Pepster
  1. ComboFix found and fixed ZeroAccess rootkit. I'd still appreciate any help offered in cleaning up the remaining loose ends I haven't spotted.

ComboFix 11-12-06.01 - Pete 12/06/2011 22:09:38.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2681 [GMT -5:00]
Running from: c:\documents and settings\Pete\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk
c:\windows\$NtUninstallKB2649$
c:\windows\$NtUninstallKB2649$\2517789265
c:\windows\$NtUninstallKB2649$\3699496664\@
c:\windows\$NtUninstallKB2649$\3699496664\bckfg.tmp
c:\windows\$NtUninstallKB2649$\3699496664\cfg.ini
c:\windows\$NtUninstallKB2649$\3699496664\Desktop.ini
c:\windows\$NtUninstallKB2649$\3699496664\keywords
c:\windows\$NtUninstallKB2649$\3699496664\kwrd.dll
c:\windows\$NtUninstallKB2649$\3699496664\L\akygdmgo
c:\windows\$NtUninstallKB2649$\3699496664\lsflt7.ver
c:\windows\$NtUninstallKB2649$\3699496664\U\00000001.@
c:\windows\$NtUninstallKB2649$\3699496664\U\00000002.@
c:\windows\$NtUninstallKB2649$\3699496664\U\00000004.@
c:\windows\$NtUninstallKB2649$\3699496664\U\80000000.@
c:\windows\$NtUninstallKB2649$\3699496664\U\80000004.@
c:\windows\$NtUninstallKB2649$\3699496664\U\80000032.@
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\GroupPolicy\User\Scripts\scripts.ini
c:\windows\tsoc.log
D:\autorun.inf
E:\Autorun.inf
H:\autorun.inf
.
Infected copy of c:\windows\system32\drivers\serial.sys was found and disinfected
Restored copy from - The cat found it
.
((((((((((((((((((((((((( Files Created from 2011-11-07 to 2011-12-07 )))))))))))))))))))))))))))))))
.
.
2011-12-06 03:41 . 2011-12-06 03:41 -------- d-----w- c:\documents and settings\Pete\Application Data\SUPERAntiSpyware.com
2011-12-06 03:41 . 2011-12-06 05:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-06 03:41 . 2011-12-06 03:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-12-06 02:17 . 2011-12-06 02:17 -------- d-----w- c:\program files\Common Files\Java
2011-12-05 20:10 . 2011-12-05 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-12-05 20:10 . 2011-12-05 20:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-12-05 19:48 . 2011-12-05 19:48 -------- d-----w- c:\documents and settings\Pete\Application Data\Malwarebytes
2011-12-05 19:48 . 2011-12-05 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-05 19:48 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-05 19:48 . 2011-12-05 19:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-06 01:09 . 2011-05-25 03:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2009-09-11 01:45 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 10:06 . 2011-07-24 04:18 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 07:37 . 2009-11-15 14:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06 . 2001-08-18 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2001-08-18 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2001-08-18 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-12 23:18 . 2009-09-26 01:40 29712 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2003-08-21 06:00 . 2010-03-03 04:41 28672 ----a-w- c:\program files\PureText.exe
2000-06-15 11:28 . 2010-03-03 04:41 561152 ----a-w- c:\program files\converter.exe
2011-11-11 01:37 . 2011-03-23 02:15 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"F.lux"="c:\documents and settings\Pete\Local Settings\Apps\F.lux\flux.exe" [2009-08-29 966656]
"Steam"="c:\program files\Steam\Steam.exe" [2011-09-20 1242448]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-04 18702336]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2011-10-24 2078048]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"WinSys2"="c:\windows\system32\winsys2.exe" [2009-05-18 208896]
"nwiz"="nwiz.exe" [2009-05-01 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2005-08-25 139264]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-08-23 211296]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-05-18 1311312]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WIAWizardMenu"="c:\windows\system32\sti_ci.dll" [2008-04-14 136704]
.
c:\documents and settings\Pete\Start Menu\Programs\Startup\
DualCoreCenter.lnk - c:\program files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe [2009-9-16 192512]
EvernoteClipper.lnk - c:\program files\Evernote\Evernote\EvernoteClipper.exe [2011-8-8 977408]
PureText.lnk - c:\program files\PureText.exe [2010-3-2 28672]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2010-3-8 221247]
UltraMon.lnk - c:\windows\Installer\{83CCCBDC-3A56-4F3B-89DF-69386C3B7D62}\IcoUltraMon.ico [2010-1-19 29310]
WinTV Recording Status..lnk - c:\program files\WinTV\WinTV7\WinTVTray.exe [2011-1-31 83456]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
.
