RobC

Members
  • Posts

    14
Reputation

0 Neutral

About RobC

  • Birthday 04/29/1968

Contact Methods

  • Website URL
    http://www.facebook.com/robclyburn
  • ICQ
    0

Profile Information

  • Location
    Antioch CA
  • Interests
    Camping, Skiing, BBQ's, board games with family and friends

  1. I'm waiting to uninstall MBAM until after you have a look at this. I didn't want to change anything on the PC in case there is a problem. Here is the Avira scan log:
  2. Thanks for explaining the quarantine. I tried running MBAM first but got an error message that says "Runtime Error 5", then it closed. I have a screenshot, but I can't upload it due to the file size. MBAM was scanning C:\Windows\system32\zipfldr.dll when it stopped with the runtime error. I then tried Avira and it is scanning and is currently showing 7 warnings and 1 detection. Once the Avira scan completes, what should I do?
  3. Thanks! I will give that a try with IE and the fr33 unlock. It worked! IE seems to run fine now. About MBAM and Avira: is it OK to have both installed? I had posted an earlier question that I wanted to see if you can answer. During normal use, what is the correct procedure when Avira (or MBAM) has a detection? Quarantine or Delete? If something is quarantined, what exactly does that mean? When are the malicious files actually removed? Also, is it OK if I do a system scan now with Avira and/or Malwarebytes?
  4. OK, McAfee is completely uninstalled. Is there anything else I should uninstall or delete? In addition to Avira, I had installed MBAM. There's not a conflict between having these two, is there? For the IE problem: this started happening during the infection a few days ago. IE just stopped working. When I click on the IE icon, I get this: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
  5. ComboFix is uninstalled successfully. Update on the previous post: I was able to copy the C:\Qoobox\Quarantine\[8]-Submit_date_time.zip file from her PC onto the flash drive and uploaded it to BleepingComputer from my laptop. I pasted this thread as the source. Avira is active, and I am able to log onto Windows from my wife's, mine and the Guest profile. I did a reboot and everything looks fine, except for Internet Explorer. It's not working. I had been wanting to switch her computer over to another browser anyway, possibly Chrome. She primarily just uses her computer to browse and email, go to Facebook, etc., so I thought Chrome might be a good choice for her to browse with. What do you think? (Sorry for asking another question while we are still working on the problem.)
  6. OK, here is the new ComboFix log. I attempted to access the BleepingComputer link above (I had to copy it to the PC desktop from my flash drive), but I get an error message that says: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I also tried to open Internet Explorer to see if I could type the link in, but nothing happens when I click the IE shortcut. After the reboot, ComboFix resumed and just before completing said that it was uploading files to the server. I'm not sure where it uploaded them to.
  7. OK, I'm about to perform those steps. Question: since running the previous (first) ComboFix, I've just let the PC sit (using the laptop to post), and following the ComboFix run Avira was turned on. It has displayed several warnings about Trojan files detected. I've been selecting "Quarantine". Is that the correct thing to do? Do I need to turn Avira AV, or anything else, off before the steps you listed above?
  8. Prior to starting ComboFix I disabled McAfee Security Center, which was the original AV protection, the Windows firewall, and Avira, which I had added during my attempts to fight this; it showed the closed umbrella icon. While running ComboFix, it restarted twice. Just before the first reboot ComboFix had me note several file locations. After the reboot, ComboFix continued running its scan, except I started getting Avira messages that a virus or trojan had been detected. I wasn't sure if that was part of the scan, or if Avira had restarted. I wasn't sure what to do, so I kept selecting "Quarantine". Also, following the 2nd reboot from ComboFix, Windows decided to download/install updates, which I couldn't stop. I was still connected to the internet because ComboFix had indicated it needed to download some Microsoft files for System Restore. I'm not sure if the Avira quarantine alerts and the Windows updates will affect the outcome or not. In watching the process in ComboFix's window, I saw where ComboFix was deleting some of the malicious files and links. Now that it has stopped, I still see two desktop shortcuts remaining for "Protection System" and a text file named "catchme" that I hadn't noticed before. Presently, Avira shows active, and after ComboFix finished, the only thing I've done so far is save the log on my flash drive so I could post it here, and do a screen capture so I could include an image of the desktop. I haven't opened any programs or files. (Those are my daughter's, by the way...) I've attached the desktop image.
The combo text is here:
S3 plumber.exe;plumber.exe;c:\windows\system32\drivers\plumber.exe.sys [9/4/2009 6:40 PM 34816] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . Contents of the 'Scheduled Tasks' folder 2009-04-15 c:\windows\Tasks\McDefragTask.job - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-16 18:53] 2009-01-01 c:\windows\Tasks\McQcTask.job - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-16 18:53] . - - - - ORPHANS REMOVED - - - - HKLM-Run-11948004 - c:\documents and settings\All Users\Application Data\11948004\11948004.exe SafeBoot-mfehidk SafeBoot-mferkdk SafeBoot-mfetdik SafeBoot-mfetdik.sys . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com mSearch Bar = hxxp://us.rd.yahoo.com/clientapps/AutoSearch/SearchBarLM/YSetSearch/2007/11/18/*http://www.yahoo.com/ext/search/search.html uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000 . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-09-05 10:35 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce OOBEDDDemise = cmd /x /c erase c:\windows\System32\oobe\msoobe.exe??????????????????????C?w?????????????????????????%??????????????i?wis???????????H???????????????????????????*&?|l????&?|??-w????????????????????????????????????????????????????`??????????????|?&?|?????&?|B%?|???????????????????|?$?|??????-wC scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
--------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(2376) c:\program files\SiteAdvisor\6253\saHook.dll c:\windows\system32\higawaka.dll c:\windows\system32\fayebuzu.dll c:\windows\system32\yobijowu.dll c:\windows\system32\ieframe.dll c:\windows\system32\OneX.DLL c:\windows\system32\eappprxy.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Avira\AntiVir Desktop\avguard.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\progra~1\McAfee\MSC\mcmscsvc.exe c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe c:\program files\McAfee\MPF\MpfSrv.exe c:\windows\system32\nvsvc32.exe c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe c:\progra~1\McAfee.com\Agent\mcagent.exe c:\windows\system32\rundll32.exe c:\program files\iPod\bin\iPodService.exe c:\program files\Logitech\Video\FxSvr2.exe c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe . ************************************************************************** . Completion time: 2009-09-05 10:44 - machine was rebooted ComboFix-quarantined-files.txt 2009-09-05 17:44 Pre-Run: 80,401,629,184 bytes free Post-Run: 80,950,607,872 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect 250 --- E O F --- 2009-08-26 18:05
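The following Python script is an added example; it is not part of Rob's post and not part of ComboFix or any forum tool. It does the first pass a helper does by eye on a log like the one above: it pulls out files in system32 that carry the system+hidden attribute pair, cross-references them against the registry load points (BHO, Run, SharedTaskScheduler, ShellServiceObjectDelayLoad) and against the module list of explorer.exe, and lists the Security Center and firewall switches that are turned off and the services whose file ComboFix could not find on disk (the `[?]` marker). The heuristics are mine, and `SAMPLE_LOG` is a short excerpt of the posted log, not a full ComboFix.txt.

```python
"""First-pass triage of a ComboFix log.  Added example; the heuristics are
the editor's, not ComboFix's.  SAMPLE_LOG is an excerpt of the log in the
post above, reduced to the lines that exercise each rule."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
2009-09-05 17:06 . 2004-08-26 16:11 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-09-05 16:26 . 2009-06-05 16:26 88064 --sha-w- c:\windows\system32\yobijowu.dll
2009-09-04 21:47 . 2009-06-04 21:47 88064 --sha-w- c:\windows\system32\fayebuzu.dll
2009-09-01 23:42 . 2009-09-01 23:42 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-06-02 15:50 . 2009-06-02 15:50 49152 --sha-w- c:\windows\system32\higawaka.dll
2009-06-02 15:50 . 2009-06-02 15:50 49152 --sha-w- c:\windows\system32\yelesato.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{442629e0-33f0-442f-86e8-d06ff99aae38}]
2009-06-02 15:50 49152 --sha-w- c:\windows\system32\yelesato.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"jusupiyetu"="c:\windows\system32\higawaka.dll" [2009-06-02 49152]
"rebuninat"="c:\windows\system32\fayebuzu.dll" [2009-09-04 88064]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bifapemif"= {084d3224-2dd0-4a21-b016-d359d42d8472} - c:\windows\system32\yobijowu.dll [2009-09-05 88064]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/3/2009 7:13 AM 108289]
S3 getaroot;getaroot;\??\c:\windows\system32\drivers\getaroot.sys --> c:\windows\system32\drivers\getaroot.sys [?]
- - - - - - - > 'explorer.exe'(2376)
c:\windows\system32\higawaka.dll
c:\windows\system32\ieframe.dll
"""

# Find3M line: <modified> . <created> <size or -------- for a directory> <attrs> <path>
FIND3M = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+(\S+)\s+([-a-z]{8})\s+(.+)$")
KEY = re.compile(r"^\[(.+)\]$")                         # registry key header
VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')           # "name"=value line under a key
SERVICE = re.compile(r"^[RS][0-4] ([^;]+);([^;]*);(.*)$")  # ComboFix service/driver line
WINPATH = re.compile(r'[a-z]:\\[^\[\]"]+?\.(?:dll|exe|sys)', re.I)


def triage(log: str) -> dict:
    hidden = {}                 # path -> attribute string (system+hidden, not a directory)
    refs = defaultdict(list)    # path -> registry keys that reference it
    disabled = []               # protection settings found switched off
    unverifiable = []           # services whose file ComboFix marked [?]
    injected = []               # hidden files present in the explorer.exe module list
    key, in_explorer = None, False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("*****", "-------", "Contents of", "- - - - ORPHANS")):
            key, in_explorer = None, False          # left the registry section
            continue
        m = FIND3M.match(line)
        if m:
            attrs, path = m.group(4), m.group(5).lower()
            # attribute string: d=directory, s=system, h=hidden, a=archive, w=writable
            if "d" not in attrs and "s" in attrs and "h" in attrs:
                hidden[path] = attrs
            continue
        m = KEY.match(line)
        if m:
            key, in_explorer = m.group(1), False
            continue
        if line.startswith("- - - - - - - >"):
            key, in_explorer = None, "explorer.exe" in line
            continue
        m = SERVICE.match(line)
        if m:
            if "[?]" in m.group(3):                 # ComboFix could not stat the binary
                unverifiable.append(m.group(1))
            continue
        m = VALUE.match(line)
        if m and key:
            name, value = m.group(1), m.group(2).strip()
            if name in ("DisableMonitoring", "UpdatesDisableNotify") and value.startswith("dword:00000001"):
                disabled.append(f"{key}\\{name}")
            elif name == "EnableFirewall" and value.startswith("0"):
                disabled.append(f"{key}\\{name}")
        for p in WINPATH.findall(line):
            p = p.lower()
            if key:
                refs[p].append(key)                 # a load point naming this file
            elif in_explorer and p in hidden:
                injected.append(p)
    return {
        "hidden": hidden,
        "load_points": {p: refs.get(p, []) for p in hidden},
        "disabled": disabled,
        "unverifiable": unverifiable,
        "injected": injected,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path, attrs in result["hidden"].items():
        print(f"{attrs}  {path}")
        for k in result["load_points"][path]:
            print(f"    load point: [{k}]")
    for item in result["disabled"]:
        print("protection off:", item)
    for svc in result["unverifiable"]:
        print("service with no file on disk:", svc)
    for p in result["injected"]:
        print("hidden DLL loaded in explorer.exe:", p)
```

Pass the whole ComboFix.txt to `triage()` to run the same rules over a full log. On the log above they also pick up fekabaku.dll and loyuwisa.dll, which carry the attribute pair but have no load point in the registry section, and all three of higawaka.dll, fayebuzu.dll and yobijowu.dll in the explorer.exe module list. The attribute test deliberately excludes directories, because IE's PrivacIE and IETldCache folders are legitimately system+hidden.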
  9. I've tried the instructions in the "I'm Infected" post, but the infection or rootkit is now blocking just about everything. After a few other attempts to request help, I ended up trying Avira's rescue boot, which seems to have weakened the infection, because later I was able to do a scan with Avira AV and quarantined several items, but there's no report showing up. I can't get it to scan again now: I click on "Scan System Now" and there's a pause and nothing happens.

--During some of the post-rescue-disk attempts at working this attack, I was finally able to install MBAM, but it doesn't do anything when I start it.
--The same thing happens with HijackThis.
--I also tried running Win32kDiag, and it started but seemed to just stop after 15 minutes or so. I was able to run it again but it seems to stop at roughly the same point each time, and never displays the "Finished" line. I will post what I have as a report below.
--I also tried running DDS, and it may or may not have installed; it never got to the report.
--Next I tried RootRepeal, and it was running, then just disappeared, dialog box and all, before I could get a report. I've also had several errors when trying to load it that say: "could not load driver (0xc0000061)!"

In all of the above cases, I was only able to install and run the tools by renaming them before I copied them to the PC desktop from a flash drive. Using the flash drive to download/save the tool applications from my laptop, then copy them to the PC, is the only way I can get files to the infected computer. After day 1 of the infection, I'd swear it intuitively "knew" it was using IE to try and download tools to fight it. Initially it would redirect IE to what appeared to be Google pages, but I would re-enter the page I wanted and it eventually loaded. Now any shortcut, bookmark or the IE exe itself all come up as unrecognizable file types.

Another trick, or problem, is I get frequent error messages when I try to run or install the tools that say it requires an Administrator, which I am. (I've tried to attack this under all the profiles: wife's, me/administrator, and guest.) From reading the number of posts on here and on the MalwareBytes forums, it looks like a lot of people are getting hit with this, or a variant.

I'm also getting the rogue "Protection System" balloons and dialogue boxes that keep popping up and have to be closed before I can go back to seeing whatever I had open or running. I've also had it unexpectedly revert back to the user selection interface (it still showed programs running under the username I had been working from), and once I received a Windows shutdown message that I couldn't stop.

I am going to try running RootRepeal under a different file name again. I have a Notepad file open so I can try to copy what (if anything) I can get in the event that it is shut down again.

Any help or suggestions would be appreciated. Thanks, Rob

Some small success here!
I have a report from Root Repeal below: ROOTREPEAL © AD, 2007-2009 ================================================== Scan Start Time: 2009/09/04 19:33 Program Version: Version 1.3.5.0 Windows Version: Windows XP SP3 ================================================== Drivers ------------------- Name: ABP480N5.SYS Image Path: ABP480N5.SYS Address: 0xF7904000 Size: 23552 File Visible: - Signed: - Status: - Name: ACPI.sys Image Path: ACPI.sys Address: 0xF750D000 Size: 187776 File Visible: - Signed: - Status: - Name: ACPI_HAL Image Path: \Driver\ACPI_HAL Address: 0x804D7000 Size: 2066048 File Visible: - Signed: - Status: - Name: adpu160m.sys Image Path: adpu160m.sys Address: 0xF7494000 Size: 101888 File Visible: - Signed: - Status: - Name: afd.sys Image Path: C:\WINDOWS\System32\drivers\afd.sys Address: 0xF2F42000 Size: 138496 File Visible: - Signed: - Status: - Name: agp440.sys Image Path: agp440.sys Address: 0xF773C000 Size: 42368 File Visible: - Signed: - Status: - Name: agpCPQ.sys Image Path: agpCPQ.sys Address: 0xF776C000 Size: 44928 File Visible: - Signed: - Status: - Name: aha154x.sys Image Path: aha154x.sys Address: 0xF7A54000 Size: 12800 File Visible: - Signed: - Status: - Name: aic78u2.sys Image Path: aic78u2.sys Address: 0xF769C000 Size: 55168 File Visible: - Signed: - Status: - Name: aic78xx.sys Image Path: aic78xx.sys Address: 0xF766C000 Size: 56960 File Visible: - Signed: - Status: - Name: ALCXWDM.SYS Image Path: C:\WINDOWS\system32\drivers\ALCXWDM.SYS Address: 0xF5DD1000 Size: 3644800 File Visible: - Signed: - Status: - Name: aliide.sys Image Path: aliide.sys Address: 0xF7B40000 Size: 5248 File Visible: - Signed: - Status: - Name: alim1541.sys Image Path: alim1541.sys Address: 0xF774C000 Size: 42752 File Visible: - Signed: - Status: - Name: amdagp.sys Image Path: amdagp.sys Address: 0xF775C000 Size: 43008 File Visible: - Signed: - Status: - Name: amsint.sys Image Path: amsint.sys Address: 0xF7A60000 Size: 12032 File Visible: - Signed: - Status: - Name: 
asc.sys Image Path: asc.sys Address: 0xF78D4000 Size: 26496 File Visible: - Signed: - Status: - Name: asc3350p.sys Image Path: asc3350p.sys Address: 0xF790C000 Size: 22400 File Visible: - Signed: - Status: - Name: asc3550.sys Image Path: asc3550.sys Address: 0xF7A64000 Size: 14848 File Visible: - Signed: - Status: - Name: ASCTRM.SYS Image Path: C:\WINDOWS\System32\Drivers\ASCTRM.SYS Address: 0xF7BD4000 Size: 7488 File Visible: - Signed: - Status: - Name: atapi.sys Image Path: atapi.sys Address: 0xF74AD000 Size: 96512 File Visible: - Signed: - Status: - Name: audstub.sys Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys Address: 0xF7D46000 Size: 3072 File Visible: - Signed: - Status: - Name: avgio.sys Image Path: C:\Program Files\Avira\AntiVir Desktop\avgio.sys Address: 0xF7BB8000 Size: 6144 File Visible: - Signed: - Status: - Name: avgntflt.sys Image Path: C:\WINDOWS\system32\DRIVERS\avgntflt.sys Address: 0xBA54C000 Size: 81920 File Visible: - Signed: - Status: - Name: avipbb.sys Image Path: C:\WINDOWS\system32\DRIVERS\avipbb.sys Address: 0xF2DFA000 Size: 114688 File Visible: - Signed: - Status: - Name: Beep.SYS Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS Address: 0xF7BA2000 Size: 4224 File Visible: - Signed: - Status: - Name: BOOTVID.dll Image Path: C:\WINDOWS\system32\BOOTVID.dll Address: 0xF7A4C000 Size: 12288 File Visible: - Signed: - Status: - Name: cbidf2k.sys Image Path: cbidf2k.sys Address: 0xF7A6C000 Size: 13952 File Visible: - Signed: - Status: - Name: cd20xrnt.sys Image Path: cd20xrnt.sys Address: 0xF7B4A000 Size: 7680 File Visible: - Signed: - Status: - Name: Cdfs.SYS Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS Address: 0xB9B14000 Size: 63744 File Visible: - Signed: - Status: - Name: cdrom.sys Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys Address: 0xF77DC000 Size: 62976 File Visible: - Signed: - Status: - Name: CLASSPNP.SYS Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS Address: 0xF76FC000 Size: 53248 File Visible: - Signed: - 
Status: - Name: cmdide.sys Image Path: cmdide.sys Address: 0xF7B42000 Size: 6656 File Visible: - Signed: - Status: - Name: cpqarray.sys Image Path: cpqarray.sys Address: 0xF7A50000 Size: 14976 File Visible: - Signed: - Status: - Name: dac2w2k.sys Image Path: dac2w2k.sys Address: 0xF7468000 Size: 179584 File Visible: - Signed: - Status: - Name: dac960nt.sys Image Path: dac960nt.sys Address: 0xF7A5C000 Size: 14720 File Visible: - Signed: - Status: - Name: disk.sys Image Path: disk.sys Address: 0xF76EC000 Size: 36352 File Visible: - Signed: - Status: - Name: dpti2o.sys Image Path: dpti2o.sys Address: 0xF7914000 Size: 20192 File Visible: - Signed: - Status: - Name: drmk.sys Image Path: C:\WINDOWS\system32\drivers\drmk.sys Address: 0xF780C000 Size: 61440 File Visible: - Signed: - Status: - Name: dump_atapi.sys Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys Address: 0xF2B19000 Size: 98304 File Visible: No Signed: - Status: - Name: dump_WMILIB.SYS Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS Address: 0xF7BF8000 Size: 8192 File Visible: No Signed: - Status: - Name: Dxapi.sys Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys Address: 0xF2E5C000 Size: 12288 File Visible: - Signed: - Status: - Name: dxg.sys Image Path: C:\WINDOWS\System32\drivers\dxg.sys Address: 0xBF000000 Size: 73728 File Visible: - Signed: - Status: - Name: dxgthk.sys Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys Address: 0xF7C4E000 Size: 4096 File Visible: - Signed: - Status: - Name: Fastfat.SYS Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS Address: 0xF2B31000 Size: 143744 File Visible: - Signed: - Status: - Name: Fips.SYS Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS Address: 0xF6729000 Size: 44544 File Visible: - Signed: - Status: - Name: fltmgr.sys Image Path: fltmgr.sys Address: 0xF7448000 Size: 129792 File Visible: - Signed: - Status: - Name: Fs_Rec.SYS Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS Address: 0xF7BA0000 Size: 7936 File Visible: - Signed: - Status: 
- Name: ftdisk.sys Image Path: ftdisk.sys Address: 0xF74DD000 Size: 125056 File Visible: - Signed: - Status: - Name: GEARAspiWDM.sys Image Path: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys Address: 0xF72EF000 Size: 9472 File Visible: - Signed: - Status: - Name: getaroot.sys Image Path: C:\WINDOWS\system32\drivers\getaroot.sys Address: 0xB4BA3000 Size: 49152 File Visible: No Signed: - Status: - Name: hal.dll Image Path: C:\WINDOWS\system32\hal.dll Address: 0x806D0000 Size: 81152 File Visible: - Signed: - Status: - Name: HIDCLASS.SYS Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS Address: 0xF6769000 Size: 36864 File Visible: - Signed: - Status: - Name: HIDPARSE.SYS Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS Address: 0xF79D4000 Size: 28672 File Visible: - Signed: - Status: - Name: hidusb.sys Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys Address: 0xF7B18000 Size: 10368 File Visible: - Signed: - Status: - Name: hpn.sys Image Path: hpn.sys Address: 0xF7924000 Size: 25952 File Visible: - Signed: - Status: - Name: HSF_CNXT.sys Image Path: C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys Address: 0xF614B000 Size: 685056 File Visible: - Signed: - Status: - Name: HSF_DP.sys Image Path: C:\WINDOWS\system32\DRIVERS\HSF_DP.sys Address: 0xF61F3000 Size: 1041536 File Visible: - Signed: - Status: - Name: HSFHWBS2.sys Image Path: C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys Address: 0xF62F2000 Size: 220032 File Visible: - Signed: - Status: - Name: HTTP.sys Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys Address: 0xB6F86000 Size: 264832 File Visible: - Signed: - Status: - Name: i2omgmt.SYS Image Path: C:\WINDOWS\System32\Drivers\i2omgmt.SYS Address: 0xF7B00000 Size: 8576 File Visible: - Signed: - Status: - Name: i2omp.sys Image Path: i2omp.sys Address: 0xF78E4000 Size: 18560 File Visible: - Signed: - Status: - Name: i8042prt.sys Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys Address: 0xF782C000 Size: 52480 File Visible: - Signed: - Status: - Name: imapi.sys Image 
Path: C:\WINDOWS\system32\DRIVERS\imapi.sys Address: 0xF77CC000 Size: 42112 File Visible: - Signed: - Status: - Name: ini910u.sys Image Path: ini910u.sys Address: 0xF7A68000 Size: 16000 File Visible: - Signed: - Status: - Name: intelide.sys Image Path: intelide.sys Address: 0xF7B48000 Size: 5504 File Visible: - Signed: - Status: - Name: ipfltdrv.sys Image Path: C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys Address: 0xF6759000 Size: 32896 File Visible: - Signed: - Status: - Name: ipnat.sys Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys Address: 0xF2F8C000 Size: 152832 File Visible: - Signed: - Status: - Name: ipsec.sys Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys Address: 0xF3429000 Size: 75264 File Visible: - Signed: - Status: - Name: isapnp.sys Image Path: isapnp.sys Address: 0xF763C000 Size: 37248 File Visible: - Signed: - Status: - Name: kbdclass.sys Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys Address: 0xF7954000 Size: 24576 File Visible: - Signed: - Status: - Name: KDCOM.DLL Image Path: C:\WINDOWS\system32\KDCOM.DLL Address: 0xF7B3C000 Size: 8192 File Visible: - Signed: - Status: - Name: kmixer.sys Image Path: C:\WINDOWS\system32\drivers\kmixer.sys Address: 0xB3569000 Size: 172416 File Visible: - Signed: - Status: - Name: ks.sys Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys Address: 0xF6328000 Size: 143360 File Visible: - Signed: - Status: - Name: KSecDD.sys Image Path: KSecDD.sys Address: 0xF741F000 Size: 92288 File Visible: - Signed: - Status: - Name: mdmxsdk.sys Image Path: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys Address: 0xB9194000 Size: 11840 File Visible: - Signed: - Status: - Name: mfeavfk.sys Image Path: C:\WINDOWS\system32\drivers\mfeavfk.sys Address: 0xB6EAC000 Size: 73152 File Visible: - Signed: - Status: - Name: mfebopk.sys Image Path: C:\WINDOWS\system32\drivers\mfebopk.sys Address: 0xF79FC000 Size: 28544 File Visible: - Signed: - Status: - Name: mfehidk.sys Image Path: C:\WINDOWS\system32\drivers\mfehidk.sys Address: 0xF2E60000 Size: 
207296 File Visible: - Signed: - Status: - Name: mfesmfk.sys Image Path: C:\WINDOWS\system32\drivers\mfesmfk.sys Address: 0xB8462000 Size: 33824 File Visible: - Signed: - Status: - Name: mnmdd.SYS Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS Address: 0xF7BA4000 Size: 4224 File Visible: - Signed: - Status: - Name: Modem.SYS Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS Address: 0xF7A44000 Size: 30080 File Visible: - Signed: - Status: - Name: mouclass.sys Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys Address: 0xF7974000 Size: 23040 File Visible: - Signed: - Status: - Name: mouhid.sys Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys Address: 0xF7B34000 Size: 12160 File Visible: - Signed: - Status: - Name: MountMgr.sys Image Path: MountMgr.sys Address: 0xF764C000 Size: 42368 File Visible: - Signed: - Status: - Name: Mpfp.sys Image Path: C:\WINDOWS\System32\Drivers\Mpfp.sys Address: 0xF33A9000 Size: 159744 File Visible: - Signed: - Status: - Name: mraid35x.sys Image Path: mraid35x.sys Address: 0xF78DC000 Size: 17280 File Visible: - Signed: - Status: - Name: mrxdav.sys Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys Address: 0xB9AC7000 Size: 180608 File Visible: - Signed: - Status: - Name: mrxsmb.sys Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys Address: 0xF2E93000 Size: 455296 File Visible: - Signed: - Status: - Name: Msfs.SYS Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS Address: 0xF799C000 Size: 19072 File Visible: - Signed: - Status: - Name: msgpc.sys Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys Address: 0xF72D7000 Size: 35072 File Visible: - Signed: - Status: - Name: mssmbios.sys Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys Address: 0xF6DA0000 Size: 15488 File Visible: - Signed: - Status: - Name: Mup.sys Image Path: Mup.sys Address: 0xF732F000 Size: 105344 File Visible: - Signed: - Status: - Name: NDIS.sys Image Path: NDIS.sys Address: 0xF7365000 Size: 182656 File Visible: - Signed: - Status: - Name: ndistapi.sys Image Path: 
C:\WINDOWS\system32\DRIVERS\ndistapi.sys Address: 0xF6DB0000 Size: 10112 File Visible: - Signed: - Status: - Name: ndisuio.sys Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys Address: 0xBA5A8000 Size: 14592 File Visible: - Signed: - Status: - Name: ndiswan.sys Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys Address: 0xF5D01000 Size: 91520 File Visible: - Signed: - Status: - Name: NDProxy.SYS Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS Address: 0xF72A7000 Size: 40576 File Visible: - Signed: - Status: - Name: netbios.sys Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys Address: 0xF6749000 Size: 34688 File Visible: - Signed: - Status: - Name: netbt.sys Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys Address: 0xF2F64000 Size: 162816 File Visible: - Signed: - Status: - Name: Npfs.SYS Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS Address: 0xF79A4000 Size: 30848 File Visible: - Signed: - Status: - Name: Ntfs.sys Image Path: Ntfs.sys Address: 0xF7392000 Size: 574976 File Visible: - Signed: - Status: - Name: ntkrnlpa.exe Image Path: C:\WINDOWS\system32\ntkrnlpa.exe Address: 0x804D7000 Size: 2066048 File Visible: - Signed: - Status: - Name: Null.SYS Image Path: C:\WINDOWS\System32\Drivers\Null.SYS Address: 0xF7CB4000 Size: 2944 File Visible: - Signed: - Status: - Name: nv4_disp.dll Image Path: C:\WINDOWS\System32\nv4_disp.dll Address: 0xBF012000 Size: 3907584 File Visible: - Signed: - Status: - Name: nv4_mini.sys Image Path: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys Address: 0xF6383000 Size: 3493984 File Visible: - Signed: - Status: - Name: NVENETFD.sys Image Path: C:\WINDOWS\system32\DRIVERS\NVENETFD.sys Address: 0xF7277000 Size: 34048 File Visible: - Signed: - Status: - Name: nvnetbus.sys Image Path: C:\WINDOWS\system32\DRIVERS\nvnetbus.sys Address: 0xF72E7000 Size: 12928 File Visible: - Signed: - Status: - Name: NVNRM.SYS Image Path: C:\WINDOWS\system32\DRIVERS\NVNRM.SYS Address: 0xF5D63000 Size: 303104 File Visible: - Signed: - Status: - Name: 
NVSNPU.SYS Image Path: C:\WINDOWS\system32\DRIVERS\NVSNPU.SYS Address: 0xF5D2C000 Size: 225280 File Visible: - Signed: - Status: - Name: parport.sys Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys Address: 0xF5D18000 Size: 80128 File Visible: - Signed: - Status: - Name: PartMgr.sys Image Path: PartMgr.sys Address: 0xF78C4000 Size: 19712 File Visible: - Signed: - Status: - Name: pci.sys Image Path: pci.sys Address: 0xF74FC000 Size: 68224 File Visible: - Signed: - Status: - Name: pciide.sys Image Path: pciide.sys Address: 0xF7C04000 Size: 3328 File Visible: - Signed: - Status: - Name: PCIIDEX.SYS Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS Address: 0xF78BC000 Size: 28672 File Visible: - Signed: - Status: - Name: perc2.sys Image Path: perc2.sys Address: 0xF791C000 Size: 27296 File Visible: - Signed: - Status: - Name: perc2hib.sys Image Path: perc2hib.sys Address: 0xF7B4C000 Size: 5504 File Visible: - Signed: - Status: - Name: PnpManager Image Path: \Driver\PnpManager Address: 0x804D7000 Size: 2066048 File Visible: - Signed: - Status: - Name: portcls.sys Image Path: C:\WINDOWS\system32\drivers\portcls.sys Address: 0xF5DAD000 Size: 147456 File Visible: - Signed: - Status: - Name: processr.sys Image Path: C:\WINDOWS\system32\DRIVERS\processr.sys Address: 0xF77BC000 Size: 35840 File Visible: - Signed: - Status: - Name: prodrv06.sys Image Path: C:\WINDOWS\System32\drivers\prodrv06.sys Address: 0xF2F03000 Size: 79488 File Visible: - Signed: - Status: - Name: prohlp02.sys Image Path: prohlp02.sys Address: 0xF7349000 Size: 111808 File Visible: - Signed: - Status: - Name: prosync1.sys Image Path: prosync1.sys Address: 0xF7B50000 Size: 6944 File Visible: - Signed: - Status: - Name: psched.sys Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys Address: 0xF5CF0000 Size: 69120 File Visible: - Signed: - Status: - Name: ptilink.sys Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys Address: 0xF7964000 Size: 17792 File Visible: - Signed: - Status: - Name: PxHelp20.sys 
Image Path: PxHelp20.sys Address: 0xF770C000 Size: 35712 File Visible: - Signed: - Status: - Name: ql1080.sys Image Path: ql1080.sys Address: 0xF76BC000 Size: 40320 File Visible: - Signed: - Status: - Name: ql10wnt.sys Image Path: ql10wnt.sys Address: 0xF767C000 Size: 33152 File Visible: - Signed: - Status: - Name: ql12160.sys Image Path: ql12160.sys Address: 0xF76DC000 Size: 45312 File Visible: - Signed: - Status: - Name: ql1240.sys Image Path: ql1240.sys Address: 0xF768C000 Size: 40448 File Visible: - Signed: - Status: - Name: ql1280.sys Image Path: ql1280.sys Address: 0xF76CC000 Size: 49024 File Visible: - Signed: - Status: - Name: rasacd.sys Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys Address: 0xF7B04000 Size: 8832 File Visible: - Signed: - Status: - Name: rasl2tp.sys Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys Address: 0xF788C000 Size: 51328 File Visible: - Signed: - Status: - Name: raspppoe.sys Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys Address: 0xF789C000 Size: 41472 File Visible: - Signed: - Status: - Name: raspptp.sys Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys Address: 0xF78AC000 Size: 48384 File Visible: - Signed: - Status: - Name: raspti.sys Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys Address: 0xF796C000 Size: 16512 File Visible: - Signed: - Status: - Name: RAW Image Path: \FileSystem\RAW Address: 0x804D7000 Size: 2066048 File Visible: - Signed: - Status: - Name: rdbss.sys Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys Address: 0xF2F17000 Size: 175744 File Visible: - Signed: - Status: - Name: RDPCDD.sys Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys Address: 0xF7BA6000 Size: 4224 File Visible: - Signed: - Status: - Name: redbook.sys Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys Address: 0xF77EC000 Size: 57600 File Visible: - Signed: - Status: - Name: SCSIPORT.SYS Image Path: C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS Address: 0xF74C5000 Size: 98304 File Visible: - Signed: - Status: - Name: serenum.sys 
Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys Address: 0xF7AE0000 Size: 15744 File Visible: - Signed: - Status: - Name: serial.sys Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys Address: 0xF781C000 Size: 64512 File Visible: - Signed: - Status: - Name: sfhlp01.sys Image Path: sfhlp01.sys Address: 0xF7B4E000 Size: 4832 File Visible: - Signed: - Status: - Name: sisagp.sys Image Path: sisagp.sys Address: 0xF771C000 Size: 40960 File Visible: - Signed: - Status: - Name: sparrow.sys Image Path: sparrow.sys Address: 0xF78CC000 Size: 19072 File Visible: - Signed: - Status: - Name: sr.sys Image Path: sr.sys Address: 0xF7436000 Size: 73472 File Visible: - Signed: - Status: - Name: srv.sys Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys Address: 0xB9448000 Size: 333952 File Visible: - Signed: - Status: - Name: ssmdrv.sys Image Path: C:\WINDOWS\system32\DRIVERS\ssmdrv.sys Address: 0xF79DC000 Size: 23040 File Visible: - Signed: - Status: - Name: swenum.sys Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys Address: 0xF7B94000 Size: 4352 File Visible: - Signed: - Status: - Name: sym_hi.sys Image Path: sym_hi.sys Address: 0xF78F4000 Size: 28384 File Visible: - Signed: - Status: - Name: sym_u3.sys Image Path: sym_u3.sys Address: 0xF78FC000 Size: 30688 File Visible: - Signed: - Status: - Name: symc810.sys Image Path: symc810.sys Address: 0xF7A58000 Size: 16256 File Visible: - Signed: - Status: - Name: symc8xx.sys Image Path: symc8xx.sys Address: 0xF78EC000 Size: 32640 File Visible: - Signed: - Status: - Name: sysaudio.sys Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys Address: 0xF6709000 Size: 60800 File Visible: - Signed: - Status: - Name: tcpip.sys Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys Address: 0xF33D0000 Size: 361600 File Visible: - Signed: - Status: - Name: TDI.SYS Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS Address: 0xF795C000 Size: 20480 File Visible: - Signed: - Status: - Name: termdd.sys Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys 
Address: 0xF72C7000 Size: 40704 File Visible: - Signed: - Status: -
Name: toside.sys Image Path: toside.sys Address: 0xF7B44000 Size: 4992 File Visible: - Signed: - Status: -
Name: ultra.sys Image Path: ultra.sys Address: 0xF76AC000 Size: 36736 File Visible: - Signed: - Status: -
Name: update.sys Image Path: C:\WINDOWS\system32\DRIVERS\update.sys Address: 0xF5C92000 Size: 384768 File Visible: - Signed: - Status: -
Name: USBD.SYS Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS Address: 0xF7B9A000 Size: 8192 File Visible: - Signed: - Status: -
Name: usbehci.sys Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys Address: 0xF7A3C000 Size: 30208 File Visible: - Signed: - Status: -
Name: usbhub.sys Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys Address: 0xF7297000 Size: 59520 File Visible: - Signed: - Status: -
Name: usbohci.sys Image Path: C:\WINDOWS\system32\DRIVERS\usbohci.sys Address: 0xF7A34000 Size: 17152 File Visible: - Signed: - Status: -
Name: USBPORT.SYS Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS Address: 0xF634B000 Size: 147456 File Visible: - Signed: - Status: -
Name: USBSTOR.SYS Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS Address: 0xF79E4000 Size: 26368 File Visible: - Signed: - Status: -
Name: vga.sys Image Path: C:\WINDOWS\System32\drivers\vga.sys Address: 0xF7994000 Size: 20992 File Visible: - Signed: - Status: -
Name: viaagp.sys Image Path: viaagp.sys Address: 0xF772C000 Size: 42240 File Visible: - Signed: - Status: -
Name: viaide.sys Image Path: viaide.sys Address: 0xF7B46000 Size: 5376 File Visible: - Signed: - Status: -
Name: VIDEOPRT.SYS Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS Address: 0xF636F000 Size: 81920 File Visible: - Signed: - Status: -
Name: VolSnap.sys Image Path: VolSnap.sys Address: 0xF765C000 Size: 52352 File Visible: - Signed: - Status: -
Name: wanarp.sys Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys Address: 0xF779C000 Size: 34560 File Visible: - Signed: - Status: -
Name: watchdog.sys Image Path: C:\WINDOWS\System32\watchdog.sys Address: 0xF2DBA000 Size: 20480 File Visible: - Signed: - Status: -
Name: wdmaud.sys Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys Address: 0xB999A000 Size: 83072 File Visible: - Signed: - Status: -
Name: Win32k Image Path: \Driver\Win32k Address: 0xBF800000 Size: 1847296 File Visible: - Signed: - Status: -
Name: win32k.sys Image Path: C:\WINDOWS\System32\win32k.sys Address: 0xBF800000 Size: 1847296 File Visible: - Signed: - Status: -
Name: win32k.sys:1 Image Path: C:\WINDOWS\win32k.sys:1 Address: 0xF79AC000 Size: 20480 File Visible: No Signed: - Status: -
Name: win32k.sys:2 Image Path: C:\WINDOWS\win32k.sys:2 Address: 0xF7247000 Size: 61440 File Visible: No Signed: - Status: -
Name: WMILIB.SYS Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS Address: 0xF7B3E000 Size: 8192 File Visible: - Signed: - Status: -
Name: WMIxWDM Image Path: \Driver\WMIxWDM Address: 0x804D7000 Size: 2066048 File Visible: - Signed: - Status: -
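The driver listing above is the part of the posted log a responder would want to triage first: two entries, win32k.sys:1 and win32k.sys:2, are loaded from NTFS alternate data streams of a system file and are reported as "File Visible: No", which is a classic rootkit trait rather than anything a normal driver does. The following is an added example, not code from the original post or from any of the tools mentioned; it parses the flattened "Name: ... Image Path: ... Address: ..." records and flags the entries that are hidden or stream-backed. SAMPLE_LOG is a constructed subset copied from the listing above; the function names parse_records, flag_records and triage are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample input: a few driver records copied from the listing in the
# post above, flattened onto one line the way the page shows them.
SAMPLE_LOG = (
    "Name: vga.sys Image Path: C:\\WINDOWS\\System32\\drivers\\vga.sys "
    "Address: 0xF7994000 Size: 20992 File Visible: - Signed: - Status: - "
    "Name: win32k.sys Image Path: C:\\WINDOWS\\System32\\win32k.sys "
    "Address: 0xBF800000 Size: 1847296 File Visible: - Signed: - Status: - "
    "Name: win32k.sys:1 Image Path: C:\\WINDOWS\\win32k.sys:1 "
    "Address: 0xF79AC000 Size: 20480 File Visible: No Signed: - Status: - "
    "Name: win32k.sys:2 Image Path: C:\\WINDOWS\\win32k.sys:2 "
    "Address: 0xF7247000 Size: 61440 File Visible: No Signed: - Status: - "
    "Name: WMIxWDM Image Path: \\Driver\\WMIxWDM "
    "Address: 0x804D7000 Size: 2066048 File Visible: - Signed: - Status: -"
)

# One loaded-module record as it appears in the flattened listing.  Name and
# path are matched lazily so they stop at the next field label.
RECORD_RE = re.compile(
    r"Name: (?P<name>.+?) "
    r"Image Path: (?P<path>.+?) "
    r"Address: (?P<address>0x[0-9A-Fa-f]+) "
    r"Size: (?P<size>\d+) "
    r"File Visible: (?P<visible>\S+) "
    r"Signed: (?P<signed>\S+) "
    r"Status: (?P<status>\S+)"
)

# A drive-rooted path with a second colon after the drive letter, e.g.
# C:\WINDOWS\win32k.sys:1, names an NTFS alternate data stream, not a file.
ADS_PATH_RE = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\]+$")


def parse_records(text: str) -> List[Dict[str, object]]:
    """Split a flattened driver listing into one dict per loaded module."""
    records: List[Dict[str, object]] = []
    for m in RECORD_RE.finditer(text):
        records.append({
            "name": m.group("name"),
            "path": m.group("path"),
            "address": int(m.group("address"), 16),
            "size": int(m.group("size")),
            "visible": m.group("visible"),
            "signed": m.group("signed"),
            "status": m.group("status"),
        })
    return records


def flag_records(records: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Return {module name: [reasons]} for entries that need a closer look."""
    flagged: Dict[str, List[str]] = {}
    for rec in records:
        reasons = []
        # The scanner could not see the backing file through the normal
        # file-system API although the module is loaded in memory.
        if str(rec["visible"]).lower() == "no":
            reasons.append("file hidden from the file system API")
        # The image lives in an alternate data stream of another file.
        if ADS_PATH_RE.match(str(rec["path"])):
            reasons.append("image loaded from an NTFS alternate data stream")
        if reasons:
            flagged[str(rec["name"])] = reasons
    return flagged


def triage(text: str) -> Dict[str, List[str]]:
    """Parse a flattened listing and return only the suspicious entries."""
    return flag_records(parse_records(text))


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the constructed sample it reports only the two stream-backed win32k.sys entries; the legitimate win32k.sys, vga.sys and the WMIxWDM kernel object pass. The two checks are independent on purpose: a hidden regular file and a visible stream are each worth a look on their own.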
  10. I have been fighting a serious infection all week. As I had posted earlier - my wife's PC is infected with what appear to be several problems, one of which is a fake protection system. I tried following the instructions from the "I'm Infected" post, but nothing was able to load- I even tried renaming MalwareBytes MBAM, HJT but nothing worked. I made some progress this morning with running a rescue boot CD from Avira, and after it finished I was able to start the PC, and use the guest account. The regular accounts for my wife and I kept locking up. Avira is scanning (for now) and detected some trojan files in c:\Windows\system32\wscsvc32.exe- it is asking me whether to Move to quarantine, Delete, rename, or ignore- I can't see the benefit to the last two choices, so quarantine or delete? For the Avira rescue boot CD- did it write the log to the CD, if so where? Can I retrieve it on my (uninfected) laptop in order to post it here? Thanks Rob
  11. Sorry if that was a forum no-no, I was under the impression that different sorts of moderators/advisors worked different parts of the forum, hence the multiple posts in different areas. My intent was to get as broad a spectrum as possible for reviewing and input on the overall problem I'm having. Since I can't even install and run HJT in order to post a log in that section, I thought I should post the problem here. This is one bear of an infection that has basically rendered my wife's computer into a useless box that sucks electricity.
  12. My wife's computer is infected with a very aggressive virus (possibly a new TDSS variant...) that has defeated the original McAfee virus protection and all system guards. All of the security tools have been disabled now, as well as Internet Explorer. Per the instructions in the "I'm Infected" forum posting- I tried installing and using Malwarebytes Anti-Malware MBAM tools, and also installing and running Avira Anti Virus. The infection is blocking the installation of MBAM (also posts a balloon), but I had been successful with loading Avira AV- but then it was quickly blocked and can't be accessed again. The saved log from Avira has disappeared. I'm not sure if it helps but I was watching the Avira scan progress closely (in hopes it would be successful) and noted some of the detections it registered:
HTML/Malicious.PDF.gen
TR/Dldr.Fraud.Lo.sxm
ADSPY/AltnetB.4
This may be an ignorant question, but does Avira not quarantine or remove the malware it detects? Maybe I missed something on the program interface, but couldn't find that option, which is disappointing since it was so difficult getting it to run because of the infection. I had also had some Eldycow files show up when I ran Yahoo CA Anti-Spy- one of the few programs I was able to run before being totally blocked. They should have been quarantined and removed if Anti-Spy worked. I haven't had any luck opening or running any removal tools, can't get HiJackThis to open and install, and now cannot even open Internet Explorer (all associated shortcuts that use IE now show as an unexecutable file type). A rogue program calling itself "Protection System" is continually posting pop-up or fake security balloon messages that bog down the system while trying to work with the computer. I posted this problem on the BartPE forum [http://www.nu2.nu/pebuilder/ ] and asked if there was any way to run the removal tools from a boot disk or command prompt, hoping I could beat the virus without running Windows.
I'm not a tech expert but have a basic knowledge, and can catch on fairly quickly- I'm just a little lost on how to begin. I want to make a BartPE (or other utility) CD-ROM that will allow me to install and run MBAM and removal tools, but I have a problem- I am not sure where the Windows XP disk for my wife's computer is, and my laptop uses Vista so I don't know how to proceed. I'm sure the Windows installation files are somewhere on my wife's computer- I just don't know the exact file path, and the infection makes it hard to work in Windows without pop-ups and blocked access by the virus program. How can I build a clean Boot CD, or PE CD that will allow me to install and run the malware removal tools in a PE environment or some other work-around? Thanks, Rob
  13. My wife's computer is infected with a very aggressive virus (possibly a new TDSS variant...) that has defeated the original McAfee virus protection and all system guards. All of the security tools have been disabled now, as well as Internet Explorer. Per the instructions in the "I'm Infected" forum posting- I tried installing and using Malwarebytes Anti-Malware MBAM tools, and also installing and running Avira Anti Virus. The infection is blocking the installation of MBAM (also posts a balloon), but I had been successful with loading Avira AV- but then it was quickly blocked and can't be accessed again. The saved log from Avira has disappeared. I'm not sure if it helps but I was watching the Avira scan progress closely (in hopes it would be successful) and noted some of the detections it registered:
HTML/Malicious.PDF.gen
TR/Dldr.Fraud.Lo.sxm
ADSPY/AltnetB.4
This may be an ignorant question, but does Avira not quarantine or remove the malware it detects? Maybe I missed something on the program interface, but couldn't find that option, which is disappointing since it was so difficult getting it to run because of the infection. I had also had some Eldycow files show up when I ran Yahoo CA Anti-Spy- one of the few programs I was able to run before being totally blocked. They should have been quarantined and removed if Anti-Spy worked. I haven't had any luck opening or running any removal tools, can't get HiJackThis to open and install, and now cannot even open Internet Explorer (all associated shortcuts that use IE now show as an unexecutable file type). A rogue program calling itself "Protection System" is continually posting pop-up or fake security balloon messages that bog down the system while trying to work with the computer. I posted this problem on the BartPE forum [http://www.nu2.nu/pebuilder/ ] and asked if there was any way to run the removal tools from a boot disk or command prompt, hoping I could beat the virus without running Windows.
I'm not a tech expert but have a basic knowledge, and can catch on fairly quickly- I'm just a little lost on how to begin. I want to make a BartPE (or other utility) CD-ROM that will allow me to install and run MBAM and removal tools, but I have a problem- I am not sure where the Windows XP disk for my wife's computer is, and my laptop uses Vista so I don't know how to proceed. I'm sure the Windows installation files are somewhere on my wife's computer- I just don't know the exact file path, and the infection makes it hard to work in Windows without pop-ups and blocked access by the virus program. How can I build a clean Boot CD, or PE CD that will allow me to install and run the malware removal tools in a PE environment or some other work-around? Thanks, Rob
  14. Hello! I need help!!! I've been trying for two days to recover our computer and haven't had any real success. My wife was browsing and printing or downloading from a website that contained malware. We have McAfee and a couple of other anti-spyware tools installed on our computer, but apparently at some point the Site Advisor and other active systems were disabled on her profile. We are running Windows XP. I primarily use my laptop so I can't even say for sure when an AV update and scan was done- not that it matters at this point. I was able to find out that one of the main culprits currently attacking her computer is a rogue program that calls itself "Protection System" and displays a shield which resembles the Windows devices. This thing has proven to be a real aggressive pain. It is preventing or disabling McAfee; for example when I try to do a scan or quickscan- it only gets to about 7% complete before I get an error message saying it is unable to update scan progress and needs to close. I also attempted to use "Full Service Scan", Windows Defender, and Windows Live OneCare, unfortunately none of these have worked- They are either blocked from running with an error message that says they must be run with Administrator privileges (which I have), or they freeze while scanning and the window they are running in disappears. I'm sure the rogue Protection System has something to do with this, since it is continuously displaying balloons or pop-up boxes while I attempt to run the scan and removal programs. I also noticed these boxes don't appear on the toolbar like traditional dialogue or pop-ups do. I did have one small success, I had Yahoo CA Anti-Spy on my toolbar and on a fluke was able to get it to update and run a Quickscan. In addition to the expected collection of tracking cookies and a few extra suspicious looking cookies, there were three items listed as "eldycow" files- which I knew to be a virus/trojan so I clicked remove.
Since I can't run a McAfee or other scan- I have no way of knowing if they were removed, or what else is lurking in the registry or elsewhere. The point to all of this is that after doing a search for info on the "Protection System" malware; I read several references that said Malwarebytes Anti-Malware would remove it. I downloaded some instructions found on BleepingComputer and then came here for more information. I need to know how to ensure that I successfully attack this problem. The infection seems to have blocked all other attempts to install and run other removal programs, and has made it almost impossible to use IE to navigate to a desired webpage to even access the downloads. (IE seems to have been hijacked as well-) And also to ask what should probably be a thread of its own- what anti-virus, spyware, malware and browsing protection systems can I use in the future that:
1. Are generally reliable (I've given up on anything above a 40-50% effective rating)
2. The combination of protection programs can run simultaneously without completely degrading system and other application performance
3. and lastly- display easily understood threat detection and user action messages that my wife can understand and use. (She admits being naive and ignorant, as well as a bit careless)
Thanks, Rob