mind5150 Posted November 22, 2011 ID:497123 Share Posted November 22, 2011 Hello good people at malwarebytes,I believe my computer was recently infected with this google virus...i noticed it when i was doing searches and it would redirect me to other websites where my AVG would constantly pop up. My computer has been noticeably slower as well and one time my computer went to a blue screen and restarted, prompting the option of safe mode upon start up. I used malwarebytes and it seems that it is unable to catch this virus, here is the most recent log of the full scan along (said it found 5 and removed 5, but it said it has found/removed them before with no luck) with DDS.txt and attach.txtMalwarebytes' Anti-Malware 1.51.2.1300www.malwarebytes.orgDatabase version: 8213Windows 6.1.7600Internet Explorer 8.0.7600.1638511/21/2011 11:33:02 PMmbam-log-2011-11-21 (23-33-02).txtScan type: Full scan (C:\|)Objects scanned: 588899Time elapsed: 1 hour(s), 34 minute(s), 7 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 5Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:c:\Users\alvin lau\AppData\Local\temp\AB51.tmp (Trojan.Agent) -> Quarantined and deleted successfully.c:\Users\alvin lau\AppData\Local\temp\BDF7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.c:\Users\alvin lau\AppData\Local\temp\BE45.tmp (Trojan.Agent) -> Quarantined and deleted successfully.c:\Users\alvin lau\AppData\Local\temp\AF18.tmp (Trojan.Agent) -> Quarantined and deleted successfully.c:\Users\alvin lau\AppData\Roaming\B0DC.tmp (Trojan.Agent.CoXGen) -> Quarantined and deleted successfully..DDS (Ver_2011-08-26.01) - NTFSx86 Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23Run by Alvin Lau at 23:33:22 on 2011-11-21Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2036.1448 [GMT -8:00].AV: McAfee VirusScan *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}SP: McAfee VirusScan *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}FW: McAfee Personal Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}.============== Running Processes ===============.C:\PROGRA~1\AVG\AVG10\avgchsvx.exeC:\Windows\system32\wininit.exeC:\Windows\system32\lsm.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\nvvsvc.exeC:\Windows\system32\svchost.exe -k RPCSSC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\Windows\system32\svchost.exe -k netsvcsC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\svchost.exe -k NetworkServiceC:\Windows\System32\spoolsv.exeC:\Windows\system32\nvvsvc.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkC:\Program Files\AVG\AVG10\avgwdsvc.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonationC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Microsoft\BingBar\SeaPort.EXEC:\Windows\system32\svchost.exe -k imgsvcC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXEC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exeC:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exeC:\Program Files\AVG\AVG10\avgnsx.exeC:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Windows\system32\taskhost.exeC:\Windows\system32\svchost.exe -k bthsvcsC:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exeC:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exeC:\Program Files\Replay Media Catcher\FLVSrvc.exeC:\Windows\WindowsMobile\wmdc.exeC:\Program Files\AVG\AVG10\avgtray.exeC:\Windows\system32\svchost.exe -k WindowsMobileC:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exeC:\Windows\system32\SearchIndexer.exeC:\Program Files\Windows Media Player\wmpnetwk.exeC:\Windows\System32\svchost.exe -k LocalServicePeerNetC:\Windows\system32\wuauclt.exeC:\PROGRA~1\AVG\AVG10\avgrsx.exeC:\Program Files\AVG\AVG10\avgcsrvx.exeC:\Program Files\Malwarebytes' Anti-Malware\mbam.exeC:\Windows\system32\taskeng.exeC:\Windows\system32\NOTEPAD.EXEC:\Windows\System32\ping.exeC:\Windows\system32\conhost.exeC:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exeC:\Windows\system32\conhost.exeC:\Windows\system32\wbem\wmiprvse.exe.============== Pseudo HJT Report ===============.uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dllmURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dllBHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dllBHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dllBHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dllBHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dllBHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dllBHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dllBHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dllBHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dllBHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dllBHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dllTB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dllTB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dllTB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dllTB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dllTB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dllTB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbyloginmRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXEmRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -smRun: [Ask and Record FLV Service] "c:\program files\replay media catcher\FLVSrvc.exe" /runmRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exemRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exemRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscriptStartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\utilman.lnk - c:\users\alvin lau\appdata\local\utilman.exeuPolicies-explorer: HideSCAHealth = 1 (0x1)mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)mPolicies-system: EnableUIADesktopToggle = 0 (0x0)IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.htmlIE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dllIE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dllIE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dllIE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dllIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLLLSP: mswsock.dllDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cabDPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cabTCP: DhcpNameServer = 192.168.1.1TCP: Interfaces\{16B60D0D-2143-4E50-B1CC-123D4F8DF238} : DhcpNameServer = 192.168.1.1TCP: Interfaces\{16B60D0D-2143-4E50-B1CC-123D4F8DF238}\75947474C454 : DhcpNameServer = 192.168.0.1TCP: Interfaces\{16B60D0D-2143-4E50-B1CC-123D4F8DF238}\84C41657 : DhcpNameServer = 192.168.1.1TCP: Interfaces\{16B60D0D-2143-4E50-B1CC-123D4F8DF238}\8616E6B602C61657 : DhcpNameServer = 192.168.1.254Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dllHandler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll.================= FIREFOX ===================.FF - ProfilePath - c:\users\alvin lau\appdata\roaming\mozilla\firefox\profiles\y96fpzoo.default\FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-usFF - prefs.js: browser.startup.homepage - www.google.comFF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dllFF - component: c:\program files\avg\avg10\firefox4\components\avgssff5.dllFF - component: c:\program files\avg\avg10\firefox4\components\avgssff6.dllFF - component: c:\program files\avg\avg10\firefox4\components\avgssff7.dllFF - component: c:\users\alvin lau\appdata\roaming\mozilla\firefox\profiles\y96fpzoo.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dllFF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dllFF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dllFF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dllFF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dllFF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}FF - Ext: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - %profile%\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}FF - Ext: XUL Cache: {45c6f340-e06b-4b06-b708-2b08da62ff93} - %profile%\extensions\{45c6f340-e06b-4b06-b708-2b08da62ff93}FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg10\Firefox4.---- FIREFOX POLICIES ----FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falseFF - user.js: browser.sessionstore.resume_from_crash - falseFF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, true.