Please Help - Trojan/Zero Access keeps coming back

This topic is locked. 23 replies to this topic.
#1 sumone

Posted 28 June 2012 - 09:55 PM

I've had malware before and tried the same fixes and more, but nothing works. I went to a website and all of a sudden Windows Media Player started, and that's when the issues began. Here is a list of symptoms on my Dell/Windows XP system:

- Cannot visit certain websites like Microsoft, McAfee, etc.
- Launching Control Panel triggers the trojan. IE did as well until I uninstalled version 8 and reverted to 7, and now the issue above seems to be resolved (unless I use Control Panel).
- Now when I launch Windows Media Player it fails with a message that says version 9.0.0.4503 was expected instead of 9.0.0.3250.
- Cannot run System File Checker at all (even in Safe Mode).

I tried ComboFix, Avira, ESET, GMER and TDSSKiller, and they all detected and cleaned some offending files, but they keep coming back! I would really like to fix this in a way that lets me keep all my files!

Thanks

#2 CatByte (Malware Response Team)

Posted 29 June 2012 - 06:10 PM

Hi,

Please do the following:



Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt


NEXT

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well


NEXT

For 32bit systems please download Listparts
  • Run the tool
  • Check the "list BCD" box
  • Click "Scan" and post the log (Result.txt) it makes.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 sumone (Topic Starter)

Posted 30 June 2012 - 01:55 AM

Hi - here are the dds and listparts logs. When I ran aswMBR, I got a BSOD when it was almost done scanning windows/system32. A few minutes before, Avira warned of a file xt1awbkd in this directory and flagged it as BDS/Azbreg.ajf. This file keeps showing up in a bunch of different directories on my system even after I delete them all. I also keep getting a ton of Infector/Gen8 warnings on random files. After turning the power off and restarting, XP ran an automatic chkdsk. I'll try aswMBR again, but wanted to post the other logs in the meantime in case I crash again.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by AD at 0:27:24 on 2012-06-30
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1472 [GMT -4:00]
.
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagItIEAddin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [CTHelper] CTHELPER.EXE
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\natura~1.lnk - c:\program files\sec\natural color\NaturalColorLoad.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15102/CTSUEng.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B1647320-9EC8-4B0F-BF53-93D4A43FA614} - hxxps://mydesk-hq01.morganstanley.com/prx/000/http/rc.ms.com:8180/md/1.2/common/htdocs/SPX/2.3.0.10/TerminalSvcsTCS.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.5.1.0.cab
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/110926/CTPID.cab
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{B34E1F2A-B3FE-4995-9434-294903B30B68} : DhcpNameServer = 75.75.75.75 75.75.76.76
Notify: AtiExtEvent - Ati2evxx.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-6-17 130936]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-6-27 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-6-27 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-6-27 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-6-27 74640]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-20 652360]
R2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\microsoft.net\framework\v1.1.4322\netfxupdate.exe [2007-1-15 73728]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-2-20 20464]
S0 AVGIDSEH;AVGIDSEH; [x]
S0 cneda;cneda;c:\windows\system32\drivers\sunpmb.sys --> c:\windows\system32\drivers\sunpmb.sys [?]
S0 indxek;indxek;c:\windows\system32\drivers\rwrlu.sys --> c:\windows\system32\drivers\rwrlu.sys [?]
S3 Avgfwdx;Avgfwdx; [x]
S3 Avgfwfd;AVG network filter service; [x]
S3 BlackBox;BlackBox SR2; [x]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2012-2-26 254976]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-6-29 40776]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-6-17 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-6-17 1097096]
.
=============== Created Last 30 ================
.
2012-06-30 04:13:51 16384 ----a-w- c:\program files\windows media player\pidgen.dll
2012-06-30 04:13:42 52224 -c--a-w- c:\windows\system32\dllcache\mspmsnsv.dll
2012-06-30 04:13:42 52224 ----a-w- c:\windows\system32\mspmsnsv.dll
2012-06-30 04:13:42 27136 -c--a-w- c:\windows\system32\dllcache\wmdmlog.dll
2012-06-30 04:13:42 27136 ----a-w- c:\windows\system32\wmdmlog.dll
2012-06-30 04:13:42 23552 -c--a-w- c:\windows\system32\dllcache\wmdmps.dll
2012-06-30 04:13:42 23552 ----a-w- c:\windows\system32\wmdmps.dll
2012-06-30 04:13:42 159232 -c--a-w- c:\windows\system32\dllcache\CEWMDM.dll
2012-06-30 04:13:42 159232 ----a-w- c:\windows\system32\CEWMDM.dll
2012-06-30 04:13:41 245760 -c--a-w- c:\windows\system32\dllcache\mswmdm.dll
2012-06-30 04:13:41 245760 ----a-w- c:\windows\system32\mswmdm.dll
2012-06-29 23:19:59 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-06-29 20:05:51 -------- d-sh--w- C:\found.000
2012-06-29 01:47:28 13951112 ----a-w- c:\program files\windows media player\installer\wmp9xp.exe
2012-06-28 23:33:06 -------- d-----w- c:\program files\ESET
2012-06-27 22:55:55 -------- d-----w- c:\documents and settings\ad\application data\Avira
2012-06-27 22:40:06 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-06-27 22:40:06 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-06-27 22:40:03 -------- d-----w- c:\program files\Avira
2012-06-27 22:40:03 -------- d-----w- c:\documents and settings\all users\application data\Avira
2012-06-27 11:48:56 -------- d-----w- C:\ComboFix3
2012-06-27 11:26:51 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-25 23:17:41 98816 ----a-w- c:\windows\sed.exe
2012-06-25 23:17:41 518144 ----a-w- c:\windows\SWREG.exe
2012-06-25 23:17:41 256000 ----a-w- c:\windows\PEV.exe
2012-06-25 23:17:41 208896 ----a-w- c:\windows\MBR.exe
2012-06-25 04:05:32 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-06-25 04:05:32 -------- d-----w- c:\windows\system32\wbem\Repository
2012-06-17 03:48:56 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
.
==================== Find3M ====================
.
2012-06-02 19:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-15 13:20:33 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-04 13:16:13 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-07 15:11:19 512 ----a-w- C:\drmHeader.bin
.
============= FINISH: 0:31:10.95 ===============



ListParts by Farbar Version: 23-06-2012
Ran by AD (administrator) on 30-06-2012 at 02:41:08
Windows XP (X86)
Running From: C:\Documents and Settings\AD\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 22%
Total physical RAM: 2047 MB
Available physical RAM: 1577.28 MB
Total Pagefile: 4966.48 MB
Available Pagefile: 4560.56 MB
Total Virtual: 2047.88 MB
Available Virtual: 2004.03 MB

======================= Partitions =========================

2 Drive c: () (Fixed) (Total:232.82 GB) (Free:1.32 GB) NTFS ==>[Drive with boot components (Windows XP)]
3 Drive d: (SC2-L100-D1) (CDROM) (Total:6.99 GB) (Free:0 GB) UDF

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 233 GB 32 KB
======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 233 GB Healthy System (partition with boot components)
======================================================================================================

****** End Of Log ******
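Two things in the DDS log above are worth pulling out mechanically rather than by eye: the `S0` entries `cneda` and `indxek`, whose image paths are printed as `path --> path [?]`, and (in the ComboFix log posted later in this thread) the Sigcheck rows for `mspmsnsv.dll`, where the copy in `system32` carries a different MD5 from every backup copy while reporting the same version string. The script below is an added example, not code from this thread, from the DDS authors or from ComboFix. It parses lines of both shapes and flags these two conditions. Assumptions of mine: that `[?]` after a `-->` in DDS means the image file was not found on disk, that `[x]` means a service entry with no image path, and that copies under `\system32\` are "live" while the others (ServicePackFiles, $NtServicePackUninstall$, ERDNT\cache) are "backups". The sample lines are constructed to match the posted logs.

```python
"""Triage helper for DDS 'SERVICES / DRIVERS' lines and ComboFix 'Sigcheck' rows.

Checks implemented (both are heuristics, see the assumptions in the lead-in):
  1. DDS: a service/driver whose image path is printed as 'path --> path [?]'
     (image file not found on disk) is flagged; boot-start R0/S0 entries rank high.
  2. Sigcheck: a file copy under \\system32\\ whose MD5 matches none of the backup
     copies of the same file, while carrying the same version string, is flagged
     as possibly patched in place.
"""
import re
from collections import defaultdict

# --- constructed samples, same shape as the lines in the posted logs -------
DDS_SAMPLE = r"""
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-6-17 130936]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-20 652360]
S0 AVGIDSEH;AVGIDSEH; [x]
S0 cneda;cneda;c:\windows\system32\drivers\sunpmb.sys --> c:\windows\system32\drivers\sunpmb.sys [?]
S0 indxek;indxek;c:\windows\system32\drivers\rwrlu.sys --> c:\windows\system32\drivers\rwrlu.sys [?]
S3 Avgfwdx;Avgfwdx; [x]
"""

SIGCHECK_SAMPLE = r"""
[7] 2008-04-14 00:12 . C7E39EA41233E9F5B86C8DA3A9F1E4A8 . 52224 . . [9.0.1.56] . . c:\windows\ERDNT\cache\mspmsnsv.dll
[7] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\$NtServicePackUninstall$\mspmsnsv.dll
[7] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\ServicePackFiles\i386\mspmsnsv.dll
[-] 2002-11-26 23:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\system32\mspmsnsv.dll
[-] 2002-11-26 23:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\system32\dllcache\mspmsnsv.dll
"""

# 'R0 name;display;rest' where rest is 'path [date size]', 'path --> path [?]' or '[x]'
DDS_LINE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")

# '[mark] date time . MD5 . size . . [version] . . path'
SIGCHECK_LINE = re.compile(
    r"^\[(?P<mark>[^\]]*)\]\s+(?P<stamp>\S+\s+\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)
LIVE_DIR = re.compile(r"\\system32\\", re.IGNORECASE)  # assumption: these are the live copies


def parse_dds_services(text):
    """One dict per DDS service/driver line: start type, name, image path, status."""
    entries = []
    for raw in text.splitlines():
        m = DDS_LINE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        if rest == "[x]":                                   # entry with no image path
            path, status = "", "no_image"
        elif "-->" in rest and rest.endswith("[?]"):        # image file not found
            path, status = rest.split("-->", 1)[0].strip(), "image_missing"
        else:                                               # 'path [date size]'
            path, status = rest.rsplit(" [", 1)[0].strip(), "present"
        entries.append({"start": m.group("start"), "name": m.group("name"),
                        "path": path, "status": status})
    return entries


def flag_dds_services(text):
    """Entries whose image file is missing; boot-start (R0/S0) entries sorted first."""
    missing = [e for e in parse_dds_services(text) if e["status"] == "image_missing"]
    for e in missing:
        e["severity"] = "high" if e["start"][1] == "0" else "medium"
    return sorted(missing, key=lambda e: e["severity"] != "high")


def parse_sigcheck(text):
    """One dict per Sigcheck row (mark, stamp, md5, size, version, path)."""
    return [m.groupdict() for m in (SIGCHECK_LINE.match(l.strip()) for l in text.splitlines()) if m]


def flag_sigcheck(text):
    """Live copies whose MD5 matches no backup copy of the same file at the same version."""
    by_name = defaultdict(list)
    for row in parse_sigcheck(text):
        by_name[row["path"].rsplit("\\", 1)[-1].lower()].append(row)
    findings = []
    for rows in by_name.values():
        live = [r for r in rows if LIVE_DIR.search(r["path"])]
        backups = [r for r in rows if not LIVE_DIR.search(r["path"])]
        backup_md5 = {r["md5"].upper() for r in backups}
        for r in live:
            same_version = any(b["version"] == r["version"] for b in backups)
            if backup_md5 and same_version and r["md5"].upper() not in backup_md5:
                findings.append({"path": r["path"], "md5": r["md5"].upper(),
                                 "version": r["version"], "known_good_md5": sorted(backup_md5)})
    return findings


if __name__ == "__main__":
    for e in flag_dds_services(DDS_SAMPLE):
        print(f"[{e['severity']}] {e['start']} {e['name']}: image missing -> {e['path']}")
    for f in flag_sigcheck(SIGCHECK_SAMPLE):
        print(f"[patched?] {f['path']} md5={f['md5']} version={f['version']} "
              f"backup copies={f['known_good_md5']}")
```

Run it as-is to see the two flagged drivers and the two flagged `mspmsnsv.dll` copies; to use it on a real log, paste the relevant sections in place of the samples. A hash mismatch against the on-disk backups is a lead, not a verdict (ComboFix's own log says unsigned files aren't necessarily malware): the backups here are at different patch levels from each other, so the right follow-up is to compare the live file's hash and Authenticode signature against a known-good copy from installation media or from Microsoft before replacing it.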

#4 CatByte (Malware Response Team)

Posted 30 June 2012 - 08:48 AM

Hi,

Delete the copy of ComboFix that you have on your desktop and download a fresh copy. Make sure your security programs are disabled, then run it and post the resulting log, which will be located at C:\combofix.txt.

Your older log(s) will be located at c:\qoobox\combofix2.txt; if you could zip up the older log(s) and attach them, thanks.

Link 1

#5 sumone (Topic Starter)

Posted 30 June 2012 - 10:00 AM

I disabled Real Time Protection in Avira, but ComboFix still says it detects it as active. Is this OK, or is there something else I can do without completely uninstalling?

#6 CatByte (Malware Response Team)

Posted 30 June 2012 - 10:16 AM

As long as it's disabled, you should be OK; continue on.

#7 sumone (Topic Starter)

Posted 30 June 2012 - 11:41 AM

Here is the log:

ComboFix 12-06-28.03 - AD 06/30/2012 11:51:51.10.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1616 [GMT -4:00]
Running from: c:\documents and settings\AD\Desktop\ComboFix.exe
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\AD\BWzrHb3
c:\documents and settings\AD\Local Settings\Application Data\cbexqndw.log
c:\documents and settings\AD\Local Settings\Application Data\drilmkhw.log
c:\documents and settings\AD\Local Settings\Application Data\hkyssgtr.log
c:\documents and settings\AD\Local Settings\Application Data\oqcykdln.log
c:\documents and settings\AD\Local Settings\Application Data\qjvvwcpq.log
c:\documents and settings\AD\Local Settings\Application Data\stjqfllk\babgpoub.exe
c:\documents and settings\AD\Local Settings\Application Data\uxllclpo.log
c:\documents and settings\AD\Xt1awBKD
.
.
((((((((((((((((((((((((( Files Created from 2012-05-28 to 2012-06-30 )))))))))))))))))))))))))))))))
.
.
2012-06-30 10:46 . 2012-06-30 10:46 -------- d-----w- C:\found.001
2012-06-30 04:13 . 2002-11-08 23:02 16384 ----a-w- c:\program files\Windows Media Player\pidgen.dll
2012-06-30 04:13 . 2002-11-26 23:03 52224 -c--a-w- c:\windows\system32\dllcache\mspmsnsv.dll
2012-06-30 04:13 . 2002-11-26 23:03 52224 ----a-w- c:\windows\system32\mspmsnsv.dll
2012-06-30 04:13 . 2002-11-26 23:03 27136 -c--a-w- c:\windows\system32\dllcache\wmdmlog.dll
2012-06-30 04:13 . 2002-11-26 23:03 27136 ----a-w- c:\windows\system32\wmdmlog.dll
2012-06-30 04:13 . 2002-11-26 23:03 23552 -c--a-w- c:\windows\system32\dllcache\wmdmps.dll
2012-06-30 04:13 . 2002-11-26 23:03 23552 ----a-w- c:\windows\system32\wmdmps.dll
2012-06-30 04:13 . 2002-11-26 23:03 159232 -c--a-w- c:\windows\system32\dllcache\CEWMDM.dll
2012-06-30 04:13 . 2002-11-26 23:03 159232 ----a-w- c:\windows\system32\CEWMDM.dll
2012-06-30 04:13 . 2002-11-26 23:03 245760 -c--a-w- c:\windows\system32\dllcache\mswmdm.dll
2012-06-30 04:13 . 2002-11-26 23:03 245760 ----a-w- c:\windows\system32\mswmdm.dll
2012-06-29 23:19 . 2012-06-29 23:19 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-06-29 20:05 . 2012-06-29 20:05 -------- d-----w- C:\found.000
2012-06-29 01:47 . 2012-06-29 01:39 13951112 ----a-w- c:\program files\Windows Media Player\Installer\wmp9xp.exe
2012-06-28 23:33 . 2012-06-28 23:33 -------- d-----w- c:\program files\ESET
2012-06-28 01:41 . 2012-06-28 01:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-06-27 22:55 . 2012-06-27 22:55 -------- d-----w- c:\documents and settings\AD\Application Data\Avira
2012-06-27 22:40 . 2012-01-31 12:57 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-06-27 22:40 . 2012-01-31 12:57 137416 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-06-27 22:40 . 2011-09-16 20:09 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-06-27 22:40 . 2012-06-27 22:40 -------- d-----w- c:\program files\Avira
2012-06-27 22:40 . 2012-06-27 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2012-06-27 11:26 . 2012-06-27 11:26 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-25 04:05 . 2012-06-25 04:05 -------- d-----w- c:\windows\system32\wbem\Repository
2012-06-17 03:48 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-02 19:19 . 2007-05-23 17:39 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2007-05-23 17:39 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2006-07-15 05:15 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2006-07-15 05:15 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19 . 2006-07-15 05:15 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 19:19 . 2007-05-23 17:39 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19 . 2006-07-15 05:15 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 19:19 . 2006-07-15 04:40 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 19:19 . 2005-05-26 08:16 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2003-07-16 20:25 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 19:19 . 2007-05-23 17:39 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2006-07-15 05:15 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 19:19 . 2006-07-15 04:40 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2003-03-20 20:18 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-15 13:20 . 2003-07-16 20:51 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-04 13:16 . 2003-07-16 20:39 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2002-08-29 01:04 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2006-07-15 04:40 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 00:12 . C7E39EA41233E9F5B86C8DA3A9F1E4A8 . 52224 . . [9.0.1.56] . . c:\windows\ERDNT\cache\mspmsnsv.dll
[7] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\$NtServicePackUninstall$\mspmsnsv.dll
[7] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\ServicePackFiles\i386\mspmsnsv.dll
[-] 2002-11-26 23:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\system32\mspmsnsv.dll
[-] 2002-11-26 23:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\system32\dllcache\mspmsnsv.dll
.
((((((((((((((((((((((((((((( SnapShot_2012-06-26_12.02.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-02-20 03:03 . 2011-02-20 03:03 51024 c:\windows\system32\vcomp100.dll
+ 2003-07-16 20:41 . 2011-06-21 18:45 44544 c:\windows\system32\pngfilt.dll
+ 2003-07-16 20:35 . 2007-08-13 22:01 48128 c:\windows\system32\mshtmler.dll
- 2003-07-16 20:35 . 2009-03-08 08:31 48128 c:\windows\system32\mshtmler.dll
- 2003-07-16 20:35 . 2009-03-08 08:31 45568 c:\windows\system32\mshta.exe
+ 2003-07-16 20:35 . 2007-08-13 22:32 45568 c:\windows\system32\mshta.exe
+ 2007-08-13 22:36 . 2007-08-13 22:36 12288 c:\windows\system32\msfeedssync.exe
+ 2007-08-13 22:54 . 2011-06-21 18:45 52224 c:\windows\system32\msfeedsbs.dll
+ 2011-02-20 03:03 . 2011-02-20 03:03 81744 c:\windows\system32\mfcm100u.dll
+ 2011-02-20 03:03 . 2011-02-20 03:03 81744 c:\windows\system32\mfcm100.dll
+ 2011-02-20 03:03 . 2011-02-20 03:03 60752 c:\windows\system32\mfc100rus.dll
+ 2011-02-20 03:03 . 2011-02-20 03:03 43344 c:\windows\system32\mfc100kor.dll
+ 2011-02-20 03:03 . 2011-02-20 03:03 43856 c:\windows\system32\mfc100jpn.dll
+ 2011-02-20 03:03 . 2011-02-20 03:03 62288 c:\windows\system32\mfc100ita.dll
+ 2011-02-20 03:03 . 2011-02-20 03:03 64336 c:\windows\system32\mfc100fra.dll
+ 2011-02-20 03:03 . 2011-02-20 03:03 63824 c:\windows\system32\mfc100esn.dll
+ 2011-02-20 03:03 . 2011-02-20 03:03 55120 c:\windows\system32\mfc100enu.dll
+ 2011-02-20 03:03 . 2011-02-20 03:03 64336 c:\windows\system32\mfc100deu.dll
+ 2011-02-20 03:03 . 2011-02-20 03:03 36176 c:\windows\system32\mfc100cht.dll
+ 2011-02-20 03:03 . 2011-02-20 03:03 36176 c:\windows\system32\mfc100chs.dll
+ 2003-07-16 20:32 . 2007-08-13 22:44 40960 c:\windows\system32\licmgr10.dll
+ 2003-07-16 20:31 . 2011-06-21 18:45 27648 c:\windows\system32\jsproxy.dll
+ 2003-07-16 20:30 . 2007-08-13 22:39 92672 c:\windows\system32\inseng.dll
+ 2003-07-16 20:30 . 2007-08-13 22:36 36352 c:\windows\system32\imgutil.dll
+ 2003-07-16 20:30 . 2007-08-13 22:39 55296 c:\windows\system32\iesetup.dll
+ 2003-07-16 20:30 . 2011-06-21 18:45 44544 c:\windows\system32\iernonce.dll
+ 2011-09-17 17:17 . 2011-06-21 18:45 78336 c:\windows\system32\ieencode.dll
+ 2003-07-16 20:30 . 2011-06-21 11:46 70656 c:\windows\system32\ie4uinit.exe
+ 2007-08-13 22:36 . 2011-06-21 18:45 63488 c:\windows\system32\icardie.dll
+ 2012-06-27 22:40 . 2010-06-17 18:27 28520 c:\windows\system32\drivers\ssmdrv.sys
+ 2006-07-15 04:41 . 2003-07-16 20:52 25088 c:\windows\system32\dllcache\wisc10.dll
+ 2006-07-15 04:41 . 2003-07-16 20:48 40960 c:\windows\system32\dllcache\trialoc.dll
+ 2006-07-15 00:35 . 2003-07-16 20:46 77824 c:\windows\system32\dllcache\spcommon.dll
+ 2006-07-15 00:35 . 2003-07-16 20:43 36864 c:\windows\system32\dllcache\sapisvr.exe
+ 2003-07-16 20:41 . 2011-06-21 18:45 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2006-07-15 04:41 . 2003-07-16 20:36 39936 c:\windows\system32\dllcache\msinfo32.exe
- 2003-07-16 20:35 . 2009-03-08 08:31 48128 c:\windows\system32\dllcache\mshtmler.dll
+ 2003-07-16 20:35 . 2007-08-13 22:01 48128 c:\windows\system32\dllcache\mshtmler.dll
- 2003-07-16 20:35 . 2009-03-08 08:31 45568 c:\windows\system32\dllcache\mshta.exe
+ 2003-07-16 20:35 . 2007-08-13 22:32 45568 c:\windows\system32\dllcache\mshta.exe
+ 2009-07-04 06:58 . 2011-06-21 18:45 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2003-07-16 20:32 . 2007-08-13 22:44 40960 c:\windows\system32\dllcache\licmgr10.dll
+ 2003-07-16 20:31 . 2011-06-21 18:45 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2006-07-15 04:41 . 2003-07-16 20:30 16384 c:\windows\system32\dllcache\isignup.exe
+ 2003-07-16 20:30 . 2007-08-13 22:39 92672 c:\windows\system32\dllcache\inseng.dll
+ 2003-07-16 20:30 . 2007-08-13 22:36 36352 c:\windows\system32\dllcache\imgutil.dll
+ 2003-07-16 20:30 . 2007-08-13 22:39 55296 c:\windows\system32\dllcache\iesetup.dll
+ 2003-07-16 20:30 . 2011-06-21 18:45 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2004-08-04 07:56 . 2011-06-21 18:45 78336 c:\windows\system32\dllcache\ieencode.dll
+ 2003-07-16 20:30 . 2011-06-21 11:46 70656 c:\windows\system32\dllcache\ie4uinit.exe
+ 2006-07-15 04:41 . 2003-07-16 20:30 73728 c:\windows\system32\dllcache\icwtutor.exe
+ 2009-07-04 06:58 . 2011-06-21 18:45 63488 c:\windows\system32\dllcache\icardie.dll
+ 2006-07-15 04:40 . 2003-07-16 20:29 13312 c:\windows\system32\dllcache\htrn_jis.dll
+ 2006-07-15 04:40 . 2007-08-13 22:18 60416 c:\windows\system32\dllcache\hmmapi.dll
+ 2003-07-16 20:25 . 2011-06-21 18:45 17408 c:\windows\system32\dllcache\corpol.dll
+ 2003-07-16 20:23 . 2007-08-13 22:39 71680 c:\windows\system32\dllcache\admparse.dll
+ 2003-07-16 20:25 . 2011-06-21 18:45 17408 c:\windows\system32\corpol.dll
- 2006-07-15 04:45 . 2011-06-13 11:31 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-07-15 04:45 . 2012-06-29 02:50 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-06-28 01:40 . 2012-06-29 02:50 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2003-07-16 20:23 . 2007-08-13 22:39 71680 c:\windows\system32\admparse.dll
+ 2012-02-11 03:11 . 2012-02-11 03:11 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_353617fa\SYSTEM~1.DLL
+ 2012-02-11 03:11 . 2012-02-11 03:11 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_bfc6bdff\CUSTOM~1.DLL
+ 2006-04-28 14:58 . 2011-06-21 18:45 832512 c:\windows\system32\wininet.dll
+ 2007-08-13 22:45 . 2007-08-13 22:45 206336 c:\windows\system32\winfxdocobj.exe
+ 2003-07-16 20:51 . 2011-06-21 18:45 233472 c:\windows\system32\webcheck.dll
+ 2003-07-16 20:49 . 2011-03-04 06:45 434176 c:\windows\system32\vbscript.dll
+ 2003-07-16 20:49 . 2011-06-21 18:45 106496 c:\windows\system32\url.dll
+ 2003-07-16 20:40 . 2011-06-21 18:45 102912 c:\windows\system32\occache.dll
+ 2011-02-19 04:40 . 2011-02-19 04:40 773968 c:\windows\system32\msvcr100.dll
+ 2011-02-20 03:03 . 2011-02-20 03:03 421200 c:\windows\system32\msvcp100.dll
+ 2003-07-16 20:36 . 2011-06-21 18:45 671232 c:\windows\system32\mstime.dll
+ 2003-07-16 20:36 . 2011-06-21 18:45 193024 c:\windows\system32\msrating.dll
- 2003-07-16 20:36 . 2009-03-08 08:22 156160 c:\windows\system32\msls31.dll
+ 2003-07-16 20:36 . 2007-08-13 22:54 156160 c:\windows\system32\msls31.dll
+ 2003-07-16 20:35 . 2011-06-21 18:45 478720 c:\windows\system32\mshtmled.dll
+ 2007-08-13 22:54 . 2011-06-21 18:45 468480 c:\windows\system32\msfeeds.dll
+ 2006-05-18 05:58 . 2011-03-04 06:45 512000 c:\windows\system32\jscript.dll
+ 2007-08-13 22:54 . 2007-08-13 22:54 180736 c:\windows\system32\ieui.dll
+ 2007-08-13 22:34 . 2011-06-21 18:45 268288 c:\windows\system32\iertutil.dll
+ 2006-02-24 19:24 . 2011-06-21 18:45 192512 c:\windows\system32\iepeers.dll
+ 2003-07-16 20:30 . 2011-06-21 18:45 384512 c:\windows\system32\iedkcs32.dll
+ 2007-07-11 16:27 . 2011-06-21 18:45 380928 c:\windows\system32\ieapfltr.dll
+ 2003-07-16 20:30 . 2011-06-20 11:27 161792 c:\windows\system32\ieakui.dll
+ 2003-07-16 20:30 . 2011-06-21 18:45 230400 c:\windows\system32\ieaksie.dll
+ 2003-07-16 20:30 . 2011-06-21 18:45 153088 c:\windows\system32\ieakeng.dll
+ 2006-02-24 19:24 . 2011-06-21 18:45 214528 c:\windows\system32\dxtrans.dll
+ 2006-04-28 14:57 . 2011-06-21 18:45 347136 c:\windows\system32\dxtmsft.dll
+ 2006-04-28 14:58 . 2011-06-21 18:45 832512 c:\windows\system32\dllcache\wininet.dll
+ 2003-07-16 20:51 . 2011-06-21 18:45 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2006-07-15 04:41 . 2011-04-30 08:50 766464 c:\windows\system32\dllcache\vgx.dll
+ 2003-07-16 20:49 . 2011-03-04 06:45 434176 c:\windows\system32\dllcache\vbscript.dll
+ 2003-07-16 20:49 . 2011-06-21 18:45 106496 c:\windows\system32\dllcache\url.dll
+ 2006-07-15 00:35 . 2003-07-16 20:46 774144 c:\windows\system32\dllcache\spttseng.dll
+ 2003-07-16 20:40 . 2011-06-21 18:45 102912 c:\windows\system32\dllcache\occache.dll
+ 2003-07-16 20:36 . 2011-06-21 18:45 671232 c:\windows\system32\dllcache\mstime.dll
+ 2006-07-15 04:41 . 2003-07-16 20:36 235520 c:\windows\system32\dllcache\mssoap1.dll
+ 2003-07-16 20:36 . 2011-06-21 18:45 193024 c:\windows\system32\dllcache\msrating.dll
+ 2003-07-16 20:36 . 2007-08-13 22:54 156160 c:\windows\system32\dllcache\msls31.dll
- 2003-07-16 20:36 . 2009-03-08 08:22 156160 c:\windows\system32\dllcache\msls31.dll
+ 2003-07-16 20:35 . 2011-06-21 18:45 478720 c:\windows\system32\dllcache\mshtmled.dll
+ 2009-07-04 06:58 . 2011-06-21 18:45 468480 c:\windows\system32\dllcache\msfeeds.dll
+ 2006-05-18 05:58 . 2011-03-04 06:45 512000 c:\windows\system32\dllcache\jscript.dll
+ 2006-07-15 04:40 . 2011-06-20 11:29 634648 c:\windows\system32\dllcache\iexplore.exe
+ 2009-07-04 06:58 . 2011-06-21 18:45 268288 c:\windows\system32\dllcache\iertutil.dll
+ 2006-02-24 19:24 . 2011-06-21 18:45 192512 c:\windows\system32\dllcache\iepeers.dll
+ 2003-07-16 20:30 . 2011-06-21 18:45 384512 c:\windows\system32\dllcache\iedkcs32.dll
+ 2009-07-04 06:58 . 2011-06-21 18:45 380928 c:\windows\system32\dllcache\ieapfltr.dll
+ 2003-07-16 20:30 . 2011-06-20 11:27 161792 c:\windows\system32\dllcache\ieakui.dll
+ 2003-07-16 20:30 . 2011-06-21 18:45 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2003-07-16 20:30 . 2011-06-21 18:45 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2006-02-24 19:24 . 2011-06-21 18:45 214528 c:\windows\system32\dllcache\dxtrans.dll
+ 2006-04-28 14:57 . 2011-06-21 18:45 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2003-07-16 20:23 . 2011-06-21 18:45 124928 c:\windows\system32\dllcache\advpack.dll
+ 2006-07-15 04:45 . 2012-06-29 02:50 245760 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-07-15 04:45 . 2011-06-13 11:31 245760 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2012-06-28 01:41 . 2012-06-28 01:36 262144 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2011-02-20 03:03 . 2011-02-20 03:03 138056 c:\windows\system32\atl100.dll
+ 2003-07-16 20:23 . 2011-06-21 18:45 124928 c:\windows\system32\advpack.dll
+ 2012-06-27 22:38 . 2012-06-27 22:38 160768 c:\windows\Installer\18a334.msi
+ 2011-09-17 17:17 . 2006-09-06 21:43 213216 c:\windows\ie7\spuninst\spuninst.exe
+ 2006-05-08 14:50 . 2011-06-21 18:45 1168896 c:\windows\system32\urlmon.dll
+ 2006-05-19 19:52 . 2011-07-22 16:35 3613696 c:\windows\system32\mshtml.dll
+ 2011-02-20 03:03 . 2011-02-20 03:03 4422992 c:\windows\system32\mfc100u.dll
+ 2011-02-20 03:03 . 2011-02-20 03:03 4397384 c:\windows\system32\mfc100.dll
+ 2007-08-13 22:54 . 2011-06-21 18:45 6076416 c:\windows\system32\ieframe.dll
+ 2007-02-12 20:10 . 2009-06-29 08:33 2452872 c:\windows\system32\ieapfltr.dat
+ 2006-05-08 14:50 . 2011-06-21 18:45 1168896 c:\windows\system32\dllcache\urlmon.dll
+ 2006-05-19 19:52 . 2011-07-22 16:35 3613696 c:\windows\system32\dllcache\mshtml.dll
+ 2009-07-04 06:58 . 2011-06-21 18:45 6076416 c:\windows\system32\dllcache\ieframe.dll
+ 2009-07-04 06:58 . 2009-06-29 08:33 2452872 c:\windows\system32\dllcache\ieapfltr.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 237568]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 225280]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 598016]
"CTHelper"="CTHELPER.EXE" [2010-03-19 19456]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-01-31 258512]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NaturalColorLoad.lnk - c:\program files\SEC\Natural Color\NaturalColorLoad.exe [2006-12-27 155715]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast!Antivirus"=2 (0x2)
"E334157B"=3 (0x3)
"avgwd"=2 (0x2)
"avgfws"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base21029\\SC2.exe"=
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/17/2009 7:26 PM 130936]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [6/27/2012 6:40 PM 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/27/2012 6:40 PM 86224]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/20/2012 10:33 AM 652360]
R2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe [1/15/2007 4:11 PM 73728]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [3/18/2010 9:39 PM 99416]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [3/18/2010 9:39 PM 555096]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [3/18/2010 9:39 PM 566360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/20/2012 10:33 AM 20464]
S0 AVGIDSEH;AVGIDSEH; [x]
S0 cneda;cneda;c:\windows\system32\drivers\sunpmb.sys --> c:\windows\system32\drivers\sunpmb.sys [?]
S0 indxek;indxek;c:\windows\system32\drivers\rwrlu.sys --> c:\windows\system32\drivers\rwrlu.sys [?]
S3 Avgfwdx;Avgfwdx; [x]
S3 Avgfwfd;AVG network filter service; [x]
S3 BlackBox;BlackBox SR2; [x]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [3/18/2010 9:39 PM 99416]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2/26/2012 1:32 PM 254976]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [3/18/2010 9:39 PM 555096]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [3/18/2010 9:39 PM 100952]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [3/18/2010 9:39 PM 100952]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [3/18/2010 9:39 PM 566360]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/29/2012 7:19 PM 40776]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/17/2009 7:26 PM 348752]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/12/2008 12:29 PM 717296]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-30 12:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1645522239-152049171-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:71,4a,a1,f7,db,4d,a5,4f,c1,a3,48,a9,07,aa,d2,cc,13,e2,f3,0f,64,e0,68,
20,62,47,c5,95,f0,52,b0,79,8c,70,fc,c6,bc,ef,9f,43,6a,1a,05,30,34,32,75,07,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(604)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-06-30 12:30:01
ComboFix-quarantined-files.txt 2012-06-30 16:29
ComboFix2.txt 2012-06-26 12:17
ComboFix3.txt 2012-06-26 02:58
ComboFix4.txt 2012-06-26 01:33
ComboFix5.txt 2012-06-26 23:28
.
Pre-Run: 1,383,337,984 bytes free
Post-Run: 1,721,180,160 bytes free
.
- - End Of File - - 836F5922F9891EC464596345A66293BE




#8 CatByte

Posted 30 June 2012 - 12:01 PM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, then click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

FCopy::
c:\windows\ServicePackFiles\i386\mspmsnsv.dll | c:\windows\system32\mspmsnsv.dll
c:\windows\ServicePackFiles\i386\mspmsnsv.dll | c:\windows\system32\dllcache\mspmsnsv.dll

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 sumone

Posted 30 June 2012 - 05:51 PM

Sorry - ESET is taking forever to scan archives...going on 4 hours now. Hoping it's done in another hour or so!

#10 CatByte

Posted 30 June 2012 - 06:05 PM

Yes, it can take a long time; I had one user for whom it took 22 hours to complete!!



#11 sumone

Posted 30 June 2012 - 11:28 PM

Still going...it says I have almost 6000 infected files and counting. Is that normal?? Almost all of them are tagged as a variant of win32/Ramnit.T virus.

#12 sumone

Posted 01 July 2012 - 02:44 AM

It looks like the Eset log is 1.5MB and too large to post or attach. How should I proceed? Also, when I rebooted during the Combofix process I got a new message saying a hard drive parameter was out of range and had to press F1 to continue. The MBAM and Combofix logs are below:



ComboFix 12-06-28.03 - AD 06/30/2012 13:29:22.11.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1619 [GMT -4:00]
Running from: c:\documents and settings\AD\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\AD\Desktop\CFScript.txt
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\mspmsnsv.dll --> c:\windows\system32\mspmsnsv.dll
c:\windows\ServicePackFiles\i386\mspmsnsv.dll --> c:\windows\system32\dllcache\mspmsnsv.dll
.
((((((((((((((((((((((((( Files Created from 2012-05-28 to 2012-06-30 )))))))))))))))))))))))))))))))
.
.
2012-06-30 10:46 . 2012-06-30 10:46 -------- d-----w- C:\found.001
2012-06-30 04:13 . 2002-11-08 23:02 16384 ----a-w- c:\program files\Windows Media Player\pidgen.dll
2012-06-30 04:13 . 2004-08-04 07:56 52224 -c--a-w- c:\windows\system32\dllcache\mspmsnsv.dll
2012-06-30 04:13 . 2004-08-04 07:56 52224 ----a-w- c:\windows\system32\mspmsnsv.dll
2012-06-30 04:13 . 2002-11-26 23:03 27136 -c--a-w- c:\windows\system32\dllcache\wmdmlog.dll
2012-06-30 04:13 . 2002-11-26 23:03 27136 ----a-w- c:\windows\system32\wmdmlog.dll
2012-06-30 04:13 . 2002-11-26 23:03 23552 -c--a-w- c:\windows\system32\dllcache\wmdmps.dll
2012-06-30 04:13 . 2002-11-26 23:03 23552 ----a-w- c:\windows\system32\wmdmps.dll
2012-06-30 04:13 . 2002-11-26 23:03 159232 -c--a-w- c:\windows\system32\dllcache\CEWMDM.dll
2012-06-30 04:13 . 2002-11-26 23:03 159232 ----a-w- c:\windows\system32\CEWMDM.dll
2012-06-30 04:13 . 2002-11-26 23:03 245760 -c--a-w- c:\windows\system32\dllcache\mswmdm.dll
2012-06-30 04:13 . 2002-11-26 23:03 245760 ----a-w- c:\windows\system32\mswmdm.dll
2012-06-29 23:19 . 2012-06-29 23:19 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-06-29 20:05 . 2012-06-29 20:05 -------- d-----w- C:\found.000
2012-06-29 01:47 . 2012-06-29 01:39 13951112 ----a-w- c:\program files\Windows Media Player\Installer\wmp9xp.exe
2012-06-28 23:33 . 2012-06-28 23:33 -------- d-----w- c:\program files\ESET
2012-06-28 01:41 . 2012-06-28 01:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-06-27 22:55 . 2012-06-27 22:55 -------- d-----w- c:\documents and settings\AD\Application Data\Avira
2012-06-27 22:40 . 2012-01-31 12:57 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-06-27 22:40 . 2012-01-31 12:57 137416 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-06-27 22:40 . 2011-09-16 20:09 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-06-27 22:40 . 2012-06-27 22:40 -------- d-----w- c:\program files\Avira
2012-06-27 22:40 . 2012-06-27 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2012-06-27 11:26 . 2012-06-27 11:26 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-25 04:05 . 2012-06-25 04:05 -------- d-----w- c:\windows\system32\wbem\Repository
2012-06-17 03:48 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-02 19:19 . 2007-05-23 17:39 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2007-05-23 17:39 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2006-07-15 05:15 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2006-07-15 05:15 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19 . 2006-07-15 05:15 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 19:19 . 2007-05-23 17:39 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19 . 2006-07-15 05:15 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 19:19 . 2006-07-15 04:40 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 19:19 . 2005-05-26 08:16 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2003-07-16 20:25 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 19:19 . 2007-05-23 17:39 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2006-07-15 05:15 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 19:19 . 2006-07-15 04:40 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2003-03-20 20:18 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-15 13:20 . 2003-07-16 20:51 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-04 13:16 . 2003-07-16 20:39 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2002-08-29 01:04 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2006-07-15 04:40 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 237568]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 225280]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 598016]
"CTHelper"="CTHELPER.EXE" [2010-03-19 19456]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-01-31 258512]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NaturalColorLoad.lnk - c:\program files\SEC\Natural Color\NaturalColorLoad.exe [2006-12-27 155715]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast!Antivirus"=2 (0x2)
"E334157B"=3 (0x3)
"avgwd"=2 (0x2)
"avgfws"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base21029\\SC2.exe"=
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/17/2009 7:26 PM 130936]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [6/27/2012 6:40 PM 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/27/2012 6:40 PM 86224]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/20/2012 10:33 AM 652360]
R2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe [1/15/2007 4:11 PM 73728]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [3/18/2010 9:39 PM 99416]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [3/18/2010 9:39 PM 555096]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [3/18/2010 9:39 PM 566360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/20/2012 10:33 AM 20464]
S0 AVGIDSEH;AVGIDSEH; [x]
S0 cneda;cneda;c:\windows\system32\drivers\sunpmb.sys --> c:\windows\system32\drivers\sunpmb.sys [?]
S0 indxek;indxek;c:\windows\system32\drivers\rwrlu.sys --> c:\windows\system32\drivers\rwrlu.sys [?]
S3 Avgfwdx;Avgfwdx; [x]
S3 Avgfwfd;AVG network filter service; [x]
S3 BlackBox;BlackBox SR2; [x]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [3/18/2010 9:39 PM 99416]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2/26/2012 1:32 PM 254976]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [3/18/2010 9:39 PM 555096]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [3/18/2010 9:39 PM 100952]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [3/18/2010 9:39 PM 100952]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [3/18/2010 9:39 PM 566360]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/29/2012 7:19 PM 40776]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/17/2009 7:26 PM 348752]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/12/2008 12:29 PM 717296]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-30 13:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1645522239-152049171-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:71,4a,a1,f7,db,4d,a5,4f,c1,a3,48,a9,07,aa,d2,cc,13,e2,f3,0f,64,e0,68,
20,62,47,c5,95,f0,52,b0,79,8c,70,fc,c6,bc,ef,9f,43,6a,1a,05,30,34,32,75,07,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(608)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-06-30 14:01:51
ComboFix-quarantined-files.txt 2012-06-30 18:01
ComboFix2.txt 2012-06-30 16:30
ComboFix3.txt 2012-06-26 12:17
ComboFix4.txt 2012-06-26 02:58
ComboFix5.txt 2012-06-30 17:15
.
Pre-Run: 1,716,736,000 bytes free
Post-Run: 1,710,194,688 bytes free
.
- - End Of File - - A60BAC1C44488785EEB8737F8E2D6851



Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.30.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
AD :: DELL [administrator]

Protection: Disabled

6/30/2012 2:05:20 PM
mbam-log-2012-06-30 (14-05-20).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 232517
Time elapsed: 14 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Documents and Settings\AD\Desktop\Media_Player_Classic_Setup.exe (PUP.Bundle.Installer.OI) -> Quarantined and deleted successfully.
C:\Documents and Settings\AD\Local Settings\Temporary Internet Files\Content.IE5\ZJEPIGT8\Media_Player_Classic_Setup[1].exe (PUP.Bundle.Installer.OI) -> Quarantined and deleted successfully.

(end)
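The ComboFix logs posted in this thread list every service as start type, name, display name and image path, with a bracketed marker where the file could not be checked. As an added example (not from the thread, from ComboFix or from its authors), here is a small Python parser run over a handful of those lines copied as posted; reading the [x] and [?] markers as "binary not checked" is our assumption, not documented ComboFix behaviour.

```python
"""Triage the services section of a ComboFix log (added example, not ComboFix's own code).

Each line has the shape
    <start> <name>;<display name>;<image path> [<date> <time> <size>]
where <start> is R0..R3 for a running driver/service and S0..S4 for a
stopped one, and the bracket carries the timestamp and size ComboFix read
from the file.  Two other shapes appear in the log posted above:
    S0 name;display; [x]                    no image path recorded at all
    S0 name;display;path --> path [?]       path recorded, file not verified
Reading [x] and [?] as "ComboFix could not check the binary" is our
assumption here, not documented ComboFix behaviour.
"""
import re
from dataclasses import dataclass
from typing import List

# Lines copied verbatim from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/17/2009 7:26 PM 130936]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [6/27/2012 6:40 PM 36000]
S0 AVGIDSEH;AVGIDSEH; [x]
S0 cneda;cneda;c:\windows\system32\drivers\sunpmb.sys --> c:\windows\system32\drivers\sunpmb.sys [?]
S0 indxek;indxek;c:\windows\system32\drivers\rwrlu.sys --> c:\windows\system32\drivers\rwrlu.sys [?]
S3 Avgfwfd;AVG network filter service; [x]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2/26/2012 1:32 PM 254976]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/12/2008 12:29 PM 717296]
"""

# "<start> <name>;<display>;<rest>" -- name and display may contain spaces.
_ENTRY_RE = re.compile(r"^(?P<start>[RS][0-4]) (?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$")
# "<path> [<info>]" -- path may be empty; info is "x", "?" or "date time size".
_TAIL_RE = re.compile(r"^(?P<path>.*?)\s*\[(?P<info>[^\]]*)\]\s*$")


@dataclass
class ServiceEntry:
    start: str       # R0..R3 / S0..S4 exactly as ComboFix prints it
    name: str        # service key name
    display: str     # display name
    path: str        # image path as ComboFix resolved it ("" if none)
    size: int        # file size in bytes, or -1 when ComboFix did not verify it
    status: str      # "verified", "no image path" or "file not verified"

    @property
    def boot_start(self) -> bool:
        # Start type 0 is a boot-start driver: it loads before most defences.
        return self.start.endswith("0")


def parse_entry(line: str) -> ServiceEntry:
    """Parse one services line; raise ValueError for anything else."""
    m = _ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a ComboFix services line: {line!r}")
    tail = _TAIL_RE.match(m.group("rest"))
    if not tail:
        raise ValueError(f"missing [..] marker: {line!r}")
    # "a --> b" means ComboFix resolved a to b; keep the resolved path.
    path = tail.group("path").split("-->")[-1].strip()
    info = tail.group("info").strip()
    if info == "x":
        size, status = -1, "no image path"
    elif info == "?":
        size, status = -1, "file not verified"
    else:
        size, status = int(info.split()[-1]), "verified"
    return ServiceEntry(m.group("start"), m.group("name"), m.group("display"), path, size, status)


def parse_services(text: str) -> List[ServiceEntry]:
    """Parse every non-blank line of a services section."""
    return [parse_entry(ln) for ln in text.splitlines() if ln.strip()]


def unverified(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Entries whose binary ComboFix could not check, boot-start ones first."""
    flagged = [e for e in entries if e.status != "verified"]
    return sorted(flagged, key=lambda e: (not e.boot_start, e.name.lower()))


if __name__ == "__main__":
    for e in unverified(parse_services(SAMPLE_LOG)):
        print(f"{e.start} {e.name:<10} {e.status:<18} {e.path or '(none)'}")
```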

#13 CatByte

Posted 01 July 2012 - 10:09 AM

Are you able to zip up the ESET file > right click > send to > compressed (zipped) folder

then attach it?

What is a sampling of the detections it is reporting?



#14 sumone

Posted 01 July 2012 - 10:13 AM

I should have thought of that! I attached the zipped file...




#15 CatByte

Posted 01 July 2012 - 10:19 AM

Ugh

I was afraid of that. Unfortunately Ramnit is a polymorphic file infector. It has permeated too many files to be able to clean. I only recommend reformatting. There are tools that claim to be able to clean Ramnit, but personally it is such a damaging infection that I wouldn't trust any of the files again unless I reformatted. I'm sorry for such bad news.

Here is the usual recommendation I give for Ramnit:

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A, which is dropped by a Ramnit-infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).






