Zeroaccess post-Combofix; no internet, missing driver


#1 Chippy569

Posted 19 June 2012 - 10:55 PM

Dell Dimension 4550 here. Got infected with the "Zeroaccess" virus -- Norton was not completely able to solve. Ran Combofix (log is below). Was following instructions here: http://www.2-viruses.com/remove-zeroaccess-rootkit

Using a PCI wireless adapter (iMicro T-PCI54M) and it can see my network, and I can authenticate to it, but it's giving me an IP address of 0.0.0.0 -- obviously not working. Under my router's connected users list, I see the computer's MAC address but no IP assigned to it, so this could just as well be a router-level issue (one that I don't understand).

CD drive driver is also not working -- drive is a LiteOn LTD163, under device status it gives me "Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged (Code 19)" -- I have acquired the correct driver from Dell and installed it but to no effect.


[EDIT] I have run combofix a 2nd time and it again detected the presence of zeroaccess. I will post the second log as soon as it pops up.

ComboFix 12-06-19.03 - Bob 06/19/2012 21:49:56.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.577 [GMT -5:00]
Running from: d:\avtools\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Bob\System
c:\documents and settings\Bob\System\win_qs8.jqx
c:\documents and settings\Bob\WINDOWS
c:\documents and settings\Jason Starry\WINDOWS
c:\windows\system32\dds_trash_log.cmd
.
.
((((((((((((((((((((((((( Files Created from 2012-05-20 to 2012-06-20 )))))))))))))))))))))))))))))))
.
.
2012-06-20 01:35 . 2012-06-20 01:35 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2012-06-20 01:34 . 2007-07-18 04:22 306688 ----a-w- c:\windows\system32\drivers\rtl8185.sys
2012-06-20 01:34 . 2012-06-20 01:35 -------- d-----w- c:\program files\iMicro
2012-06-20 01:34 . 2012-06-20 01:34 -------- d-----w- c:\windows\system32\iMicro Wireless Adapter Driver and Utility
2012-06-19 18:17 . 2012-06-19 18:17 -------- d-----w- C:\3a877ef3dc833ea4897415
2012-06-19 18:16 . 2012-06-19 18:16 -------- d-----w- C:\540d764c469e21897a079a6404
2012-06-19 00:33 . 2012-06-19 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2012-06-19 00:29 . 2012-06-19 00:29 -------- d-----w- c:\program files\GFI Software
2012-06-19 00:12 . 2012-06-19 02:24 -------- d-----w- C:\sh4ldr
2012-06-19 00:12 . 2012-06-19 00:12 -------- d-----w- c:\program files\Enigma Software Group
2012-06-19 00:11 . 2012-06-19 02:23 -------- d-----w- c:\windows\9E897D0FF80441A3966C7BB6EB5B6BE8.TMP
2012-06-18 23:42 . 2012-06-18 23:42 -------- d-----w- c:\documents and settings\Bob\Application Data\DriverCure
2012-06-18 23:42 . 2012-06-18 23:42 -------- d-----w- c:\documents and settings\Bob\Application Data\SpeedyPC Software
2012-06-18 23:41 . 2012-06-19 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedyPC Software
2012-06-18 23:20 . 2012-06-18 23:20 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\AOL Toolbar
2012-06-18 23:20 . 2012-06-18 23:20 -------- d-----w- c:\program files\AOL Toolbar
2012-06-18 23:20 . 2012-06-18 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Toolbar
2012-06-18 23:20 . 2012-06-18 23:20 -------- d-----w- c:\program files\Common Files\Software Update Utility
2012-06-17 16:32 . 2012-06-17 16:32 -------- d-----w- c:\documents and settings\Bob\Application Data\MSN6
2012-06-17 16:32 . 2012-06-17 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
2012-06-17 02:11 . 2012-06-18 22:57 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\NPE
2012-06-16 20:52 . 2012-06-16 21:14 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-06-16 19:58 . 2012-06-16 19:58 -------- d-----w- c:\documents and settings\Bob\Application Data\Tific
2012-06-14 01:20 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-12 01:30 . 2012-06-12 13:14 -------- d-----w- c:\windows\system32\drivers\N360\0502020.003
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-16 21:13 . 2012-04-13 13:53 32072 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-05-31 13:22 . 2002-08-29 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2005-10-21 20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2002-08-29 12:00 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2002-08-29 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2002-08-29 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2012-05-08 11:22 . 2012-05-08 04:22 94208 ----a-w- c:\windows\DUMP91b0.tmp
2012-05-04 13:12 . 2002-08-29 12:00 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2002-08-29 01:04 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2006-03-22 22:40 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-16 13:11 . 2012-04-16 13:11 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-04-16 13:11 . 2012-04-16 13:11 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-04-04 20:56 . 2012-04-13 14:12 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-13 8466432]
"lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-07-16 434864]
"lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-07-16 25264]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-05 1468256]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
iMicro Wireless Utility.lnk - c:\program files\iMicro\RtWlan.exe [2012-6-19 786432]
QuickBooks Delivery Agent.lnk - c:\program files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe [2011-4-13 118784]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-4-5 494920]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0502020.003\symds.sys [6/12/2012 5:59 AM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0502020.003\symefa.sys [6/12/2012 5:59 AM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20120531.001\BHDrvx86.sys [6/5/2012 7:30 PM 821880]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0502020.003\ironx86.sys [6/12/2012 5:59 AM 136312]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
R2 MSSQL$INVENTORCONTENT;MSSQL$INVENTORCONTENT;c:\program files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe -sINVENTORCONTENT --> c:\program files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe -sINVENTORCONTENT [?]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\5.2.2.3\ccsvchst.exe [6/12/2012 5:58 AM 130008]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup\Engine\2.0.17.20\SymcPCCULaunchSvc.exe [4/15/2012 11:50 PM 135608]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/1/2012 8:27 PM 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20120613.007\IDSXpx86.sys [6/13/2012 7:06 PM 356792]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/29/2010 3:11 PM 135664]
S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [7/14/2010 11:06 AM 99248]
S2 SBAMSvc;VIPRE Internet Security;"c:\program files\GFI Software\VIPRE\SBAMSvc.exe" --> c:\program files\GFI Software\VIPRE\SBAMSvc.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/29/2010 3:11 PM 135664]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [4/13/2012 8:53 AM 32072]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\Bob\LOCALS~1\Temp\mfe_rr.sys --> c:\docume~1\Bob\LOCALS~1\Temp\mfe_rr.sys [?]
S3 MTK;Media Technology Kernel Driver;c:\windows\system32\Drivers\mtk.sys --> c:\windows\system32\Drivers\mtk.sys [?]
S3 SQLAgent$INVENTORCONTENT;SQLAgent$INVENTORCONTENT;c:\program files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlagent.EXE -i INVENTORCONTENT --> c:\program files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlagent.EXE -i INVENTORCONTENT [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Messenger
Netman
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
Rasman
umwdf
TdmService
websensepolicyserver
Cinemsup
LCcfltr
matlabserver
merakpop3
AR5523
lvcomser
CSDriver
atkdisplf
axinstsv
IPFilter
ssrtln
spupdsvc
mcmscsvc
SiRemFil
sp_clamsrv
mpfservice
USBDeviceService
asctrm
roxliveshare9
TryAndDecideService
emu10k1
HpqRemHid
GBDevice
ACDaemon
s217mdfl
pivotmou
lxrsii1s
pfc
cnmpar21
vncdrv
zdeviceservice
tavsvc
a8djavs
avg7rsxp
WINIO
VRcore
sysenforce
nv_agp
fsaua
tosrfbnp
avcgbdr
eamon
NTIDrvr
irbus
mfetdik
tfsnpool
centennialclientagent
sandradatasrv
epsonbidirectionalagent
mskservice
FireHook
wandrv
cxusb
dlpwd
ntsyslog
ageremodemaudio
oracleformsserver-forms60server-oraform
usrbridg
w810mdm
gemserv
EpmPsd
LwUsbHid
procdd
btdriver
zebrceb
tphkdrv
A4S2600
CTMSHD
WSIMD
USB28xxBGA
btserial
EPOWER
cpqnicmgmt
vzcdbsvc
RMCAST
Mtlstrm
SE27mdm
tpkmpsvc
vproeventmonitor
NETw3v32
L8042Kbd
msvad_simple
surveyor
us30sys
iirsp
firesvc
speakerphone
NxSysMon
sigfilt
agpcpq
AffinegyService
BVRPMPR5
DcLps
osanbm
pensup
OVT511Plus
blueletscoaudio
emproxy
ccevtmgr
cwcpsvc20
nbf
scanwscs
snare
int15.sys
enecbpth
pca
itchfltr
s3savagemx
odclientservice
NetwareWorkstation
A88xXBar
transbaseservice
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes
TrkWks
W32Time
WZCSVC
Wmi
WmdmPmSp
winmgmt
TermService
wuauserv
BITS
ShellHWDetection
helpsvc
xmlprov
wscsvc
WmdmPmSN
napagent
hkmsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
2012-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-29 20:11]
.
2012-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-29 20:11]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {682C59F5-478C-4421-9070-AD170D143B77} - hxxp://www.dell.com/support/troubleshooting/Content/Ode/pcd86.cab
FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\d04p1xgy.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
HKLM-Run-QBCD Autorun - D:\autorun.exe
Notify-TPSvc - TPSvc.dll
SafeBoot-03611488.sys
SafeBoot-06028033.sys
SafeBoot-12243525.sys
SafeBoot-29844322.sys
SafeBoot-30531833.sys
SafeBoot-43139087.sys
SafeBoot-43644514.sys
SafeBoot-51332704.sys
SafeBoot-52929359.sys
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-Aurora Bearing Co -Cad-Library (Aurora Bearing Co.) - c:\program files\Aurora Bearing Co.-Cad-Library\Uninst.isu
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-19 22:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\5.2.2.3\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.2.2.3\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Engine\2.0.17.20\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Engine\2.0.17.20\diMaster.dll\" /prefetch:1"
.
Completion time: 2012-06-19 22:22:58
ComboFix-quarantined-files.txt 2012-06-20 03:22
.
Pre-Run: 23,162,904,576 bytes free
Post-Run: 23,707,697,152 bytes free
.
- - End Of File - - 65AE20CF5C13DBE9A8CA66B3F64A91B6

Second run of ComboFix:

ComboFix 12-06-19.03 - Bob 06/19/2012 23:35:47.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.533 [GMT -5:00]
Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\EventSystem.log
c:\windows\system32\dllcache\wmpvis.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-05-20 to 2012-06-20 )))))))))))))))))))))))))))))))
.
.
2012-06-20 01:35 . 2012-06-20 01:35 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2012-06-20 01:34 . 2007-07-18 04:22 306688 ----a-w- c:\windows\system32\drivers\rtl8185.sys
2012-06-20 01:34 . 2012-06-20 01:35 -------- d-----w- c:\program files\iMicro
2012-06-20 01:34 . 2012-06-20 01:34 -------- d-----w- c:\windows\system32\iMicro Wireless Adapter Driver and Utility
2012-06-19 18:17 . 2012-06-19 18:17 -------- d-----w- C:\3a877ef3dc833ea4897415
2012-06-19 18:16 . 2012-06-19 18:16 -------- d-----w- C:\540d764c469e21897a079a6404
2012-06-19 00:33 . 2012-06-19 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2012-06-19 00:29 . 2012-06-19 00:29 -------- d-----w- c:\program files\GFI Software
2012-06-19 00:12 . 2012-06-19 02:24 -------- d-----w- C:\sh4ldr
2012-06-19 00:12 . 2012-06-19 00:12 -------- d-----w- c:\program files\Enigma Software Group
2012-06-19 00:11 . 2012-06-19 02:23 -------- d-----w- c:\windows\9E897D0FF80441A3966C7BB6EB5B6BE8.TMP
2012-06-18 23:42 . 2012-06-18 23:42 -------- d-----w- c:\documents and settings\Bob\Application Data\DriverCure
2012-06-18 23:42 . 2012-06-18 23:42 -------- d-----w- c:\documents and settings\Bob\Application Data\SpeedyPC Software
2012-06-18 23:41 . 2012-06-19 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedyPC Software
2012-06-18 23:20 . 2012-06-18 23:20 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\AOL Toolbar
2012-06-18 23:20 . 2012-06-18 23:20 -------- d-----w- c:\program files\AOL Toolbar
2012-06-18 23:20 . 2012-06-18 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Toolbar
2012-06-18 23:20 . 2012-06-18 23:20 -------- d-----w- c:\program files\Common Files\Software Update Utility
2012-06-17 16:32 . 2012-06-17 16:32 -------- d-----w- c:\documents and settings\Bob\Application Data\MSN6
2012-06-17 16:32 . 2012-06-17 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
2012-06-17 02:11 . 2012-06-18 22:57 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\NPE
2012-06-16 20:52 . 2012-06-16 21:14 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-06-16 19:58 . 2012-06-16 19:58 -------- d-----w- c:\documents and settings\Bob\Application Data\Tific
2012-06-14 01:20 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-12 01:30 . 2012-06-12 13:14 -------- d-----w- c:\windows\system32\drivers\N360\0502020.003
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-16 21:13 . 2012-04-13 13:53 32072 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-05-31 13:22 . 2002-08-29 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2005-10-21 20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2002-08-29 12:00 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2002-08-29 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2002-08-29 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2012-05-08 11:22 . 2012-05-08 04:22 94208 ----a-w- c:\windows\DUMP91b0.tmp
2012-05-04 13:12 . 2002-08-29 12:00 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2002-08-29 01:04 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2006-03-22 22:40 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-16 13:11 . 2012-04-16 13:11 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-04-16 13:11 . 2012-04-16 13:11 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-04-04 20:56 . 2012-04-13 14:12 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-06-20_03.14.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-06-20 04:33 . 2012-06-20 04:33 16384 c:\windows\Temp\Perflib_Perfdata_6c4.dat
+ 2012-06-20 04:31 . 2012-06-20 04:31 16384 c:\windows\Temp\Perflib_Perfdata_664.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-13 8466432]
"lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-07-16 434864]
"lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-07-16 25264]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-05 1468256]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
iMicro Wireless Utility.lnk - c:\program files\iMicro\RtWlan.exe [2012-6-19 786432]
QuickBooks Delivery Agent.lnk - c:\program files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe [2011-4-13 118784]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-4-5 494920]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0502020.003\symds.sys [6/12/2012 5:59 AM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0502020.003\symefa.sys [6/12/2012 5:59 AM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20120531.001\BHDrvx86.sys [6/5/2012 7:30 PM 821880]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0502020.003\ironx86.sys [6/12/2012 5:59 AM 136312]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
R2 MSSQL$INVENTORCONTENT;MSSQL$INVENTORCONTENT;c:\program files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe -sINVENTORCONTENT --> c:\program files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe -sINVENTORCONTENT [?]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\5.2.2.3\ccsvchst.exe [6/12/2012 5:58 AM 130008]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup\Engine\2.0.17.20\SymcPCCULaunchSvc.exe [4/15/2012 11:50 PM 135608]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/1/2012 8:27 PM 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20120613.007\IDSXpx86.sys [6/13/2012 7:06 PM 356792]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/29/2010 3:11 PM 135664]
S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [7/14/2010 11:06 AM 99248]
S2 SBAMSvc;VIPRE Internet Security;"c:\program files\GFI Software\VIPRE\SBAMSvc.exe" --> c:\program files\GFI Software\VIPRE\SBAMSvc.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/29/2010 3:11 PM 135664]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [4/13/2012 8:53 AM 32072]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\Bob\LOCALS~1\Temp\mfe_rr.sys --> c:\docume~1\Bob\LOCALS~1\Temp\mfe_rr.sys [?]
S3 MTK;Media Technology Kernel Driver;c:\windows\system32\Drivers\mtk.sys --> c:\windows\system32\Drivers\mtk.sys [?]
S3 SQLAgent$INVENTORCONTENT;SQLAgent$INVENTORCONTENT;c:\program files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlagent.EXE -i INVENTORCONTENT --> c:\program files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlagent.EXE -i INVENTORCONTENT [?]
.
NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Messenger
Netman
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
Rasman
umwdf
TdmService
websensepolicyserver
Cinemsup
LCcfltr
matlabserver
merakpop3
AR5523
lvcomser
CSDriver
atkdisplf
axinstsv
IPFilter
ssrtln
spupdsvc
mcmscsvc
SiRemFil
sp_clamsrv
mpfservice
USBDeviceService
asctrm
roxliveshare9
TryAndDecideService
emu10k1
HpqRemHid
GBDevice
ACDaemon
s217mdfl
pivotmou
lxrsii1s
pfc
cnmpar21
vncdrv
zdeviceservice
tavsvc
a8djavs
avg7rsxp
WINIO
VRcore
sysenforce
nv_agp
fsaua
tosrfbnp
avcgbdr
eamon
NTIDrvr
irbus
mfetdik
tfsnpool
centennialclientagent
sandradatasrv
epsonbidirectionalagent
mskservice
FireHook
wandrv
cxusb
dlpwd
ntsyslog
ageremodemaudio
oracleformsserver-forms60server-oraform
usrbridg
w810mdm
gemserv
EpmPsd
LwUsbHid
procdd
btdriver
zebrceb
tphkdrv
A4S2600
CTMSHD
WSIMD
USB28xxBGA
btserial
EPOWER
cpqnicmgmt
vzcdbsvc
RMCAST
Mtlstrm
SE27mdm
tpkmpsvc
vproeventmonitor
NETw3v32
L8042Kbd
msvad_simple
surveyor
us30sys
iirsp
firesvc
speakerphone
NxSysMon
sigfilt
agpcpq
AffinegyService
BVRPMPR5
DcLps
osanbm
pensup
OVT511Plus
blueletscoaudio
emproxy
ccevtmgr
cwcpsvc20
nbf
scanwscs
snare
int15.sys
enecbpth
pca
itchfltr
s3savagemx
odclientservice
NetwareWorkstation
A88xXBar
transbaseservice
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes
TrkWks
W32Time
WZCSVC
Wmi
WmdmPmSp
winmgmt
TermService
wuauserv
BITS
ShellHWDetection
helpsvc
xmlprov
wscsvc
WmdmPmSN
napagent
hkmsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
2012-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-29 20:11]
.
2012-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-29 20:11]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {682C59F5-478C-4421-9070-AD170D143B77} - hxxp://www.dell.com/support/troubleshooting/Content/Ode/pcd86.cab
FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\d04p1xgy.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-19 23:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\5.2.2.3\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.2.2.3\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Engine\2.0.17.20\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Engine\2.0.17.20\diMaster.dll\" /prefetch:1"
.
Completion time: 2012-06-20 00:05:14
ComboFix-quarantined-files.txt 2012-06-20 05:05
ComboFix2.txt 2012-06-20 03:22
.
Pre-Run: 23,695,028,224 bytes free
Post-Run: 23,682,215,936 bytes free
.
- - End Of File - - 227449FDA74C0D7FD1B4755330B7E6AB

Edited by Chippy569, 20 June 2012 - 08:00 AM.
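
Added example (not part of the original post, and not ComboFix's own code): a small Python triage script that reads a ComboFix log like the two above and pulls out the settings a responder would want to restore once the cleanup is finished, independent of which malware family was found. Both logs show the Security Center AntiVirusOverride and FirewallOverride values set, the Windows Firewall standard profile disabled, TCP 3389 globally open, a service (MFE_RR) whose driver file ComboFix marks with [?] because it could not be found on disk, the "NETSVCS REQUIRES REPAIRS" marker (ComboFix's way of saying the netsvcs service-group value differs from the stock one), and the missing Recovery Console warning. The function names, the finding texts and SAMPLE_LOG are this example's own; SAMPLE_LOG is a constructed excerpt condensed from the registry and service sections posted above.

```python
"""Added example: triage a ComboFix log for weakened defences.
Not ComboFix code; parser and finding texts are this example's own.
SAMPLE_LOG is a constructed excerpt condensed from the log posted above."""
import re

SAMPLE_LOG = r"""
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R2 N360;Norton 360;c:\program files\Norton 360\Engine\5.2.2.3\ccsvchst.exe [6/12/2012 5:58 AM 130008]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\Bob\LOCALS~1\Temp\mfe_rr.sys --> c:\docume~1\Bob\LOCALS~1\Temp\mfe_rr.sys [?]
.
NETSVCS REQUIRES REPAIRS - current entries shown
6to4
"""

# Section headers are compared lower-cased because ComboFix mixes case.
SECURITY_CENTER = r"[hkey_local_machine\software\microsoft\security center]"
FW_PROFILE = r"[hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"
OPEN_PORTS = FW_PROFILE[:-1] + r"\globallyopenports\list]"

KEY_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')              # "Name"=value
SERVICE_RE = re.compile(r'^([RS]\d) ([^;]+);[^;]*;(.*)$')  # R0 name;display;path


def dword_is_set(value):
    """True for a non-zero value in either form ComboFix prints: dword:00000001 or 1 (0x1)."""
    v = value.strip().lower()
    if v.startswith("dword:"):
        return int(v[6:], 16) != 0
    return v.split()[0] != "0"


def parse_combofix(text):
    """Collect registry sections, service lines and the free-text warnings we care about."""
    sections, services, flags, current = {}, [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line.lower()
            sections.setdefault(current, {})
            continue
        if line.startswith("NETSVCS REQUIRES REPAIRS"):
            flags.add("netsvcs_repair")
            current = None  # the service-name list that follows is not a registry section
            continue
        if line.startswith("WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE"):
            flags.add("no_recovery_console")
            continue
        m = SERVICE_RE.match(line)
        if m:
            # ComboFix appends [?] when the service's image file could not be found on disk
            services.append({"name": m.group(2), "path": m.group(3), "missing": line.endswith("[?]")})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
    return {"sections": sections, "services": services, "flags": flags}


def triage(parsed):
    """Return human-readable findings a responder should act on after the cleanup."""
    findings, sec = [], parsed["sections"]
    for key in ("AntiVirusOverride", "FirewallOverride"):
        val = sec.get(SECURITY_CENTER, {}).get(key)
        if val is not None and dword_is_set(val):
            findings.append(f"Security Center {key} is set: missing AV/firewall alerts are suppressed")
    fw = sec.get(FW_PROFILE, {}).get("EnableFirewall")
    if fw is not None and not dword_is_set(fw):
        findings.append("Windows Firewall is disabled in the standard profile")
    for port in sec.get(OPEN_PORTS, {}):
        findings.append(f"Globally open firewall port {port}")
    for svc in parsed["services"]:
        if svc["missing"]:
            findings.append(f"Service {svc['name']} points at a file ComboFix could not find: {svc['path']}")
    if "netsvcs_repair" in parsed["flags"]:
        findings.append("netsvcs list flagged for repair: diff it against a clean XP SP3 value")
    if "no_recovery_console" in parsed["flags"]:
        findings.append("Recovery Console not installed: no offline fallback if a fix breaks boot")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_combofix(SAMPLE_LOG)):
        print("-", finding)
```

Run against the full text of either log above, the script lists the same seven items; a service entry that resolves to a file on disk (N360 in the sample) is deliberately not reported, so the output is only the things to fix or verify, not every service on the box.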



#2 m0le
Malware Response Team


Posted 23 June 2012 - 06:09 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 m0le
Malware Response Team


Posted 28 June 2012 - 07:35 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.