============= SERVICES / DRIVERS ===============.R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-4 297168]R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-16 214664]R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-8-18 7390560]R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-5-27 134480]R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 21968]R3 e1qexpress;Intel® PRO/1000 PCI Express Network Connection Driver Q;c:\windows\system32\drivers\e1q6032.sys [2009-7-13 190464]R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-11-21 41272]S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2011-4-6 39272]S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-22 1493352]S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys [2010-3-10 25112]S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-11-7 79816]S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-11-7 35272]S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-11-7 34248]S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-11-7 40552]S3 RDID1078;Fantom G;c:\windows\system32\drivers\Rdwm1078.sys [2010-8-16 145792]S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-2 1343400]S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040].=============== Created Last 30 ================.2011-11-21 15:05:06 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2011-11-09 04:24:00 1285488 ----a-w- c:\windows\system32\drivers\tcpip.sys2011-11-09 04:23:57 708608 ----a-w- c:\program files\common files\system\wab32.dll2011-11-09 04:23:56 2339840 ----a-w- c:\windows\system32\win32k.sys2011-11-05 15:02:05 -------- d-----w- c:\users\alvin lau\appdata\roaming\XpppmGG5sQJ6EKf2011-11-05 15:02:05 -------- d-----w- c:\users\alvin lau\appdata\roaming\aZZ99hTTXwjCeIB2011-11-05 15:02:00 -------- d-----w- c:\users\alvin lau\appdata\roaming\cBBBrzzPN2011-11-05 15:01:58 -------- d-----w- c:\users\alvin lau\appdata\roaming\ZVVVellOBtzPyc12011-11-05 15:01:57 -------- d-----w- c:\users\alvin lau\appdata\roaming\gIIIVrrlONtx0uS2011-11-05 15:01:54 -------- d-----w- c:\users\alvin lau\appdata\roaming\kyyycAA1ivD2nFp2011-10-26 11:54:43 6144 ----a-w- c:\program files\internet explorer\iecompat.dll.==================== Find3M ====================.2011-11-13 21:51:46 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe2011-11-13 21:51:45 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll2011-10-01 02:59:14 1638912 ----a-w- c:\windows\system32\mshtml.tlb2011-09-01 00:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys2011-08-27 04:43:07 571904 ----a-w- c:\windows\system32\oleaut32.dll2011-08-27 04:43:06 233472 ----a-w- c:\windows\system32\oleacc.dll.=================== ROOTKIT ====================.Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.netWindows 6.1.7600 Disk: WDC_WD6400AAKS-41H2B0 rev.07.04C07 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-7 .device: opened successfullyuser: MBR read successfully.Disk trace:called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85EB0F10]<< _asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }1 ntkrnlpa!IofCallDriver[0x82E8A458] -> \Device\Harddisk0\DR0[0x858CB030]3 CLASSPNP[0x88E6359E] -> ntkrnlpa!IofCallDriver[0x82E8A458] -> [0x85EBEDC8]\Driver\00001957[0x85E7D2B8] -> IRP_MJ_CREATE -> 0x85EB0F10kernel: MBR read successfully_asm { ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; ADD [bX+SI], AL; }user != kernel MBR !!! sectors 1250263695 (+0): user != kernelWarning: possible TDL4 rootkit infection !TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix..============= FINISH: 23:33:55.76 ===============Attach.zip Link to post Share on other sites More sharing options...
Elise Posted November 22, 2011 ID:497248 Share Posted November 22, 2011 Hello, and I see evidence of two rootkits here, before starting the cleaning process, please make sure to read the following information.BACKDOOR WARNING------------------------------One or more of the identified infections is known to use a backdoor.This allows hackers to remotely control your computer, steal critical system information and download and execute files.I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?When Should I Format, How Should I ReinstallWe can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.COMBOFIX---------------Please download ComboFix from one of these locations:BleepingcomputerForoSpywareDisable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)Double click on Combofix.exe and follow the prompts.As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:Click on Yes, to continue scanning for malware.When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply. Link to post Share on other sites More sharing options...
mind5150 Posted November 23, 2011 Author ID:497395 Share Posted November 23, 2011 Hello,I tried to follow the steps however the windows recovery console prompt did not show up. I disabled my AVG and tried to run combofix, it said mcafee is running, however i do not have mcafee...as far as i know, tried to disable it but i could not find it on my computer, i ran combofix anyway and a blue screen came up showing the process.... here is the final log, also included as an attach fileComboFix 11-11-22.03 - Alvin Lau 11/22/2011 20:06:40.2.8 - x86Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2036.908 [GMT -8:00]Running from: c:\users\Alvin Lau\Downloads\ComboFix.exeAV: McAfee VirusScan *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}FW: McAfee Personal Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}SP: McAfee VirusScan *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}..((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))..C:\datac:\data\Lp_setup.exec:\users\Alvin Lau\AppData\Local\tyl.exec:\users\Alvin Lau\AppData\Roaming\Adobe\plugsc:\users\Alvin Lau\AppData\Roaming\Adobe\shedc:\users\Alvin Lau\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Recoveryc:\users\Alvin Lau\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Recovery\Uninstall Windows 7 Recovery.lnkc:\users\Alvin Lau\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Recovery\Windows 7 Recovery.lnkc:\users\Alvin Lau\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Zentom System Guardc:\users\Alvin Lau\AppData\Roaming\Mozilla\Firefox\Profiles\y96fpzoo.default\extensions\{45c6f340-e06b-4b06-b708-2b08da62ff93}c:\users\Alvin Lau\AppData\Roaming\Mozilla\Firefox\Profiles\y96fpzoo.default\extensions\{45c6f340-e06b-4b06-b708-2b08da62ff93}\chrome.manifestc:\users\Alvin Lau\AppData\Roaming\Mozilla\Firefox\Profiles\y96fpzoo.default\extensions\{45c6f340-e06b-4b06-b708-2b08da62ff93}\chrome\xulcache.jarc:\users\Alvin Lau\AppData\Roaming\Mozilla\Firefox\Profiles\y96fpzoo.default\extensions\{45c6f340-e06b-4b06-b708-2b08da62ff93}\defaults\preferences\xulcache.jsc:\users\Alvin Lau\AppData\Roaming\Mozilla\Firefox\Profiles\y96fpzoo.default\extensions\{45c6f340-e06b-4b06-b708-2b08da62ff93}\install.rdfc:\users\Alvin Lau\Taskmgr.exec:\windows\$NtUninstallKB32165$\1005173323c:\windows\$NtUninstallKB32165$\736974408\@c:\windows\$NtUninstallKB32165$\736974408\bckfg.tmpc:\windows\$NtUninstallKB32165$\736974408\cfg.inic:\windows\$NtUninstallKB32165$\736974408\Desktop.inic:\windows\$NtUninstallKB32165$\736974408\keywordsc:\windows\$NtUninstallKB32165$\736974408\kwrd.dllc:\windows\$NtUninstallKB32165$\736974408\L\xadqgnnkc:\windows\$NtUninstallKB32165$\736974408\lsflt7.verc:\windows\$NtUninstallKB32165$\736974408\U\00000001.@c:\windows\$NtUninstallKB32165$\736974408\U\00000002.@c:\windows\$NtUninstallKB32165$\736974408\U\00000004.@c:\windows\$NtUninstallKB32165$\736974408\U\80000000.@c:\windows\$NtUninstallKB32165$\736974408\U\80000004.@c:\windows\$NtUninstallKB32165$\736974408\U\80000032.@c:\windows\iun6002.exec:\windows\$NtUninstallKB32165$ . . . . Failed to delete..((((((((((((((((((((((((( Files Created from 2011-10-23 to 2011-11-23 )))))))))))))))))))))))))))))))..2011-11-23 04:16 . 2011-11-23 04:19 -------- d-----w- c:\users\Alvin Lau\AppData\Local\temp2011-11-23 04:16 . 2011-11-23 04:16 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp2011-11-23 04:16 . 