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= d:\backgroundimages\Dual monitor\Yin_and_Yang_by_FalconNL.jpg
FriendlyName=
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 18:44 12536 ----a-w- c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1390067357-1580818891-725345543-1003\Scripts\Logoff\0\0]
"Script"=SyncToy-Run All.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1390067357-1580818891-725345543-1004\Scripts\Logoff\0\0]
"Script"=SyncToy-Run All.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1390067357-1580818891-725345543-1005\Scripts\Logoff\0\0]
"Script"=SyncToy-Run All.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\WinTV\\WinTV7\\WinTV7.exe"=
"c:\\Program Files\\WinTV\\Extend\\WinTVExtender.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 ssfs0bbd;ssfs0bbd;c:\windows\system32\drivers\ssfs0bbd.sys [12/17/2009 9:54 PM 28936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/25/2009 8:40 PM 216400]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/25/2009 8:40 PM 243152]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/15/2010 1:44 PM 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 1:44 PM 308136]
R2 Hauppauge WinTV Extender;Hauppauge WinTV Extender;c:\progra~1\WinTV\Extend\WINTVE~1.EXE [1/31/2011 10:49 PM 67584]
R2 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\TVServer\HAUPPA~1.EXE [1/31/2011 10:49 PM 602624]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [11/12/2009 8:59 PM 132392]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [6/18/2010 10:14 PM 10448]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [11/14/2008 2:11 AM 17184]
R3 DualCoreCenter;DualCoreCenter;c:\program files\MSI\DualCoreCenter\NTGLM7X.sys [9/16/2009 9:03 PM 28160]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/17/2011 10:25 AM 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/16/2009 8:10 PM 1684736]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [6/9/2010 9:27 PM 18560]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/17/2011 10:25 AM 136176]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [9/26/2009 4:28 AM 4639136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{30906580-7637-43C1-89A2-F045E24B1DA3}]
2009-05-27 21:09 77824 ----a-w- c:\program files\SNL Financial\SNLxl\InstallXLAddinRegKey.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-17 15:24]
.
2011-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-17 15:24]
.
2011-12-07 c:\windows\Tasks\SyncToyCmd.job
- c:\program files\SyncToy 2.1\SyncToyCmd.exe [2009-10-19 06:58]
.
2011-12-07 c:\windows\Tasks\SyncToy_MegDocs.job
- c:\program files\SyncToy 2.1\SyncToyCmd.exe [2009-10-19 06:58]
.
2011-12-07 c:\windows\Tasks\SyncToy_PeteDocs.job
- c:\program files\SyncToy 2.1\SyncToyCmd.exe [2009-10-19 06:58]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\Evernote\Evernote\EvernoteIE.dll/204
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
TCP: Interfaces\{711513A9-9B90-433E-8DF8-C9D9864604C8}: NameServer = 8.8.8.8,68.94.157.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Pete\Application Data\Mozilla\Firefox\Profiles\bb961jkg.default\
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
.
------- File Associations -------
.
.txt=UltraEdit.txt
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-06 22:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(608)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
- - - - - - - > 'explorer.exe'(7452)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\UltraMon\RTSUltraMonHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\MySQL\MySQL Server 5.1\bin\mysqld.exe
c:\progra~1\WinTV\TVServer\CAPTUR~3.EXE
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\UltraMon\UltraMon.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
c:\program files\UltraMon\UltraMonTaskbar.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\MSI\DualCoreCenter\DualCoreCenter.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-12-06 22:29:30 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-07 03:29
.
Pre-Run: 94,148,349,952 bytes free
Post-Run: 106,013,437,952 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 9417F7E1B61E127473E1BF85D385390A
  2. This one does NOT want to be posted. Try #17: DDS.txt
  3. TDSSKiller.2.6.21.0_05.12.2011_20.26.58_log.txt OTL.Txt
  4. Attempted Log postings keep resulting in Server Connection Reset Errors. I'm trying.
  5. This is apparently a common issue. I just finished cleaning a "Windows Internet Security 2012" rogue infection. Keep getting ping.exe running, refusing to stay terminated. I've managed to suspend it with Process Explorer, which seems to make it take longer to restart than a simple process kill. I've run a Malwarebytes full scan, SpybotSD, and an AVG full scan. Still stuck. DDS logs attached, TDSS log and OTL logs to follow. I'm stuck here: what does this thing have its hooks in that I haven't cleaned? Thanks, - Pete