
CallOfBooty (Members, 11 posts)

Posts posted by CallOfBooty

  1. I'd like us to scan your machine with ESET OnlineScan

    Hi, here goes:

    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\14\55a2d3ce-2889e0f1 a variant of Java/TrojanDownloader.OpenStream.NBF trojan deleted - quarantined

    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\43\7a0b54eb-3793b8e1 multiple threats deleted - quarantined

    C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe Win32/RegistryBooster application cleaned by deleting - quarantined

    C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP670\A0154883.exe Win32/OpenCandy application deleted - quarantined

    C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP670\A0154884.exe Win32/OpenCandy application deleted - quarantined

    C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP670\A0154885.exe Win32/OpenCandy application deleted - quarantined

    C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP711\A0176469.exe Win32/Toolbar.Zugo application deleted - quarantined

    C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP711\A0176470.exe Win32/Toolbar.Zugo application deleted - quarantined

    C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP711\A0176471.exe Win32/Toolbar.Zugo application deleted - quarantined

    C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP711\A0176472.exe Win32/Toolbar.Zugo application deleted - quarantined

    C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP711\A0176473.exe Win32/Toolbar.Zugo application deleted - quarantined

    C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP720\A0179324.exe Win32/RegistryBooster application cleaned by deleting - quarantined

    C:\WINDOWS\system32\brcoin32.dll probably a variant of Win32/KeyLogger.EliteKeylogger.46 application cleaned by deleting - quarantined

    C:\WINDOWS\system32\nsuD62.tmp a variant of Win32/KeyLogger.EliteKeylogger.46 application cleaned by deleting - quarantined

    C:\WINDOWS\system32\tscsvr.exe a variant of Win32/KeyLogger.EliteKeylogger.46 application deleted - quarantined

    C:\WINDOWS\system32\winsx86.dll a variant of Win32/KeyLogger.EliteKeylogger.46 application cleaned by deleting - quarantined

    Thank you.

  2. Hi,

    Please launch MBAM, update it and run a full scan. Post me the resulting log.

    Malwarebytes' Anti-Malware 1.50.1.1100

    www.malwarebytes.org

    Database version: 6528

    Windows 5.1.2600 Service Pack 3

    Internet Explorer 8.0.6001.18702

    5/7/2011 10:53:31 PM

    mbam-log-2011-05-07 (22-53-31).txt

    Scan type: Full scan (C:\|F:\|K:\|)

    Objects scanned: 700605

    Time elapsed: 5 hour(s), 18 minute(s), 30 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 0

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    (No malicious items detected)

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)

    Hey, I found the boot.ini file and got to see my startup options screen for the first time.

    The fact that there were open ports for Services and Remote Desktop is usually an indication of this infection.

    Could you show me this in any of my scan logs, if you don't mind?

    Otherwise, that's it. All is well, and I'm out of the doghouse at home. Thank you very much. I learned an immeasurable amount lately.

  3. Hi,

    How are things running at this point? Any problem left?

    The ATI software undid a lot of my havoc, which is excellent. Uninstalling the Java software gave me an error and it won't uninstall; any workaround? I would like to increase the RC timer, for the screen stays for only the blink of an eye, way too fast.

    Thanks.

  4. Hi,

    The new combofix log is below:

    ComboFix 11-05-06.05 - Owner 05/07/2011 13:52:51.2.2 - x86

    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3055.2386 [GMT -5:00]

    Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe

    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

    FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    .

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    c:\windows\TEMP\logishrd\LVPrcInj01.dll

    .

    .

    ((((((((((((((((((((((((( Files Created from 2011-04-07 to 2011-05-07 )))))))))))))))))))))))))))))))

    .

    .

    2011-05-07 18:40 . 2011-05-07 18:40 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ATI

    2011-05-07 18:40 . 2011-05-07 18:40 -------- d-----w- c:\documents and settings\Owner\Application Data\ATI

    2011-05-07 18:40 . 2011-05-07 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI

    2011-05-07 18:39 . 2011-05-07 18:39 0 ----a-w- c:\windows\ativpsrm.bin

    2011-05-07 18:34 . 2003-11-10 23:14 729088 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKernel.dll

    2011-05-07 18:34 . 2003-11-10 23:13 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ctor.dll

    2011-05-07 18:34 . 2003-11-10 23:12 266240 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iscript.dll

    2011-05-07 18:34 . 2003-11-10 23:12 192512 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iuser.dll

    2011-05-07 18:34 . 2003-11-10 23:11 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\DotNetInstaller.exe

    2011-05-07 18:34 . 2003-11-10 23:10 32768 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\Objectps.dll

    2011-05-07 18:34 . 2011-05-07 18:34 311428 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\setup.dll

    2011-05-07 18:34 . 2011-05-07 18:34 188548 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iGdi.dll

    2011-05-07 18:34 . 2010-02-11 02:20 593920 ------w- c:\windows\system32\ati2sgag.exe

    2011-05-07 18:33 . 2011-05-07 18:37 -------- d-----w- c:\program files\ATI Technologies

    2011-05-07 10:22 . 2011-05-07 10:22 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee

    2011-05-07 08:53 . 2011-05-07 08:53 -------- d-----w- C:\HelpAsst_backup

    2011-05-05 10:22 . 2011-05-05 10:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan

    2011-05-05 10:22 . 2011-05-07 10:22 -------- d-----w- c:\program files\McAfee Security Scan

    2011-05-05 10:03 . 2011-05-05 10:13 -------- d-----w- c:\program files\a-squared Free

    2011-05-05 09:50 . 2011-05-05 09:50 -------- d-----w- c:\program files\Sophos

    2011-05-05 07:58 . 2011-05-05 07:58 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys

    2011-05-05 07:55 . 2011-05-05 07:55 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

    2011-05-04 16:21 . 2011-05-04 16:21 -------- d-----w- c:\windows\system32\wbem\Repository

    2011-05-04 10:25 . 2011-05-04 10:25 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Help

    2011-05-04 09:25 . 2011-05-04 09:25 -------- d-----w- C:\ATI

    2011-05-02 02:59 . 2011-05-02 02:59 -------- d-----w- c:\program files\Common Files\Java

    2011-04-14 17:26 . 2011-02-14 07:42 25216 ----a-w- c:\windows\system32\drivers\lgusbmodem.sys

    2011-04-14 17:26 . 2011-02-14 07:42 20096 ----a-w- c:\windows\system32\drivers\lgusbgps.sys

    2011-04-14 17:26 . 2011-02-14 07:42 20864 ----a-w- c:\windows\system32\drivers\lgusbdiag.sys

    2011-04-14 17:26 . 2011-02-14 07:42 13056 ----a-w- c:\windows\system32\drivers\lgusbbus.sys

    2011-04-14 17:26 . 2011-04-14 17:26 -------- d-----w- c:\program files\LG Electronics

    2011-04-14 17:25 . 2011-04-14 17:25 -------- d-----w- C:\LGMN240

    2011-04-14 16:48 . 2006-05-04 13:33 53248 ----a-w- c:\windows\system32\CommonDL.dll

    2011-04-14 16:48 . 2005-10-04 06:39 44544 ----a-w- c:\windows\system32\msxml4a.dll

    2011-04-14 16:48 . 2011-04-14 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\LGMOBILEAX

    2011-04-14 16:45 . 2011-04-14 16:45 -------- d-----w- c:\documents and settings\Owner\Application Data\Sony Corporation

    2011-04-14 02:47 . 2011-04-14 02:47 -------- d-----w- c:\program files\MSXML 4.0

    2011-04-14 02:47 . 2007-07-19 23:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll

    2011-04-14 02:46 . 2011-04-14 02:46 -------- d-----w- c:\windows\Logs

    2011-04-14 02:45 . 2011-04-14 02:45 -------- d-----w- c:\program files\Sony

    2011-04-14 02:45 . 2011-04-14 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation

    .

    .

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2011-05-07 05:01 . 2004-02-06 01:03 60416 ----a-w- c:\windows\ALCFDRTM.VER

    2011-03-10 10:40 . 2009-02-10 20:10 737280 ----a-w- c:\windows\iun6002.exe

    2011-03-07 05:33 . 2004-02-05 01:55 692736 ----a-w- c:\windows\system32\inetcomm.dll

    2011-03-04 06:37 . 2002-02-26 22:58 420864 ----a-w- c:\windows\system32\vbscript.dll

    2011-03-03 13:21 . 2004-07-15 00:09 1857920 ----a-w- c:\windows\system32\win32k.sys

    2011-02-22 23:06 . 2004-07-15 00:08 43520 ----a-w- c:\windows\system32\licmgr10.dll

    2011-02-22 23:06 . 2004-07-15 00:08 1469440 ------w- c:\windows\system32\inetcpl.cpl

    2011-02-22 23:06 . 2004-02-07 02:05 916480 ----a-w- c:\windows\system32\wininet.dll

    2011-02-22 11:41 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec

    2011-02-22 01:12 . 2009-11-07 00:48 398760 ----a-r- c:\windows\system32\cpnprt2.cid

    2011-02-18 21:36 . 2010-03-26 16:23 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys

    2011-02-18 21:36 . 2010-03-26 16:23 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

    2011-02-17 13:18 . 2004-07-15 00:08 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

    2011-02-17 13:18 . 2004-07-15 00:08 357888 ----a-w- c:\windows\system32\drivers\srv.sys

    2011-02-17 12:32 . 2009-09-18 06:31 5120 ----a-w- c:\windows\system32\xpsp4res.dll

    2011-02-15 12:56 . 2004-07-15 00:08 290432 ----a-w- c:\windows\system32\atmfd.dll

    2011-02-09 13:53 . 2004-07-15 00:08 270848 ----a-w- c:\windows\system32\sbe.dll

    2011-02-09 13:53 . 2004-07-15 00:08 186880 ----a-w- c:\windows\system32\encdec.dll

    2011-02-08 13:33 . 2004-07-15 00:08 978944 ----a-w- c:\windows\system32\mfc42.dll

    2011-02-08 13:33 . 2004-07-15 00:08 974848 ----a-w- c:\windows\system32\mfc42u.dll

    2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

    2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

    2010-10-14 04:28 . 2011-03-02 02:05 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll

    .

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]

    "SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-03-11 135168]

    "Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]

    "Athan"="c:\program files\Athan\Athan.exe" [2011-03-07 1208320]

    "SoundMan"="SOUNDMAN.EXE" [2004-07-01 73728]

    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-08 198160]

    "LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]

    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]

    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2011-01-30 36760]

    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2011-01-30 821144]

    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]

    "PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2010-11-27 648032]

    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]

    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]

    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]

    .

    c:\documents and settings\Aayshi\Start Menu\Programs\Startup\

    Dropbox.lnk - c:\documents and settings\Owner\Application Data\Dropbox\bin\Dropbox.exe [N/A]

    .

    c:\documents and settings\All Users\Start Menu\Programs\Startup\

    HP Digital Imaging Monitor.lnk.disabled [2010-2-13 1808]

    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

    Microsoft Office.lnk.disabled [2009-1-29 1730]

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

    @=""

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

    @=""

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

    "CHotkey"=zHotkey.exe

    "HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe

    "AlcWzrd"=ALCWZRD.EXE

    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

    "mmtask"=c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe

    "NeroFilterCheck"=c:\windows\system32\NeroCheck.exe

    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

    "ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

    "DisableMonitoring"=dword:00000001

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

    "DisableMonitoring"=dword:00000001

    .

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

    "EnableFirewall"= 0 (0x0)

    .

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=

    "c:\\WINDOWS\\system32\\LEXPPS.EXE"=

    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

    "c:\\Documents and Settings\\All Users\\Application Data\\IJJIGame\\PLauncher.exe"=

    "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

    "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

    "c:\\Program Files\\iTunes\\iTunes.exe"=

    "c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=

    .

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    "1035:TCP"= 1035:TCP:Akamai NetSession Interface

    "5000:UDP"= 5000:UDP:Akamai NetSession Interface

    .

    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [3/1/2011 9:05 PM 84072]

    R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [5/5/2011 5:03 AM 1872320]

    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [7/14/2004 7:08 PM 14336]

    R2 GFIBckHAtt;GFI Backup 2009 - Home Edition Attendant Service;c:\progra~1\GFI\GFIBAC~1\GFIHInst.exe [11/24/2010 6:59 AM 440616]

    R2 GFIBckHSched;GFI Backup 2009 - Home Edition Scheduler Service;c:\progra~1\GFI\GFIBAC~1\GFIHSC~1.EXE [11/24/2010 6:59 AM 2324848]

    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/16/2009 9:58 AM 363344]

    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/18/2009 4:17 AM 88176]

    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/1/2011 9:05 PM 271480]

    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [3/1/2011 9:05 PM 271480]

    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [3/1/2011 9:05 PM 188136]

    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [3/1/2011 9:05 PM 141792]

    R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe [11/27/2010 12:55 AM 398176]

    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [3/1/2011 9:05 PM 55840]

    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/16/2009 9:58 AM 20952]

    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [3/1/2011 9:05 PM 313288]

    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [3/1/2011 9:05 PM 88544]

    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]

    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/29/2010 8:52 PM 136176]

    S2 WinFLdrv;WinFLdrv;c:\windows\system32\WinFLdrv.sys [1/31/2010 2:32 PM 17984]

    S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [9/23/2009 10:56 PM 2944]

    S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [9/23/2009 10:56 PM 60416]

    S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [9/23/2009 10:56 PM 11008]

    S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [9/23/2009 11:00 PM 10368]

    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/29/2010 8:52 PM 136176]

    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]

    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1A.tmp --> c:\windows\system32\1A.tmp [?]

    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [3/1/2011 9:05 PM 88544]

    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/1/2011 9:05 PM 84264]

    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

    S3 UsbGps;LGE CDMA USB GPS NMEA Port;c:\windows\system32\drivers\lgusbgps.sys [4/14/2011 12:26 PM 20096]

    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]

    S3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]

    S3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]

    .

    --- Other Services/Drivers In Memory ---

    .

    *Deregistered* - mfeavfk01

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

    Akamai REG_MULTI_SZ Akamai

    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

    2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll

    .

    Contents of the 'Scheduled Tasks' folder

    .

    2011-05-04 c:\windows\Tasks\AppleSoftwareUpdate.job

    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

    .

    2011-05-07 c:\windows\Tasks\Google Software Updater.job

    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-25 21:22]

    .

    2011-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 01:52]

    .

    2011-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 01:52]

    .

    2010-04-28 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

    - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-16 21:31]

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = hxxp://att.net

    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000

    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xxukj3n6.default\

    FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/

    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

    FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor

    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

    FF - Ext: Adobe Acrobat - Create PDF: web2pdfextension@web2pdf.adobedotcom - c:\program files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn

    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

    .

    .

    **************************************************************************

    .

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2011-05-07 14:09

    Windows 5.1.2600 Service Pack 3 NTFS

    .

    scanning hidden processes ...

    .

    scanning hidden autostart entries ...

    .

    scanning hidden files ...

    .

    scan completed successfully

    hidden files: 0

    .

    **************************************************************************

    .

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

    "ImagePath"="\??\c:\windows\system32\1A.tmp"

    .

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

    "ImagePath"="c:\windows\system32\GameMon.des -service"

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------

    .

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

    @Denied: (A 2) (Everyone)

    @="FlashBroker"

    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    .

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

    "Enabled"=dword:00000001

    .

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    .

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    .

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

    @Denied: (A 2) (Everyone)

    @="IFlashBroker4"

    .

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

    @="{00020424-0000-0000-C000-000000000046}"

    .

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    "Version"="1.0"

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    .

    - - - - - - - > 'winlogon.exe'(1080)

    c:\windows\system32\Ati2evxx.dll

    .

    - - - - - - - > 'explorer.exe'(5024)

    c:\windows\system32\WININET.dll

    c:\windows\TEMP\logishrd\LVPrcInj01.dll

    c:\progra~1\mcafee\SITEAD~1\saHook.dll

    c:\windows\system32\webcheck.dll

    c:\windows\system32\IEFRAME.dll

    c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL

    c:\windows\system32\Msi.dll

    c:\windows\system32\mshtml.dll

    c:\windows\system32\msls31.dll

    c:\windows\system32\WPDShServiceObj.dll

    c:\windows\system32\PortableDeviceTypes.dll

    c:\windows\system32\PortableDeviceApi.dll

    .

    ------------------------ Other Running Processes ------------------------

    .

    c:\windows\system32\Ati2evxx.exe

    c:\windows\system32\LEXBCES.EXE

    c:\windows\system32\Ati2evxx.exe

    c:\windows\system32\LEXPPS.EXE

    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

    c:\program files\Bonjour\mDNSResponder.exe

    c:\program files\Java\jre6\bin\jqs.exe

    c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

    c:\program files\Windows Media Player\WMPNetwk.exe

    c:\program files\Common Files\McAfee\SystemCore\mcshield.exe

    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

    c:\windows\system32\rundll32.exe

    c:\windows\SOUNDMAN.EXE

    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

    c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe

    c:\program files\iPod\bin\iPodService.exe

    c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

    .

    **************************************************************************

    .

    Completion time: 2011-05-07 14:16:34 - machine was rebooted

    ComboFix-quarantined-files.txt 2011-05-07 19:16

    ComboFix2.txt 2011-05-07 06:02

    .

    Pre-Run: 422,980,599,808 bytes free

    Post-Run: 422,973,087,744 bytes free

    .

    - - End Of File - - 3A18D48FE69AAA05A8E650C6A9D0E09B

    How can I get the console recovery page to hang around for 2 seconds? Right now it only displays as a quick flash and is gone. Thanks for the ati info as well.

  5. Just googled the video driver specs and found the 2 suspect sites.

    Using the search string: ati radeon x300 driver download

    I remember going to these two sites:

    driverscollection.com

    members.driverguide.com

    They looked legit but I'm not sure. Also their downloads may be compromised. Would it be worth the time to get someone from your team to check it out?

  6. Hi,

    Ran the tool. Log is below:

    C:\Documents and Settings\Owner\My Documents\Downloads\RootkitRemoval\HelpAsst_mebroot_fix.exe

    Sat 05/07/2011 at 3:57:38.93

    HelpAssistant account Inactive

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found

    ~~ Checking firewall ports ~~

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

    ~~ Checking profile list ~~

    No HelpAssistant profile in registry

    ~~ Checking mbr ~~

    user & kernel MBR OK

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Status check on Sat 05/07/2011 at 4:28:02.98

    Account active No

    Local Group Memberships

    ~~ Checking mbr ~~

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully

    user: MBR read successfully

    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS

    kernel: MBR read successfully

    user & kernel MBR OK

    copy of MBR has been found in sector 0x03A384C41

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found

    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters

    ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

    ~~ Checking profile list ~~

    No HelpAssistant profile in registry

    ~~ Checking for HelpAssistant directories ~~

    none found

    ~~ Checking firewall ports ~~

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    ~~ EOF ~~

    If that is not too much trouble finding the drivers, cool. I have an ATI Radeon x300. Oh, I almost forgot. Before posting to this forum I ran MBRcheck, which found the sinowal rootkit. I followed the instructions and since then it shows the MBR to be a regular XP installation. This last tool you gave me mentioned the sinowal rootkit and reminded me of some output I saw on this computer. Could you tell me what clues were there on the Combofix log? Also, should I be concerned about 2 persistent kernel patches? Using GMER:

    GMER 1.0.15.15627 - http://www.gmer.net

    Rootkit quick scan 2011-05-07 04:49:16

    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-18 ST3500320AS rev.SD81

    Running: 5rmh6o3t.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kxtdapod.sys

    ---- System - GMER 1.0.15 ----

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF74640A4]

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF74640B8]

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

    AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    ---- EOF - GMER 1.0.15 ----

    The two Zw* entries above are identified as kernel patches in other scanners. I have also noticed that the PF usage creeps upwards from the usual 7XX MB and later winds up at 12xx MB or so. Hey, it's also cool to get the recovery console. Thanks.

  7. Hi,

    Combofix ran and installed the recovery console, thank you. Log is included in this post.

    Fortunately there are no serious performance problems other than this old computer gracefully slowing down. I tried to upgrade my video card (stock) drivers, and that is when I realized there was a serious problem. Lately (before infection) browsers have been scrolling slower and have been slow to launch when clicked, so I thought about the video card. We're budgeting for a newer machine in the meantime. Do you know a good site to update my video drivers from...(half-seriously)?

    //////////////////////////////////////////////////////////

    ComboFix 11-05-06.03 - Owner 05/07/2011 0:25.1.2 - x86

    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3055.2382 [GMT -5:00]

    Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe

    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

    FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    .

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    c:\documents and settings\Aayshi\WINDOWS

    c:\windows\system32\AutoRun.inf

    c:\windows\system32\BSTIEPrintCtl1.dll

    c:\windows\system32\Thumbs.db

    c:\windows\TEMP\logishrd\LVPrcInj01.dll

    .

    .

    ((((((((((((((((((((((((( Files Created from 2011-04-07 to 2011-05-07 )))))))))))))))))))))))))))))))

    .

    .

    2011-05-05 10:22 . 2011-05-05 10:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan

    2011-05-05 10:22 . 2011-05-05 10:22 -------- d-----w- c:\program files\McAfee Security Scan

    2011-05-05 10:03 . 2011-05-05 10:13 -------- d-----w- c:\program files\a-squared Free

    2011-05-05 09:50 . 2011-05-05 09:50 -------- d-----w- c:\program files\Sophos

    2011-05-05 07:58 . 2011-05-05 07:58 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys

    2011-05-05 07:55 . 2011-05-05 07:55 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

    2011-05-04 16:21 . 2011-05-04 16:21 -------- d-----w- c:\windows\system32\wbem\Repository

    2011-05-04 10:25 . 2011-05-04 10:25 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Help

    2011-05-04 09:25 . 2011-05-04 09:25 -------- d-----w- C:\ATI

    2011-05-02 02:59 . 2011-05-02 02:59 -------- d-----w- c:\program files\Common Files\Java

    2011-04-14 17:26 . 2011-02-14 07:42 25216 ----a-w- c:\windows\system32\drivers\lgusbmodem.sys

    2011-04-14 17:26 . 2011-02-14 07:42 20096 ----a-w- c:\windows\system32\drivers\lgusbgps.sys

    2011-04-14 17:26 . 2011-02-14 07:42 20864 ----a-w- c:\windows\system32\drivers\lgusbdiag.sys

    2011-04-14 17:26 . 2011-02-14 07:42 13056 ----a-w- c:\windows\system32\drivers\lgusbbus.sys

    2011-04-14 17:26 . 2011-04-14 17:26 -------- d-----w- c:\program files\LG Electronics

    2011-04-14 17:25 . 2011-04-14 17:25 -------- d-----w- C:\LGMN240

    2011-04-14 16:48 . 2006-05-04 13:33 53248 ----a-w- c:\windows\system32\CommonDL.dll

    2011-04-14 16:48 . 2005-10-04 06:39 44544 ----a-w- c:\windows\system32\msxml4a.dll

    2011-04-14 16:48 . 2011-04-14 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\LGMOBILEAX

    2011-04-14 16:45 . 2011-04-14 16:45 -------- d-----w- c:\documents and settings\Owner\Application Data\Sony Corporation

    2011-04-14 02:47 . 2011-04-14 02:47 -------- d-----w- c:\program files\MSXML 4.0

    2011-04-14 02:47 . 2007-07-19 23:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll

    2011-04-14 02:46 . 2011-04-14 02:46 -------- d-----w- c:\windows\Logs

    2011-04-14 02:45 . 2011-04-14 02:45 -------- d-----w- c:\program files\Sony

    2011-04-14 02:45 . 2011-04-14 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation

    .

    .

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2011-05-07 05:01 . 2004-02-06 01:03 60416 ----a-w- c:\windows\ALCFDRTM.VER

    2011-03-10 10:40 . 2009-02-10 20:10 737280 ----a-w- c:\windows\iun6002.exe

    2011-03-07 05:33 . 2004-02-05 01:55 692736 ----a-w- c:\windows\system32\inetcomm.dll

    2011-03-04 06:37 . 2002-02-26 22:58 420864 ----a-w- c:\windows\system32\vbscript.dll

    2011-03-03 13:21 . 2004-07-15 00:09 1857920 ----a-w- c:\windows\system32\win32k.sys

    2011-02-22 23:06 . 2004-07-15 00:08 43520 ----a-w- c:\windows\system32\licmgr10.dll

    2011-02-22 23:06 . 2004-07-15 00:08 1469440 ------w- c:\windows\system32\inetcpl.cpl

    2011-02-22 23:06 . 2004-02-07 02:05 916480 ----a-w- c:\windows\system32\wininet.dll

    2011-02-22 11:41 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec

    2011-02-22 01:12 . 2009-11-07 00:48 398760 ----a-r- c:\windows\system32\cpnprt2.cid

    2011-02-18 21:36 . 2010-03-26 16:23 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys

    2011-02-18 21:36 . 2010-03-26 16:23 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

    2011-02-17 13:18 . 2004-07-15 00:08 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

    2011-02-17 13:18 . 2004-07-15 00:08 357888 ----a-w- c:\windows\system32\drivers\srv.sys

    2011-02-17 12:32 . 2009-09-18 06:31 5120 ----a-w- c:\windows\system32\xpsp4res.dll

    2011-02-15 12:56 . 2004-07-15 00:08 290432 ----a-w- c:\windows\system32\atmfd.dll

    2011-02-09 13:53 . 2004-07-15 00:08 270848 ----a-w- c:\windows\system32\sbe.dll

    2011-02-09 13:53 . 2004-07-15 00:08 186880 ----a-w- c:\windows\system32\encdec.dll

    2011-02-08 13:33 . 2004-07-15 00:08 978944 ----a-w- c:\windows\system32\mfc42.dll

    2011-02-08 13:33 . 2004-07-15 00:08 974848 ----a-w- c:\windows\system32\mfc42u.dll

    2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

    2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

    2010-10-14 04:28 . 2011-03-02 02:05 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll

    .

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]

    "SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-03-11 135168]

    "Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]

    "Athan"="c:\program files\Athan\Athan.exe" [2011-03-07 1208320]

    "SoundMan"="SOUNDMAN.EXE" [2004-07-01 73728]

    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-08 198160]

    "LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]

    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]

    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2011-01-30 36760]

    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2011-01-30 821144]

    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]

    "PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2010-11-27 648032]

    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]

    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]

    .

    c:\documents and settings\Aayshi\Start Menu\Programs\Startup\

    Dropbox.lnk - c:\documents and settings\Owner\Application Data\Dropbox\bin\Dropbox.exe [N/A]

    .

    c:\documents and settings\All Users\Start Menu\Programs\Startup\

    HP Digital Imaging Monitor.lnk.disabled [2010-2-13 1808]

    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

    Microsoft Office.lnk.disabled [2009-1-29 1730]

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

    @=""

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

    @=""

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

    "CHotkey"=zHotkey.exe

    "HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe

    "AlcWzrd"=ALCWZRD.EXE

    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

    "mmtask"=c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe

    "NeroFilterCheck"=c:\windows\system32\NeroCheck.exe

    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

    "ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

    "DisableMonitoring"=dword:00000001

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

    "DisableMonitoring"=dword:00000001

    .

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

    "EnableFirewall"= 0 (0x0)

    .

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=

    "c:\\WINDOWS\\system32\\LEXPPS.EXE"=

    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

    "c:\\Documents and Settings\\All Users\\Application Data\\IJJIGame\\PLauncher.exe"=

    "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

    "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

    "c:\\Program Files\\iTunes\\iTunes.exe"=

    "c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=

    .

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    "3389:TCP"= 3389:TCP:Remote Desktop

    "65533:TCP"= 65533:TCP:Services

    "52344:TCP"= 52344:TCP:Services

    "2898:TCP"= 2898:TCP:Services

    "3291:TCP"= 3291:TCP:Services

    "7742:TCP"= 7742:TCP:Services

    "4539:TCP"= 4539:TCP:Services

    "2274:TCP"= 2274:TCP:Services

    "9636:TCP"= 9636:TCP:Services

    "9153:TCP"= 9153:TCP:Services

    "6119:TCP"= 6119:TCP:Services

    "6120:TCP"= 6120:TCP:Services

    "8415:TCP"= 8415:TCP:Services

    "2009:TCP"= 2009:TCP:Services

    "8102:TCP"= 8102:TCP:Services

    "9117:TCP"= 9117:TCP:Services

    "7136:TCP"= 7136:TCP:Services

    "7927:TCP"= 7927:TCP:Services

    "2772:TCP"= 2772:TCP:Services

    "1039:TCP"= 1039:TCP:Akamai NetSession Interface

    "5000:UDP"= 5000:UDP:Akamai NetSession Interface

    .

    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [3/1/2011 9:05 PM 84072]

    R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [5/5/2011 5:03 AM 1872320]

    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [7/14/2004 7:08 PM 14336]

    R2 GFIBckHAtt;GFI Backup 2009 - Home Edition Attendant Service;c:\progra~1\GFI\GFIBAC~1\GFIHInst.exe [11/24/2010 6:59 AM 440616]

    R2 GFIBckHSched;GFI Backup 2009 - Home Edition Scheduler Service;c:\progra~1\GFI\GFIBAC~1\GFIHSC~1.EXE [11/24/2010 6:59 AM 2324848]

    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/16/2009 9:58 AM 363344]

    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/18/2009 4:17 AM 88176]

    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/1/2011 9:05 PM 271480]

    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [3/1/2011 9:05 PM 271480]

    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [3/1/2011 9:05 PM 188136]

    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [3/1/2011 9:05 PM 141792]

    R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe [11/27/2010 12:55 AM 398176]

    R2 WinFLdrv;WinFLdrv;c:\windows\system32\WinFLdrv.sys [1/31/2010 2:32 PM 17984]

    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [3/1/2011 9:05 PM 55840]

    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/16/2009 9:58 AM 20952]

    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [3/1/2011 9:05 PM 313288]

    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [3/1/2011 9:05 PM 88544]

    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]

    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/29/2010 8:52 PM 136176]

    S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [9/23/2009 10:56 PM 2944]

    S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [9/23/2009 10:56 PM 60416]

    S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [9/23/2009 10:56 PM 11008]

    S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [9/23/2009 11:00 PM 10368]

    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/29/2010 8:52 PM 136176]

    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]

    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1A.tmp --> c:\windows\system32\1A.tmp [?]

    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [3/1/2011 9:05 PM 88544]

    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/1/2011 9:05 PM 84264]

    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

    S3 UsbGps;LGE CDMA USB GPS NMEA Port;c:\windows\system32\drivers\lgusbgps.sys [4/14/2011 12:26 PM 20096]

    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]

    S3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]

    S3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]

    .

    --- Other Services/Drivers In Memory ---

    .

    *Deregistered* - mfeavfk01

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

    Akamai REG_MULTI_SZ Akamai

    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

    2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll

    .

    Contents of the 'Scheduled Tasks' folder

    .

    2011-05-04 c:\windows\Tasks\AppleSoftwareUpdate.job

    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

    .

    2011-05-07 c:\windows\Tasks\Google Software Updater.job

    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-25 21:22]

    .

    2011-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 01:52]

    .

    2011-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 01:52]

    .

    2010-04-28 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

    - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-16 21:31]

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = hxxp://att.net

    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000

    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xxukj3n6.default\

    FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/

    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

    FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor

    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

    FF - Ext: Adobe Acrobat - Create PDF: web2pdfextension@web2pdf.adobedotcom - c:\program files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn

    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

    .

    - - - - ORPHANS REMOVED - - - -

    .

    Toolbar-Locked - (no file)

    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

    WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

    ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)

    ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)

    ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)

    ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)

    AddRemove-{8ADE24B2-DCA4-4A1E-8B52-A5B435522D9E} - c:\program files\InstallShield Installation Information\{8ADE24B2-DCA4-4A1E-8B52-A5B435522D9E}\setup.exe

    AddRemove-{901DC58A-5C1B-4315-BA40-5AD3D3A463B9} - c:\program files\InstallShield Installation Information\{901DC58A-5C1B-4315-BA40-5AD3D3A463B9}\setup.exe

    .

    .

    .

    **************************************************************************

    .

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2011-05-07 00:55

    Windows 5.1.2600 Service Pack 3 NTFS

    .

    scanning hidden processes ...

    .

    scanning hidden autostart entries ...

    .

    scanning hidden files ...

    .

    scan completed successfully

    hidden files: 0

    .

    **************************************************************************

    .

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

    "ImagePath"="\??\c:\windows\system32\1A.tmp"

    .

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

    "ImagePath"="c:\windows\system32\GameMon.des -service"

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------

    .

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

    @Denied: (A 2) (Everyone)

    @="FlashBroker"

    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    .

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

    "Enabled"=dword:00000001

    .

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    .

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    .

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

    @Denied: (A 2) (Everyone)

    @="IFlashBroker4"

    .

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

    @="{00020424-0000-0000-C000-000000000046}"

    .

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    "Version"="1.0"

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    .

    - - - - - - - > 'explorer.exe'(2724)

    c:\windows\system32\WININET.dll

    c:\windows\TEMP\logishrd\LVPrcInj01.dll

    c:\progra~1\mcafee\SITEAD~1\saHook.dll

    c:\windows\system32\webcheck.dll

    c:\windows\system32\IEFRAME.dll

    c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL

    c:\windows\system32\Msi.dll

    c:\windows\system32\mshtml.dll

    c:\windows\system32\msls31.dll

    c:\windows\system32\WPDShServiceObj.dll

    c:\windows\system32\PortableDeviceTypes.dll

    c:\windows\system32\PortableDeviceApi.dll

    .

    ------------------------ Other Running Processes ------------------------

    .

    c:\windows\system32\LEXBCES.EXE

    c:\windows\system32\LEXPPS.EXE

    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

    c:\program files\Bonjour\mDNSResponder.exe

    c:\program files\Java\jre6\bin\jqs.exe

    c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

    c:\program files\Common Files\McAfee\SystemCore\mcshield.exe

    c:\program files\Windows Media Player\WMPNetwk.exe

    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

    c:\windows\system32\rundll32.exe

    c:\windows\system32\wscntfy.exe

    c:\windows\SOUNDMAN.EXE

    c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe

    c:\program files\iPod\bin\iPodService.exe

    .

    **************************************************************************

    .

    Completion time: 2011-05-07 01:02:07 - machine was rebooted

    ComboFix-quarantined-files.txt 2011-05-07 06:01

    .

    Pre-Run: 423,312,498,688 bytes free

    Post-Run: 423,438,118,912 bytes free

    .

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

    [boot loader]

    timeout=2

    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

    [operating systems]

    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

    UnsupportedDebug="do not select this" /debug

    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    .

    - - End Of File - - E1F843D99787E5B6631A03733E56C76B
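Added example, not part of this thread and not ComboFix's own code: a short Python script that parses the firewall-policy registry keys ComboFix dumps in its "Reg Loading Points" section (the block above) and ranks the GloballyOpenPorts entries for a helper to follow up on. The sample input is a constructed subset of the entries in the log above; the severity labels, the "generic label on a high port" heuristic and the remote-access port table are this example's assumptions, not anything the tool reports.

```python
"""Triage the Windows Firewall exceptions dumped by ComboFix.

Added example (not part of the thread): parses the firewallpolicy
registry keys in the ComboFix log format and flags entries a helper
would want explained. Severity labels, the GENERIC_NAMES heuristic and
the REMOTE_ACCESS_PORTS table are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input in ComboFix's "Reg Loading Points" layout. It
# reproduces the keys from the log above with a subset of the port entries.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2898:TCP"= 2898:TCP:Services
"1039:TCP"= 1039:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
"""

SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
ENABLE_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')
PORT_RE = re.compile(
    r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<name>.*)$'
)

# Heuristics (assumptions of this example): a throwaway label on a high port
# says nothing about which program opened it, and remote-access ports opened
# to every source address deserve a question regardless of label.
GENERIC_NAMES = {"", "services", "service"}
REMOTE_ACCESS_PORTS = {3389: "Remote Desktop (RDP)", 5900: "VNC", 23: "Telnet"}


@dataclass
class OpenPort:
    port: int
    proto: str
    name: str
    profile: str  # "standard" or "domain"


@dataclass
class FirewallPolicy:
    enable_firewall: Optional[int] = None
    open_ports: List[OpenPort] = field(default_factory=list)


def parse_firewall_policy(text: str) -> FirewallPolicy:
    """Walk the dump line by line, remembering which [key] we are under."""
    policy = FirewallPolicy()
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        if key.endswith("firewallpolicy\\standardprofile"):
            m = ENABLE_RE.match(line)
            if m:
                policy.enable_firewall = int(m.group("val"))
        elif key.endswith("globallyopenports\\list"):
            m = PORT_RE.match(line)
            if m:
                profile = "domain" if "domainprofile" in key else "standard"
                policy.open_ports.append(OpenPort(
                    int(m.group("port")), m.group("proto"),
                    m.group("name").strip(), profile))
    return policy


def triage(policy: FirewallPolicy) -> List[str]:
    """Rank the exceptions: disabled-profile note first, then HIGH, MEDIUM, INFO."""
    ranked: List[Tuple[int, str]] = []
    if policy.enable_firewall == 0:
        ranked.append((0, "NOTE: standard profile has EnableFirewall=0, so these "
                          "exceptions are dormant until the Windows Firewall is "
                          "re-enabled; they still record what wanted to be reachable"))
    for p in policy.open_ports:
        label = f"{p.port}/{p.proto} '{p.name or 'no description'}' ({p.profile} profile)"
        if p.port in REMOTE_ACCESS_PORTS:
            ranked.append((1, f"HIGH: {label} opens {REMOTE_ACCESS_PORTS[p.port]} "
                              "to any source address"))
        elif p.name.lower() in GENERIC_NAMES and p.port >= 1024:
            ranked.append((2, f"MEDIUM: {label} is a high port with a generic label; "
                              "find the owning process (netstat -abno) before trusting it"))
        else:
            ranked.append((3, f"INFO: {label}"))
    return [msg for _, msg in sorted(ranked, key=lambda t: t[0])]


if __name__ == "__main__":
    for finding in triage(parse_firewall_policy(SAMPLE_LOG)):
        print(finding)
```

In this log the standard profile shows EnableFirewall=0 (McAfee's firewall is the one in use), so the Windows Firewall exceptions are not currently enforced. They still record that something registered 3389/TCP plus eighteen high TCP ports under the bare label "Services", and the log alone does not say which program did it; mapping each port to its owning process is the natural next check before deciding whether the entries are leftovers from a game or P2P client or something that needs removal.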

  8. Hi Elise,

    Thanks for the reply. I read the instructions after I posted; here is DDS:

    .

    DDS (Ver_11-03-05.01) - NTFSx86

    Run by Owner at 21:50:33.87 on Thu 05/05/2011

    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24

    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3055.2362 [GMT -5:00]

    .

    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

    FW: McAfee Firewall *Enabled*

    .

    ============== Running Processes ===============

    .

    C:\WINDOWS\system32\svchost -k DcomLaunch

    svchost.exe

    C:\WINDOWS\System32\svchost.exe -k netsvcs

    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

    svchost.exe

    svchost.exe

    C:\WINDOWS\system32\LEXBCES.EXE

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\system32\LEXPPS.EXE

    svchost.exe

    C:\Program Files\a-squared Free\a2service.exe

    C:\WINDOWS\System32\svchost.exe -k Akamai

    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

    C:\Program Files\Bonjour\mDNSResponder.exe

    C:\PROGRA~1\GFI\GFIBAC~1\GFIHInst.exe

    C:\PROGRA~1\GFI\GFIBAC~1\GFIHSC~1.EXE

    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

    C:\WINDOWS\System32\svchost.exe -k HTTPFilter

    C:\Program Files\Java\jre6\bin\jqs.exe

    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

    C:\WINDOWS\system32\mfevtps.exe

    C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe

    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

    C:\WINDOWS\System32\svchost.exe -k imgsvc

    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\system32\rundll32.exe

    C:\Program Files\Digital Media Reader\shwiconem.exe

    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

    C:\Program Files\Athan\Athan.exe

    C:\WINDOWS\SOUNDMAN.EXE

    C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe

    C:\Program Files\McAfee.com\Agent\mcagent.exe

    C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe

    C:\Program Files\QuickTime\QTTask.exe

    C:\Program Files\iTunes\iTunesHelper.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe

    C:\Program Files\Common Files\Java\Java Update\jusched.exe

    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe

    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

    C:\Program Files\iPod\bin\iPodService.exe

    C:\Program Files\Mozilla Firefox\firefox.exe

    C:\Program Files\Mozilla Firefox\plugin-container.exe

    C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

    .

    ============== Pseudo HJT Report ===============

    .

    uStart Page = hxxp://att.net

    uWindow Title = Windows Internet Explorer provided by Yahoo!

    uDefault_Page_URL = hxxp://att.net

    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

    BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 10\SnagitBHO.dll

    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110301200535.dll

    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll

    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

    BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

    BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File

    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

    TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 10\SnagitIEAddin.dll

    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

    TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File

    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

    uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

    mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

    mRun: [sunKistEM] c:\program files\digital media reader\shwiconem.exe

    mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe

    mRun: [Athan] c:\program files\athan\Athan.exe

    mRun: [soundMan] SOUNDMAN.EXE

    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

    mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide

    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

    mRun: [<NO NAME>]

    mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"

    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe"

    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

    mRun: [PMBVolumeWatcher] c:\program files\sony\pmb\PMBVolumeWatcher.exe

    mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\HP Digital Imaging Monitor.lnk.disabled

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe

    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Microsoft Office.lnk.disabled

    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

    IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

    IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

    IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000

    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}

    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

    Hosts: 127.0.0.1 www.spywareinfo.com

    .

    ================= FIREFOX ===================

    .

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\xxukj3n6.default\

    FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/

    FF - component: c:\program files\adobe\acrobat 10.0\acrobat\browser\wcfirefoxextn\components\WCFirefoxExtn.dll

    FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

    FF - plugin: c:\program files\google\google updater\2.4.1441.4352\npCIDetect13.dll

    FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

    FF - plugin: c:\program files\microsoft\office live\npOLW.dll

    FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll

    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

    FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll

    FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll

    FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll

    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

    FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor

    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

    FF - Ext: Adobe Acrobat - Create PDF: web2pdfextension@web2pdf.adobedotcom - c:\program files\adobe\acrobat 10.0\acrobat\browser\WCFirefoxExtn

    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

    .

    ============= SERVICES / DRIVERS ===============

    .

    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 386840]

    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-3-1 84072]

    R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2011-5-5 1872320]

    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-7-14 14336]

    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-9-18 54752]

    R2 GFIBckHAtt;GFI Backup 2009 - Home Edition Attendant Service;c:\progra~1\gfi\gfibac~1\GFIHInst.exe [2010-11-24 440616]

    R2 GFIBckHSched;GFI Backup 2009 - Home Edition Scheduler Service;c:\progra~1\gfi\gfibac~1\GFIHSC~1.EXE [2010-11-24 2324848]

    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-1-16 363344]

    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-9-18 88176]

    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-3-1 271480]

    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-3-1 271480]

    R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-3-1 271480]

    R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-3-1 171168]

    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-3-1 188136]

    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-3-1 141792]

    R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\sony\pmb\PMBDeviceInfoProvider.exe [2010-11-27 398176]

    R2 WinFLdrv;WinFLdrv;c:\windows\system32\WinFLdrv.sys [2010-1-31 17984]

    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-3-1 55840]

    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-1-16 20952]

    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-9-18 152960]

    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-9-18 52104]

    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-3-1 313288]

    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-3-1 88544]

    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-29 136176]

    S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2009-9-23 2944]

    S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2009-9-23 60416]

    S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2009-9-23 11008]

    S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2009-9-23 10368]

    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]

    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-29 136176]

    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1a.tmp --> c:\windows\system32\1A.tmp [?]

    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-3-1 88544]

    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-3-1 84264]

    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-9-18 34248]

    S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-9-18 40552]

    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

    S3 UsbGps;LGE CDMA USB GPS NMEA Port;c:\windows\system32\drivers\lgusbgps.sys [2011-4-14 20096]

    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

    S3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]

    S3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]

    .

    =============== Created Last 30 ================

    .

    2011-05-05 10:22:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan

    2011-05-05 10:22:40 -------- d-----w- c:\program files\McAfee Security Scan

    2011-05-05 10:03:22 -------- d-----w- c:\program files\a-squared Free

    2011-05-05 09:50:01 -------- d-----w- c:\program files\Sophos

    2011-05-05 07:58:11 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys

    2011-05-05 07:55:12 388096 ----a-r- c:\docume~1\owner\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

    2011-05-04 16:21:12 -------- d-----w- c:\windows\system32\wbem\repository\FS

    2011-05-04 16:21:12 -------- d-----w- c:\windows\system32\wbem\Repository

    2011-05-04 10:25:02 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Help

    2011-05-04 09:25:53 -------- d-----w- C:\ATI

    2011-04-14 17:26:40 25216 ----a-w- c:\windows\system32\drivers\lgusbmodem.sys

    2011-04-14 17:26:39 20864 ----a-w- c:\windows\system32\drivers\lgusbdiag.sys

    2011-04-14 17:26:39 20096 ----a-w- c:\windows\system32\drivers\lgusbgps.sys

    2011-04-14 17:26:39 13056 ----a-w- c:\windows\system32\drivers\lgusbbus.sys

    2011-04-14 17:26:33 -------- d-----w- c:\program files\LG Electronics

    2011-04-14 17:25:05 -------- d-----w- C:\LGMN240

    2011-04-14 16:48:28 53248 ----a-w- c:\windows\system32\CommonDL.dll

    2011-04-14 16:48:28 44544 ----a-w- c:\windows\system32\msxml4a.dll

    2011-04-14 16:48:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\LGMOBILEAX

    2011-04-14 02:47:38 -------- d-----w- c:\program files\MSXML 4.0

    2011-04-14 02:47:27 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll

    2011-04-14 02:46:37 -------- d-----w- c:\windows\Logs

    2011-04-14 02:45:30 -------- d-----w- c:\program files\Sony

    2011-04-14 02:45:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\Sony Corporation

    .

    ==================== Find3M ====================

    .

    2011-03-10 10:40:44 737280 ----a-w- c:\windows\iun6002.exe

    2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

    2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll

    2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

    2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll

    2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll

    2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl

    2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec

    2011-02-22 01:12:56 398760 ----a-r- c:\windows\system32\cpnprt2.cid

    2011-02-18 21:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

    2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll

    2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll

    2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll

    2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll

    2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll

    2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll

    .

    ============= FINISH: 21:52:14.53 ===============

    Again thanks for your consideration.

    (Attachment: attach.zip)

  9. Hi,

    I mistakenly downloaded device driver updates from an untrusted source and most rootkit removal tools say the following:

    +----------------------------------------------------

    | Trend Micro RootkitBuster

    | Module version: 3.60.0.1016

    | Computer Name: 700GR

    | User Name: Owner

    +----------------------------------------------------

    --== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--

    [HIDDEN_FILE]:

    FullPath : Master Boot Record (MBR) Sector

    FullPathLength: 0

    DesiredAccess : 0x0

    Options : 0x0

    Attributes : 0x0

    ShareAccess : 0x0

    Type : 0x0

    1 hidden files found.

    --== Dump Hidden Registry Value on HKLM ==--

    No hidden registry entries found.

    --== Dump Hidden Process ==--

    No hidden processes found.

    --== Dump Hidden Driver ==--

    No hidden drivers found.

    --== Service Win32 API Hook List ==--

    No hidden operating system service hooks found.

    --== Dump Hidden Port ==--

    No hidden ports found.

    --== Dump Kernel Code Patching ==--

    [KERNEL_CODE][PATCHED]:

    Service API : ZwCreateKey

    Address : 80578AB4

    CurrentCode : E92BB6EE76

    ExpectedCode : 68C8000000

    ServiceNumber : 0x29

    SDTType : 0x0

    [KERNEL_CODE][PATCHED]:

    Service API : ZwDeleteKey

    Address : 8059A5C9

    CurrentCode : E92A9BEC76

    ExpectedCode : 6A3868D040

    ServiceNumber : 0x3f

    SDTType : 0x0

    [KERNEL_CODE][PATCHED]:

    Service API : ZwDeleteValueKey

    Address : 805991E8

    CurrentCode : E937AFEC76

    ExpectedCode : 6A48688040

    ServiceNumber : 0x41

    SDTType : 0x0

    [KERNEL_CODE][PATCHED]:

    Service API : ZwOpenKey

    Address : 80572BDF

    CurrentCode : E9EC14EF76

    ExpectedCode : 68BC000000

    ServiceNumber : 0x77

    SDTType : 0x0

    [KERNEL_CODE][PATCHED]:

    Service API : ZwOpenProcess

    Address : 8057F93A

    CurrentCode : E96947EE76

    ExpectedCode : 68C4000000

    ServiceNumber : 0x7a

    SDTType : 0x0

    [KERNEL_CODE][PATCHED]:

    Service API : ZwOpenThread

    Address : 80596743

    CurrentCode : E974D9EC76

    ExpectedCode : 68C0000000

    ServiceNumber : 0x80

    SDTType : 0x0

    [KERNEL_CODE][PATCHED]:

    Service API : ZwRenameKey

    Address : 8065684C

    CurrentCode : E9BDD8E076

    ExpectedCode : 6A3468D0F4

    ServiceNumber : 0xc0

    SDTType : 0x0

    [KERNEL_CODE][PATCHED]:

    Service API : ZwSetSecurityObject

    Address : 805E8694

    CurrentCode : E9B7BAE776

    ExpectedCode : 8BFF558BEC

    ServiceNumber : 0xed

    SDTType : 0x0

    [KERNEL_CODE][PATCHED]:

    Service API : ZwSetValueKey

    Address : 80580088

    CurrentCode : E9AD40EE76

    ExpectedCode : 6A5C683842

    ServiceNumber : 0xf7

    SDTType : 0x0

    9 Kernel code patching found.

    --== Dump Hidden Services ==--

    No hidden services found.

    HiJackThis log:

    Logfile of Trend Micro HijackThis v2.0.4

    Scan saved at 8:24:17 AM, on 5/5/2011

    Platform: Windows XP SP3 (WinNT 5.01.2600)

    MSIE: Internet Explorer v8.00 (8.00.6001.18702)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\LEXBCES.EXE

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\system32\LEXPPS.EXE

    C:\Program Files\a-squared Free\a2service.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

    C:\Program Files\Bonjour\mDNSResponder.exe

    C:\PROGRA~1\GFI\GFIBAC~1\GFIHInst.exe

    C:\PROGRA~1\GFI\GFIBAC~1\GFIHSC~1.EXE

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Java\jre6\bin\jqs.exe

    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

    C:\WINDOWS\system32\mfevtps.exe

    C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe

    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\system32\rundll32.exe

    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

    C:\Program Files\Digital Media Reader\shwiconem.exe

    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

    C:\Program Files\Athan\Athan.exe

    C:\WINDOWS\SOUNDMAN.EXE

    C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe

    C:\Program Files\McAfee.com\Agent\mcagent.exe

    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

    C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe

    C:\Program Files\QuickTime\QTTask.exe

    C:\Program Files\iTunes\iTunesHelper.exe

    C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe

    C:\Program Files\Common Files\Java\Java Update\jusched.exe

    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

    C:\Program Files\iPod\bin\iPodService.exe

    C:\Program Files\Mozilla Firefox\firefox.exe

    C:\WINDOWS\system32\wscntfy.exe

    C:\Program Files\Mozilla Firefox\plugin-container.exe

    C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.net

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.net

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!

    R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

    O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 10\SnagitBHO.dll

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110301200535.dll

    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

    O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

    O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 10\SnagitIEAddin.dll

    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

    O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

    O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe

    O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide

    O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

    O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"

    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    O4 - HKLM\..\Run: [PMBVolumeWatcher] C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe

    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"

    O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled

    O4 - Global Startup: McAfee Security Scan Plus.lnk = ?

    O4 - Global Startup: Microsoft Office.lnk.disabled

    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000

    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll

    O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com

    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe

    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)

    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

    O23 - Service: GFI Backup 2009 - Home Edition Attendant Service (GFIBckHAtt) - GFI Software Ltd. - C:\PROGRA~1\GFI\GFIBAC~1\GFIHInst.exe

    O23 - Service: GFI Backup 2009 - Home Edition Scheduler Service (GFIBckHSched) - GFI Software Ltd. - C:\PROGRA~1\GFI\GFIBAC~1\GFIHSC~1.EXE

    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

    O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe

    O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

    O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe

    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

    O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe

    O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe

    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe

    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

    O23 - Service: PMBDeviceInfoProvider - Sony Corporation - C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe

    --

    End of file - 13773 bytes

    Any comment would be appreciated. The computer is very slow to respond to clicks and starting programs.
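    The useful evidence in the RootkitBuster output above is the `CurrentCode`/`ExpectedCode` pair for each of the nine patched `Zw*` entry points. Every `CurrentCode` starts with `E9`, the x86 `jmp rel32` opcode, so the first five bytes of each function have been overwritten with an inline (detour) hook; the `ExpectedCode` bytes are the ordinary Windows XP prologue that was there before (`68 xx xx xx xx` / `6A xx` pushing the frame size, or the `8B FF 55 8B EC` hot-patch pad). The hook destination is `address + 5 + rel32` (rel32 read little-endian), and decoding all nine shows that they resolve into a single 168-byte region, which points at one trampoline block in one driver. Hooks of this shape on registry and process APIs are installed by security products for self-protection as well as by rootkits, so the next step is to find which loaded driver owns that range (RootkitBuster does not print it), not to conclude either way from the patch list alone. The following script is an added example, not part of the original post or of RootkitBuster; it embeds four of the nine records copied from the log above as sample input and takes the complete output pasted in unchanged.

```python
"""Decode Trend Micro RootkitBuster [KERNEL_CODE][PATCHED] records: which x86
instruction now sits at each patched Zw* entry point and where it jumps."""
import re
import struct

# Four of the nine records from the RootkitBuster output posted above, copied
# as-is; the parser accepts the complete output pasted here unchanged.
ROOTKITBUSTER_OUTPUT = """
[KERNEL_CODE][PATCHED]:
Service API : ZwCreateKey
Address : 80578AB4
CurrentCode : E92BB6EE76
ExpectedCode : 68C8000000
ServiceNumber : 0x29
SDTType : 0x0
[KERNEL_CODE][PATCHED]:
Service API : ZwOpenProcess
Address : 8057F93A
CurrentCode : E96947EE76
ExpectedCode : 68C4000000
ServiceNumber : 0x7a
SDTType : 0x0
[KERNEL_CODE][PATCHED]:
Service API : ZwSetSecurityObject
Address : 805E8694
CurrentCode : E9B7BAE776
ExpectedCode : 8BFF558BEC
ServiceNumber : 0xed
SDTType : 0x0
[KERNEL_CODE][PATCHED]:
Service API : ZwSetValueKey
Address : 80580088
CurrentCode : E9AD40EE76
ExpectedCode : 6A5C683842
ServiceNumber : 0xf7
SDTType : 0x0
"""

RECORD_RE = re.compile(
    r"Service API\s*:\s*(\w+)\s+"
    r"Address\s*:\s*([0-9A-Fa-f]+)\s+"
    r"CurrentCode\s*:\s*([0-9A-Fa-f]+)\s+"
    r"ExpectedCode\s*:\s*([0-9A-Fa-f]+)\s+"
    r"ServiceNumber\s*:\s*(0x[0-9A-Fa-f]+)"
)


def parse_patches(text):
    """One dict per [KERNEL_CODE][PATCHED] record in the RootkitBuster text."""
    return [
        {"api": api, "address": int(addr, 16), "current": bytes.fromhex(cur),
         "expected": bytes.fromhex(exp), "service_number": int(num, 16)}
        for api, addr, cur, exp, num in RECORD_RE.findall(text)
    ]


def decode_first_insn(address, code):
    """Classify the first x86 instruction of `code` as located at `address`.
    Returns (mnemonic, absolute target) for jmp/call rel32, else (mnemonic, None)."""
    op = code[0]
    if op in (0xE9, 0xE8) and len(code) >= 5:      # jmp/call rel32: target = next IP + rel
        rel = struct.unpack("<i", code[1:5])[0]
        name = "jmp rel32" if op == 0xE9 else "call rel32"
        return name, (address + 5 + rel) & 0xFFFFFFFF
    if op == 0x68 and len(code) >= 5:              # push imm32: normal XP Zw* prologue
        return "push imm32", None
    if op == 0x6A and len(code) >= 2:              # push imm8: normal XP Zw* prologue
        return "push imm8", None
    if code[:2] == b"\x8b\xff":                    # mov edi,edi: hot-patch pad before push ebp
        return "mov edi,edi", None
    return "unknown", None


def analyse(text):
    """Decode the hook and the overwritten original prologue for every record."""
    rows = []
    for p in parse_patches(text):
        hook, target = decode_first_insn(p["address"], p["current"])
        original, _ = decode_first_insn(p["address"], p["expected"])
        rows.append({"api": p["api"], "address": p["address"],
                     "hook": hook, "target": target, "original": original})
    return rows


def target_span(rows):
    """(lowest, highest) hook target; a tight span means one trampoline block."""
    targets = [r["target"] for r in rows if r["target"] is not None]
    return (min(targets), max(targets)) if targets else None


if __name__ == "__main__":
    rows = analyse(ROOTKITBUSTER_OUTPUT)
    for r in rows:
        tgt = f"{r['target']:08X}" if r["target"] is not None else "-"
        print(f"{r['api']:<20} {r['address']:08X}  was {r['original']:<11} now {r['hook']:<10} -> {tgt}")
    span = target_span(rows)
    if span:
        print(f"all targets lie in {span[0]:08X}-{span[1]:08X} ({span[1] - span[0]} bytes apart)")
```

    Run as-is it reports that ZwCreateKey now jumps to F74640E4 and that the four targets lie between F74640A8 and F7464150; pasting all nine records in gives the same two endpoints, since ZwOpenProcess and ZwSetSecurityObject are the lowest and highest targets of the full set. Cross-check that range against the loaded driver list (the `R0`/`R1` kernel drivers in the DDS log are the obvious candidates) before deciding whether the hooks belong to an installed product or to something that should not be there.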