2011-11-23 04:16 -------- d-----w- c:\users\Public\AppData\Local\temp2011-11-23 04:16 . 2011-11-23 04:16 -------- d-----w- c:\users\Default\AppData\Local\temp2011-11-23 04:03 . 2009-07-13 23:11 53760 ----a-w- c:\windows\system32\drivers\intelppm.sys2011-11-09 04:24 . 2011-09-29 15:43 1285488 ----a-w- c:\windows\system32\drivers\tcpip.sys2011-11-09 04:23 . 2011-10-01 04:43 708608 ----a-w- c:\program files\Common Files\System\wab32.dll2011-11-09 04:23 . 2011-09-29 04:20 2339840 ----a-w- c:\windows\system32\win32k.sys2011-11-05 15:02 . 2011-11-05 15:02 -------- d-----w- c:\users\Alvin Lau\AppData\Roaming\aZZ99hTTXwjCeIB2011-11-05 15:02 . 2011-11-05 15:02 -------- d-----w- c:\users\Alvin Lau\AppData\Roaming\XpppmGG5sQJ6EKf2011-11-05 15:02 . 2011-11-05 15:02 -------- d-----w- c:\users\Alvin Lau\AppData\Roaming\cBBBrzzPN2011-11-05 15:01 . 2011-11-09 15:02 -------- d-----w- c:\users\Alvin Lau\AppData\Roaming\ZVVVellOBtzPyc12011-11-05 15:01 . 2011-11-05 15:01 -------- d-----w- c:\users\Alvin Lau\AppData\Roaming\gIIIVrrlONtx0uS2011-11-05 15:01 . 2011-11-05 15:01 -------- d-----w- c:\users\Alvin Lau\AppData\Roaming\kyyycAA1ivD2nFp2011-10-26 11:54 . 2011-08-15 04:25 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll...(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2011-11-13 21:51 . 2010-02-07 19:01 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe2011-11-13 21:51 . 2010-02-07 19:01 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll2011-10-01 02:59 . 2011-10-13 03:59 1638912 ----a-w- c:\windows\system32\mshtml.tlb2011-09-01 00:00 . 2011-06-02 13:23 22216 ----a-w- c:\windows\system32\drivers\mbam.sys2011-08-27 04:43 . 2011-10-13 04:01 571904 ----a-w- c:\windows\system32\oleaut32.dll2011-08-27 04:43 . 2011-10-13 04:01 233472 ----a-w- c:\windows\system32\oleacc.dll..((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4.[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]2010-09-29 05:44 1400712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712].[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}][HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1][HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}][HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd].[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712].[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}][HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1][HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}][HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd].[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-10-29 7862816]"Ask and Record FLV Service"="c:\program files\Replay Media Catcher\FLVSrvc.exe" [2009-09-22 156672]"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-09-10 2338656]"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-09-01 1047208].c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\utilman.lnk - c:\users\Alvin Lau\AppData\Local\utilman.exe [N/A].[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"ConsentPromptBehaviorAdmin"= 5 (0x5)"ConsentPromptBehaviorUser"= 3 (0x3)"EnableUIADesktopToggle"= 0 (0x0).[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]"aux6"=wdmaud.drv.[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart.[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]2009-09-05 09:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]2010-05-14 19:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe.R1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-04-05 297168]R1 SASDIFSV;SASDIFSV;c:\users\ALVINL~1\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]R1 SASKUTIL;SASKUTIL;c:\users\ALVINL~1\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-08-18 7390560]R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]R3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-03-01 183560]R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [2010-03-10 25112]R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]R3 RDID1078;Fantom G;c:\windows\system32\Drivers\rdwm1078.sys [2009-09-18 145792]R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-03 1343400]R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-02-22 22992]S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-03-16 32592]S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-01-07 248656]S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2011-02-08 269520]S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-05-28 134480]S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-02-10 24144]S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-02-10 21968]S3 e1qexpress;Intel® PRO/1000 PCI Express Network Connection Driver Q;c:\windows\system32\DRIVERS\e1q6032.sys [2009-07-13 190464]..[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]WindowsMobile REG_MULTI_SZ wcescomm rapimgrLocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr..------- Supplementary Scan -------.IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.htmlIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000TCP: DhcpNameServer = 192.168.1.1FF - ProfilePath - c:\users\Alvin Lau\AppData\Roaming\Mozilla\Firefox\Profiles\y96fpzoo.default\FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-usFF - prefs.js: browser.startup.homepage - www.google.comFF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}FF - Ext: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - %profile%\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG10\Firefox4FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falseFF - user.js: browser.sessionstore.resume_from_crash - falseFF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, true.- - - - ORPHANS REMOVED - - - -.AddRemove-MidiSport1x1 - c:\windows\iun6002.exe...**************************************************************************.Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.netWindows 6.1.7600 Disk: WDC_WD6400AAKS-41H2B0 rev.07.04C07 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-7 .device: opened successfullyuser: MBR read successfullykernel: MBR read successfullyuser != kernel MBR !!! sectors 1250263695 (+0): user != kernel.**************************************************************************.--------------------- LOCKED REGISTRY KEYS ---------------------.[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]@Denied: (Full) (Everyone).--------------------- DLLs Loaded Under Running Processes ---------------------.- - - - - - - > 'Explorer.exe'(3920)c:\users\Alvin Lau\AppData\Local\FLVService\lib\FLVSrvLib.dll.------------------------ Other Running Processes ------------------------.c:\windows\system32\nvvsvc.exec:\windows\system32\nvvsvc.exec:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEc:\program files\Microsoft\BingBar\SeaPort.EXEc:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXEc:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exec:\windows\system32\taskhost.exec:\windows\System32\rundll32.exec:\windows\system32\conhost.exec:\program files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exec:\program files\Windows Media Player\wmpnetwk.exec:\windows\system32\DllHost.exec:\windows\system32\sppsvc.exe.**************************************************************************.Completion time: 2011-11-22 20:23:23 - machine was rebootedComboFix-quarantined-files.txt 2011-11-23 04:23ComboFix2.txt 2011-05-10 19:00.Pre-Run: 19,129,208,832 bytes freePost-Run: 19,561,189,376 bytes free.- - End Of File - - 153990EA52EB511B3901B1B73258C335log.txt Link to post Share on other sites More sharing options...
Elise Posted November 23, 2011 ID:497482 Share Posted November 23, 2011 Hi again, one rootkit down, one to go. Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!Double-click on TDSSKiller.exe to run the tool for known TDSS variants.Vista/Windows 7 users right-click and select Run As Administrator.If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.Click the Start Scan button.Do not use the computer during the scanIf the scan completes with nothing found, click Close to exit.If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).Copy and paste the contents of that file in your next reply. Link to post Share on other sites More sharing options...
