jesseg

Hi, I "have" been recently infected with the ZeroAccess rootkit... I have run ComboFix, which told me that I had the rootkit.... ComboFix cleaned it. I then ran TDSSKiller, ESET Online Scanner and some other tools.... I am not sure if I have been cleaned completely; no Google redirects or ping.exe issues... All seems to run well... Just wanted my ComboFix log file looked at... Thanks, here is the log file:

ComboFix 13-04-22.01 - jesseg 04/22/2013 20:53:57.5.4 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3236.1962 [GMT 2:00]
Running from: c:\users\jesseg\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
FW: Online Armor Firewall *Enabled* {BD3F5FCA-866B-1E2E-0A68-58900A751EA1}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\3002.abs
c:\programdata\3002.xml
.
.
((((((((((((((((((((((((( Files Created from 2013-03-22 to 2013-04-22 )))))))))))))))))))))))))))))))
.
.
2013-04-22 19:02 . 2013-04-22 19:02 -------- d-----w- c:\users\jesseg\AppData\Local\temp
2013-04-22 14:54 . 2013-04-22 14:54 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AAF040C2-C39F-499D-98DA-BFB8320591AC}\MpKsl9f7fb70f.sys
2013-04-22 06:50 . 2013-04-10 03:08 6906960 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AAF040C2-C39F-499D-98DA-BFB8320591AC}\mpengine.dll
2013-04-20 18:35 . 2013-04-20 18:44 -------- d-----w- c:\programdata\OnlineArmor
2013-04-20 18:35 . 2013-04-20 18:35 -------- d-----w- c:\users\jesseg\AppData\Roaming\OnlineArmor
2013-04-20 18:34 . 2012-10-02 13:03 44992 ----a-w- c:\windows\system32\drivers\oahlp32.sys
2013-04-20 18:34 . 2012-10-02 13:02 31768 ----a-w- c:\windows\system32\drivers\OAnet.sys
2013-04-20 18:34 . 2012-10-02 13:02 27648 ----a-w- c:\windows\system32\drivers\OAmon.sys
2013-04-20 18:34 . 2012-10-02 13:02 208320 ----a-w- c:\windows\system32\drivers\OADriver.sys
2013-04-20 18:33 . 2013-04-21 18:37 -------- d-----w- c:\program files\Online Armor
2013-04-20 18:06 . 2013-04-20 18:33 -------- d-----w- c:\program files\NirSoft
2013-04-20 16:20 . 2013-04-20 16:20 740840 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B518F6D4-A515-49FA-91F3-E0D6F07080F6}\gapaengine.dll
2013-04-20 16:20 . 2013-04-10 03:08 6906960 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-04-20 16:15 . 2013-04-20 16:16 -------- d-----w- c:\program files\Microsoft Security Client
2013-04-20 15:14 . 2013-04-20 15:14 -------- d-----w- c:\users\jesseg\AppData\Roaming\Malwarebytes
2013-04-20 15:14 . 2013-04-20 15:14 -------- d-----w- c:\programdata\Malwarebytes
2013-04-20 15:14 . 2013-04-20 15:14 -------- d-----w- c:\users\jesseg\AppData\Local\Programs
2013-04-20 12:41 . 2013-04-20 12:41 60872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{55BE735D-DA34-4814-BF66-B4C52FF2162E}\offreg.dll
2013-04-20 11:03 . 2013-04-20 11:03 181064 ----a-w- c:\windows\PSEXESVC.EXE
2013-04-20 09:57 . 2013-04-20 18:32 -------- d-----w- c:\program files\Free Window Registry Repair
2013-04-20 08:23 . 2013-04-20 08:23 224256 ----a-w- c:\programdata\Microsoft\Media Tools\MediaIconsOverlays.dll
2013-04-20 08:22 . 2013-04-20 17:51 -------- d-----w- c:\program files\Mega Codec Pack
2013-04-19 01:04 . 2013-04-19 01:04 -------- d-----w- c:\users\jesseg\AppData\Local\sabnzbd
2013-04-19 01:03 . 2013-04-19 01:03 -------- d-----w- c:\program files\SABnzbd
2013-04-18 23:29 . 2013-04-20 18:32 -------- d-----w- c:\users\jesseg\AppData\Roaming\DMCache
2013-04-14 13:30 . 2013-04-14 13:30 -------- d-----w- c:\users\jesseg\AppData\Roaming\Apple Computer
2013-04-13 22:01 . 2013-04-13 22:01 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2013-04-13 22:01 . 2013-04-13 22:01 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2013-04-13 22:01 . 2013-04-13 22:01 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2013-04-13 22:01 . 2013-04-13 22:01 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2013-04-13 22:01 . 2013-04-13 22:01 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2013-04-13 22:01 . 2013-04-13 22:01 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2013-04-13 22:01 . 2013-04-13 22:01 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2013-04-13 22:00 . 2013-04-13 22:01 -------- d-----w- c:\program files\QuickTime
2013-04-13 22:00 . 2013-04-13 22:00 -------- d-----w- c:\programdata\Apple Computer
2013-04-13 21:59 . 2013-04-13 21:59 -------- d-----w- c:\program files\Common Files\Apple
2013-04-13 21:59 . 2013-04-13 21:59 -------- d-----w- c:\users\jesseg\AppData\Local\Apple
2013-04-13 21:59 . 2013-04-13 21:59 -------- d-----w- c:\program files\Apple Software Update
2013-04-13 21:59 . 2013-04-13 21:59 -------- d-----w- c:\programdata\Apple
2013-04-13 20:10 . 2013-04-13 20:10 -------- d-----w- c:\programdata\FLEXnet
2013-04-13 19:39 . 2013-04-13 19:39 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2013-04-13 17:10 . 2013-04-13 17:10 -------- d-----w- c:\users\jesseg\AppData\Roaming\BANDISOFT
2013-04-13 17:10 . 2013-04-13 17:10 -------- d-----w- c:\program files\Bandicam
2013-04-13 17:10 . 2013-04-13 17:10 -------- d-----w- c:\program files\BandiMPEG1
2013-04-13 16:38 . 2013-04-13 16:38 -------- d-----w- c:\users\jesseg\AppData\Local\Noël Danjou
2013-04-13 16:38 . 2013-04-13 19:00 -------- d-----w- c:\program files\Noël Danjou
2013-04-13 16:05 . 2013-04-13 16:05 -------- d-----w- c:\program files\AmaRecTV Live
2013-04-13 16:00 . 2013-04-13 16:01 -------- d-----w- c:\users\jesseg\AppData\Roaming\AmvVideoCodec
2013-04-13 16:00 . 2013-04-13 16:00 -------- d-----w- c:\program files\AmvVideoCodec
2013-04-13 15:21 . 2013-04-13 15:21 -------- d-----w- c:\users\jesseg\AppData\Local\Diagnostics
2013-04-13 14:01 . 2013-04-13 15:33 -------- d-----w- c:\users\jesseg\AppData\Roaming\Ulead Systems
2013-04-13 13:45 . 2013-04-13 13:45 -------- d-----w- c:\programdata\InstallShield
2013-04-13 13:45 . 2005-06-10 02:44 81920 ------r- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
2013-04-13 13:45 . 2005-06-10 02:44 368640 ------r- c:\program files\Common Files\InstallShield\UpdateService\_isusres.dll
2013-04-13 13:45 . 2005-06-10 02:44 278528 ------r- c:\program files\Common Files\InstallShield\UpdateService\ISDM.exe
2013-04-13 13:45 . 2013-04-13 13:45 -------- d-----w- c:\program files\Windows Media Components
2013-04-13 13:35 . 2013-04-17 17:38 -------- d-----w- c:\programdata\Ulead Systems
2013-04-13 13:35 . 2005-06-10 02:44 618496 ------r- c:\program files\Common Files\InstallShield\UpdateService\agent.exe
2013-04-13 13:28 . 2010-04-16 11:59 236168 ----a-w- c:\windows\system32\StkCProp.ax
2013-04-13 13:28 . 2010-03-29 18:35 84616 ----a-w- c:\windows\StkUnist.exe
2013-04-13 13:28 . 2010-03-26 18:24 55944 ----a-w- c:\windows\system32\StkSSrv.dll
2013-04-13 13:28 . 2010-03-26 18:24 76424 ----a-w- c:\windows\system32\StkCWIA.dll
2013-04-13 13:28 . 2010-03-26 18:23 31368 ----a-w- c:\windows\system32\StkCSrv.exe
2013-04-13 13:28 . 2009-06-11 13:15 347152 ----a-w- c:\windows\VideoView.exe
2013-04-13 13:28 . 2010-03-26 18:23 113288 ----a-w- c:\windows\StkC112X.exe
2013-04-13 13:28 . 2009-05-03 13:04 197648 ----a-w- c:\windows\system32\drivers\StkCSF.sys
2013-04-13 13:28 . 2010-04-16 11:59 1521544 ----a-w- c:\windows\system32\drivers\StkCMini.sys
2013-04-13 13:28 . 2010-03-26 13:43 13874824 ----a-w- c:\windows\system32\drivers\StkCPipe.sys
2013-04-13 13:28 . 2013-04-13 13:28 -------- d-----w- c:\users\jesseg\AppData\Roaming\InstallShield
2013-04-12 11:01 . 2013-04-12 11:06 -------- d-----w- C:\UBCD4Win
2013-04-11 17:47 . 2013-04-11 17:47 -------- d-----w- c:\program files\Paint.NET
2013-04-11 17:46 . 2013-04-11 17:55 -------- d-----w- c:\users\jesseg\AppData\Local\Paint.NET
2013-04-11 17:29 . 2013-04-11 17:30 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-04-11 12:17 . 2013-04-11 12:18 -------- d-----w- c:\users\tom
2013-04-10 15:16 . 2013-04-10 15:51 -------- d-----w- c:\programdata\Visual CertExam Suite
2013-04-10 15:16 . 2013-04-10 15:16 -------- d-----w- c:\program files\Visual CertExam Suite
2013-04-09 13:06 . 2013-04-09 13:07 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2013-04-09 10:43 . 2010-08-19 17:22 409600 ----a-w- C:\rescue2usb.exe
2013-04-09 10:43 . 2009-10-16 14:43 237849 ----a-w- C:\grub.exe
2013-04-08 16:45 . 2013-03-06 23:32 228600 ----a-w- c:\windows\system32\aswBoot.exe
2013-04-08 16:43 . 2013-04-08 16:43 -------- d-----w- c:\program files\AVAST Software
2013-04-08 16:42 . 2013-04-08 16:43 -------- d-----w- c:\programdata\AVAST Software
2013-04-05 09:47 . 2013-04-20 09:38 -------- d-----w- C:\Stinger_Quarantine
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-22 16:58 . 2012-11-15 17:54 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2013-04-20 18:41 . 2012-11-15 08:43 69792 ----a-w- c:\windows\system32\rpcnet.dll
2013-04-20 09:40 . 2013-01-20 17:34 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2013-04-20 09:36 . 2012-11-15 17:55 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2013-04-02 10:33 . 2012-11-21 16:58 237088 ------w- c:\windows\system32\MpSigStub.exe
2013-03-07 08:10 . 2009-12-21 10:57 69792 ------w- c:\windows\system32\rpcnet.exe
2013-02-28 13:37 . 2013-03-18 08:14 981504 ----a-w- c:\windows\system32\wininet.dll
2013-02-28 11:38 . 2013-03-18 08:14 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2013-02-26 06:55 . 2013-02-26 06:55 65536 ----a-w- c:\windows\system32\frapsvid.dll
2013-02-12 04:48 . 2013-03-18 08:00 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-18 08:00 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-02-12 03:32 . 2013-03-18 08:19 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-01-24 12:50 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0MediaIconsOerlay]
@="{1EC23CFF-4C58-458f-924C-8519AEF61B32}"
[HKEY_CLASSES_ROOT\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}]
2013-04-20 08:23 224256 ----a-w- c:\programdata\Microsoft\Media Tools\MediaIconsOverlays.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-07-01 142616]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-07-01 177432]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-07-01 176408]
"ETDCtrl"="c:\program files\Elantech\ETDCtrl.exe" [2011-03-03 1812264]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-01-18 10025576]
"IntelPAN"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2011-05-02 1210640]
"BTMTrayAgent"="c:\program files\Intel\Bluetooth\btmshell.dll" [2011-03-30 9902352]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-11-09 180224]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2013-01-21 149280]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-11 59280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"@OnlineArmor GUI"="c:\program files\Online Armor\oaui.exe" [2012-10-02 2415104]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Hotkey.lnk - c:\program files\Hotkey\Hotkey.exe [2011-3-21 3077120]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~1\oaevent.dll" [2012-10-02 366440]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\nvinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux5"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R3 btmaux;Intel Bluetooth Auxiliary Service;c:\windows\system32\DRIVERS\btmaux.sys [x]
R3 btmhsf;btmhsf;c:\windows\system32\DRIVERS\btmhsf.sys [x]
R3 iBtFltCoex;iBtFltCoex;c:\windows\system32\DRIVERS\iBtFltCoex.sys [x]
R3 MFE_RR;MFE_RR;c:\users\jesseg\AppData\Local\Temp\mfe_rr.sys [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 StkCMini;Syntek AVStream USB2.0 ATV;c:\windows\system32\Drivers\StkCMini.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys [x]
S1 MpKsl9f7fb70f;MpKsl9f7fb70f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AAF040C2-C39F-499D-98DA-BFB8320591AC}\MpKsl9f7fb70f.sys [x]
S1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [x]
S1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [x]
S1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [x]
S2 Bluetooth Device Monitor;Bluetooth Device Monitor;c:\program files\Intel\Bluetooth\devmonsrv.exe [x]
S2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files\Intel\Bluetooth\obexsrv.exe [x]
S2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\OAcat.exe [x]
S2 PowerBiosServer;PowerBiosServer;c:\program files\Hotkey\PowerBiosServer.exe [x]
S2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 Bluetooth Media Service;Bluetooth Media Service;c:\program files\Intel\Bluetooth\mediasrv.exe [x]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [x]
S3 JME;JMicron Ethernet Adapter NDIS6.20 Driver;c:\windows\system32\DRIVERS\JME.sys [x]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [x]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [x]
S3 OAnet;OnlineArmor Service;c:\windows\system32\DRIVERS\oanet.sys [x]
S3 tihub3;TI USB3 Hub Service;c:\windows\system32\DRIVERS\tihub3.sys [x]
S3 tixhci;TI XHCI Service;c:\windows\system32\DRIVERS\tixhci.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL781CF4C9
*NewlyCreated* - MPKSL9F7FB70F
*Deregistered* - MpKsl781cf4c9
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc SensrSvc
GPSvcGroup REG_MULTI_SZ GPSvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
FontCache
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-04-11 06:30 1642448 ----a-w- c:\program files\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-23 08:24]
.
2013-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-23 08:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mecer.co.za
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-04-22 21:04:43
ComboFix-quarantined-files.txt 2013-04-22 19:04
ComboFix2.txt 2013-04-20 15:08
.
Pre-Run: 126,732,365,824 bytes free
Post-Run: 126,675,623,936 bytes free
.
- - End Of File - - 21946D64E143DBD717958FC81F8BFE12

I tried to understand this log file but for the life of me could not understand it....
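A ComboFix log is plain text built from a handful of regular line shapes, so the practical way to read one is to pull those shapes apart instead of eyeballing a wall of timestamps. The Python below is an added example, not part of the post above and not ComboFix's own code: it parses "Files Created" entries, driver/service lines (`R3 name;display;path [x]`), Run-key values and bare paths into records, then attaches review flags for three path patterns (an image loaded from a Temp directory, a file sitting directly in the ProgramData root, a binary sitting directly in the Windows root). Those three patterns are this example's own triage assumptions, chosen because they are cheap to check, and a flag is a prompt to verify the file against a second source, not a verdict. The sample lines are copied from the log in the post.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix code).

Parses the common line shapes into records and attaches heuristic review
flags. The flags are assumptions about what deserves a second look; they do
not decide whether a file is malicious.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Line shapes taken from the log layout in the post.
# "Files Created" entry:  <created> . <modified> <size|--------> <attrs> <path>
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
# Driver/service entry:  <R|S><n> <name>;<display name>;<image path> [x]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[x\]$"
)
# Run-key entry:  "<value name>"="<path>" [<date> <size>]
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$'
)
# Bare path, as listed under "Other Deletions".
PATH_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S.*)$")

# Heuristic inputs (assumptions for this example, not ComboFix rules).
TEMP_DIRS = ("\\temp\\", "\\tmp\\")
PROGRAMDATA_ROOT_RE = re.compile(r"c:\\programdata\\[^\\]+")
WINDOWS_ROOT_BIN_RE = re.compile(r"c:\\windows\\[^\\]+\.(exe|dll|sys)")


@dataclass
class Entry:
    kind: str                   # "file", "service", "run" or "path"
    name: str                   # value/service name, or the file name
    path: str
    is_dir: bool = False
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a recognised line; None for headers and '.' separators."""
    line = line.strip()
    if (m := FILE_RE.match(line)):
        return Entry("file", m["path"].rsplit("\\", 1)[-1], m["path"],
                     is_dir=m["attrs"].startswith("d"))
    if (m := SERVICE_RE.match(line)):
        return Entry("service", m["name"], m["path"])
    if (m := RUN_RE.match(line)):
        return Entry("run", m["name"], m["path"])
    if (m := PATH_RE.match(line)):
        return Entry("path", m["path"].rsplit("\\", 1)[-1], m["path"])
    return None


def triage(entry: Entry) -> Entry:
    """Attach review flags based on where the image lives; directories are skipped."""
    if entry.is_dir:
        return entry
    p = entry.path.lower()
    if any(t in p for t in TEMP_DIRS):
        entry.flags.append("image loaded from a temp directory")
    if PROGRAMDATA_ROOT_RE.fullmatch(p):
        entry.flags.append("file directly in the ProgramData root")
    if WINDOWS_ROOT_BIN_RE.fullmatch(p):
        entry.flags.append("binary directly in the Windows root")
    return entry


def parse_log(text: str) -> List[Entry]:
    """Parse and triage every recognisable line of a log."""
    return [triage(e) for e in map(parse_line, text.splitlines()) if e is not None]


def flagged(entries: List[Entry]) -> List[Tuple[str, List[str]]]:
    """(name, flags) for every entry that picked up at least one flag."""
    return [(e.name, e.flags) for e in entries if e.flags]


# Sample lines copied from the log in the post; the header and '.' lines show
# that unrecognised lines are skipped rather than misparsed.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\programdata\3002.abs
c:\programdata\3002.xml
2013-04-22 19:02 . 2013-04-22 19:02 -------- d-----w- c:\users\jesseg\AppData\Local\temp
2013-04-22 14:54 . 2013-04-22 14:54 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AAF040C2-C39F-499D-98DA-BFB8320591AC}\MpKsl9f7fb70f.sys
2013-04-20 11:03 . 2013-04-20 11:03 181064 ----a-w- c:\windows\PSEXESVC.EXE
R3 MFE_RR;MFE_RR;c:\users\jesseg\AppData\Local\Temp\mfe_rr.sys [x]
S1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [x]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"""

if __name__ == "__main__":
    for name, flags in flagged(parse_log(SAMPLE_LOG)):
        print(f"{name}: {'; '.join(flags)}")
```

Run against the sample it flags the two `3002.*` files that ComboFix deleted from the ProgramData root, `PSEXESVC.EXE` and `mfe_rr.sys`. The last two are the reason the flags are prompts rather than verdicts: PSEXESVC.EXE is the service binary Sysinternals PsExec drops on the machine it is run against, and mfe_rr.sys is the McAfee Rootkit Remover driver that Stinger unpacks into Temp, which fits the `C:\Stinger_Quarantine` folder elsewhere in this log. Both are consistent with the cleanup tools in use; the parser's job is to surface them so a human can make that call with the file hash in hand.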