

I am grateful to Malwarebytes for helping me remove the dreaded XP Security 2012 malware. But now I have a new problem with ping.exe.

The following is the DDS log (as requested in other topics on the same problem):

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

C:\WINDOWS\System32\TPHDEXLG.exe

C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe

C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe

c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

c:\program files\lenovo\system update\suservice.exe

C:\Program Files\Common Files\Lenovo\Logger\logmon.exe

C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\IObit\Advanced SystemCare 4\PMonitor.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe

C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\system32\TpShocks.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\Program Files\Lenovo\AwayTask\AwaySch.EXE

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\Program Files\Apoint2K\ApMsgFwd.exe

C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

C:\Program Files\Lenovo\Client Security Solution\cssauth.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe

C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Ruth\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

C:\PROGRA~1\RINGCE~1\EXTREM~1\RCHotKey.exe

C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe

C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe

C:\Program Files\OLYMPUS\DeviceDetector\DeviceDetector4.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Ruth\Application Data\Dropbox\bin\Dropbox.exe

C:\Program Files\Stickies\stickies.exe

C:\Program Files\Common Files\Olympus Shared\DeviceManager\olydvrsv.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\IObit\Advanced SystemCare 4\ASC.exe

C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgr.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE

C:\Program Files\Intuit\QuickBooks 2006\qbw32.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe

C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

C:\program files\real\realplayer\update\realsched.exe

C:\Program Files\McAfee Security Scan\2.0.181\McUICnt.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\System32\vssvc.exe

C:\WINDOWS\system32\dllhost.exe

c:\program files\real\realplayer\RealPlay.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Documents and Settings\Ruth\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\System32\ping.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = https://mail.google.com/mail/?nsr=1&zx=16y8mxrpwu87e&shva=1#inbox/122194e61f7a112c

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111127040301.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll

BHO: 1 (0x1) - No File

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll

TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [sansaDispatch] c:\documents and settings\ruth\application data\sandisk\sansa updater\SansaDispatch.exe

uRun: [RCUI] "c:\progra~1\ringce~1\extrem~1\RCUI.exe"

uRun: [RCHotKey] "c:\progra~1\ringce~1\extrem~1\RCHotKey.exe"

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [Advanced SystemCare 4] c:\program files\iobit\advanced systemcare 4\ASCTray.exe

uRun: [eFax 4.4] "c:\program files\efax messenger 4.4\J2GDllCmd.exe" /R

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

mRun: [bLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog

mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r

mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe

mRun: [Apoint] c:\program files\apoint2k\Apoint.exe

mRun: [TpShocks] TpShocks.exe

mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE

mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe

mRun: [AMSG] c:\progra~1\thinkv~1\amsg\amsg.exe

mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"

mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking10\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking10\Ereg.ini

mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\ruth\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\ruth\application data\dropbox\bin\Dropbox.exe

StartupFolder: c:\docume~1\ruth\startm~1\programs\startup\stickies.lnk - c:\program files\stickies\stickies.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DeviceDetector4.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\direct~1.lnk - c:\program files\olympus\directrecconfig\DirectrecConfigurationTool.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

LSP: mswsock.dll

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: plugnpay.com\pay1

Trusted Zone: turbotax.com

DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab

DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - hxxp://eversave.coupons.smartsource.com/download/cscmv5X.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 167.206.245.130 167.206.245.129

TCP: Interfaces\{13D67543-108B-439E-B492-62DEECA9E238} : DhcpNameServer = 167.206.245.130 167.206.245.129

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: ACNotify - ACNotify.dll

Notify: igfxcui - igfxdev.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

Notify: psfus - c:\windows\system32\psqlpwd.dll

Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll

Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

LSA: Notification Packages = scecli ACGina psqlpwd

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\ruth\application data\mozilla\firefox\profiles\fsykfz6r.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxps://mail.google.com/mail/?nsr=1&zx=16y8mxrpwu87e&shva=1#inbox/122194e61f7a112c

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\documents and settings\ruth\application data\move networks\plugins\npqmp071505000011.dll

FF - plugin: c:\documents and settings\ruth\application data\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\ruth\application data\mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPCltInstall.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 464176]

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-14 89792]

R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-8-1 353168]

R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2010-10-22 386560]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2010-10-14 10384]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-21 366152]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-9-17 94880]

R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-4-14 214904]

R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-4-14 214904]

R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-4-14 214904]

R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-14 166288]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-14 160608]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-14 150856]

R2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2007-3-15 11152]

R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-2-8 569344]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-14 57600]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-21 22216]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-9-17 180816]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-9-17 59456]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-14 338176]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-14 83856]

R3 Olympus DVR Service;Olympus DVR Service;c:\program files\common files\olympus shared\devicemanager\olydvrsv.exe [2010-5-14 176128]

R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-5-22 30336]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-3-17 133104]

S2 gupdate1c9a76e93a70c;Google Update Service (gupdate1c9a76e93a70c);c:\program files\google\update\GoogleUpdate.exe [2009-3-17 133104]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-3-17 133104]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-14 83856]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-14 87656]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-9-17 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-9-17 40552]

S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2011-12-20 50704]

.

=============== Created Last 30 ================

.

2011-12-21 23:41:11 -------- d---a-w- c:\documents and settings\ruth\application data\WinPatrol

2011-12-21 23:40:43 -------- d-----w- c:\program files\BillP Studios

2011-12-21 23:40:42 -------- d---a-w- c:\documents and settings\all users\application data\InstallMate

2011-12-21 21:13:57 -------- d---a-w- c:\documents and settings\ruth\application data\Malwarebytes

2011-12-21 21:13:48 -------- d---a-w- c:\documents and settings\all users\application data\Malwarebytes

2011-12-21 21:13:42 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-12-21 21:13:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-12-21 20:42:42 -------- d---a-w- c:\documents and settings\all users\application data\Spybot - Search & Destroy

2011-12-21 20:42:42 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-12-20 13:14:31 50704 ----a-w- c:\windows\system32\drivers\npf.sys

2011-12-20 13:14:31 281104 ----a-w- c:\windows\system32\wpcap.dll

2011-12-20 13:14:31 100880 ----a-w- c:\windows\system32\Packet.dll

.

==================== Find3M ====================

.

2011-10-15 18:16:16 9608 ------w- c:\windows\system32\drivers\mfeclnk.sys

2011-10-15 18:16:16 89792 ------w- c:\windows\system32\drivers\mfetdi2k.sys

2011-10-15 18:16:16 87656 ------w- c:\windows\system32\drivers\mferkdet.sys

2011-10-15 18:16:16 83856 ------w- c:\windows\system32\drivers\mfendisk.sys

2011-10-15 18:16:16 59456 ------w- c:\windows\system32\drivers\mfebopk.sys

2011-10-15 18:16:16 57600 ------w- c:\windows\system32\drivers\cfwids.sys

2011-10-15 18:16:16 464176 ------w- c:\windows\system32\drivers\mfehidk.sys

2011-10-15 18:16:16 338176 ------w- c:\windows\system32\drivers\mfefirek.sys

2011-10-15 18:16:16 180816 ------w- c:\windows\system32\drivers\mfeavfk.sys

2011-10-15 18:16:16 121256 ------w- c:\windows\system32\drivers\mfeapfk.sys

.

============= FINISH: 22:35:47.25 ===============

THANK YOU SO MUCH!!!!!


Welcome to the forum.

-----------------------

Under Vista/Seven, right click -> Run as Administrator for .exes

Download and run RogueKiller:

http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe

Choose 1 and scan the system, post the log.

-------------------

Please download Farbar Service Scanner and run it on the computer with the issue.


  • Make sure the following options are checked:

    • Internet Services
    • Windows Firewall
    • System Restore

  • Press "Scan".

  • It will create a log (FSS.txt) in the same directory the tool is run.

  • Please copy and paste the log to your reply.

MrC


Rogue Killer report:

RogueKiller V6.2.0 [12/12/2011] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: Ruth [Admin rights]

Mode: Scan -- Date : 12/25/2011 14:33:32

¤¤¤ Bad processes: 1 ¤¤¤

[sUSP PATH] SansaDispatch.exe -- C:\Documents and Settings\Ruth\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 3 ¤¤¤

[sUSP PATH] HKCU\[...]\Run : SansaDispatch (C:\Documents and Settings\Ruth\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe) -> FOUND

[sUSP PATH] HKUS\S-1-5-21-171955559-3721051965-838984480-1008[...]\Run : SansaDispatch (C:\Documents and Settings\Ruth\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

[ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

::1 localhost

¤¤¤ MBR Check: ¤¤¤

--- User ---

[MBR] d741225d3e0d530eb561a3ceaaaecacc

[bSP] e9982fde3a3dceda53b475cf67bff373 : MBR Code unknown

Partition table:

0 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 63 | Size: 152839 Mo

1 - [XXXXXX] UNKNW [HIDDEN!] Offset (sectors): 298514160 | Size: 7199 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt

------------------------------------------------------------------------------------------------------------

Farbar Service Scanner Report:

Farbar Service Scanner

Ran by Ruth (administrator) on 25-12-2011 at 14:34:35

Microsoft Windows XP Professional Service Pack 3 (X86)

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Yahoo IP is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit

C:\WINDOWS\system32\netman.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\srsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

=======

AegisP(8) Gpc(6) IPSec(4) mfetdi2k(11) NetBT(5) PSched(7) Tcpip(3) TVTPktFilter(9)

0x0B000000040000000100000002000000030000000B0000000A0000000500000006000000070000000800000009000000

**** End of log ****

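The [SUSP PATH] findings in the RogueKiller report above rest on one heuristic: an executable running from a location that an unprivileged user can write to. The Python script below is an added example, not RogueKiller's or DDS's own code, that applies that heuristic to a few running-process lines copied from the DDS log earlier in the thread (a constructed sample, not a live system). The directory markers and the "transient tool resident" category (flagging a normally short-lived tool such as ping.exe that stays in the process list) are my own assumptions; per-user installers such as Dropbox legitimately live under Application Data, so a hit is a prompt to verify the file, not a verdict.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: a few running-process lines copied from the DDS log
# posted above. DDS prints the image path first, then any command-line arguments.
SAMPLE_PROCESSES = r"""
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Documents and Settings\Ruth\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Documents and Settings\Ruth\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Documents and Settings\Ruth\Application Data\Dropbox\bin\Dropbox.exe
C:\WINDOWS\System32\ping.exe
"""

# Assumed heuristic: directory fragments (lower-case, Windows XP layout) that a
# non-admin user can write to. Per-user installers such as Dropbox legitimately
# live here, but so does most commodity malware, because no elevation is needed
# to drop a file there. A hit means "verify this file", not "this is malware".
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")

# Assumed heuristic: Windows tools that normally exit within seconds. One that
# stays resident in a process list is worth a second look (the thread above is
# about exactly such a ping.exe).
TRANSIENT_SYSTEM_TOOLS = {"ping.exe"}

# Image path ends at the first ".exe" (any case); the rest of the line is arguments.
_LINE_RE = re.compile(r"(?i)^(.+?\.exe)\s*(.*)$")


def parse_dds_processes(text):
    """Return a list of (image_path, arguments) tuples from DDS process lines."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def classify(image_path):
    """Label one image path with the first heuristic it trips, or 'ok'."""
    lowered = image_path.lower()
    if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
        return "user-writable path"
    if PureWindowsPath(image_path).name.lower() in TRANSIENT_SYSTEM_TOOLS:
        return "transient tool resident"
    return "ok"


def triage(text):
    """Map every image path in a DDS process list to its classification."""
    return {path: classify(path) for path, _args in parse_dds_processes(text)}


def flagged(text):
    """Only the entries that tripped a heuristic, in log order."""
    return [(path, label) for path, label in triage(text).items() if label != "ok"]


if __name__ == "__main__":
    for path, label in flagged(SAMPLE_PROCESSES):
        print(f"{label:24} {path}")
```

Run against the sample, the script flags the three Application Data executables (including SansaDispatch.exe, the one RogueKiller killed) and the resident ping.exe, and passes svchost.exe and mbamgui.exe. The next step for each flagged file is the one the helpers in this thread take: check its publisher signature and hash, then decide.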

Logs follow. However, now I cannot run Malwarebytes. I get the following error:

PROGRAM_ERROR_LOAD_DATABASE (2, 2, CreateSDK)

Webroot AntiZeroAccess 0.8 Log File

Execution time: 26/12/2011 - 12:02

Host operation System: Windows Xp X86 version 5.1.2600 Service Pack 3

12:02:06 - CheckSystem - Begin to check system...

12:02:06 - OpenRootDrive - Opening system root volume and physical drive....

12:02:06 - C Root Drive: Disk number: 0 Start sector: 0x0000003F Partition Size: 0x11CAF6B1 sectors.

12:02:06 - PrevX Main driver extracted in "C:\WINDOWS\system32\drivers\ZeroAccess.sys".

12:02:06 - InstallAndStartDriver - Main driver was installed and now is running.

12:02:06 - CheckSystem - Warning! Disk class driver is INFECTED.

12:02:06 - CheckFile - Internal consistence error: Sector buffer is not of a PE file!

12:02:09 - CheckFile - Unable to send IOCTL_VOLUME_LOGICAL_TO_PHYSICAL to system root volume object. DeviceIoControl last error: 87

12:02:09 - CheckFile - Unable to send IOCTL_VOLUME_LOGICAL_TO_PHYSICAL to system root volume object. DeviceIoControl last error: 87

12:02:10 - CheckFile - Internal consistence error: Sector buffer is not of a PE file!

12:02:10 - CheckFile - Internal consistence error: Sector buffer is not of a PE file!

12:02:10 - CheckFile - Unable to send IOCTL_VOLUME_LOGICAL_TO_PHYSICAL to system root volume object. DeviceIoControl last error: 87

12:02:10 - CheckFile - Internal consistence error: Sector buffer is not of a PE file!

12:02:11 - CheckFile - Internal consistence error: Sector buffer is not of a PE file!

12:02:11 - CheckFile - Internal consistence error: Sector buffer is not of a PE file!

12:02:12 - CheckFile - Unable to send IOCTL_VOLUME_LOGICAL_TO_PHYSICAL to system root volume object. DeviceIoControl last error: 87

12:02:14 - CheckFile - Internal consistence error: Sector buffer is not of a PE file!

12:02:16 - CheckFile - Warning! File "mrxsmb.sys" is Infected by ZeroAccess Rootkit.

12:02:17 - CheckFile - Internal consistence error: Sector buffer is not of a PE file!

12:02:17 - CheckFile - Unable to send IOCTL_VOLUME_LOGICAL_TO_PHYSICAL to system root volume object. DeviceIoControl last error: 87

12:02:17 - CheckFile - Unable to send IOCTL_VOLUME_LOGICAL_TO_PHYSICAL to system root volume object. DeviceIoControl last error: 87

12:02:19 - CheckFile - Unable to send IOCTL_VOLUME_LOGICAL_TO_PHYSICAL to system root volume object. DeviceIoControl last error: 87

12:02:19 - CheckFile - Internal consistence error: Sector buffer is not of a PE file!

12:02:19 - CheckFile - Internal consistence error: Sector buffer is not of a PE file!

12:02:20 - CheckFile - Unable to send IOCTL_VOLUME_LOGICAL_TO_PHYSICAL to system root volume object. DeviceIoControl last error: 87

12:02:20 - CheckFile - Unable to send IOCTL_VOLUME_LOGICAL_TO_PHYSICAL to system root volume object. DeviceIoControl last error: 87

12:02:20 - CheckFile - Unable to send IOCTL_VOLUME_LOGICAL_TO_PHYSICAL to system root volume object. DeviceIoControl last error: 87

12:02:20 - CheckFile - Unable to send FSCTL_GET_RETRIEVAL_POINTERS to file object. DeviceIoControl last error: 234

12:02:21 - CheckFile - Unable to send IOCTL_VOLUME_LOGICAL_TO_PHYSICAL to system root volume object. DeviceIoControl last error: 87

12:02:22 - CheckFile - Unable to send IOCTL_VOLUME_LOGICAL_TO_PHYSICAL to system root volume object. DeviceIoControl last error: 87

12:02:23 - CheckFile - Unable to send IOCTL_VOLUME_LOGICAL_TO_PHYSICAL to system root volume object. DeviceIoControl last error: 87

12:02:40 - CheckExecutableEP - Unable to open "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" file. CreateFile last error: 32

12:02:40 - CheckExecutableEP - Unable to open "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" file. CreateFile last error: 32

12:02:40 - CheckExecutableEP - Unable to open "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" file. CreateFile last error: 32

12:02:40 - CheckExecutableEP - Unable to open "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" file. CreateFile last error: 32

12:02:40 - CheckExecutableEP - Unable to open "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" file. CreateFile last error: 32

12:02:46 - DoRepair - Begin to perform system repair....

12:02:46 - DoRepair - System Disk class driver was repaired.

12:02:46 - DoRepair - Infected "mrxsmb.sys" file was renamed.

12:02:46 - DoRepair - Infected "mrxsmb.sys" file was successfully cleaned!

12:02:47 - DoRepair - "desktop.ini" ZeroAccess file NOT found.

12:02:47 - StopAndRemoveDriver - AntiZeroAccess Driver is stopped and removed.

12:02:47 - StopAndRemoveDriver - File "ZeroAccess.sys" was deleted!

12:02:47 - Execution Ended!

Webroot AntiZeroAccess 0.8 Log File

Execution time: 26/12/2011 - 12:03

Host operation System: Windows Xp X86 version 5.1.2600 Service Pack 3

12:03:25 - CheckSystem - Begin to check system...

12:03:25 - OpenRootDrive - Opening system root volume and physical drive....

12:03:25 - C Root Drive: Disk number: 0 Start sector: 0x0000003F Partition Size: 0x11CAF6B1 sectors.

12:03:25 - InstallAndStartDriver - Unable to start AntiZeroAccess driver. StartService last error: 1058

12:03:25 - CheckFile - Internal consistence error: Sector buffer is not of a PE file!

12:03:26 - CheckFile - Unable to send IOCTL_VOLUME_LOGICAL_TO_PHYSICAL to system root volume object. DeviceIoControl last error: 87

12:03:26 - CheckFile - Unable to send IOCTL_VOLUME_LOGICAL_TO_PHYSICAL to system root volume object. DeviceIoControl last error: 87

12:03:26 - CheckFile - Internal consistence error: Sector buffer is not of a PE file!

12:03:26 - CheckFile - Internal consistence error: Sector buffer is not of a PE file!

12:03:27 - CheckFile - Unable to send IOCTL_VOLUME_LOGICAL_TO_PHYSICAL to system root volume object. DeviceIoControl last error: 87

12:03:27 - CheckFile - Internal consistence error: Sector buffer is not of a PE file!

12:03:27 - CheckFile - Internal consistence error: Sector buffer is not of a PE file!

12:03:27 - CheckFile - Internal consistence error: Sector buffer is not of a PE file!

12:03:27 - CheckFile - Unable to send IOCTL_VOLUME_LOGICAL_TO_PHYSICAL to system root volume object. DeviceIoControl last error: 87

12:03:28 - CheckFile - Internal consistence error: Sector buffer is not of a PE file!

12:03:29 - CheckFile - Internal consistence error: Sector buffer is not of a PE file!

12:03:29 - CheckFile - Unable to send IOCTL_VOLUME_LOGICAL_TO_PHYSICAL to system root volume object. DeviceIoControl last error: 87

12:03:29 - CheckFile - Unable to send IOCTL_VOLUME_LOGICAL_TO_PHYSICAL to system root volume object. DeviceIoControl last error: 87

12:03:29 - CheckFile - Unable to send IOCTL_VOLUME_LOGICAL_TO_PHYSICAL to system root volume object. DeviceIoControl last error: 87

12:03:30 - CheckFile - Internal consistence error: Sector buffer is not of a PE file!

12:03:30 - CheckFile - Internal consistence error: Sector buffer is not of a PE file!

12:03:30 - CheckFile - Unable to send IOCTL_VOLUME_LOGICAL_TO_PHYSICAL to system root volume object. DeviceIoControl last error: 87

12:03:30 - CheckFile - Unable to send IOCTL_VOLUME_LOGICAL_TO_PHYSICAL to system root volume object. DeviceIoControl last error: 87

12:03:30 - CheckFile - Unable to send IOCTL_VOLUME_LOGICAL_TO_PHYSICAL to system root volume object. DeviceIoControl last error: 87

12:03:30 - CheckFile - Unable to send FSCTL_GET_RETRIEVAL_POINTERS to file object. DeviceIoControl last error: 234

12:03:31 - CheckFile - Unable to send IOCTL_VOLUME_LOGICAL_TO_PHYSICAL to system root volume object. DeviceIoControl last error: 87

12:03:31 - CheckFile - Unable to send IOCTL_VOLUME_LOGICAL_TO_PHYSICAL to system root volume object. DeviceIoControl last error: 87

12:03:32 - CheckFile - Unable to send IOCTL_VOLUME_LOGICAL_TO_PHYSICAL to system root volume object. DeviceIoControl last error: 87

12:03:32 - StopAndRemoveDriver - AntiZeroAccess Driver is stopped and removed.

12:03:32 - Execution Ended!


This is a nasty rootkit...let's see what we can do.

Download ComboFix but before you save it...rename it to sega.com

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Click Start --> Run, and enter this command exactly as shown:

"%userprofile%\desktop\sega.com" /killall /nombr

ComboFix should now run, give it a half hour or so if there's no activity....stop it and reboot.

ComboFix creates a restore point just before it runs, so if anything goes wrong you can restore the computer back to before it ran.

Let me know, MrC


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