mind5150 Posted November 23, 2011 Author ID:497510 Share Posted November 23, 2011 Downloaded the TDSSkiller on my desktop, followed instructions and ran the scan. However the scan only scaned 283 objects and lasted less than 30 seconds. Found 0 threats....here is the report...what should i do now?07:16:47.0060 2468 TDSS rootkit removing tool 2.6.20.0 Nov 22 2011 12:05:5507:16:47.0575 2468 ============================================================07:16:47.0575 2468 Current date / time: 2011/11/23 07:16:47.057507:16:47.0575 2468 SystemInfo:07:16:47.0575 2468 07:16:47.0575 2468 OS Version: 6.1.7600 ServicePack: 0.007:16:47.0575 2468 Product type: Workstation07:16:47.0575 2468 ComputerName: WINDOWS-707:16:47.0575 2468 UserName: Alvin Lau07:16:47.0575 2468 Windows directory: C:\Windows07:16:47.0575 2468 System windows directory: C:\Windows07:16:47.0575 2468 Processor architecture: Intel x8607:16:47.0575 2468 Number of processors: 807:16:47.0575 2468 Page size: 0x100007:16:47.0575 2468 Boot type: Normal boot07:16:47.0575 2468 ============================================================07:16:48.0854 2468 Initialize success07:16:55.0344 2648 ============================================================07:16:55.0344 2648 Scan started07:16:55.0344 2648 Mode: Manual; 07:16:55.0344 2648 ============================================================07:16:55.0952 2648 1394ohci - ok07:16:55.0968 2648 ACPI - ok07:16:55.0968 2648 AcpiPmi - ok07:16:55.0983 2648 adfs - ok07:16:55.0999 2648 adp94xx - ok07:16:55.0999 2648 adpahci - ok07:16:55.0999 2648 adpu320 - ok07:16:56.0014 2648 AFD - ok07:16:56.0014 2648 agp440 - ok07:16:56.0014 2648 aic78xx - ok07:16:56.0030 2648 aliide - ok07:16:56.0046 2648 amdagp - ok07:16:56.0046 2648 amdide - ok07:16:56.0046 2648 AmdK8 - ok07:16:56.0046 2648 AmdPPM - ok07:16:56.0046 2648 amdsata - ok07:16:56.0061 2648 amdsbs - ok07:16:56.0061 2648 amdxata - ok07:16:56.0061 2648 AppID - ok07:16:56.0077 2648 arc - ok07:16:56.0077 2648 arcsas - ok07:16:56.0077 2648 AsyncMac - ok07:16:56.0077 2648 atapi - ok07:16:56.0108 2648 AVGIDSDriver - ok07:16:56.0108 2648 AVGIDSEH - ok07:16:56.0108 2648 AVGIDSFilter - ok07:16:56.0108 2648 AVGIDSShim - ok07:16:56.0124 2648 Avgldx86 - ok07:16:56.0124 2648 Avgmfx86 - ok07:16:56.0139 2648 Avgrkx86 - ok07:16:56.0139 2648 Avgtdix - ok07:16:56.0139 2648 b06bdrv - ok07:16:56.0139 2648 b57nd60x - ok07:16:56.0155 2648 BCM43XX - ok07:16:56.0170 2648 Beep - ok07:16:56.0170 2648 blbdrive - ok07:16:56.0170 2648 bowser - ok07:16:56.0170 2648 BrFiltLo - ok07:16:56.0170 2648 BrFiltUp - ok07:16:56.0186 2648 Brserid - ok07:16:56.0186 2648 BrSerWdm - ok07:16:56.0186 2648 BrUsbMdm - ok07:16:56.0186 2648 BrUsbSer - ok07:16:56.0186 2648 BthEnum - ok07:16:56.0186 2648 BTHMODEM - ok07:16:56.0202 2648 BthPan - ok07:16:56.0202 2648 BTHPORT - ok07:16:56.0202 2648 BTHUSB - ok07:16:56.0217 2648 catchme - ok07:16:56.0217 2648 cdfs - ok07:16:56.0233 2648 cdrom - ok07:16:56.0233 2648 circlass - ok07:16:56.0233 2648 CLFS - ok07:16:56.0248 2648 CmBatt - ok07:16:56.0264 2648 cmdide - ok07:16:56.0264 2648 CNG - ok07:16:56.0264 2648 Compbatt - ok07:16:56.0280 2648 CompositeBus - ok07:16:56.0280 2648 crcdisk - ok07:16:56.0280 2648 CSC - ok07:16:56.0280 2648 DfsC - ok07:16:56.0295 2648 discache - ok07:16:56.0295 2648 Disk - ok07:16:56.0311 2648 drmkaud - ok07:16:56.0311 2648 DXGKrnl - ok07:16:56.0326 2648 e1qexpress - ok07:16:56.0326 2648 ebdrv - ok07:16:56.0326 2648 elxstor - ok07:16:56.0326 2648 ErrDev - ok07:16:56.0342 2648 exfat - ok07:16:56.0342 2648 fastfat - ok07:16:56.0342 2648 fdc - ok07:16:56.0342 2648 FileInfo - ok07:16:56.0358 2648 Filetrace - ok07:16:56.0358 2648 flpydisk - ok07:16:56.0358 2648 FltMgr - ok07:16:56.0358 2648 FsDepends - ok07:16:56.0358 2648 fssfltr - ok07:16:56.0373 2648 Fs_Rec - ok07:16:56.0373 2648 fvevol - ok07:16:56.0373 2648 gagp30kx - ok07:16:56.0373 2648 hcw85cir - ok07:16:56.0373 2648 HdAudAddService - ok07:16:56.0373 2648 HDAudBus - ok07:16:56.0389 2648 HidBatt - ok07:16:56.0389 2648 HidBth - ok07:16:56.0389 2648 HidIr - ok07:16:56.0404 2648 HidUsb - ok07:16:56.0404 2648 HpSAMD - ok07:16:56.0404 2648 HTTP - ok07:16:56.0404 2648 hwpolicy - ok07:16:56.0404 2648 i8042prt - ok07:16:56.0420 2648 iaStorV - ok07:16:56.0420 2648 iirsp - ok07:16:56.0420 2648 IntcAzAudAddService - ok07:16:56.0420 2648 intelide - ok07:16:56.0420 2648 intelppm - ok07:16:56.0436 2648 IpFilterDriver - ok07:16:56.0436 2648 IPMIDRV - ok07:16:56.0436 2648 IPNAT - ok07:16:56.0436 2648 IRENUM - ok07:16:56.0436 2648 isapnp - ok07:16:56.0436 2648 iScsiPrt - ok07:16:56.0451 2648 ivusb - ok07:16:56.0451 2648 kbdclass - ok07:16:56.0451 2648 kbdhid - ok07:16:56.0451 2648 KSecDD - ok07:16:56.0451 2648 KSecPkg - ok07:16:56.0467 2648 lltdio - ok07:16:56.0467 2648 LSI_FC - ok07:16:56.0467 2648 LSI_SAS - ok07:16:56.0467 2648 LSI_SAS2 - ok07:16:56.0482 2648 LSI_SCSI - ok07:16:56.0482 2648 luafv - ok07:16:56.0498 2648 MBAMSwissArmy - ok07:16:56.0498 2648 megasas - ok07:16:56.0498 2648 MegaSR - ok07:16:56.0498 2648 mfeavfk - ok07:16:56.0498 2648 mfebopk - ok07:16:56.0529 2648 mfehidk - ok07:16:56.0529 2648 mferkdk - ok07:16:56.0529 2648 mfesmfk - ok07:16:56.0529 2648 Modem - ok07:16:56.0529 2648 monitor - ok07:16:56.0529 2648 mouclass - ok07:16:56.0545 2648 mouhid - ok07:16:56.0545 2648 mountmgr - ok07:16:56.0545 2648 mpio - ok07:16:56.0545 2648 mpsdrv - ok07:16:56.0545 2648 MRxDAV - ok07:16:56.0545 2648 mrxsmb - ok07:16:56.0545 2648 mrxsmb10 - ok07:16:56.0560 2648 mrxsmb20 - ok07:16:56.0560 2648 msahci - ok07:16:56.0560 2648 msdsm - ok07:16:56.0560 2648 Msfs - ok07:16:56.0560 2648 mshidkmdf - ok07:16:56.0576 2648 msisadrv - ok07:16:56.0576 2648 MSKSSRV - ok07:16:56.0576 2648 MSPCLOCK - ok07:16:56.0576 2648 MSPQM - ok07:16:56.0576 2648 MsRPC - ok07:16:56.0592 2648 mssmbios - ok07:16:56.0592 2648 MSTEE - ok07:16:56.0592 