QuakemanJake
Members (6 posts)

Everything posted by QuakemanJake

  1. Google is redirecting on a different computer I have. I ran the latest Malwarebytes quick scan and ended up with a few objects infected, one of which is listed as a rootkit. Upon rebooting after scanning, the problems persist. Below is the raw text of the Malwarebytes scan:

     _______________________________________________________________

     Malwarebytes Anti-Malware 1.61.0.1400
     www.malwarebytes.org

     Database version: v2012.07.04.06

     Windows Vista Service Pack 2 x86 NTFS
     Internet Explorer 9.0.8112.16421
     Warren :: Computer [administrator]

     Protection: Enabled

     7/4/2012 8:31:40 PM
     mbam-log-2012-07-04 (20-40-08).txt

     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 219872
     Time elapsed: 8 minute(s), 9 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 1
     C:\Windows\System32\websensecamserver.dll (RootKit.0Access.H) -> No action taken.

     Registry Keys Detected: 3
     HKCR\sp (TrojanProxy.Agent) -> No action taken.
     HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\sp (TrojanProxy.Agent) -> No action taken.
     HKLM\System\CurrentControlSet\Services\SPService (TrojanProxy.Agent) -> No action taken.

     Registry Values Detected: 1
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost|netsvc (TrojanProxy.Agent) -> Data: SPService^^ -> No action taken.

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 1
     C:\Windows\System32\websensecamserver.dll (RootKit.0Access.H) -> No action taken.

     (end)

     Attachments: Attach.txt, DDS.txt
  2. Thank you very much for your help, sir! I will be purchasing MalwareBytes in order to support your efforts and the efforts of the contributors to this forum. Keep up the outstanding work, and thanks again. I am already in the process of "hardening" this computer.
  3. I should add that the computer does not appear to be acting strangely. I took my computer speakers off mute to see if I could hear any ads that were seemingly sounding out of nowhere, but so far I have noticed nothing. Is it okay for me to re-enable my AV?
  4. Ok, ran the ATFCleaner and got rid of a bunch of temp files. I began to run ComboFix and the blue screen came up; shortly after, I was notified that my volsnap.sys file was patched with a rootkit and ComboFix would attempt to fix it. I clicked OK and after a moment the program said something to the effect of "Rootkit presence detected, the machine needs to be rebooted." I allowed it to restart, and after doing so it made the System Restore point and then asked me if I wanted to install the Windows Recovery software. I clicked Yes, but the program said I was not connected to the internet, so I tried again, and it said it could not download the Windows Recovery software, but it would attempt to scan for malware anyway. It was at that point I realized my router took a dump, so I terminated ComboFix myself so that I could reset the router. I restarted ComboFix, after which point it notified me that there was a later version than the one I had and asked if I would like to update. I thought this was odd, as I had not been asked to update the first time I ran ComboFix. Regardless, I said yes, it appeared to update, and then said it would restart. It did so, and went through the System Restore and Windows Recovery prompt again; this time the download worked and the program ran through its stages, yielding the following log:

     ComboFix 11-04-22.01 - Jennifer 04/22/2011 20:25:36.1.2 - x86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1403 [GMT -5:00]
     Running from: c:\documents and settings\Jennifer\Desktop\ComboFix.exe
     AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
     .
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     c:\documents and settings\Jennifer\Desktop\Windows Recovery.lnk
     c:\documents and settings\Jennifer\Start Menu\Programs\Windows Recovery
     c:\documents and settings\Jennifer\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk
     c:\documents and settings\Jennifer\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk
     c:\windows\system32\Thumbs.db
     .
     Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
     Restored copy from - Kitty had a snack
     .
     ((((((((((((((((((((((((( Files Created from 2011-03-23 to 2011-04-23 )))))))))))))))))))))))))))))))
     .
     .
     2011-04-19 22:51 . 2011-03-04 21:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
     2011-04-19 22:51 . 2011-03-04 19:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
     2011-04-19 22:51 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
     2011-04-19 22:51 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
     2011-04-19 22:51 . 2011-04-19 22:51 -------- d-----w- c:\program files\Avira
     2011-04-19 22:51 . 2011-04-19 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
     2011-04-18 23:57 . 2011-04-18 23:57 -------- d--h--w- c:\windows\PIF
     2011-04-18 14:44 . 2011-04-18 14:45 102400 ----a-w- c:\windows\RegBootClean.exe
     2011-04-18 12:08 . 2011-04-18 12:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Geek Squad
     2011-04-18 12:07 . 2009-02-24 23:42 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
     2011-04-18 12:07 . 2011-04-18 12:28 -------- d-----w- c:\program files\MagicDisc
     2011-04-18 12:04 . 2010-09-06 09:26 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
     2011-04-18 11:48 . 2011-04-18 11:48 -------- d-----w- c:\documents and settings\Administrator
     .
     .
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2011-04-17 18:45 . 2010-10-19 04:34 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
     2008-05-07 08:34 . 2009-07-10 22:05 15523560 ----a-w- c:\program files\U1 Setup.exe
     .
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension1]
     @="{fe25455d-b4c2-4e32-97d2-92632ec1c224}"
     [HKEY_CLASSES_ROOT\CLSID\{fe25455d-b4c2-4e32-97d2-92632ec1c224}]
     2009-11-07 06:07 297808 ----a-w- c:\windows\system32\mscoree.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension2]
     @="{1fae2d88-a78e-4f03-909f-be818a3c1ce6}"
     [HKEY_CLASSES_ROOT\CLSID\{1fae2d88-a78e-4f03-909f-be818a3c1ce6}]
     2009-11-07 06:07 297808 ----a-w- c:\windows\system32\mscoree.dll
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "RTHDCPL"="RTHDCPL.EXE" [2009-02-13 17508864]
     "AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-12-04 114688]
     "AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-12-17 622592]
     "AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]
     "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
     "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
     "Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
     "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
     "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
     "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
     "ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-01-23 416768]
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
     "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
     "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
     .
     c:\documents and settings\Administrator\Start Menu\Programs\Startup\
     MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2011-4-18 576000]
     .
     c:\documents and settings\Jennifer\Start Menu\Programs\Startup\
     MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2011-4-18 576000]
     OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
     .
     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-2 604776]
     SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-7-10 376832]
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
     2011-01-22 05:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitmanPro35]
     2011-03-03 05:18 6449984 ----a-w- c:\program files\Hitman Pro 3.5\HitmanPro35.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
     2009-02-06 22:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
     2008-04-14 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
     "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
     "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
     .
     R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [10/21/2010 2:40 AM 237632]
     R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [10/21/2010 2:40 AM 338880]
     R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [10/21/2010 2:40 AM 656320]
     R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/19/2011 5:51 PM 135336]
     R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [7/14/2009 2:44 PM 933504]
     S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [7/10/2009 4:34 PM 1684736]
     S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [10/21/2010 2:39 AM 366840]
     .
     .
     ------- Supplementary Scan -------
     .
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
     LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
     DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework//microsoft/wrc32.ocx
     FF - ProfilePath - c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\om48p4mf.default\
     FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
     FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
     FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
     FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
     FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
     FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
     FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
     FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
     .
     .
     **************************************************************************
     .
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2011-04-22 20:31
     Windows 5.1.2600 Service Pack 3 NTFS
     .
     scanning hidden processes ...
     .
     scanning hidden autostart entries ...
     .
     scanning hidden files ...
     .
     scan completed successfully
     hidden files: 0
     .
     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------
     .
     - - - - - - - > 'winlogon.exe'(724)
     c:\windows\system32\igfxdev.dll
     .
     - - - - - - - > 'lsass.exe'(780)
     c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
     .
     Completion time: 2011-04-22 20:34:32
     ComboFix-quarantined-files.txt 2011-04-23 01:34
     .
     Pre-Run: 53,014,810,624 bytes free
     Post-Run: 52,980,596,736 bytes free
     .
     WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
     [boot loader]
     timeout=2
     default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
     [operating systems]
     c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
     UnsupportedDebug="do not select this" /debug
     multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
     .
     - - End Of File - - 05ABADB53FB4603A396EE876322149ED
  5. Hi, First my apologies to elise025 and the OP from This thread for not lurking a little more. I am having errors on my wife's PC similar to those found in that thread. I "recovered" the hidden files already, but as of this evening I am still getting redirects and random script errors from IE. I have run MBAM and Avira, and I have the log files specified in the tacked thread attached.

     DDS.txt:

     .
     DDS (Ver_11-03-05.01) - NTFSx86
     Run by Jennifer at 18:19:47.76 on Tue 04/19/2011
     Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1400 [GMT -5:00]
     .
     AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
     .
     ============== Running Processes ===============
     .
     C:\WINDOWS\system32\svchost -k DcomLaunch
     svchost.exe
     C:\WINDOWS\System32\svchost.exe -k netsvcs
     svchost.exe
     svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     svchost.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
     C:\WINDOWS\system32\svchost.exe -k imgsvc
     C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
     C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\WINDOWS\RTHDCPL.EXE
     C:\Program Files\EeePC\ACPI\AsTray.exe
     C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
     C:\Program Files\EeePC\ACPI\AsEPCMon.exe
     C:\WINDOWS\system32\igfxtray.exe
     C:\Program Files\Elantech\ETDCtrl.exe
     C:\WINDOWS\system32\igfxsrvc.exe
     C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
     C:\WINDOWS\system32\igfxext.exe
     C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
     C:\Program Files\MagicDisc\MagicDisc.exe
     C:\Program Files\OpenOffice.org 3\program\soffice.exe
     C:\Program Files\OpenOffice.org 3\program\soffice.bin
     C:\Program Files\Avira\AntiVir Desktop\avguard.exe
     C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
     C:\Program Files\Avira\AntiVir Desktop\sched.exe
     C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
     C:\Program Files\Mozilla Firefox\firefox.exe
     C:\Documents and Settings\Jennifer\Desktop\Defogger.exe
     C:\Documents and Settings\Jennifer\Desktop\dds.scr
     .
     ============== Pseudo HJT Report ===============
     .
     uURLSearchHooks: H - No File
     BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
     BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
     TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
     uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
     mRun: [RTHDCPL] RTHDCPL.EXE
     mRun: [Alcmtr] ALCMTR.EXE
     mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
     mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
     mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
     mRun: [igfxTray] c:\windows\system32\igfxtray.exe
     mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
     mRun: [Persistence] c:\windows\system32\igfxpers.exe
     mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
     mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
     mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
     mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe
     mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
     mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
     mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
     StartupFolder: c:\docume~1\jennifer\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
     StartupFolder: c:\docume~1\jennifer\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
     IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
     IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
     LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
     DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
     DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework//microsoft/wrc32.ocx
     DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
     DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
     DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
     Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
     Notify: igfxcui - igfxdev.dll
     SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
     .
     ================= FIREFOX ===================
     .
     FF - ProfilePath - c:\docume~1\jennifer\applic~1\mozilla\firefox\profiles\om48p4mf.default\
     FF - plugin: c:\documents and settings\jennifer\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
     FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
     FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
     FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
     FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
     FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
     FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
     FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
     FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
     FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
     .
     ---- FIREFOX POLICIES ----
     FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
     .
     ============= SERVICES / DRIVERS ===============
     .
     R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-10-21 237632]
     R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2010-10-21 338880]
     R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2010-10-21 656320]
     R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-4-19 11608]
     R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-4-19 135336]
     R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-4-19 269480]
     R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-4-19 61960]
     R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-7-10 55152]
     R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2009-7-14 933504]
     S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-7-10 1684736]
     S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
     S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2010-10-21 366840]
     S3 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2010-10-21 1145816]
     .
     =============== Created Last 30 ================
     .
     2011-04-19 22:51:02 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
     2011-04-19 22:51:00 -------- d-----w- c:\program files\Avira
     2011-04-19 22:51:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
     2011-04-18 23:57:03 -------- d--h--w- c:\windows\PIF
     2011-04-18 23:44:06 -------- d-s---w- C:\ComboFix
     2011-04-18 14:44:39 102400 ----a-w- c:\windows\RegBootClean.exe
     2011-04-18 12:08:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\Geek Squad
     2011-04-18 12:07:47 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
     2011-04-18 12:07:46 -------- d-----w- c:\program files\MagicDisc
     2011-04-18 12:04:05 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
     .
     ==================== Find3M ====================
     .
     2008-05-07 08:34:00 15523560 ----a-w- c:\program files\U1 Setup.exe
     .
     ============= FINISH: 18:20:56.31 ===============

     Attachment: Attach.zip
  6. Hi, new member here. I have been following this thread for a bit; it appears my wife's computer is affected by the same symptoms. I, too, had to make the hidden files reappear. Running combofix yields a windowed blue screen, and there's an error message which says that volsnap.sys is compromised by a rootkit and prompts to fix it. I simply escape at that point without hitting OK. I noticed that running combofix also runs about 3 or 4 iexplore.exe processes which I kill with a process manager. Same with lizzie, when attempting to run TDSSkiller it fails to run, even after renaming filename and extension. Ran GMER and came up with a log, would it be okay for me to post it in this thread, too?
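The Malwarebytes 1.x quick-scan log quoted in the first post above has a regular line structure, and the detail that matters most in it is easy to skim past: every detection ends in "No action taken", meaning the scanner logged the items but did not remove or quarantine anything, which is why a reboot alone could not change the redirects. The Python below is an added example, not code from these posts or from Malwarebytes. It parses the detection section of such a log (the constructed sample input reassembles the post's own entries one per line), cross-checks each section's stated count against the items actually listed so a truncated log is rejected, and reports which detections were left in place. The function and class names (parse_mbam_log, Detection, unremediated, threat_summary) are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the detection section of the Malwarebytes 1.x
# quick-scan log quoted in the first post, reassembled one entry per line.
SAMPLE_LOG = r"""
Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Windows\System32\websensecamserver.dll (RootKit.0Access.H) -> No action taken.

Registry Keys Detected: 3
HKCR\sp (TrojanProxy.Agent) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\sp (TrojanProxy.Agent) -> No action taken.
HKLM\System\CurrentControlSet\Services\SPService (TrojanProxy.Agent) -> No action taken.

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost|netsvc (TrojanProxy.Agent) -> Data: SPService^^ -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\System32\websensecamserver.dll (RootKit.0Access.H) -> No action taken.

(end)
"""


@dataclass
class Detection:
    category: str          # e.g. "Registry Keys"
    item: str              # file path, registry key, or key|value name
    threat: str            # MBAM threat name given in parentheses
    data: Optional[str]    # value data for "Registry Values" entries, else None
    action: str            # e.g. "No action taken"


# "<Category> Detected: <n>" opens a section and states how many items follow.
SECTION_RE = re.compile(r"^(?P<category>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# "<item> (<threat>)[ -> Data: <data>] -> <action>."
ITEM_RE = re.compile(
    r"^(?P<item>.+?) \((?P<threat>[^()]+)\)"
    r"(?: -> Data: (?P<data>.+?))?"
    r" -> (?P<action>[^.]+)\.$"
)


def parse_mbam_log(text: str) -> List[Detection]:
    """Parse the detection section of an MBAM 1.x log into Detection records.

    Raises ValueError if a line under a section is not understood, or if a
    section's stated count disagrees with the number of items listed, so a
    truncated or hand-edited log is rejected instead of silently accepted.
    """
    detections: List[Detection] = []
    expected: Dict[str, int] = {}
    category: Optional[str] = None

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)":
            continue
        section = SECTION_RE.match(line)
        if section:
            category = section.group("category")
            expected[category] = int(section.group("count"))
            continue
        if category is None or line == "(No malicious items detected)":
            continue  # header lines before the first section, or an empty section
        entry = ITEM_RE.match(line)
        if not entry:
            raise ValueError(f"unrecognised line under {category!r}: {line}")
        detections.append(Detection(category, entry.group("item"), entry.group("threat"),
                                    entry.group("data"), entry.group("action")))

    for cat, count in expected.items():
        found = sum(1 for d in detections if d.category == cat)
        if found != count:
            raise ValueError(f"{cat}: header says {count} item(s), log lists {found}")
    return detections


def unremediated(detections: List[Detection]) -> List[Detection]:
    """Detections the scanner logged but did not remove or quarantine."""
    return [d for d in detections if d.action == "No action taken"]


def threat_summary(detections: List[Detection]) -> Dict[str, int]:
    """Count detections per threat name, e.g. {'RootKit.0Access.H': 2, ...}."""
    summary: Dict[str, int] = {}
    for d in detections:
        summary[d.threat] = summary.get(d.threat, 0) + 1
    return summary


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(threat_summary(found))
    left = unremediated(found)
    print(f"{len(left)} of {len(found)} detections were left in place:")
    for d in left:
        extra = f" [data: {d.data}]" if d.data else ""
        print(f"  {d.category}: {d.item} ({d.threat}){extra}")
```

Run on the sample, the parser reports six detections, all unremediated, and the "Registry Values" entry surfaces the SvcHost netsvcs group with SPService appended, which is the persistence point the three TrojanProxy.Agent registry keys belong to; the count check is what makes the parser safe to point at logs pasted into forum posts, where lines are often lost in copying.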