
Steve Pierce
Honorary Members, 26 posts

Everything posted by Steve Pierce

  1. Fix worked, thanks. Perhaps MBAM could detect when F-Secure is running and post a note about how to fix this. I spent a long night testing, installing, reinstalling, removing, and more along with documenting everything before I submitted a ticket. Thanks again - Steve
  2. The MBAM service is running. Windows 8.1. I tried running install, that failed. I ran the MBAM removal tool, that appears to work, it tells me to reboot, when I reboot, MBAM is still there. Running MBAM uninstall from Control Panel does not work.
     Client was recently scammed by Microsoft tech virus. Called 800 number, permitted remote control, thought better of it and disconnected and immediately powered down computer. I ran AVG Rescue CD from bootable USB. Found search.me and adware. Installed and ran Malwarebytes, found similar problem but no viruses or trojans. Removed all suspect files found by AVG and MBAM. However, now getting Cannot Connect to Service when MBAM starts and suspecting something more serious is wrong.
     Attachment: mb-check-results.zip
  3. What do I do about defogger? We didn't undo any of the changes it made.
  4. Malwarebytes completed its scan. Found another file. Cleaned and removed it. Rebooted and re-ran Malwarebytes and it finished clean this morning. Rebooted. Security Essentials was able to run and successfully update. First time that has worked in a while. MSSE is running now. We will post results.
     File found was ccun.dat in /document and settings/liz/localsettings/temp/ccun.dat. AVG said it was Trojan Horse PSW.Generic 7.ccdy. Problem was found using AVG Rescue CD and booting from the CD. Scan was slow, took about 4 hours but found the file. We renamed, rebooted then deleted the file. We then found the registry entry and removed it as well. It was in Drivers32/midi9 and the file was called with a command ccun.dat 2yAPFDOFNF. Removed the registry entry, scanned for any other occurrences, emptied the trash and then rebooted. Success.
  5. www.virustotal.com results:
     c:\program files\HB20100302203045.bkp, 17MB file. This is a file used with a database and this is a backup file. Results 0/41, 0% hits: http://www.virustotal.com/analisis/a802801...b067-1274821905
     c:\program files\powsetup.exe, 8.51MB, order processing system. Results 0/41, 0%: http://www.virustotal.com/analisis/172148b...8026-1274822230
     I don't think either of these files is infected.
  6. Yes I chastised the owner as well for installing AVG without telling me. It got put on without my knowing about it. I put a sign on the computer, not to be touched except by me, that should stop this from happening again. - Steve
  7. ComboFix 10-05-24.07 - Liz 05/25/2010 12:11:08.5.1 - FAT32x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.174 [GMT -6:00]
     Running from: c:\steve\Combo-Fix.exe
     AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
     AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     E:\Autorun.inf
     .
     ((((((((((((((((((((((((( Files Created from 2010-04-25 to 2010-05-25 )))))))))))))))))))))))))))))))
     .
     2010-05-25 05:44 . 2010-05-25 05:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll
     2010-05-25 05:44 . 2010-05-25 05:44 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
     2010-05-25 05:43 . 2010-05-25 05:43 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
     2010-05-25 05:43 . 2010-05-25 05:43 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
     2010-05-25 05:43 . 2010-05-25 05:43 -------- d-----w- c:\windows\system32\drivers\Avg
     2010-05-25 05:43 . 2010-05-25 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
     2010-05-25 05:36 . 2010-05-25 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
     2010-05-24 22:59 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-05-24 22:59 . 2010-05-24 22:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-05-24 22:59 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-05-24 01:48 . 2010-05-12 17:21 221568 ----a-r- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\MPSigStub.exe
     2010-05-24 01:39 . 2010-05-24 01:39 -------- d-----w- c:\documents and settings\Liz\Local Settings\Application Data\PCHealth
     2010-05-24 01:39 . 2010-05-24 01:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
     2010-05-24 01:26 . 2010-05-24 01:26 -------- d-----w- c:\program files\Seagate
     2010-05-24 01:26 . 2010-05-24 01:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
     2010-05-24 01:25 . 2010-05-24 01:25 -------- d-----w- c:\documents and settings\Liz\Local Settings\Application Data\Downloaded Installations
     2010-05-24 01:25 . 2010-05-24 01:25 -------- d-sh--w- c:\windows\ftpcache
     2010-05-24 01:11 . 2010-05-24 01:11 -------- d-----w- c:\program files\Microsoft Security Essentials
     2010-05-23 18:27 . 2010-05-23 18:27 -------- d-----w- C:\Steve
     2010-05-23 18:21 . 2010-05-23 18:21 -------- d-----w- c:\program files\Trend Micro
     2010-05-22 21:34 . 2010-05-22 21:34 -------- d-----w- c:\windows\system32\DRVSTORE
     2010-05-22 21:33 . 2010-05-22 21:33 -------- d-----w- c:\program files\Lavasoft
     2010-05-22 21:33 . 2010-05-22 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
     2010-05-22 17:48 . 2010-05-22 17:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
     2010-05-22 15:38 . 2010-05-22 15:38 -------- d--h--w- c:\windows\PIF
     2010-05-21 23:12 . 2010-05-21 23:12 -------- d-----w- c:\documents and settings\Liz\Application Data\Malwarebytes
     2010-05-21 23:11 . 2010-05-21 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2010-05-17 15:05 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll
     2010-05-17 15:05 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll
     2010-05-16 01:21 . 2010-05-12 17:21 221568 ------w- c:\windows\system32\MpSigStub.exe
     2010-05-12 17:21 . 2010-05-12 17:21 221568 ----a-r- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\MPSigStub.exe
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-03-10 06:15 . 2004-09-15 04:12 420352 ----a-w- c:\windows\system32\vbscript.dll
     2010-03-04 20:11 . 2010-03-04 20:11 111 ----a-w- c:\program files\WS_FTP.LOG
     2010-03-03 04:36 . 2010-03-03 04:36 18702178 ----a-w- c:\program files\HB20100302203045.bkp
     2010-02-25 06:24 . 2006-06-23 17:33 916480 ----a-w- c:\windows\system32\wininet.dll
     2010-02-01 21:26 . 2010-02-01 21:26 98180904 ----a-w- c:\program files\iTunesSetup.exe
     2005-12-21 03:59 . 2005-12-21 03:59 349182 ----a-w- c:\program files\pow101m-upd.zip
     2005-12-21 03:55 . 2005-12-21 03:55 8922629 ----a-w- c:\program files\powsetup.exe
     .
     ((((((((((((((((((((((((((((( SnapShot_2010-05-24_20.58.59 )))))))))))))))))))))))))))))))))))))))))
     .
     + 2009-07-12 02:54 . 2009-07-12 02:54 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723\vcomp.dll
     + 2009-07-12 02:32 . 2009-07-12 02:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80KOR.dll
     + 2009-07-12 02:32 . 2009-07-12 02:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80JPN.dll
     + 2009-07-12 02:32 . 2009-07-12 02:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ITA.dll
     + 2009-07-12 02:32 . 2009-07-12 02:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80FRA.dll
     + 2009-07-12 02:32 . 2009-07-12 02:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ESP.dll
     + 2009-07-12 02:32 . 2009-07-12 02:32 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ENU.dll
     + 2009-07-12 02:32 . 2009-07-12 02:32 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80DEU.dll
     + 2009-07-12 02:32 . 2009-07-12 02:32 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHT.dll
     + 2009-07-12 02:32 . 2009-07-12 02:32 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHS.dll
     + 2009-07-12 07:07 . 2009-07-12 07:07 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80u.dll
     + 2009-07-12 07:19 . 2009-07-12 07:19 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80.dll
     + 2009-07-12 07:12 . 2009-07-12 07:12 632656 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
     + 2009-07-12 07:09 . 2009-07-12 07:09 554832 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
     + 2009-07-12 07:08 . 2009-07-12 07:08 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcm80.dll
     + 2010-05-25 05:36 . 2010-05-25 05:36 424448 c:\windows\Installer\2ad7b9.msi
     + 2009-07-12 02:46 . 2009-07-12 02:46 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80u.dll
     + 2009-07-12 02:46 . 2009-07-12 02:46 1105920 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80.dll
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
     "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
     [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
     [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
     2010-04-19 16:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
     "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
     [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "EPSON Stylus Photo 820 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE" [2002-04-10 74240]
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "NvCplDaemon"="NvQTwk" [X]
     "nwiz"="nwiz.exe" [2002-07-16 372736]
     "SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-04-26 102400]
     "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
     "EPSON Stylus Photo 820 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE" [2002-04-10 74240]
     "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
     "SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]
     "InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]
     "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
     "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
     2010-05-25 05:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll
     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
     2009-09-29 01:34 87352 ----a-w- c:\windows\system32\LMIinit.dll
     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
     "LoadAppInit_DLLs"=1 (0x1)
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
     @="Service"
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
     "c:\\Program Files\\Previews on Windows\\rteng6.exe"=
     "c:\\Program Files\\Previews on Windows\\preorder.exe"=
     "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
     "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
     R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/24/2010 11:43 PM 216200]
     R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/24/2010 11:44 PM 242896]
     R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [5/24/2010 11:36 PM 308064]
     R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/25/2009 11:32 PM 189736]
     R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
     R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [10/28/2002 11:57 PM 177280]
     S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [5/24/2010 11:43 PM 430152]
     --- Other Services/Drivers In Memory ---
     *NewlyCreated* - AVG9WD
     *NewlyCreated* - AVGLDX86
     *NewlyCreated* - AVGMFX86
     .
     Contents of the 'Scheduled Tasks' folder
     2010-05-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1202660629-1343024091-1003Core1cac69baaf0f680.job
     - c:\documents and settings\Liz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-02 22:23]
     2010-05-25 c:\windows\Tasks\OGALogon.job
     - c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]
     2010-05-25 c:\windows\Tasks\MpIdleTask.job
     - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-10 00:02]
     2010-05-25 c:\windows\Tasks\MP Scheduled Scan.job
     - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-10 00:02]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://dons.com/
     uInternet Connection Wizard,ShellNext = iexplore
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
     Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
     .
     **************************************************************************
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2010-05-25 12:21
     Windows 5.1.2600 Service Pack 3 FAT NTAPI
     scanning hidden processes ...
     scanning hidden autostart entries ...
     scanning hidden files ...
     scan completed successfully
     hidden files: 0
     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------
     - - - - - - - > 'winlogon.exe'(552)
     c:\windows\system32\wininet.dll
     c:\windows\system32\LMIinit.dll
     c:\windows\system32\LMIRfsClientNP.dll
     .
     Completion time: 2010-05-25 12:24:52
     ComboFix-quarantined-files.txt 2010-05-25 18:24
     ComboFix2.txt 2010-05-24 22:25
     ComboFix3.txt 2010-05-24 21:02
     ComboFix4.txt 2010-05-22 20:13
     ComboFix5.txt 2010-05-25 18:09
     Pre-Run: 7,496,663,040 bytes free
     Post-Run: 7,528,448,000 bytes free
     - - End Of File - - 6346CD006B94E3F751F68A588CD98DF0
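The Run-key values and R0/R1/R2/R3/S3 service lines in a ComboFix "Reg Loading Points" section like the one above are what a helper reads first when deciding what on a machine is legitimate. The parser below is an added example, my own code rather than ComboFix's, Malwarebytes' or the poster's, that turns those lines into records and flags the entries a reviewer would look at first: a value whose file ComboFix could not find (its `[X]` marker), a bare file name with no directory, or a program started from a temp directory. The sample text is constructed in that log format; its lines are copied from the log above except the `Updater` value, which is constructed after the temp-directory `ccun.dat` described in post 4 and did not appear in any log here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of a ComboFix "Reg Loading Points" section.
# Lines are copied from the log above except "Updater", which is constructed
# (modelled on the temp-directory ccun.dat in post 4) to exercise the temp check.
# "[X]" is ComboFix's marker for a value whose file it could not find.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"nwiz"="nwiz.exe" [2002-07-16 372736]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"Updater"="c:\documents and settings\Liz\Local Settings\Temp\ccun.dat" [2010-05-20 4096]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/24/2010 11:43 PM 216200]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [5/24/2010 11:36 PM 308064]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [5/24/2010 11:43 PM 430152]
"""

KEY_RE = re.compile(r'^\[(HK[^\]]*)\]$')                                  # [HKEY_...\Run]
RUN_RE = re.compile(r'^"([^"]+)"\s*=\s*"([^"]*)"\s+\[([^\]]+)\]$')       # "Name"="path" [date size] or [X]
SVC_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]+)\]$')  # R2 name;description;path [date size]


@dataclass
class Autostart:
    kind: str                 # "run" (registry Run value) or "service"
    where: str                # registry key for run values, start type (R0..S3) for services
    name: str
    path: str
    timestamp: Optional[str]  # None when ComboFix printed [X]
    size: Optional[int]


def _split_info(info: str) -> Tuple[Optional[str], Optional[int]]:
    """'2002-07-16 372736' or '5/24/2010 11:43 PM 216200' -> (timestamp, size)."""
    if info == "X":
        return None, None
    stamp, size = info.rsplit(" ", 1)
    return stamp, int(size)


def parse_reg_loading_points(text: str) -> List[Autostart]:
    """Parse Run values and service lines; other line types are skipped."""
    entries: List[Autostart] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)   # later Run values belong to this key
            continue
        m = RUN_RE.match(line)
        if m:
            name, path, info = m.groups()
            stamp, size = _split_info(info)
            entries.append(Autostart("run", current_key, name, path, stamp, size))
            continue
        m = SVC_RE.match(line)
        if m:
            start, name, _desc, path, info = m.groups()
            stamp, size = _split_info(info)
            entries.append(Autostart("service", start, name, path, stamp, size))
    return entries


def find_suspicious(entries: List[Autostart]) -> List[Tuple[str, List[str]]]:
    """Return (name, reasons) for entries worth a closer look; these are review heuristics, not verdicts."""
    flagged: List[Tuple[str, List[str]]] = []
    for e in entries:
        reasons = []
        if e.timestamp is None:
            reasons.append("file not found ([X])")
        if "\\" not in e.path:
            reasons.append("bare file name, no directory given")
        if "\\temp\\" in e.path.lower():
            reasons.append("started from a temp directory")
        if reasons:
            flagged.append((e.name, reasons))
    return flagged


if __name__ == "__main__":
    parsed = parse_reg_loading_points(SAMPLE_LOG)
    print(f"{len(parsed)} autostart entries parsed")
    for name, reasons in find_suspicious(parsed):
        print(f"  {name}: {'; '.join(reasons)}")
```

Run as-is it reports nine entries and flags `NvCplDaemon` (file missing and no directory), `nwiz` (no directory) and the constructed `Updater` (temp directory); the legitimate AVG, LogMeIn and MSSE entries pass. The flags are a reading aid for the helper, not a verdict: a bare `nwiz.exe` is normal for that driver, which is why each reason is returned separately rather than collapsed into a score.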
  8. Ran mbr.exe. The program didn't prompt me for any questions. It launched a quick DOS box and closed. Here is the log file.
     Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
     device: opened successfully
     user: MBR read successfully
     kernel: MBR read successfully
     user & kernel MBR OK
  9. Rootrepeal is still showing an MBR on the E drive. Rootkitbuster from Trend will not run. MBAM will not run. HiJackThis does work.
  10. OK MSSE is now loading after a reboot. I am still having problems with DNS redirect. MSSE and WindowsUpdate will not update. I added the exclusions to MSSE and then rebooted. MBAM loads, I see the screen for about 2 seconds and then it closes.
  11. Sadly, no joy. MBAM still starts and immediately closes. A new problem is now when I start MSSE, it closes immediately as well. So I can't add the exclusions in MSSE for MBAM. - Steve
  12. MBAM still doesn't load and I still have real-time scanning turned off.
  13. After reboot started, Combo-fix restarted. A program, SecurDisc, also loaded, unsure if that is part of Combo-fix. Then it says Combofix needs to submit malware for further analysis. Here is the log file.
      ComboFix 10-05-24.03 - Liz 05/24/2010 15:53:06.4.1 - FAT32x86
      Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.188 [GMT -6:00]
      Running from: F:\Combo-Fix.exe
      Command switches used :: F:\cfscript.txt
      AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
      file zipped: c:\documents and settings\Administrator\Start Menu\Programs\Startup\Reboot.exe
      .
      ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
      .
      c:\documents and settings\Administrator\Start Menu\Programs\Startup\Reboot.exe
      E:\Autorun.inf
      .
      ((((((((((((((((((((((((( Files Created from 2010-04-24 to 2010-05-24 )))))))))))))))))))))))))))))))
      .
      2010-05-24 21:48 . 2010-05-25 09:40 -------- d-----w- C:\32788R22FWJFW
      2010-05-24 01:48 . 2010-05-12 17:21 221568 ----a-r- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\MPSigStub.exe
      2010-05-24 01:39 . 2010-05-24 01:39 -------- d-----w- c:\documents and settings\Liz\Local Settings\Application Data\PCHealth
      2010-05-24 01:39 . 2010-05-24 01:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
      2010-05-24 01:26 . 2010-05-24 01:26 -------- d-----w- c:\program files\Seagate
      2010-05-24 01:26 . 2010-05-24 01:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
      2010-05-24 01:25 . 2010-05-24 01:25 -------- d-----w- c:\documents and settings\Liz\Local Settings\Application Data\Downloaded Installations
      2010-05-24 01:25 . 2010-05-24 01:25 -------- d-sh--w- c:\windows\ftpcache
      2010-05-24 01:11 . 2010-05-24 01:11 -------- d-----w- c:\program files\Microsoft Security Essentials
      2010-05-23 18:27 . 2010-05-23 18:27 -------- d-----w- C:\Steve
      2010-05-23 18:21 . 2010-05-23 18:21 -------- d-----w- c:\program files\Trend Micro
      2010-05-22 21:34 . 2010-05-22 21:34 -------- d-----w- c:\windows\system32\DRVSTORE
      2010-05-22 21:34 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
      2010-05-22 21:33 . 2010-05-22 21:33 -------- d--h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
      2010-05-22 21:33 . 2010-02-04 15:53 2954656 ----a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
      2010-05-22 21:33 . 2010-05-22 21:33 -------- d-----w- c:\program files\Lavasoft
      2010-05-22 21:33 . 2010-05-22 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
      2010-05-22 17:48 . 2010-05-22 17:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
      2010-05-22 15:38 . 2010-05-22 15:38 -------- d--h--w- c:\windows\PIF
      2010-05-21 23:12 . 2010-05-21 23:12 -------- d-----w- c:\documents and settings\Liz\Application Data\Malwarebytes
      2010-05-21 23:11 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
      2010-05-21 23:11 . 2010-05-21 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
      2010-05-21 23:11 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
      2010-05-21 23:11 . 2010-05-21 23:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
      2010-05-17 15:05 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll
      2010-05-17 15:05 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll
      2010-05-16 01:21 . 2010-05-12 17:21 221568 ------w- c:\windows\system32\MpSigStub.exe
      2010-05-12 17:21 . 2010-05-12 17:21 221568 ----a-r- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\MPSigStub.exe
      .
      (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2010-03-10 06:15 . 2004-09-15 04:12 420352 ----a-w- c:\windows\system32\vbscript.dll
      2010-03-04 20:11 . 2010-03-04 20:11 111 ----a-w- c:\program files\WS_FTP.LOG
      2010-03-03 04:36 . 2010-03-03 04:36 18702178 ----a-w- c:\program files\HB20100302203045.bkp
      2010-02-25 06:24 . 2006-06-23 17:33 916480 ----a-w- c:\windows\system32\wininet.dll
      2010-02-24 13:11 . 2001-08-23 18:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
      2010-02-01 21:26 . 2010-02-01 21:26 98180904 ----a-w- c:\program files\iTunesSetup.exe
      2005-12-21 03:59 . 2005-12-21 03:59 349182 ----a-w- c:\program files\pow101m-upd.zip
      2005-12-21 03:55 . 2005-12-21 03:55 8922629 ----a-w- c:\program files\powsetup.exe
      .
      ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "EPSON Stylus Photo 820 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE" [2002-04-10 74240]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "NvCplDaemon"="NvQTwk" [X]
      "nwiz"="nwiz.exe" [2002-07-16 372736]
      "SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-04-26 102400]
      "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
      "EPSON Stylus Photo 820 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE" [2002-04-10 74240]
      "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
      "SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]
      "InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]
      "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
      "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
      "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
      c:\documents and settings\All Users\Start Menu\Programs\Startup\
      Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
      2009-09-29 01:34 87352 ----a-w- c:\windows\system32\LMIinit.dll
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
      "LoadAppInit_DLLs"=1 (0x1)
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
      @="Service"
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
      @="Service"
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
      "c:\\Program Files\\Previews on Windows\\rteng6.exe"=
      "c:\\Program Files\\Previews on Windows\\preorder.exe"=
      R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/22/2010 3:34 PM 64288]
      R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/25/2009 11:32 PM 189736]
      R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1228208]
      R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
      R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [10/28/2002 11:57 PM 177280]
      .
      Contents of the 'Scheduled Tasks' folder
      2010-05-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1202660629-1343024091-1003Core1cac69baaf0f680.job
      - c:\documents and settings\Liz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-02 22:23]
      2010-05-24 c:\windows\Tasks\OGALogon.job
      - c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]
      2010-05-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
      - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 15:53]
      2010-05-24 c:\windows\Tasks\MpIdleTask.job
      - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-10 00:02]
      2010-05-24 c:\windows\Tasks\MP Scheduled Scan.job
      - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-10 00:02]
      .
      .
      ------- Supplementary Scan -------
      .
      uStart Page = hxxp://dons.com/
      uInternet Connection Wizard,ShellNext = iexplore
      IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
      .
      **************************************************************************
      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2010-05-24 16:12
      Windows 5.1.2600 Service Pack 3 FAT NTAPI
      scanning hidden processes ...
      scanning hidden autostart entries ...
      scanning hidden files ...
      scan completed successfully
      hidden files: 0
      **************************************************************************
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------
      - - - - - - - > 'winlogon.exe'(560)
      c:\windows\system32\wininet.dll
      c:\windows\system32\LMIinit.dll
      c:\windows\system32\LMIRfsClientNP.dll
      - - - - - - - > 'explorer.exe'(3488)
      c:\windows\system32\WININET.dll
      c:\windows\system32\ieframe.dll
      c:\windows\system32\webcheck.dll
      c:\windows\system32\WPDShServiceObj.dll
      c:\windows\system32\PortableDeviceTypes.dll
      c:\windows\system32\PortableDeviceApi.dll
      c:\windows\system32\LMIRfsClientNP.dll
      .
      ------------------------ Other Running Processes ------------------------
      .
      c:\program files\Microsoft Security Essentials\MsMpEng.exe
      c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
      c:\program files\LogMeIn\x86\RaMaint.exe
      c:\program files\LogMeIn\x86\LogMeIn.exe
      c:\program files\LogMeIn\x86\LMIGuardian.exe
      c:\windows\System32\nvsvc32.exe
      c:\windows\System32\wbem\unsecapp.exe
      c:\windows\system32\wscntfy.exe
      c:\program files\LogMeIn\x86\LMIGuardian.exe
      .
      **************************************************************************
      .
      Completion time: 2010-05-24 16:22:16 - machine was rebooted
      ComboFix-quarantined-files.txt 2010-05-24 22:22
      ComboFix2.txt 2010-05-24 21:02
      ComboFix3.txt 2010-05-22 20:13
      ComboFix4.txt 2010-05-22 18:43
      Pre-Run: 7,901,478,912 bytes free
      Post-Run: 7,865,499,648 bytes free
      - - End Of File - - BBF61B39233E4069E82358992F241D7A
      Upload was successful
  14. Ran script. During Combo-fix, computer suddenly executed a shut down and froze. Do you want me to re-run the script?
  15. File results from VirusTotal http://www.virustotal.com/analisis/351cbf2...812c-1273433291
  16. File upload with Google Chrome wouldn't work. Uploaded with IE and it worked. Cheers! - Steve
  17. OK, file has been uploaded but the web page threw an error after uploading.
  18. Here is the combo-fix report you requested.
      ComboFix 10-05-24.03 - Liz 05/24/2010 14:49:40.3.1 - FAT32x86
      Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.229 [GMT -6:00]
      Running from: F:\Combo-Fix.exe
      AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
      .
      ((((((((((((((((((((((((( Files Created from 2010-04-24 to 2010-05-24 )))))))))))))))))))))))))))))))
      .
      2010-05-24 01:48 . 2010-05-12 17:21 221568 ----a-r- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\MPSigStub.exe
      2010-05-24 01:39 . 2010-05-24 01:39 -------- d-----w- c:\documents and settings\Liz\Local Settings\Application Data\PCHealth
      2010-05-24 01:39 . 2010-05-24 01:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
      2010-05-24 01:26 . 2010-05-24 01:26 -------- d-----w- c:\program files\Seagate
      2010-05-24 01:26 . 2010-05-24 01:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
      2010-05-24 01:25 . 2010-05-24 01:25 -------- d-----w- c:\documents and settings\Liz\Local Settings\Application Data\Downloaded Installations
      2010-05-24 01:25 . 2010-05-24 01:25 -------- d-sh--w- c:\windows\ftpcache
      2010-05-24 01:11 . 2010-05-24 01:11 -------- d-----w- c:\program files\Microsoft Security Essentials
      2010-05-23 18:27 . 2010-05-23 18:27 -------- d-----w- C:\Steve
      2010-05-23 18:21 . 2010-05-23 18:21 -------- d-----w- c:\program files\Trend Micro
      2010-05-22 21:34 . 2010-05-22 21:34 -------- d-----w- c:\windows\system32\DRVSTORE
      2010-05-22 21:34 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
      2010-05-22 21:33 . 2010-05-22 21:33 -------- d--h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
      2010-05-22 21:33 . 2010-02-04 15:53 2954656 ----a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
      2010-05-22 21:33 . 2010-05-22 21:33 -------- d-----w- c:\program files\Lavasoft
      2010-05-22 21:33 . 2010-05-22 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
      2010-05-22 17:48 . 2010-05-22 17:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
      2010-05-22 15:38 . 2010-05-22 15:38 -------- d--h--w- c:\windows\PIF
      2010-05-21 23:12 . 2010-05-21 23:12 -------- d-----w- c:\documents and settings\Liz\Application Data\Malwarebytes
      2010-05-21 23:11 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
      2010-05-21 23:11 . 2010-05-21 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
      2010-05-21 23:11 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
      2010-05-21 23:11 . 2010-05-21 23:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
      2010-05-17 15:05 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll
      2010-05-17 15:05 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll
      2010-05-16 01:21 . 2010-05-12 17:21 221568 ------w- c:\windows\system32\MpSigStub.exe
      2010-05-12 17:21 . 2010-05-12 17:21 221568 ----a-r- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\MPSigStub.exe
      .
      (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2010-03-10 06:15 . 2004-09-15 04:12 420352 ----a-w- c:\windows\system32\vbscript.dll
      2010-03-04 20:11 . 2010-03-04 20:11 111 ----a-w- c:\program files\WS_FTP.LOG
      2010-03-03 04:36 . 2010-03-03 04:36 18702178 ----a-w- c:\program files\HB20100302203045.bkp
      2010-02-25 06:24 . 2006-06-23 17:33 916480 ----a-w- c:\windows\system32\wininet.dll
      2010-02-24 13:11 . 2001-08-23 18:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
      2010-02-01 21:26 . 2010-02-01 21:26 98180904 ----a-w- c:\program files\iTunesSetup.exe
      2005-12-21 03:59 . 2005-12-21 03:59 349182 ----a-w- c:\program files\pow101m-upd.zip
      2005-12-21 03:55 . 2005-12-21 03:55 8922629 ----a-w- c:\program files\powsetup.exe
      .
      ((((((((((((((((((((((((((((( SnapShot@2010-05-22_18.39.52 )))))))))))))))))))))))))))))))))))))))))
      .
      + 2008-07-29 14:05 . 2008-07-29 14:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
      + 2008-07-29 14:05 . 2008-07-29 14:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
      + 2008-07-29 14:05 . 2008-07-29 14:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
      + 2008-07-29 14:05 . 2008-07-29 14:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
      + 2008-07-29 14:05 . 2008-07-29 14:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
      + 2008-07-29 14:05 . 2008-07-29 14:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
      + 2008-07-29 14:05 . 2008-07-29 14:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
      + 2008-07-29 14:05 . 2008-07-29 14:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
      + 2008-07-29 14:05 . 2008-07-29 14:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
      + 2008-07-29 14:05 . 2008-07-29 14:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
      + 2008-07-29 14:05 . 2008-07-29 14:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
      + 2008-07-29 12:07 . 2008-07-29 12:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
      + 2008-07-29 12:07 . 2008-07-29 12:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
      + 2008-07-29 12:07 . 2008-07-29 12:07 80896 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfcm90ud.dll
      + 2008-07-29 12:07 . 2008-07-29 12:07 80896 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfcm90d.dll
      + 2010-05-22 21:34 . 2010-02-04 15:53 64288 c:\windows\system32\DRVSTORE\lbd_B425E86B28F27CC7F4A0CAF275F9F2789F3C6909\Lbd.sys
      + 2003-06-30 07:13 . 2010-05-24 06:34 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
      - 2003-06-30 07:13 . 2008-12-29 18:06 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
      + 2003-06-30 07:13 . 2010-05-24 06:34 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
      - 2003-06-30 07:13 . 2008-12-29 18:06 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
      - 2003-06-30 07:13 . 2008-12-29 18:06 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
      + 2010-05-24 06:34 . 2010-05-24 06:34 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
      + 2010-05-22 21:33 . 2010-05-22 21:33 29926 c:\windows\Installer\{338F08AB-C262-42C7-B000-34DE1A475273}\_6FEFF9B68218417F98F549.exe
      + 2010-05-24 01:29 . 2010-05-24 01:29 87376 c:\windows\Installer\{2A30052B-831C-41D3-8044-3C0388066350}\NewShortcut3_3AA20A2C6BEF43A6A3B4F09C5D78D1D4.exe
      + 2010-05-24 01:29 . 2010-05-24 01:29 87376 c:\windows\Installer\{2A30052B-831C-41D3-8044-3C0388066350}\NewShortcut2_B7AA0888E8864144BA725EAA61DC15D5.exe
      + 2010-05-24 01:29 . 2010-05-24 01:29 50512 c:\windows\Installer\{2A30052B-831C-41D3-8044-3C0388066350}\NewShortcut1_68F918D3F91F411B8936985CC2BD4192.exe
      + 2010-05-24 01:29 . 2010-05-24 01:29 87376 c:\windows\Installer\{2A30052B-831C-41D3-8044-3C0388066350}\ARPPRODUCTICON.exe
      + 2008-07-29 14:05 . 2008-07-29 14:05 875520 c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcp90d.dll
      + 2008-07-29 09:54 . 2008-07-29 09:54 312832 c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcm90d.dll
      + 2009-07-12 06:02 . 2009-07-12 06:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
      + 2009-07-12 06:02 . 2009-07-12 06:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
      + 2009-07-12 06:05 . 2009-07-12 06:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
      + 2008-07-29 14:05 . 2008-07-29 14:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
      + 2008-07-29 14:05 . 2008-07-29 14:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
      + 2008-07-29 09:54 . 2008-07-29 09:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
      + 2008-07-29 14:05 . 2008-07-29 14:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
      + 2009-12-02 21:23 . 2009-12-02 21:23 149040 c:\windows\system32\drivers\MpFilter.sys
      + 2010-05-24 01:11 . 2010-05-24 01:12 272384 c:\windows\Installer\9b1ae.msi
      + 2010-05-24 01:11 . 2010-05-24 01:11 254976 c:\windows\Installer\9b1a8.msi
      + 2010-05-24 01:11 .
2010-05-24 01:11 301056 c:\windows\Installer\9b1a2.msi + 2010-05-22 21:33 . 2010-05-22 21:33 167424 c:\windows\Installer\96f029.msi + 2010-05-22 21:33 . 2010-05-22 21:33 236032 c:\windows\Installer\96f01b.msi + 2008-07-29 14:05 . 2008-07-29 14:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll + 2008-07-29 14:05 . 2008-07-29 14:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll + 2008-07-29 14:05 . 2008-07-29 14:05 5982720 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfc90ud.dll + 2008-07-29 14:05 . 2008-07-29 14:05 5937144 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfc90d.dll + 2008-07-29 14:05 . 2008-07-29 14:05 1180672 c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcr90d.dll + 2010-05-24 01:29 . 2010-05-24 01:29 3668992 c:\windows\Installer\9b412.msi + 2010-05-22 21:33 . 2010-05-22 21:33 1859072 c:\windows\Installer\96f024.msi + 2005-09-18 18:39 . 2010-04-30 17:51 32058312 c:\windows\system32\MRT.exe - 2005-09-18 18:39 . 2010-04-30 18:51 32058312 c:\windows\system32\MRT.exe . -- Snapshot reset to current date -- . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "EPSON Stylus Photo 820 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE" [2002-04-10 74240] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="NvQTwk" [X] "nwiz"="nwiz.exe" [2002-07-16 372736] "SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-04-26 102400] "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048] "EPSON Stylus Photo 820 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE" [2002-04-10 74240] "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136] "SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208] "InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328] "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208] "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160] c:\documents and settings\Administrator\Start Menu\Programs\Startup\ Reboot.exe [2002-3-20 382464] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2009-09-29 01:34 87352 ----a-w- c:\windows\system32\LMIinit.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "LoadAppInit_DLLs"=1 (0x1) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\WS_FTP\\WS_FTP95.exe"= "c:\\Program Files\\Previews on Windows\\rteng6.exe"= "c:\\Program Files\\Previews on Windows\\preorder.exe"= R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/22/2010 3:34 PM 64288] R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/25/2009 11:32 PM 189736] R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856] R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [10/28/2002 11:57 PM 177280] S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1228208] --- Other Services/Drivers In Memory --- *Deregistered* - PROCEXP141 . Contents of the 'Scheduled Tasks' folder 2010-05-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1202660629-1343024091-1003Core1cac69baaf0f680.job - c:\documents and settings\Liz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-02 22:23] 2010-05-24 c:\windows\Tasks\OGALogon.job - c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07] 2010-05-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 15:53] . . ------- Supplementary Scan ------- . uStart Page = hxxp://dons.com/ uInternet Connection Wizard,ShellNext = iexplore IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000 . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-05-24 14:58 Windows 5.1.2600 Service Pack 3 FAT NTAPI scanning hidden processes ... scanning hidden autostart entries ... 
scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(556) c:\windows\system32\wininet.dll c:\windows\system32\LMIinit.dll c:\windows\system32\LMIRfsClientNP.dll - - - - - - - > 'explorer.exe'(532) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Completion time: 2010-05-24 15:02:25 ComboFix-quarantined-files.txt 2010-05-24 21:02 ComboFix2.txt 2010-05-22 20:13 ComboFix3.txt 2010-05-22 18:43 Pre-Run: 7,738,195,968 bytes free Post-Run: 7,882,997,760 bytes free - - End Of File - - C858E7682DFDFA77A8CF34A60AC724D6
  19. Success. I rebooted and ran RootRepeal; here are the report and the latest DDS report.

ROOTREPEAL © AD, 2007-2010
==================================================
Report Save Time: 2010/05/24 14:15
Program Version: Version 2.0.0.0
Windows Version: Windows XP SP3
==================================================

DRIVERS
-------------------
File Invisible dump_atapi.sys 0xeefe4000 C:\WINDOWS\System32\Drivers\dump_atapi.sys, 98304 bytes
File Invisible dump_WMILIB.SYS 0xf8c4e000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS, 8192 bytes
File Invisible rootrepeal.sys 0xede87000 C:\WINDOWS\system32\drivers\rootrepeal.sys, 49152 bytes

PROCESSES
-------------------
4 - System
172 - C:\PROGRAM FILES\MICROSOFT SECURITY ESSENTIALS\MSSECES.EXE
180 - C:\WINDOWS\SYSTEM32\WUAUCLT.EXE
184 - C:\PROGRAM FILES\SEAGATE\SEAGATEMANAGER\FREEAGENT STATUS\STXMENUMGR.EXE
236 - C:\WINDOWS\SYSTEM32\CTFMON.EXE
248 - C:\PROGRAM FILES\LOGMEIN\X86\LMIGUARDIAN.EXE
448 - C:\WINDOWS\SYSTEM32\SMSS.EXE
476 - C:\WINDOWS\SYSTEM32\SVCHOST.EXE
516 - C:\WINDOWS\SYSTEM32\CSRSS.EXE
556 - C:\WINDOWS\SYSTEM32\WINLOGON.EXE
612 - C:\WINDOWS\SYSTEM32\SERVICES.EXE
624 - C:\WINDOWS\SYSTEM32\LSASS.EXE
792 - C:\WINDOWS\SYSTEM32\SVCHOST.EXE
880 - C:\PROGRAM FILES\LOGMEIN\X86\LOGMEIN.EXE
928 - C:\WINDOWS\SYSTEM32\SVCHOST.EXE
1004 - C:\PROGRAM FILES\MICROSOFT SECURITY ESSENTIALS\MSMPENG.EXE
1144 - C:\PROGRAM FILES\SEAGATE\SEAGATEMANAGER\SYNC\FREEAGENTSERVICE.EXE
1180 - C:\WINDOWS\SYSTEM32\SVCHOST.EXE
1376 - C:\PROGRAM FILES\NERO\NERO 7\INCD\INCDSRV.EXE
1384 - C:\WINDOWS\SYSTEM32\SVCHOST.EXE
1436 - C:\WINDOWS\EXPLORER.EXE
1492 - C:\WINDOWS\SYSTEM32\SVCHOST.EXE
1540 - C:\PROGRAM FILES\LOGMEIN\X86\RAMAINT.EXE
1628 - C:\PROGRAM FILES\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
1760 - C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
1944 - C:\PROGRAM FILES\LOGMEIN\X86\LOGMEINSYSTRAY.EXE
1956 - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_S0EIC1.EXE
1976 - C:\PROGRAM FILES\NERO\NERO 7\INCD\NBHGUI.EXE
2040 - C:\PROGRAM FILES\NERO\NERO 7\INCD\INCD.EXE
2104 - C:\PROGRAM FILES\LOGMEIN\X86\LMIGUARDIAN.EXE
2132 - C:\WINDOWS\SYSTEM32\NVSVC32.EXE
2392 - C:\WINDOWS\SYSTEM32\WUAUCLT.EXE
2912 - C:\WINDOWS\SYSTEM32\WBEM\UNSECAPP.EXE
3120 - C:\WINDOWS\SYSTEM32\ALG.EXE
3128 - C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE
3348 - C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE
3612 - F:\RootRepeal.exe
4016 - C:\Program Files\Lavasoft\Ad-Aware\ThreatWork.exe

FILES
-------------------
Mismatch C:\WINDOWS\TEMP\MpCmdRun.log, Size mismatch (API: 524288, Raw: 148062)
Sector E:\
Sector E:\
MBR E:\

STEALTH CODE
-------------------

HIDDEN SERVICES
-------------------

SSDT
-------------------
SYSCALL OK, INT 0x2E OK, ServiceTable OK, Driver IAT OK
NtCreateKey Lbd.sys 0xf878687e
NtSetValueKey Lbd.sys 0xf8786bfe

SHADOW SSDT
-------------------

CALLBACKS
-------------------

*****************************************************************

DDS (Ver_10-03-17.01) - FAT32x86
Run by Liz at 14:32:41.40 on Mon 05/24/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.157 [GMT -6:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
SVCHOST.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
SVCHOST.EXE
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\wuauclt.exe
F:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://dons.com/
uInternet Connection Wizard,ShellNext = iexplore
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [EPSON Stylus Photo 820 Series] c:\windows\system32\spool\drivers\w32x86\3\e_s0eic1.exe /a "c:\windows\system32\E_SD.tmp"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [nwiz] nwiz.exe /install
mRun: [siSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [EPSON Stylus Photo 820 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O5 "LPT1:" /M "Stylus Photo 820"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [securDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [inCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/RACtrl.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-22 64288]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1228208]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-12-17 47640]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2002-10-28 177280]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-05-24 17:21:13 0 ----a-w- c:\documents and settings\liz\defogger_reenable
2010-05-24 01:26:29 0 d-----w- c:\program files\Seagate
2010-05-24 01:26:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Seagate
2010-05-24 01:25:28 0 d-sh--w- c:\windows\ftpcache
2010-05-24 01:11:39 0 d-----w- c:\program files\Microsoft Security Essentials
2010-05-23 18:27:56 0 d-----w- C:\Steve
2010-05-23 18:21:27 0 d-----w- c:\program files\Trend Micro
2010-05-22 21:34:21 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-22 21:33:34 0 d--h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-22 21:33:09 0 d-----w- c:\program files\Lavasoft
2010-05-22 20:27:16 0 d-sh--w- C:\Recycled
2010-05-22 18:29:23 0 d-sha-r- C:\cmdcons
2010-05-22 18:26:48 98816 ----a-w- c:\windows\sed.exe
2010-05-22 18:26:48 77312 ----a-w- c:\windows\MBR.exe
2010-05-22 18:26:48 256512 ----a-w- c:\windows\PEV.exe
2010-05-22 18:26:48 161792 ----a-w- c:\windows\SWREG.exe
2010-05-22 17:35:28 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
2010-05-22 17:20:22 0 d-----w- c:\windows\system32\appmgmt
2010-05-22 15:38:19 0 d--h--w- c:\windows\PIF
2010-05-21 23:12:22 0 d-----w- c:\docume~1\liz\applic~1\Malwarebytes
2010-05-21 23:11:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-21 23:11:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-21 23:11:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-21 23:11:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-17 15:05:31 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-05-17 15:05:31 215920 ----a-w- c:\windows\system32\muweb.dll
2010-05-17 15:05:31 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-05-16 01:21:33 221568 ------w- c:\windows\system32\MpSigStub.exe

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-03-04 20:11:58 111 ----a-w- c:\program files\WS_FTP.LOG
2010-03-03 04:36:00 18702178 ----a-w- c:\program files\HB20100302203045.bkp
2010-02-25 17:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:08 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:26 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-01 21:26:56 98180904 ----a-w- c:\program files\iTunesSetup.exe
2005-12-21 03:59:36 349182 ----a-w- c:\program files\pow101m-upd.zip
2005-12-21 03:55:54 8922629 ----a-w- c:\program files\powsetup.exe

============= FINISH: 14:33:55.69 ===============
  20. Renamed file and rebooted. mbam (now firefox.exe) will still not run. ProcExp shows firefox.exe starting and then it closes about 15 seconds later. No window appears before it closes. The RootRepeal you linked to is far different and smaller than the one I had already downloaded. When I run it, it runs fine. When I go to save the report file it crashes; I get a rootrepeal.dmp and nothing is saved in the log file. If I run the RootRepeal from Aug 2009, I get an error saying it couldn't read the boot sector.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/05/24 14:04
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEEFE4000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8C4E000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PROCEXP141.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP141.SYS
Address: 0xEDC6E000 Size: 9600 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEE546000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\NetworkService\ntuser.dat.LOG Status: Size mismatch (API: 1024, Raw: 12288)
Path: C:\Documents and Settings\Administrator\ntuser.dat.LOG Status: Size mismatch (API: 1024, Raw: 8192)
Path: C:\Documents and Settings\Liz\ntuser.dat.LOG Status: Allocation size mismatch (API: 163840, Raw: 32768)
Path: C:\Documents and Settings\LogMeInRemoteUser\ntuser.dat.LOG Status: Size mismatch (API: 1024, Raw: 12288)
Path: C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Status: Size mismatch (API: 1024, Raw: 61440)
Path: C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Status: Allocation size mismatch (API: 65536, Raw: 32768)
Path: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Support\MPLog-05232010-191157.log Status: Allocation size mismatch (API: 1441792, Raw: 458752)
Path: Volume E:\ Status: MBR Rootkit Detected!
Path: Volume E:\, Sector 1 Status: Sector mismatch
Path: Volume E:\, Sector 2 Status: Sector mismatch
Path: Volume E:\, Sector 3 Status: Sector mismatch
Path: Volume E:\, Sector 4 Status: Sector mismatch
Path: Volume E:\, Sector 5 Status: Sector mismatch
Path: Volume E:\, Sector 6 Status: Sector mismatch
Path: Volume E:\, Sector 7 Status: Sector mismatch
Path: Volume E:\, Sector 8 Status: Sector mismatch
Path: Volume E:\, Sector 9 Status: Sector mismatch
Path: Volume E:\, Sector 10 Status: Sector mismatch
Path: Volume E:\, Sector 11 Status: Sector mismatch
Path: Volume E:\, Sector 12 Status: Sector mismatch
Path: Volume E:\, Sector 13 Status: Sector mismatch
Path: Volume E:\, Sector 14 Status: Sector mismatch
Path: Volume E:\, Sector 15 Status: Sector mismatch
Path: Volume E:\, Sector 16 Status: Sector mismatch
Path: Volume E:\, Sector 17 Status: Sector mismatch
Path: Volume E:\, Sector 18 Status: Sector mismatch
Path: Volume E:\, Sector 19 Status: Sector mismatch
Path: Volume E:\, Sector 20 Status: Sector mismatch
Path: Volume E:\, Sector 21 Status: Sector mismatch
Path: Volume E:\, Sector 22 Status: Sector mismatch
Path: Volume E:\, Sector 23 Status: Sector mismatch
Path: Volume E:\, Sector 24 Status: Sector mismatch
Path: Volume E:\, Sector 25 Status: Sector mismatch
Path: Volume E:\, Sector 26 Status: Sector mismatch
Path: Volume E:\, Sector 27 Status: Sector mismatch
Path: Volume E:\, Sector 28 Status: Sector mismatch
Path: Volume E:\, Sector 29 Status: Sector mismatch
Path: Volume E:\, Sector 30 Status: Sector mismatch
Path: Volume E:\, Sector 31 Status: Sector mismatch
Path: Volume E:\, Sector 32 Status: Sector mismatch
Path: Volume E:\, Sector 33 Status: Sector mismatch
Path: Volume E:\, Sector 34 Status: Sector mismatch
Path: Volume E:\, Sector 35 Status: Sector mismatch
Path: Volume E:\, Sector 36 Status: Sector mismatch
Path: Volume E:\, Sector 37 Status: Sector mismatch
Path: Volume E:\, Sector 38 Status: Sector mismatch
Path: Volume E:\, Sector 39 Status: Sector mismatch
Path: Volume E:\, Sector 40 Status: Sector mismatch
Path: Volume E:\, Sector 41 Status: Sector mismatch
Path: Volume E:\, Sector 42 Status: Sector mismatch
Path: Volume E:\, Sector 43 Status: Sector mismatch
Path: Volume E:\, Sector 44 Status: Sector mismatch
Path: Volume E:\, Sector 45 Status: Sector mismatch
Path: Volume E:\, Sector 46 Status: Sector mismatch
Path: Volume E:\, Sector 47 Status: Sector mismatch
Path: Volume E:\, Sector 48 Status: Sector mismatch
Path: Volume E:\, Sector 49 Status: Sector mismatch
Path: Volume E:\, Sector 50 Status: Sector mismatch
Path: Volume E:\, Sector 51 Status: Sector mismatch
Path: Volume E:\, Sector 52 Status: Sector mismatch
Path: Volume E:\, Sector 53 Status: Sector mismatch
Path: Volume E:\, Sector 54 Status: Sector mismatch
Path: Volume E:\, Sector 55 Status: Sector mismatch
Path: Volume E:\, Sector 56 Status: Sector mismatch
Path: Volume E:\, Sector 57 Status: Sector mismatch
Path: Volume E:\, Sector 58 Status: Sector mismatch
Path: Volume E:\, Sector 59 Status: Sector mismatch
Path: Volume E:\, Sector 60 Status: Sector mismatch
Path: Volume E:\, Sector 61 Status: Sector mismatch
Path: Volume E:\, Sector 62 Status: Sector mismatch

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf878687e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf8786bfe

==EOF==
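The v1.3.5.0 report in the post above carries three kinds of finding that get triaged differently: SSDT hooks (both placed by Lbd.sys here), API-versus-raw size mismatches on files that are open for write, and a volume-level "MBR Rootkit Detected!" with 62 sector mismatches on E:\. The script below is an added example, not something posted in the thread, that parses those sections and reduces a report to the items that still need a decision. Treating Lbd.sys as Ad-Aware's driver is an inference from the ComboFix listing earlier on this page (the R0 Lbd service, and a DRVSTORE copy of Lbd.sys with the same 2010-02-04 15:53 stamp as the Ad-Aware installer); the registry-log heuristic is the script's own assumption; SAMPLE_REPORT is a constructed, abridged excerpt of the posted report.

```python
"""Triage a RootRepeal 1.3.x text report: attribute each SSDT hook to the
driver that placed it, count sector-mismatch findings per volume, and set
routine registry-log size drift apart from other hidden/locked files."""
import re
from collections import defaultdict

# Constructed, abridged excerpt of the v1.3.5.0 report posted above (two of
# the 62 E:\ sector entries kept; field layout is the tool's own).
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
Program Version: Version 1.3.5.0
Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEE546000 Size: 49152 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Liz\ntuser.dat.LOG
Status: Allocation size mismatch (API: 163840, Raw: 32768)
Path: C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
Status: Size mismatch (API: 1024, Raw: 61440)
Path: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Support\MPLog-05232010-191157.log
Status: Allocation size mismatch (API: 1441792, Raw: 458752)
Path: Volume E:\
Status: MBR Rootkit Detected!
Path: Volume E:\, Sector 1
Status: Sector mismatch
Path: Volume E:\, Sector 2
Status: Sector mismatch
SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf878687e
#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf8786bfe
==EOF==
"""

# SSDT hookers an installed product accounts for.  Lbd.sys is the 'R0 Lbd'
# service in the ComboFix log earlier on this page, with the same build stamp
# as the Ad-Aware installer; calling it Ad-Aware's driver is an inference
# from that listing (assumption), not something the thread states.
KNOWN_HOOKERS = {"lbd.sys": "Lavasoft Ad-Aware (R0 Lbd service)"}

HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z/ ]*)\n-{5,}[ \t]*\n", re.M)
HOOK_RE = re.compile(r'#:\s*(\d+)\s+Function Name:\s*(\w+)\s+Status:\s*'
                     r'Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
FILE_RE = re.compile(r"Path:\s*(.+?)\s+Status:\s*([^\n]+)")   # Path/Status on one or two lines
DRIVER_RE = re.compile(r"Name:\s*(\S+)\s+Image Path:\s*([^\n]+)")
VOLUME_RE = re.compile(r"^Volume ([A-Za-z]:\\?)(?:, Sector (\d+))?$")
# Hive transaction logs are open for write while Windows runs, so API/raw size
# drift on them is expected; this is a heuristic (assumption), not proof.
REGISTRY_LOG_RE = re.compile(
    r"(ntuser\.dat\.log|\\config\\(system|software|sam|security|default)\.log)$", re.I)


def parse_report(text):
    """Split at the dash-underlined section headers; pull records from each."""
    parts = HEADER_RE.split(text)  # [preamble, name, body, name, body, ...]
    sections = {parts[i].strip(): parts[i + 1] for i in range(1, len(parts) - 1, 2)}
    version = re.search(r"Program Version:\s*Version\s+([\d.]+)", text)
    return {
        "version": version.group(1) if version else None,
        "hooks": [{"index": int(i), "function": fn, "driver": drv, "address": addr}
                  for i, fn, drv, addr in HOOK_RE.findall(sections.get("SSDT", ""))],
        "files": FILE_RE.findall(sections.get("Hidden/Locked Files", "")),
        "drivers": DRIVER_RE.findall(sections.get("Drivers", "")),
    }


def triage(text, known_hookers=KNOWN_HOOKERS):
    """Reduce a report to the items that still need an analyst's decision."""
    rep = parse_report(text)
    hooks_by_driver, sector_mismatch = defaultdict(list), defaultdict(int)
    mbr_flagged, registry_log_drift, other_hidden = [], [], []
    for h in rep["hooks"]:
        hooks_by_driver[h["driver"]].append(h["function"])
    for path, status in rep["files"]:
        vol = VOLUME_RE.match(path)
        if vol and status.startswith("Sector mismatch"):
            sector_mismatch[vol.group(1)] += 1
        elif vol and "MBR Rootkit" in status:
            mbr_flagged.append(vol.group(1))
        elif REGISTRY_LOG_RE.search(path):
            registry_log_drift.append(path)
        else:
            other_hidden.append((path, status))
    return {
        "version": rep["version"],
        "hooks_by_driver": dict(hooks_by_driver),
        "unexplained_hookers": sorted(d for d in hooks_by_driver if d.lower() not in known_hookers),
        "sector_mismatch": dict(sector_mismatch),
        "mbr_flagged": mbr_flagged,
        "registry_log_drift": registry_log_drift,
        "other_hidden": other_hidden,
        "invisible_drivers": [name for name, _ in rep["drivers"]],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

One check the report cannot make for you: it never says what E:\ is. RootRepeal was launched from F:\, and both the DDS header (FAT32x86) and catchme (FAT NTAPI) describe the system volume, so before a run of sector mismatches on a second volume is read as an MBR infection, tie E:\ to a physical device and compare its first sectors with a known-good copy. The script only counts and attributes; the decision stays with the analyst.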
  21. Here is the DDS file. The attachment only has the attach.txt. When I try to run GMER, it either crashes or, after scanning for a bit, I get a Services message that a reboot is happening in 59 seconds.

DDS (Ver_10-03-17.01) - FAT32x86
Run by Liz at 11:41:32.98 on Mon 05/24/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.110 [GMT -6:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
SVCHOST.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Documents and Settings\Liz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Liz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Liz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Liz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Liz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Liz\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://dons.com/
uInternet Connection Wizard,ShellNext = iexplore
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [EPSON Stylus Photo 820 Series] c:\windows\system32\spool\drivers\w32x86\3\e_s0eic1.exe /a "c:\windows\system32\E_SD.tmp"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [nwiz] nwiz.exe /install
mRun: [siSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [EPSON Stylus Photo 820 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O5 "LPT1:" /M "Stylus Photo 820"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [securDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [inCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [sunJavaUpdateSched] c:\program files\java\jre1.5.0_03\bin\jusched.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/RACtrl.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2010-05-24 17:21:13 0 ----a-w- c:\documents and settings\liz\defogger_reenable
2010-05-24 01:26:29 0 d-----w- c:\program files\Seagate
2010-05-24 01:26:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Seagate
2010-05-24 01:25:28 0 d-sh--w- c:\windows\ftpcache
2010-05-24 01:11:39 0 d-----w- c:\program files\Microsoft Security Essentials
2010-05-23 18:27:56 0 d-----w- C:\Steve
2010-05-23 18:21:27 0 d-----w- c:\program files\Trend Micro
2010-05-22 21:34:21 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-22 21:33:34 0 d--h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-22 21:33:09 0 d-----w- c:\program files\Lavasoft
2010-05-22 20:27:16 0 d-sh--w- C:\Recycled
2010-05-22 18:29:23 0 d-sha-r- C:\cmdcons
2010-05-22 18:26:48 98816 ----a-w- c:\windows\sed.exe
2010-05-22 18:26:48 77312 ----a-w- c:\windows\MBR.exe
2010-05-22 18:26:48 256512 ----a-w- c:\windows\PEV.exe
2010-05-22 18:26:48 161792 ----a-w- c:\windows\SWREG.exe
2010-05-22 17:35:28 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
2010-05-22 17:20:22 0 d-----w- c:\windows\system32\appmgmt
2010-05-22 15:38:19 0 d--h--w- c:\windows\PIF
2010-05-21 23:12:22 0 d-----w- c:\docume~1\liz\applic~1\Malwarebytes
2010-05-21 23:11:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-21 23:11:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-21 23:11:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-21 23:11:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-17 15:05:31 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-05-17 15:05:31 215920 ----a-w- c:\windows\system32\muweb.dll
2010-05-17 15:05:31 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-05-16 01:21:33 221568 ------w- c:\windows\system32\MpSigStub.exe

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-03-04 20:11:58 111 ----a-w- c:\program files\WS_FTP.LOG
2010-03-03 04:36:00 18702178 ----a-w- c:\program files\HB20100302203045.bkp
2010-02-25 17:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:08 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:26 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-01 21:26:56 98180904 ----a-w- c:\program files\iTunesSetup.exe
2005-12-21 03:59:36 349182 ----a-w- c:\program files\pow101m-upd.zip
2005-12-21 03:55:54 8922629 ----a-w- c:\program files\powsetup.exe

============= FINISH: 11:43:27.73 ===============

attach.zip
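Two DDS runs from the same machine a few hours apart appear in this thread (11:41 in this post, 14:32 in post 19 above), and what changed between them is more useful than either report on its own: the Java update scheduler and its 1.5.0 DPF entries are gone from the later run, the {8AD9C840-...} DPF now points at a 1.4.0 cab, and the SERVICES / DRIVERS section, empty at 11:41, is populated at 14:32. The script below is an added example rather than anything posted in the thread. It splits each report at its "=== name ===" banners and diffs the sections, keying Run, DPF and service entries on their name, CLSID or service name so an edited value shows up as a change instead of an unrelated removal and addition. DDS_EARLY and DDS_LATE are constructed, abridged excerpts of the two posted reports, not the full logs.

```python
"""Diff two DDS (Ver_10-03-17.01) reports section by section.  Run/DPF/
service entries are keyed on their name, CLSID or service name, so an
edited value shows as 'changed' instead of an unrelated remove + add."""
import re

# Constructed, abridged excerpts of the two reports posted in this thread
# (11:41 and 14:32 on 05/24/2010); duplicate process lines are kept as the
# tool prints them.
DDS_EARLY = r"""DDS (Ver_10-03-17.01) - FAT32x86
Run by Liz at 11:41:32.98 on Mon 05/24/2010

============== Running Processes ===============

C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Documents and Settings\Liz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Liz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Liz\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://dons.com/
mRun: [sunJavaUpdateSched] c:\program files\java\jre1.5.0_03\bin\jusched.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================
"""

DDS_LATE = r"""DDS (Ver_10-03-17.01) - FAT32x86
Run by Liz at 14:32:41.40 on Mon 05/24/2010

============== Running Processes ===============

C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
F:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://dons.com/
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-22 64288]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]

=============== Created Last 30 ================
"""

SECTION_RE = re.compile(r"^=+\s*([^=].*?)\s*=+$")
KEYED_RE = re.compile(r"^(\w+:\s*(?:\[[^\]]+\]|\{[0-9A-Fa-f-]+\}))")  # 'mRun: [name]' / 'DPF: {CLSID}'
SERVICE_RE = re.compile(r"^([RS]\d\s+[^;]+);")                        # 'R0 Lbd;Lbd;path [...]'


def split_sections(text):
    """Return {section name: [stripped non-empty lines]}; text before the
    first '=== name ===' banner goes under 'header'."""
    sections, name = {"header": []}, "header"
    for line in text.splitlines():
        banner = SECTION_RE.match(line)
        if banner:
            name = banner.group(1)
            sections.setdefault(name, [])
        elif line.strip():
            sections[name].append(line.strip())
    return sections


def entry_key(line):
    """Identity of a DDS entry, with its value stripped off."""
    m = KEYED_RE.match(line) or SERVICE_RE.match(line)
    return m.group(1) if m else line


def diff_reports(old_text, new_text,
                 sections=("Running Processes", "Pseudo HJT Report", "SERVICES / DRIVERS")):
    """Per section: entries only in the new report, only in the old one, and
    entries whose key is in both but whose text differs, as (old, new) pairs."""
    old, new = split_sections(old_text), split_sections(new_text)
    out = {}
    for sec in sections:
        o = {entry_key(l): l for l in old.get(sec, [])}  # the dict also collapses duplicates
        n = {entry_key(l): l for l in new.get(sec, [])}
        out[sec] = {
            "added": sorted(n[k] for k in n.keys() - o.keys()),
            "removed": sorted(o[k] for k in o.keys() - n.keys()),
            "changed": sorted((o[k], n[k]) for k in o.keys() & n.keys() if o[k] != n[k]),
        }
    return out


if __name__ == "__main__":
    for sec, d in diff_reports(DDS_EARLY, DDS_LATE).items():
        print(f"== {sec} ==")
        for kind in ("added", "removed", "changed"):
            for item in d[kind]:
                print(f"  {kind}: {item}")
```

Duplicate process lines (the five chrome.exe entries, the three wuauclt.exe) collapse into one key, which is what presence/absence triage wants; if the count of instances matters, build the per-section maps with a Counter instead. Entries that carry no name or CLSID (uStart Page, mPolicies-explorer, the process paths) are compared as whole lines.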