w- c:\windows\system32\wbem\Repository
2012-02-23 00:59 . 2004-08-10 19:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-22 05:19 . 2012-02-21 19:51 84146 ----a-w- c:\windows\system32\PKOP202X.com
2012-02-21 23:34 . 2004-08-04 04:14 52736 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2012-02-21 22:35 . 2012-02-21 22:35 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-21 22:34 . 2012-02-21 22:34 -------- d-----w- c:\documents and settings\NetworkService\.jpi_cache
2012-02-21 22:34 . 2012-02-21 22:34 -------- d-----w- c:\documents and settings\NetworkService\.java
2012-02-21 19:55 . 2012-02-21 19:55 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2012-02-21 19:55 . 2012-02-21 19:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Yahoo
2012-02-21 19:55 . 2012-02-21 19:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ATTYToolbar
2012-02-21 19:54 . 2012-02-21 19:54 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2012-02-17 07:06 . 2003-02-20 21:42 229487 ----a-w- c:\windows\system32\jpicpl32.cpl
2012-02-16 03:31 . 2012-02-16 03:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2012-02-16 03:18 . 2012-02-16 23:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2012-02-16 01:40 . 2012-02-16 01:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2012-02-16 01:40 . 2012-02-16 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-16 00:57 . 2012-02-16 00:57 -------- d-----w- c:\program files\CCleaner
2012-02-15 04:29 . 2012-02-23 00:55 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-15 05:50 . 2012-02-15 06:27 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 19:01 . 2010-11-16 19:46 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeBridge"="" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"SigmatelSysTrayApp"="sttray.exe" [BU]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-10-28 8740864]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-06-15 1532760]
"QuickTime Task"="c:\program files\quicktime\QTTask.exe" [2011-07-05 421888]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-12-22 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-12-21 640440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1318816]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-3-5 110592]
Monitor.lnk - c:\program files\802.11g Wireless LAN\Monitor.exe [2004-7-20 897024]
PowerReg Scheduler V3.exe [2007-4-25 225280]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-3-5 110592]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk.disabled
backup=c:\windows\pss\QuickBooks Update Agent.lnk.disabledCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 23:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 19:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 22:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-06-08 14:08 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Games\\Age of Wonders II\\AoW2.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Games\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [11/16/2010 2:46 PM 89792]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [11/16/2010 2:46 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [11/16/2010 2:46 PM 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [11/16/2010 2:46 PM 150856]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [11/16/2010 2:46 PM 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [11/16/2010 2:46 PM 83856]
S2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [10/17/2010 7:32 PM 20549]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [11/16/2010 2:46 PM 57600]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [11/16/2010 2:46 PM 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [11/16/2010 2:46 PM 87656]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
SE2Cmdfl
lxdm_device
pxfhmdfl
midisyn
savrtpel
backupexecdevicemediaservice
DS1410D
iAimTV5
DM9102
rt73
F700isw
suservice
cxlpt
sdbus
vpcvmm
U3sHlpDr
btnhnd
pivot
tfsnopio
mxssvr
avgmfx86
rbfilter
oracleorahome92pagingserver
ixiaendpoint
ctaud2k
roammgr
wlancfg
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4118426621-930993679-4286917034-1006Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-16 02:36]
.
2012-02-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4118426621-930993679-4286917034-1006UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-16 02:36]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: mswsock.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ijsr6xti.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-23 20:42
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB9094$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1060)
c:\windows\system32\mswsock.dll
mswsock.dll 71a50000 258048 \\.\globalroot\systemroot\system32\mswsock.dll
.
- - - - - - - > 'explorer.exe'(3396)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\xampp\mysql\bin\mysqld.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\progra~1\mcafee.com\agent\mcupdate.exe
.
**************************************************************************
.
Completion time: 2012-02-23 20:46:18 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-24 01:46
ComboFix2.txt 2012-02-23 01:29
ComboFix3.txt 2012-02-21 23:39
.
Pre-Run: 165,638,926,336 bytes free
Post-Run: 165,737,984,000 bytes free
.
- - End Of File - - D0A9DEE1FD8FA9C220735D2ED74BA0D7

Malwarebytes:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.23.05

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: LYNN [administrator]

2/23/2012 8:53:18 PM
mbam-log-2012-02-23 (20-53-18).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 196570
Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\WINDOWS\system32\winachsx.dll (RootKit.0Access.H) -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\WINDOWS\system32\winachsx.dll (RootKit.0Access.H) -> Delete on reboot.

(end)

ListParts:

ListParts by Farbar
Ran by Owner on 23-02-2012 at 21:07:28
Windows XP (X86)
Running From: C:\Documents and Settings\Owner\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 22%
Total physical RAM: 2037.41 MB
Available physical RAM: 1575.89 MB
Total Pagefile: 4936.67 MB
Available Pagefile: 4602.34 MB
Total Virtual: 2047.88 MB
Available Virtual: 2003.16 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:228.46 GB) (Free:154.37 GB) NTFS ==>[Drive with boot components (Windows XP)]
2 Drive d: (RECOVERY) (Fixed) (Total:4.41 GB) (Free:1.35 GB) FAT32

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 4526 MB 32 KB
Partition 2 Primary 228 GB 4526 MB

Disk: 0
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 D RECOVERY FAT32 Partition 4526 MB Healthy

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 228 GB Healthy System (partition with boot components)


****** End Of Log ******

Farbar:

Farbar Service Scanner Version: 22-02-2012
Ran by Owner (administrator) on 23-02-2012 at 21:09:56
Running from "C:\Documents and Settings\Owner\My Documents\Downloads"
Microsoft Windows XP Professional Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2012-02-22 19:59] - [2004-08-10 14:00] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys
[2005-01-09 18:48] - [2005-03-13 19:55] - 0359808 ____A (Microsoft Corporation) 0E66B538096A6529D1AC66E78EB0D5C8

C:\WINDOWS\system32\Drivers\ipsec.sys
[2005-01-09 18:48] - [2004-08-10 14:00] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll
[2005-01-09 18:47] - [2004-08-10 14:00] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D

C:\WINDOWS\system32\ipnathlp.dll
[2005-01-09 18:48] - [2004-08-10 14:00] - 0331264 ____A (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF

C:\WINDOWS\system32\netman.dll
[2005-01-09 18:48] - [2005-08-22 13:29] - 0197632 ____A (Microsoft Corporation) 36739B39267914BA69AD0610A0299732

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2005-01-09 20:05] - [2004-08-10 14:00] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\srsvc.dll
[2005-01-09 20:09] - [2004-08-10 14:00] - 0170496 ____A (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838

C:\WINDOWS\system32\Drivers\sr.sys
[2005-01-09 20:09] - [2004-08-10 14:00] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24

C:\WINDOWS\system32\wscsvc.dll
[2005-01-09 18:48] - [2004-08-10 14:00] - 0081408 ____A (Microsoft Corporation) 4D59DAA66C60858CDF4F67A900F42D4A

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2005-01-09 20:05] - [2004-08-10 14:00] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\svchost.exe
[2005-01-09 18:48] - [2004-08-10 14:00] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\rpcss.dll
[2005-01-09 18:48] - [2005-07-25 23:39] - 0397824 ____A (Microsoft Corporation) CE94A2BD25E3E9F4D46A7373FF455C6D

C:\WINDOWS\system32\services.exe
[2005-01-09 18:48] - [2004-08-10 14:00] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4


Extra List:
=======
Gpc(6) IPSec(4) mfetdi2k(8) MPFP(8) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****

Edited by lynnmarie, 23 February 2012 - 09:31 PM.
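
The ComboFix log above lists, under "Files Created", every file and folder created in the scan window, one per line: creation timestamp, " . ", last-modified timestamp, size (or dashes for a folder), an 8-character attribute string, and the path. When reading such a log by hand it is easy to miss the interesting lines among the legitimate ones, so the following is an added example (not part of this thread and not ComboFix's own code) of parsing that block and applying a few triage rules drawn from what this thread's logs showed: a hidden+system file (the `--sha-w-` attribute string), anything under a `c:\windows\$NtUninstall...$` folder (where ComboFix removed the ZeroAccess payload), and a newly created `.com` file in `system32` (the file the helper's CFScript targeted). The meaning of the attribute positions (`d` directory, `s` system, `h` hidden) is inferred from the strings in the log; the sample lines are copied from the log except the `$NtUninstall` folder line, which is constructed, since the log only lists those paths under "Other Deletions" without attributes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One "Files Created" line, as printed by ComboFix in the log on this page:
#   <created> . <modified> <size | --------> <attrs> <path>
# Attribute string positions as inferred from the log: [0] 'd' = directory,
# [2] 's' = system, [3] 'h' = hidden, [4] 'a' = archive, [6] 'w' = writable.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) "
    r"(?P<attrs>[-a-z]{8}) "
    r"(?P<path>\S.*)$"
)

# Sample input: lines taken from the ComboFix log above, plus one constructed
# line (the $NtUninstallKB9094$ folder) to exercise the folder rule.
SAMPLE_LOG = r"""
2012-02-23 23:29 . 2004-08-04 05:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2012-02-23 02:32 . 2012-02-23 02:32 -------- d-----w- c:\windows\system32\wbem\Repository
2012-02-22 05:19 . 2012-02-21 19:51 84146 ----a-w- c:\windows\system32\PKOP202X.com
2012-02-21 19:51 . 2012-02-21 19:51 -------- d--h--w- c:\windows\$NtUninstallKB9094$\3280265218
2012-02-16 00:57 . 2012-02-16 00:57 -------- d-----w- c:\program files\CCleaner
2012-02-15 04:29 . 2012-02-23 00:55 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
"""


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for folders (ComboFix prints dashes)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def system(self) -> bool:
        return self.attrs[2] == "s"

    @property
    def hidden(self) -> bool:
        return self.attrs[3] == "h"


def parse_files_created(text: str) -> List[Entry]:
    """Parse a ComboFix 'Files Created' block; separator and header lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


# Matches c:\windows\$NtUninstall...$ (case-insensitive; paths are lowercased first).
UNINSTALL_DIR_RE = re.compile(r"^c:\\windows\\\$ntuninstall[^\\]*\$", re.IGNORECASE)


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for entries that hit one of the triage rules.
    The rules come from this thread's logs and are a starting point, not a verdict."""
    findings = []
    for e in entries:
        p = e.path.lower()
        if not e.is_dir and e.hidden and e.system:
            findings.append((e.path, "hidden+system file"))
        elif UNINSTALL_DIR_RE.match(p):
            findings.append((e.path, "inside a $NtUninstall*$ folder"))
        elif not e.is_dir and p.startswith("c:\\windows\\system32\\") and p.endswith(".com"):
            findings.append((e.path, "newly created .com file in system32"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_files_created(SAMPLE_LOG)):
        print(f"{reason:38s} {path}")
```

Everything the rules flag still needs a human look: a legitimate file restored by a cleanup tool (such as the hidserv.dll line in the log, which the rules correctly leave alone) can land in the same section as a dropped payload, and the attribute string alone never proves intent.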


#11 fireman4it


    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 23 February 2012 - 11:15 PM

Hello,

1.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image
      icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


2.
Your Microsoft Windows installation is out of date.
Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help prevent malicious software from being installed on your PC.
Go here to check for & install updates to Microsoft applications.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.

3.
Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs (Programs and Features in Vista/Windows 7) and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


Things to include in your next reply:
ESET log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#12 lynnmarie (Topic Starter)

Posted 24 February 2012 - 03:50 PM

Hi fireman4it,

I have included the results of the ESET scan below.

I have updated Windows; notes on that:

I started by trying to install SP3. It shut down in the process, saying it had encountered an error and needed to close. So then I installed all of the individual updates, going back to the site repeatedly until I had no high-priority updates left. After I had installed them all, I decided to try SP3 again. It got about 1/3 of the way through and encountered a problem and needed to close. It encountered the problem at the point where it was backing up the registry entries.

I have uninstalled the old Java and installed the new one.

Scan results below.

ESET Scan:

C:\Documents and Settings\Owner\My Documents\flash for install\Flash MX\keygen.exe a variant of Win32/Keygen.CY application cleaned by deleting - quarantined
C:\Documents and Settings\Owner\My Documents\Lynn's Graphic Program B'ups\MS Office 2003 Professional (Word, Excel, Powerpoint, Ac (1).iso probably a variant of Win32/Hupigon.DHMBFEX trojan deleted - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1\A0001034.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1\A0002045.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1\A0002063.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1\A0002076.com Win32/TrojanClicker.Agent.NEB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1\A0002086.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1\A0002097.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1\A0002112.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1\A0002128.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1\A0002145.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1\A0003145.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1\A0004197.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1\A0005212.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP2\A0005399.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP2\A0008405.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\21.02.2012_17.32.32\rtkt0000\svc0000\tsk0000.dta a variant of Win32/Rootkit.Kryptik.JM trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\PKOP202X.com Win32/TrojanClicker.Agent.NEB trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\PKOP202X.com_ Win32/TrojanClicker.Agent.NEB trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\serial.sys a variant of Win32/Sirefef.DA trojan unable to clean
Operating memory Win32/Sirefef.DN trojan
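The ESET log above mixes three kinds of hits, and they do not carry the same weight. Copies inside System Volume Information are System Restore snapshots of files that had already been removed, the TDSSKiller_Quarantine entry is a file another tool had already isolated, while the entries under C:\WINDOWS\system32 and the "Operating memory" line describe the running system. The two lines without "cleaned" (serial.sys "unable to clean" and the in-memory Sirefef.DN detection) are the ones that say the infection is still active. The Python below is an added example (my code, not ESET's and not from the thread) that parses lines in the format ESET prints here and separates them that way. The sample log is a shortened copy of the lines posted above, and the rules for classifying a path are my own assumptions about what those locations mean.

```python
"""Triage an ESET Online Scanner log: separate live-system hits from restore-point
and quarantine copies, and flag anything the scanner could not clean.

Added example for this thread. The line format (path, detection name, action)
is inferred from the log posted above; the location rules are assumptions.
"""
import re
from collections import Counter
from typing import Optional, Tuple

# Sample input: a shortened copy of the ESET detection lines posted above
# (the real log has more restore-point entries of the same shape).
SAMPLE_LOG = r"""
C:\Documents and Settings\Owner\My Documents\flash for install\Flash MX\keygen.exe a variant of Win32/Keygen.CY application cleaned by deleting - quarantined
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1\A0001034.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\21.02.2012_17.32.32\rtkt0000\svc0000\tsk0000.dta a variant of Win32/Rootkit.Kryptik.JM trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\PKOP202X.com Win32/TrojanClicker.Agent.NEB trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\serial.sys a variant of Win32/Sirefef.DA trojan unable to clean
Operating memory Win32/Sirefef.DN trojan
"""

# Paths contain spaces, so the split point is the start of the detection name:
# an optional "(probably) a variant of", then "Win32/<name>", then a type word.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<detection>(?:probably a variant of |a variant of )?Win32/\S+(?: (?:trojan|application))?)"
    r"(?:\s+(?P<action>.+))?$"
)
FAMILY_RE = re.compile(r"Win32/([A-Za-z0-9]+)")


def parse_eset_line(line: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Return (path, detection, action) or None for lines that are not detections.

    `action` is None when ESET printed no outcome (as it does for memory hits).
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("path"), m.group("detection"), m.group("action")


def classify(path: str) -> str:
    """Where the detected object lives; these rules are assumptions about the paths."""
    p = path.lower()
    if p == "operating memory":
        return "memory"
    if "\\system volume information\\_restore" in p:
        return "restore point"
    if "quarantine" in p:
        return "tool quarantine"
    return "live file"


def family_of(detection: str) -> str:
    m = FAMILY_RE.search(detection)
    return m.group(1) if m else "unknown"


def triage(log_text: str) -> dict:
    """Count hits per location, tally families seen on the live system, and list
    every detection ESET could not resolve (no action, or 'unable to clean')."""
    by_location, families, unresolved = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_eset_line(line)
        if rec is None:
            continue
        path, detection, action = rec
        where = classify(path)
        by_location[where] += 1
        if where in ("live file", "memory"):
            families[family_of(detection)] += 1
        if action is None or action.startswith("unable"):
            unresolved.append(rec)
    return {"by_location": by_location, "families": families, "unresolved": unresolved}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("hits by location:", dict(result["by_location"]))
    print("families on live system:", dict(result["families"]))
    for path, detection, action in result["unresolved"]:
        print("UNRESOLVED:", path, "|", detection, "|", action or "(no action)")
```

The unresolved list is what drives the next step in a thread like this one: a driver that a scanner cannot clean and a matching family still detected in memory mean the file on disk has to be examined directly rather than scanned again.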

#13 fireman4it (Malware Response Team)
Posted 24 February 2012 - 11:57 PM

Hello,


We need to have a file checked.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link: Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\WINDOWS\system32\drivers\serial.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/



#14 lynnmarie (Topic Starter)

Posted 25 February 2012 - 01:32 AM

Wow, that file is messed up. Scan results:

Jotti's malware scan
Filename: serial.sys
Status: Scan finished. 14 out of 20 scanners reported malware.
Scan taken on: Sat 25 Feb 2012 07:28:58 (CET)

Here are the found names:

2012-02-25 Zaccess.Btl
2012-02-24 Win32:Malware-gen
2012-02-24 Gen:Variant.Sirefef.22
2012-02-24 PSW.Agent.ASTO
2012-02-25 Gen:Variant.Sirefef.22
2012-02-24 TR/Drop.Sirefef.B.244
2012-02-25 Trojan-Dropper.Win32.Sirefef
2012-02-25 Gen:Variant.Sirefef.22
2012-02-25 Virus.Win32.ZAccess.c
2012-02-25 BackDoor.Maxplus.69
2012-02-25 Trojan-Dropper.Win32.Sirefef!IK
2012-02-24 Backdoor.ZAccess.btl
2012-02-24 Win32/Sirefef.DA
2012-02-24 Trojan.Sirefef!POKkgPqieaM

END

#15 fireman4it (Malware Response Team)
Posted 25 February 2012 - 03:14 AM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    serial.sys
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

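Uploading serial.sys to Jotti (post #13) and listing every copy of it with SystemLook (post #15) are two halves of one check: is the driver the operating system is loading the same file Windows keeps as a pristine copy? On Windows XP the protected copies live in system32\dllcache, ServicePackFiles\i386 and the $NtServicePackUninstall$ folder, and SystemLook's :filefind prints the size and MD5 of each so they can be compared by eye. The Python below is an added example, not the thread's own code and not SystemLook: it hashes every copy of a named driver it finds in a list of directories and reports whether the live copy agrees with the backups. The XP directory list is the real set of locations; the sample tree it builds under a temporary directory is constructed for the demonstration.

```python
"""Compare every on-disk copy of a Windows driver by hash: the live file against
the copies Windows File Protection keeps as restore sources.

Added example for this thread, not SystemLook and not the thread's own code.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Real Windows XP locations; the first is the copy that gets loaded, the rest are
# the pristine copies Windows File Protection restores from.
XP_CANDIDATE_DIRS = [
    r"C:\WINDOWS\system32\drivers",
    r"C:\WINDOWS\system32\dllcache",
    r"C:\WINDOWS\ServicePackFiles\i386",
    r"C:\WINDOWS\$NtServicePackUninstall$",
]


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(name: str, dirs: List[str]) -> Dict[str, Tuple[int, str]]:
    """Return {path: (size, sha256)} for every existing copy of `name` in `dirs`.
    Directories that do not exist are simply skipped."""
    found = {}
    for d in dirs:
        p = os.path.join(d, name)
        if os.path.isfile(p):
            found[p] = (os.path.getsize(p), sha256_of(p))
    return found


def compare_copies(copies: Dict[str, Tuple[int, str]], live_path: str):
    """Group copies by hash and say whether the live file agrees with the backups.
    Returns (verdict, {sha256: [paths]})."""
    if live_path not in copies:
        return "live copy missing", {}
    groups: Dict[str, List[str]] = {}
    for path, (_size, digest) in copies.items():
        groups.setdefault(digest, []).append(path)
    live_digest = copies[live_path][1]
    if len(groups) == 1:
        return "all copies identical", groups
    if len(groups[live_digest]) == 1:
        return "live copy differs from every backup copy", groups
    return "copies disagree", groups


def build_demo_tree() -> Tuple[List[str], str]:
    """Constructed sample: a fake XP tree in a temp dir where the live serial.sys
    has been altered while the two cached copies still match each other.
    Returns (candidate dirs, path of the live copy)."""
    root = tempfile.mkdtemp()
    good = b"MZ" + b"\x00" * 62 + b"pristine serial.sys body (constructed)"
    bad = b"MZ" + b"\x00" * 62 + b"patched serial.sys body (constructed)"
    layout = [("system32/drivers", bad), ("system32/dllcache", good), ("ServicePackFiles/i386", good)]
    dirs = []
    for sub, body in layout:
        d = os.path.join(root, *sub.split("/"))
        os.makedirs(d)
        with open(os.path.join(d, "serial.sys"), "wb") as f:
            f.write(body)
        dirs.append(d)
    return dirs, os.path.join(dirs[0], "serial.sys")


if __name__ == "__main__":
    dirs, live = build_demo_tree()
    verdict, groups = compare_copies(find_copies("serial.sys", dirs), live)
    print("verdict:", verdict)
    for digest, paths in groups.items():
        print(digest[:16], "->", paths)
```

Two caveats a practitioner should keep in mind. Agreement between the live copy and dllcache is not proof of a clean file, because malware that patches a driver can patch the cached copies as well; a hash from a known-good source (installation media or a vendor catalogue) is the real reference. And a kernel-mode rootkit can hide or substitute what a user-mode read of the file returns, so when a rootkit is suspected, as it is here, run the comparison from an offline boot environment against the mounted disk.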