2648 MTConfig - ok07:16:56.0592 2648 Mup - ok07:16:56.0592 2648 NativeWifiP - ok07:16:56.0592 2648 NDIS - ok07:16:56.0607 2648 NdisCap - ok07:16:56.0607 2648 NdisTapi - ok07:16:56.0607 2648 Ndisuio - ok07:16:56.0607 2648 NdisWan - ok07:16:56.0607 2648 NDProxy - ok07:16:56.0607 2648 NetBIOS - ok07:16:56.0623 2648 NetBT - ok07:16:56.0623 2648 nfrd960 - ok07:16:56.0638 2648 Npfs - ok07:16:56.0638 2648 nsiproxy - ok07:16:56.0638 2648 Ntfs - ok07:16:56.0638 2648 Null - ok07:16:56.0638 2648 nvlddmkm - ok07:16:56.0654 2648 nvraid - ok07:16:56.0654 2648 nvstor - ok07:16:56.0654 2648 nv_agp - ok07:16:56.0654 2648 ohci1394 - ok07:16:56.0670 2648 Parport - ok07:16:56.0670 2648 partmgr - ok07:16:56.0670 2648 Parvdm - ok07:16:56.0670 2648 pci - ok07:16:56.0670 2648 pciide - ok07:16:56.0670 2648 pcmcia - ok07:16:56.0685 2648 pcw - ok07:16:56.0685 2648 PEAUTH - ok07:16:56.0701 2648 PptpMiniport - ok07:16:56.0701 2648 Processor - ok07:16:56.0716 2648 Psched - ok07:16:56.0716 2648 PxHelp20 - ok07:16:56.0716 2648 ql2300 - ok07:16:56.0716 2648 ql40xx - ok07:16:56.0716 2648 QWAVEdrv - ok07:16:56.0732 2648 RasAcd - ok07:16:56.0732 2648 RasAgileVpn - ok07:16:56.0732 2648 Rasl2tp - ok07:16:56.0748 2648 RasPppoe - ok07:16:56.0748 2648 RasSstp - ok07:16:56.0748 2648 rdbss - ok07:16:56.0748 2648 RDID1078 - ok07:16:56.0748 2648 rdpbus - ok07:16:56.0748 2648 RDPCDD - ok07:16:56.0763 2648 RDPDR - ok07:16:56.0763 2648 RDPENCDD - ok07:16:56.0763 2648 RDPREFMP - ok07:16:56.0763 2648 RDPWD - ok07:16:56.0763 2648 rdyboost - ok07:16:56.0779 2648 RFCOMM - ok07:16:56.0779 2648 RimUsb - ok07:16:56.0779 2648 rspndr - ok07:16:56.0779 2648 s3cap - ok07:16:56.0779 2648 SASDIFSV - ok07:16:56.0794 2648 SASKUTIL - ok07:16:56.0794 2648 sbp2port - ok07:16:56.0794 2648 scfilter - ok07:16:56.0794 2648 secdrv - ok07:16:56.0810 2648 Serenum - ok07:16:56.0810 2648 Serial - ok07:16:56.0810 2648 sermouse - ok07:16:56.0826 2648 sffdisk - ok07:16:56.0826 2648 sffp_mmc - ok07:16:56.0826 2648 sffp_sd - ok07:16:56.0826 2648 sfloppy - ok07:16:56.0826 2648 sisagp - ok07:16:56.0826 2648 SiSRaid2 - ok07:16:56.0841 2648 SiSRaid4 - ok07:16:56.0841 2648 Smb - ok07:16:56.0841 2648 spldr - ok07:16:56.0841 2648 srv - ok07:16:56.0857 2648 srv2 - ok07:16:56.0857 2648 srvnet - ok07:16:56.0857 2648 stexstor - ok07:16:56.0857 2648 storflt - ok07:16:56.0857 2648 storvsc - ok07:16:56.0872 2648 swenum - ok07:16:56.0872 2648 Tcpip - ok07:16:56.0872 2648 TCPIP6 - ok07:16:56.0888 2648 tcpipreg - ok07:16:56.0888 2648 TDPIPE - ok07:16:56.0888 2648 TDTCP - ok07:16:56.0888 2648 TermDD - ok07:16:56.0904 2648 tssecsrv - ok07:16:56.0904 2648 tunnel - ok07:16:56.0904 2648 uagp35 - ok07:16:56.0904 2648 udfs - ok07:16:56.0904 2648 uliagpkx - ok07:16:56.0919 2648 umbus - ok07:16:56.0919 2648 UmPass - ok07:16:56.0919 2648 usbaudio - ok07:16:56.0919 2648 usbccgp - ok07:16:56.0919 2648 usbcir - ok07:16:56.0935 2648 usbehci - ok07:16:56.0935 2648 usbhub - ok07:16:56.0935 2648 usbohci - ok07:16:56.0935 2648 usbprint - ok07:16:56.0935 2648 USBSTOR - ok07:16:56.0935 2648 usbuhci - ok07:16:56.0935 2648 usb_rndisx - ok07:16:56.0950 2648 vdrvroot - ok07:16:56.0950 2648 vga - ok07:16:56.0950 2648 VgaSave - ok07:16:56.0950 2648 vhdmp - ok07:16:56.0950 2648 viaagp - ok07:16:56.0966 2648 ViaC7 - ok07:16:56.0966 2648 viaide - ok07:16:56.0966 2648 vmbus - ok07:16:56.0966 2648 VMBusHID - ok07:16:56.0966 2648 volmgr - ok07:16:56.0966 2648 volmgrx - ok07:16:56.0966 2648 volsnap - ok07:16:56.0982 2648 vsmraid - ok07:16:56.0982 2648 vwifibus - ok07:16:56.0982 2648 vwififlt - ok07:16:56.0982 2648 WacomPen - ok07:16:56.0997 2648 WANARP - ok07:16:57.0013 2648 Wanarpv6 - ok07:16:57.0013 2648 Wd - ok07:16:57.0013 2648 Wdf01000 - ok07:16:57.0044 2648 WfpLwf - ok07:16:57.0044 2648 WIMMount - ok07:16:57.0200 2648 WinUsb - ok07:16:57.0216 2648 WmiAcpi - ok07:16:57.0216 2648 ws2ifsl - ok07:16:57.0247 2648 WudfPf - ok07:16:57.0262 2648 WUDFRd - ok07:16:57.0340 2648 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR007:16:57.0356 2648 \Device\Harddisk0\DR0 - ok07:16:57.0372 2648 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR107:16:57.0372 2648 \Device\Harddisk1\DR1 - ok07:16:57.0372 2648 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk2\DR207:16:57.0387 2648 \Device\Harddisk2\DR2 - ok07:16:57.0418 2648 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk3\DR307:16:57.0543 2648 \Device\Harddisk3\DR3 - ok07:16:57.0543 2648 Boot (0x1200) (f7e6185c00be66a11cd5a561f3704eda) \Device\Harddisk0\DR0\Partition007:16:57.0543 2648 \Device\Harddisk0\DR0\Partition0 - ok07:16:57.0574 2648 Boot (0x1200) (866c42a3d6124e0305b3edc8eb27f36d) \Device\Harddisk0\DR0\Partition107:16:57.0574 2648 \Device\Harddisk0\DR0\Partition1 - ok07:16:57.0574 2648 Boot (0x1200) (dbc507c4caf916b1de01298d648b8f23) \Device\Harddisk0\DR0\Partition207:16:57.0574 2648 \Device\Harddisk0\DR0\Partition2 - ok07:16:57.0574 2648 Boot (0x1200) (7d307b81c9f87f79db5eef5803d40bc8) \Device\Harddisk1\DR1\Partition007:16:57.0574 2648 \Device\Harddisk1\DR1\Partition0 - ok07:16:57.0590 2648 Boot (0x1200) (bc7b6f02c51d1c8babcd3ce2fbbc1563) \Device\Harddisk1\DR1\Partition107:16:57.0590 2648 \Device\Harddisk1\DR1\Partition1 - ok07:16:57.0590 2648 Boot (0x1200) (181efc0222b36b24131684e8f807451d) \Device\Harddisk2\DR2\Partition007:16:57.0590 2648 \Device\Harddisk2\DR2\Partition0 - ok07:16:57.0637 2648 Boot (0x1200) (5ecc7fe5a62ac51516e47c39f0025fba) \Device\Harddisk3\DR3\Partition007:16:57.0637 2648 \Device\Harddisk3\DR3\Partition0 - ok07:16:57.0637 2648 ============================================================07:16:57.0637 2648 Scan finished07:16:57.0637 2648 ============================================================07:16:57.0652 5640 Detected object count: 007:16:57.0652 5640 Actual detected object count: 0 Link to post Share on other sites More sharing options...
Elise Posted November 23, 2011 ID:497514 Share Posted November 23, 2011 Do you use BitLocker drive encryption somehow? How are things running at this point? Link to post Share on other sites More sharing options...
mind5150 Posted November 23, 2011 Author ID:497521 Share Posted November 23, 2011 No i do not use bitlocker, things on this computer are running ok, i just avoid searching on google. MY AVG (which i disable when told to on this forum) still runs daily scans and seems to pick up threats, says it removes them but i know thats not true. I'm starting to think ALL of the antivirus products people can buy at their local retail stores are useless and a waste of money...if anyone has anything else for me to try i'm all ears....thanks for all the help thus far, greatly appreciated. Link to post Share on other sites More sharing options...
Elise Posted November 23, 2011 ID:497531 Share Posted November 23, 2011 Could you please try and see if your google searches are still redirected at this point?Also, what does AVG detect (could you give me the file/detection name)? Link to post Share on other sites More sharing options...
mind5150 Posted November 24, 2011 Author ID:497708 Share Posted November 24, 2011 Just did a AVG scan and found one infection and said it was unable to remove.c:\windows\system\32\drivers\tdx.sysTrojan Horse Hider.OKII am now at the point where my internet is unable to connect last time i checked. Under my signal bar of my network it said limited access. Also my folder where my downloads go to is now hidden...the folder where i downloaded combofix. I tried to back it up on my computer and when i went to delete some files it just disappeared. Looks like its missing, i know this has happened to me before and i used a program called unhide, but i forgot how that works...SO Im now using the snowleopard side of this computer, which was petitioned to have windows 7 as well (where im having this issue), to be able to go online and continue replying. So what i want to do now is1. removed the virus/malware/rookit.2. be able to go back online.3. recover my missing files.Going to attempt to run malwarebytes scan again, but will wait here for a reply......I would like to save the computer format option as a last resort, thank you. Link to post Share on other sites More sharing options...
mind5150 Posted November 24, 2011 Author ID:497710 Share Posted November 24, 2011 one last note, my AVG now has an error message which pops up everytime i start the computer up, which says there is an unidentified error or something along those lines (I cant remember) and asks me if i would like to report it to find out the problem, but when i agree it fails to do so.....What should i do next? Link to post Share on other sites More sharing options...
Elise Posted November 24, 2011 ID:497774 Share Posted November 24, 2011 Can you please rerun combofix and post me the new log? Link to post Share on other sites More sharing options...
mind5150 Posted November 24, 2011 Author ID:497917 Share Posted November 24, 2011 Hello Elise,I ran the combofix again this morning, and again the prompt came up saying that i was running on mcafee and that i should turn it off, however i dont have mcafee on my computer...at least to my knowledge, did a search and found some lingering files from when i did have it, but now .exe mcafee file or anything like that. Did not find it in the icon tray as well. Combofix prompt said run combofix at your own risk...i clicked continue anyway. Deleted my AVG as well and ran combofix. Below is the log along with the same log as an attach on this post. UPDATE:- As of right now, my computer will not connect to the internet, under my network it says "Limited Access", so i just disconnected it manually.- All of my programs are no longer working, anything with .exe does not work, firefox, malwarebytes, etc. when i try to open a program a prompt will come up saying the file location of the program along with:"Illegal operation attempted on a registry key that has been marked for deletion."This virus/malware/rookit or whatever seems to be getting worse and worse by the minute. I have no clue what else to do. Malwarebytes no longer runs due to the problem mentioned above. I am now in the process of backing up my files in case i need to format my computer.....*SIGH* What else is there left to do?? Thank you for your help thus far Elise, you are greatly appreciated. Happy thanksgiving to you and yours.ComboFix 11-11-23.03 - Alvin Lau 11/24/2011 9:07.3.8 - x86Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2036.1041 [GMT -8:00]Running from: F:\ComboFix.exeAV: McAfee VirusScan *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}FW: McAfee Personal Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}SP: McAfee VirusScan *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}..((((((((((((((((((((((((( Files Created from 2011-10-24 to 2011-11-24 )))))))))))))))))))))))))))))))..2011-11-24 17:12 . 2011-11-24 17:12 -------- d-----w- c:\users\Public\AppData\Local\temp2011-11-24 17:12 . 2011-11-24 17:12 -------- d-----w- c:\users\Default\AppData\Local\temp2011-11-24 17:12 . 2011-11-24 17:12 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp2011-11-23 04:16 . 2011-11-24 17:12 -------- d-----w- c:\users\Alvin Lau\AppData\Local\temp2011-11-23 04:03 . 2009-07-13 23:11 53760 ----a-w- c:\windows\system32\drivers\intelppm.sys2011-11-09 04:24 . 2011-09-29 15:43 1285488 ----a-w- c:\windows\system32\drivers\tcpip.sys2011-11-09 04:23 . 2011-10-01 04:43 708608 ----a-w- c:\program files\Common Files\System\wab32.dll2011-11-09 04:23 . 2011-09-29 04:20 2339840 ----a-w- c:\windows\system32\win32k.sys2011-11-05 15:02 . 2011-11-05 15:02 -------- d-----w- c:\users\Alvin Lau\AppData\Roaming\aZZ99hTTXwjCeIB2011-11-05 15:02 . 2011-11-05 15:02 -------- d-----w- c:\users\Alvin Lau\AppData\Roaming\XpppmGG5sQJ6EKf2011-11-05 15:02 . 2011-11-05 15:02 -------- d-----w- c:\users\Alvin Lau\AppData\Roaming\cBBBrzzPN2011-11-05 15:01 . 2011-11-09 15:02 -------- d-----w- c:\users\Alvin Lau\AppData\Roaming\ZVVVellOBtzPyc12011-11-05 15:01 . 2011-11-05 15:01 -------- d-----w- c:\users\Alvin Lau\AppData\Roaming\gIIIVrrlONtx0uS2011-11-05 15:01 . 2011-11-05 15:01 -------- d-----w- c:\users\Alvin Lau\AppData\Roaming\kyyycAA1ivD2nFp2011-10-26 11:54 . 2011-08-15 04:25 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll...(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2011-11-13 21:51 . 2010-02-07 19:01 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe2011-11-13 21:51 . 2010-02-07 19:01 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll2011-10-01 02:59 . 2011-10-13 03:59 1638912 ----a-w- c:\windows\system32\mshtml.tlb2011-09-01 00:00 . 2011-06-02 13:23 22216 ----a-w- c:\windows\system32\drivers\mbam.sys2011-08-27 04:43 . 2011-10-13 04:01 571904 ----a-w- c:\windows\system32\oleaut32.dll2011-08-27 04:43 . 2011-10-13 04:01 233472 ----a-w- c:\windows\system32\oleacc.dll..((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4.[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]2010-09-29 05:44 1400712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712].[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}][HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1][HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}][HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd].[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712].[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}][HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1][HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}][HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd].[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-10-29 7862816]"Ask and Record FLV Service"="c:\program files\Replay Media Catcher\FLVSrvc.exe" [2009-09-22 156672]"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-09-01 1047208].[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNjIwMDAwMzI5LUZMMTArMS1YTzEwKzExLUxJQysyLUNJUCsyLUxTRCsyLUREVCszNjg5NC1ERDEwRisxLVNUMTBGQVBQKzEtRjEwTTEyQU4rMy1GMTBNMTJBKzEtRjEwTTEyQUIrMS1VMTArMS1GMTBNMTJBVEJOKzEtRjEwTTEyQisx∏=90&ver=10.0.1411" [?].c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\utilman.lnk - c:\users\Alvin Lau\AppData\Local\utilman.exe [N/A].[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"ConsentPromptBehaviorAdmin"= 5 (0x5)"ConsentPromptBehaviorUser"= 3 (0x3)"EnableUIADesktopToggle"= 0 (0x0).[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]"aux6"=wdmaud.drv.[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]2009-09-05 09:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe.[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]2010-05-14 19:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe.R1 SASDIFSV;SASDIFSV;c:\users\ALVINL~1\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]R1 SASKUTIL;SASKUTIL;c:\users\ALVINL~1\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]R3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-03-01 183560]R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [2010-03-10 25112]R3 RDID1078;Fantom G;c:\windows\system32\Drivers\rdwm1078.sys [2009-09-18 145792]R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-03 1343400]R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]S3 e1qexpress;Intel® PRO/1000 PCI Express Network Connection Driver Q;c:\windows\system32\DRIVERS\e1q6032.sys [2009-07-13 190464]..[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]WindowsMobile REG_MULTI_SZ wcescomm rapimgrLocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr..------- Supplementary Scan -------.IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.htmlIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000TCP: DhcpNameServer = 192.168.1.1FF - ProfilePath - c:\users\Alvin Lau\AppData\Roaming\Mozilla\Firefox\Profiles\y96fpzoo.default\FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-usFF - prefs.js: browser.startup.homepage - www.google.comFF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}FF - Ext: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - %profile%\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falseFF - user.js: browser.sessionstore.resume_from_crash - falseFF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, true..**************************************************************************.Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.netWindows 6.1.7600 Disk: WDC_WD6400AAKS-41H2B0 rev.07.04C07 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-6 .device: opened successfullyuser: MBR read successfullykernel: MBR read successfullyuser != kernel MBR !!! sectors 1250263695 (+0): user != kernel.**************************************************************************.--------------------- LOCKED REGISTRY KEYS ---------------------.[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]@Denied: (Full) (Everyone).--------------------- DLLs Loaded Under Running Processes ---------------------.- - - - - - - > 'Explorer.exe'(3228)c:\users\Alvin Lau\AppData\Local\FLVService\lib\FLVSrvLib.dll.Completion time: 2011-11-24 09:13:35ComboFix-quarantined-files.txt 2011-11-24 17:13ComboFix2.txt 2011-11-23 04:23ComboFix3.txt 2011-05-10 19:00.Pre-Run: 21,472,272,384 bytes freePost-Run: 21,295,820,800 bytes free.- - End Of File - - 03EEA7414878393224BBCD8399C3E3BEComboFix Log2.txt Link to post Share on other sites More sharing options...
Elise Posted November 24, 2011 ID:497921 Share Posted November 24, 2011 Please restart your computer once, that should resolve the problem. Let me know if connection is back after a restart and how things are running. Link to post Share on other sites More sharing options...
mind5150 Posted November 24, 2011 Author ID:497941 Share Posted November 24, 2011 After restart programs seem to be running as normal, however connection to internet is still not available. Where the signal bars are there is an "!" saying that i have "Limited Access" still. I am currently using another computer to write back as this is the computer that in hooked up to the modem and router. The computer with the issues is connected via wireless router. Can it be some settings or should i change router passwords? Reinstall router? Ran malwarebytes again after restart (quick scan) and under 4 minutes said there was no infection...did not post log, but will do so if asked. Link to post Share on other sites More sharing options...
Elise Posted November 25, 2011 ID:498099 Share Posted November 25, 2011 Can you try to wire your computer to the router and see if it connects that way? By doing so we can determine whether or not the problem is located in the wireless settings. Link to post Share on other sites More sharing options...
mind5150 Posted November 25, 2011 Author ID:498110 Share Posted November 25, 2011 Im working on a tower computer which is in another room of the house and i do not have cables long enough to do that...however every other device in the house seems to be working, my phone, laptop, xbox, and even the tower computer that i'm having the issues with while on snow leopard. I petitioned the computer to have both snow leopard and windows 7...while using windows 7 this is where the problems persists. This is where the malware/ virus was, now it would seem i removed them, i'm still having problems connecting to the internet due to this "limited access" while only on windows 7, all other devices work, i do not think its the router, i think the malware/virus may have changed some of my settings ...any other suggestions? Link to post Share on other sites More sharing options...
Elise Posted November 26, 2011 ID:498297 Share Posted November 26, 2011 Then lets verify all internet related files and services. Please download Farbar Service Scanner and run it on the computer with the issue.Make sure "Include All Files" option remains checked.Press "Scan".It will create a log (FSS.txt) in the same directory the tool is run.Please copy and paste the log to your reply. Link to post Share on other sites More sharing options...
mind5150 Posted November 30, 2011 Author ID:499558 Share Posted November 30, 2011 Hello Elisesorry for the delayed response, below is the txt log from fss...i made sure the include all files was checked off, but the scan took literally less than a few seconds....i dont know if that is how its supposed to work. Anyway here is the log, please take a look and tell me what you think..thanks!Farbar Service Scanner Ran by Alvin Lau (administrator) on 29-11-2011 at 21:14:33Windows 7 Professional (X86)********************************************************Service Check:==============Dhcp Service is not running. Checking service configuration:The start type of Dhcp service is OK.The ImagePath of Dhcp service is OK.The ServiceDll of Dhcp service is OK.Dnscache Service is not running. Checking service configuration:The start type of Dnscache service is OK.The ImagePath of Dnscache service is OK.The ServiceDll of Dnscache service is OK.tdx Service is not running. Checking service configuration:Checking Start type: Attention! Unable to open tdx registry key. The service key does not exist.Checking ImagePath: Attention! Unable to open tdx registry key. The service key does not exist.File Check:===========C:\Windows\system32\svchost.exe => MD5 is legitC:\Windows\system32\rpcss.dll => MD5 is legitC:\Windows\system32\nsisvc.dll => MD5 is legitC:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legitC:\Windows\system32\dhcpcore.dll => MD5 is legitC:\Windows\system32\Drivers\afd.sys[2011-06-15 22:41] - [2011-04-24 18:35] - 0338944 ____A (Microsoft Corporation) 0DB7A48388D54D154EBEC120461A0FCDC:\Windows\system32\Drivers\tdx.sys => MD5 is legitC:\Windows\system32\Drivers\tcpip.sys[2011-11-08 20:24] - [2011-09-29 07:43] - 1285488 ____A (Microsoft Corporation) 56C198AC82EFA622DD93E9E43575F79CC:\Windows\system32\dnsrslvr.dll[2011-04-13 23:02] - [2011-03-02 21:29] - 0132608 ____A (Microsoft Corporation) B15BE77A2BACF9C3177D27518AFE26A9Connection Status:==================Localhost is accessible.LAN connected.Google IP is accessible.Yahoo IP is accessible.**** End of log **** Link to post Share on other sites More sharing options...
Elise Posted November 30, 2011 ID:499577 Share Posted November 30, 2011 That is normal. The scan ran okay and also showed the problem. One of the services required for internet connection has been deleted from the registry and has to be recreated.BACKUP THE REGISTRY---------------------------Backup Your Registry with ERUNTPlease download EruntRun the setup program to install ERUNT on your computerClick Erunt.exe to backup your registry to the folder of your choice.Note: to restore your registry, go to the folder and start ERDNT.exeWe Need to Run a Registry ScriptPress the Windows Logo in the lower left corner of your screen.In the box, enter notepad and press Enter.Highlight the contents of the following codebox, and copy and paste that text into notepad.Windows Registry Editor Version 5.00[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tdx]"DisplayName"="@%SystemRoot%\\system32\\tcpipcfg.dll,-50004""Group"="PNP_TDI""ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\52,00,49,00,56,00,45,00,52,00,53,00,5c,00,74,00,64,00,78,00,2e,00,73,00,79,\00,73,00,00,00"ErrorControl"=dword:00000001"Start"=dword:00000001"Tag"=dword:00000004"Type"=dword:00000001"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00"Description"="@%SystemRoot%\\system32\\tcpipcfg.dll,-50004"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tdx\Enum]"0"="Root\\LEGACY_TDX\\0000""Count"=dword:00000001"NextInstance"=dword:00000001Select File -> Save.Press the Desktop button on the left side of the save dialog.In the box, type in Fix.reg.Press .Close Notepad.Double click on your desktop.Press Yes if prompted by User Account Control.Press Yes, and then Ok, when prompted.Right click on and choose Delete.Press Yes.When done, restart your computer and let me know if the internet is working. Link to post Share on other sites More sharing options...
mind5150 Posted December 5, 2011 Author ID:501431 Share Posted December 5, 2011 Ok, my internet is working now, and everything seems to be working...i had deleted my AVG during this process....what kind of anti virus do you recommend i install? Any good free ones out there? THANK YOU SOOOOOO MUCH ELISE! Link to post Share on other sites More sharing options...
Elise Posted December 5, 2011 ID:501444 Share Posted December 5, 2011 Hi, I'm glad to hear its working fine now! You already have an antivirus installed apparently (McAfee), so if you want to install another one, you'll need to uninstall your current AV. A few good free AVs are Avira Antivir, Avast or Microsoft Security Essentials.P2P WARNING-------------------Going over your logs I noticed that you have BitTorrent installed. Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.It is pretty much certain that if you continue to use P2P programs, you will get infected again.I would recommend that you uninstall BitTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.If you wish to keep it, please do not use it until your computer is cleaned.Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Download the latest version of Java Runtime Environment (JRE) Version 7u1.Look for "JDK 7u1 (JDK or JRE).Click the "Download JRE" button at the right.Read the License Agreement, and then check the box that says: "Accept License Agreement".Select "Windows x86 Offline" and click on jre-7-windows-i586.exe [*]Save it to your desktop[*]Close any programs you may have running - especially your web browser.[*]Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).[*]Reboot your computer once all Java components are removed.[*]Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.Please launch MBAM, update it and run a full scan. Post me the resulting log together with a description of any remaining problem. Link to post Share on other sites More sharing options...
mind5150 Posted December 10, 2011 Author ID:503385 Share Posted December 10, 2011 Hello Elise,I deleted my AVG because there was too much extra stuff going on, installed Microsoft Security Essentials which is less of an annoyance on my computer, also picked up a few threats on my computer so far and claimed removed them. Deleted bit torrent, which i never use and have no clue how it got on here...also downloaded the java update like the one you said to do and follow instructions as per your post. After everything was done, updated malwarebytes and did a full scan...below is the log...please take a look when you have time and let me know what you think. Thank you so much, sorry for the late response by the way...Malwarebytes' Anti-Malware 1.51.2.1300www.malwarebytes.orgDatabase version: 8348Windows 6.1.7600Internet Explorer 8.0.7600.1638512/10/2011 12:26:28 PMmbam-log-2011-12-10 (12-26-28).txtScan type: Full scan (C:\|)Objects scanned: 523541Time elapsed: 1 hour(s), 14 minute(s), 41 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
Elise Posted December 10, 2011 ID:503394 Share Posted December 10, 2011 That looks good, do you have any problem left at this point?Please click Start > All Programs > Windows Update and install all recommended updates including Service Pack 1 for Windows 7.ESET ONLINE SCANNER----------------------------I'd like us to scan your machine with ESET OnlineScanHold down Control and click on this link to open ESET OnlineScan in a new window.Click the button.For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.Double click on the icon on your desktop.Check "YES, I accept the Terms of Use."Click the Start button.Accept any security warnings from your browser.Under scan settings, check "Scan Archives" and "Remove found threats" Click Advanced settings and select the following:Scan potentially unwanted applicationsScan for potentially unsafe applicationsEnable Anti-Stealth technology[*]ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.[*]When the scan completes, click List Threats[*]Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.[*]Click the Back button.[*]Click the Finish button. Link to post Share on other sites More sharing options...
Staff screen317 Posted December 21, 2011 Staff ID:507709 Share Posted December 21, 2011 Are you still with us? This topic will be closed in a few days if we do not hear back from you. Link to post Share on other sites More sharing options...
mind5150 Posted December 31, 2011 Author ID:511781 Share Posted December 31, 2011 Hello, yes im still here...i will do the last steps as soon as i can, i have not been to my computer in a few days because of the holidays...will post latest report soon Link to post Share on other sites More sharing options...
Recommended Posts