
Another Trojan.Dropper.BCMiner and Rootkit.0Access



I recently ran a scan and came across the following guys:

Disabled.Cryptsvc, which I read was not a problem, but a symptom of other problems

Rootkit.Zaccess

Rootkit.0access

Trojan.Dropper.BCMiner

Trojan.Agent.BRVGen

Searching other threads, I went ahead and ran some additional scans.

Attached are the scans from DDS, RogueKiller, and FRST.

From what I have read in a previously resolved thread on this issue, I'll need ComboFix and a text file created specifically for my system to attempt a purge of these bad guys. I'm downloading ComboFix as soon as I'm done posting here.

Thank you in advance for your assistance!

Attach.txt

DDS.txt

FRST.txt

RKreport1.txt

Search.txt


I didn't see an edit option for my first post. My sources are:

http://forums.malwarebytes.org/index.php?showtopic=113756

That's a resolved thread, indicating I will need to run a "Fix" command from FRST before running ComboFix.

http://forums.malwarebytes.org/index.php?showtopic=114358

An open thread which utilizes RogueKiller thus far, but no further instructions.


You have it bad:

¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

MrC


I ran Fix twice - I didn't know that FRST would remove fixlist.txt, so I thought perhaps I forgot to save it to the Flash drive. However, I did view the contents of the initial Fixlog.txt. The two "not found" in the attached file were actually successfully moved.

Should I go forward to run ComboFix after ensuring any anti-virus / blockers are disabled?

Fixlog.txt


Please download and run TDSSKiller to your desktop as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

tdss_1.jpg

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

tdss_2.jpg

------------------------

Click the Start Scan button.

tdss_3.jpg

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

tdss_4.jpg

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

tdss_5.jpg

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC


Run TDSSKiller again and choose Delete for this one only: (no need to post the log)

12:49:44.0640 1608 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user

12:49:44.0640 1608 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

~~~~~~~~~~~~~~~~~~~~~~~~

Then...................

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


I had to reboot once due to the message popup indicating something about illegal operation attempted on registry.

The website will not allow me to attach the log file. Here is a paste:

ComboFix 12-08-16.01 - Andy 08/16/2012 13:32:20.1.2 - x86

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3327.2873 [GMT -5:00]

Running from: c:\users\Andy\Desktop\ComboFix.exe

* Created a new restore point

.

.

((((((((((((((((((((((((( Files Created from 2012-07-16 to 2012-08-16 )))))))))))))))))))))))))))))))

.

.

2012-08-16 17:49 . 2012-08-16 18:26 -------- d-----w- C:\TDSSKiller_Quarantine

2012-08-13 05:06 . 2012-08-13 05:06 -------- d-sh--w- c:\windows\system32\%APPDATA%

2012-08-11 09:25 . 2012-08-11 09:25 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8CABC69B-B23D-439C-AB24-E67D8E2FCE6B}\offreg.dll

2012-08-10 06:52 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8CABC69B-B23D-439C-AB24-E67D8E2FCE6B}\mpengine.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-08-16 17:54 . 2012-08-16 17:54 28460 ----a-w- C:\TDSSKiller.2.8.6.0_16.08.2012_12.45.38_log.zip

2012-08-02 01:43 . 2012-05-07 06:09 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-08-02 01:43 . 2011-05-16 12:42 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-03 18:46 . 2011-06-09 11:26 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-12 02:40 . 2012-07-12 08:01 2345984 ----a-w- c:\windows\system32\win32k.sys

2012-06-06 05:05 . 2012-07-11 08:07 1390080 ----a-w- c:\windows\system32\msxml6.dll

2012-06-06 05:05 . 2012-07-11 08:07 1236992 ----a-w- c:\windows\system32\msxml3.dll

2012-06-06 05:03 . 2012-07-11 08:07 805376 ----a-w- c:\windows\system32\cdosys.dll

2012-06-02 22:19 . 2012-06-24 04:42 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-06-24 04:42 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2012-06-24 04:42 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2012-06-24 04:42 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:19 . 2012-06-24 04:42 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:12 . 2012-06-24 04:42 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:12 . 2012-06-24 04:42 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 20:19 . 2012-06-24 04:41 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 20:12 . 2012-06-24 04:41 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-02 08:33 . 2012-07-12 08:03 1800192 ----a-w- c:\windows\system32\jscript9.dll

2012-06-02 08:25 . 2012-07-12 08:03 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-06-02 08:25 . 2012-07-12 08:02 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-06-02 08:20 . 2012-07-12 08:03 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-06-02 08:16 . 2012-07-12 08:03 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-06-02 04:45 . 2012-07-11 08:07 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-06-02 04:45 . 2012-07-11 08:07 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys

2012-06-02 04:40 . 2012-07-11 08:07 369336 ----a-w- c:\windows\system32\drivers\cng.sys

2012-06-02 04:40 . 2012-07-11 08:07 225280 ----a-w- c:\windows\system32\schannel.dll

2012-06-02 04:39 . 2012-07-11 08:07 219136 ----a-w- c:\windows\system32\ncrypt.dll

2012-05-31 17:25 . 2011-04-30 14:42 237072 ------w- c:\windows\system32\MpSigStub.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Nikon Monitor.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Nikon Monitor.lnk

backup=c:\windows\pss\Nikon Monitor.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^Users^Andy^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]

path=c:\users\Andy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk

backup=c:\windows\pss\OpenOffice.org 3.3.lnk.Startup

backupExtension=.Startup

.

[HKLM\~\startupfolder\C:^Users^Andy^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^WinEQ2.exe - Shortcut.lnk]

path=c:\users\Andy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinEQ2.exe - Shortcut.lnk

backup=c:\windows\pss\WinEQ2.exe - Shortcut.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMD AVT]

start AMD Accelerated Video Transcoding device initialization [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]

2011-08-23 20:03 50592 ----a-w- c:\users\Andy\AppData\Roaming\mjusbsp\cdloader2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]

2010-03-19 00:17 19456 ----a-w- c:\windows\System32\CtHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]

2007-04-09 17:32 19968 ----a-w- c:\windows\System32\Ctxfihlp.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2009-09-24 00:30 173592 ----a-w- c:\windows\System32\hkcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2009-09-24 00:30 141848 ----a-w- c:\windows\System32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]

2012-07-03 18:46 462920 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nikon Message Center 2]

2010-05-26 00:16 619008 ----a-w- c:\program files\Nikon\Nikon Message Center 2\NkMC2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2009-09-24 00:30 150552 ----a-w- c:\windows\System32\igfxpers.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

2012-04-06 06:24 641664 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2012-01-18 19:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]

2011-03-07 13:33 89456 ----a-w- c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

.

R0 jihhnci;jihhnci;c:\windows\System32\drivers\odcvs.sys [x]

R3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [x]

R3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [x]

R3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\System32\drivers\CTERFXFX.SYS [x]

R3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [x]

R3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [x]

R3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\DRIVERS\gan_adapter.sys [x]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

R3 MSICDSetup;MSICDSetup;D:\CDriver.sys [x]

R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]

R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\rtl8187B.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]

R4 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]

R4 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [x]

R4 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [x]

R4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]

R4 MSSQL$SQLSERVER2008ER2;SQL Server (SQLSERVER2008ER2);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLSERVER2008ER2\MSSQL\Binn\sqlservr.exe [x]

R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [x]

R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [x]

R4 RsFx0150;RsFx0150 Driver;c:\windows\system32\DRIVERS\RsFx0150.sys [x]

R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [x]

R4 SQLAgent$SQLSERVER2008ER2;SQL Server Agent (SQLSERVER2008ER2);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLSERVER2008ER2\MSSQL\Binn\SQLAGENT.EXE [x]

R4 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]

S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]

S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [x]

S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\System32\drivers\COMMONFX.SYS [x]

S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\System32\drivers\CTAUDFX.SYS [x]

S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\System32\drivers\CTSBLFX.SYS [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: intuit.com\ttlc

Trusted Zone: soe.com

Trusted Zone: sony.com

TCP: DhcpNameServer = 192.168.10.1

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-33771034.sys

MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe

MSConfigStartUp-hpqSRMon - c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]

@Denied: (2) (LocalSystem)

"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,

1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7

"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,

df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd

"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,

fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17

"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,

b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]

@Denied: (2) (LocalSystem)

"Timestamp"=hex:57,b3,8b,89,7c,c5,cc,01

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\taskhost.exe

c:\windows\system32\conhost.exe

.

**************************************************************************

.

Completion time: 2012-08-16 13:55:36 - machine was rebooted

ComboFix-quarantined-files.txt 2012-08-16 18:55

.

Pre-Run: 128,179,048,448 bytes free

Post-Run: 129,291,276,288 bytes free

.

- - End Of File - - 88D9DBDFC5DF6E8DA0EEAE382CFAF722

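Three things in the ComboFix log above carry most of the defender-relevant information: the UAC policy values (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are all 0, meaning UAC is switched off), the boot-start driver "jihhnci" whose file is named odcvs.sys (the entry MrC's CFScript removes), and a hidden, system-attributed folder literally named %APPDATA% under system32, which does not exist on a clean install. The script below is an added example (not ComboFix's own code and not part of MrC's procedure) that parses those three kinds of log lines and reports them as findings. The reference UAC values are the Windows 7 defaults, the R/S + digit prefix is read in the HijackThis-style convention (R/S = running/stopped, digit = start type, 0 = boot start), the driver and folder rules are heuristics, and the sample log is a constructed excerpt in the shape of the one posted.

```python
"""Triage a ComboFix log excerpt for UAC, driver and hidden-folder findings.
Added example; not ComboFix's own code. The rules below are heuristics."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str  # "uac", "driver" or "path"
    detail: str


# Windows 7 default values for the UAC policy values ComboFix prints under
# ...\policies\system (assumed reference values; 0 means the protection is off).
UAC_EXPECTED = {
    "EnableLUA": 1,                   # 0 = UAC disabled entirely
    "ConsentPromptBehaviorAdmin": 5,  # 0 = elevate silently, never prompt
    "PromptOnSecureDesktop": 1,       # 0 = prompts not isolated on the secure desktop
}

# '"Name"= 0 (0x0)' value lines inside a registry key block
_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>\d+)\s*\(0x[0-9a-fA-F]+\)$')
# 'R0 svc;display;path [x]' driver/service lines (assumed HijackThis-style
# notation: R/S = running/stopped, digit = start type, 0 = boot start)
_DRIVER = re.compile(r'^(?P<start>[RS][0-4]) (?P<svc>[^;]+);(?P<disp>[^;]+);(?P<path>.+?) \[x\]$')
# 'created . modified size attrs path' lines from the "Files Created" section
_FILE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} '
                   r'(?:-+|\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$')

# Constructed sample: a handful of lines in the shape of the log posted above.
SAMPLE_LOG = r"""
2012-08-13 05:06 . 2012-08-13 05:06 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-03 18:46 . 2011-06-09 11:26 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-09-24 00:30 141848 ----a-w- c:\windows\System32\igfxtray.exe
R0 jihhnci;jihhnci;c:\windows\System32\drivers\odcvs.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
"""


def triage(log_text: str) -> list[Finding]:
    """Return the findings for one ComboFix log, in the order encountered."""
    findings: list[Finding] = []
    in_uac_key = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            # Registry key header: note whether we are inside the UAC policy key
            in_uac_key = line.lower().endswith(r"\policies\system]")
            continue
        m = _REG_VALUE.match(line)
        if m and in_uac_key:
            name, value = m["name"], int(m["value"])
            expected = UAC_EXPECTED.get(name)
            if expected is not None and value != expected:
                findings.append(Finding("uac", f"{name}={value} (expected {expected})"))
            continue
        m = _DRIVER.match(line)
        if m:
            # Heuristic: a boot-start driver with no descriptive display name whose
            # service name bears no relation to its file name is worth a look.
            stem = m["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
            boot_start = m["start"][1] == "0"
            nameless = m["svc"] == m["disp"]
            unrelated = m["svc"].lower() != stem
            if boot_start and nameless and unrelated:
                findings.append(Finding("driver", f"{m['svc']} -> {m['path']}"))
            continue
        m = _FILE.match(line)
        if m:
            # Heuristic: a hidden+system directory whose name is a literal,
            # unexpanded %VARIABLE% token does not occur on a clean install.
            attrs, path = m["attrs"], m["path"]
            name = path.rsplit("\\", 1)[-1]
            hidden_system_dir = attrs[0] == "d" and attrs[2] == "s" and attrs[3] == "h"
            literal_env = len(name) > 2 and name.startswith("%") and name.endswith("%")
            if hidden_system_dir and literal_env:
                findings.append(Finding("path", f"{path} attrs={attrs}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.detail}")
```

Run against the sample it reports the %APPDATA% folder, the three UAC values and the jihhnci driver, and nothing for mbam.sys or the Realtek/WiFi drivers. The UAC findings matter independently of the cleanup: with EnableLUA=0 every process the user starts already runs with full administrator rights, so re-enabling UAC after the machine is clean is part of closing the case.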

Using ComboFix again.......

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

File::

c:\windows\System32\drivers\odcvs.sys

Driver::

jihhnci

ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC


Again, the server returned an error during upload (combofixlog2.txt as well as a zipped version)

ComboFix 12-08-16.01 - Andy 08/16/2012 15:15:02.2.2 - x86

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3327.2684 [GMT -5:00]

Running from: c:\users\Andy\Desktop\ComboFix.exe

Command switches used :: c:\users\Andy\Desktop\CFScript.txt

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

FILE ::

"c:\windows\System32\drivers\odcvs.sys"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_jihhnci

.

.

((((((((((((((((((((((((( Files Created from 2012-07-16 to 2012-08-16 )))))))))))))))))))))))))))))))

.

.

2012-08-16 20:25 . 2012-08-16 20:25 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-08-16 20:23 . 2012-08-16 20:23 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8CABC69B-B23D-439C-AB24-E67D8E2FCE6B}\offreg.dll

2012-08-16 17:49 . 2012-08-16 18:26 -------- d-----w- C:\TDSSKiller_Quarantine

2012-08-13 05:06 . 2012-08-13 05:06 -------- d-sh--w- c:\windows\system32\%APPDATA%

2012-08-10 06:52 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8CABC69B-B23D-439C-AB24-E67D8E2FCE6B}\mpengine.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-08-16 17:54 . 2012-08-16 17:54 28460 ----a-w- C:\TDSSKiller.2.8.6.0_16.08.2012_12.45.38_log.zip

2012-08-02 01:43 . 2012-05-07 06:09 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-08-02 01:43 . 2011-05-16 12:42 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-03 18:46 . 2011-06-09 11:26 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-12 02:40 . 2012-07-12 08:01 2345984 ----a-w- c:\windows\system32\win32k.sys

2012-06-06 05:05 . 2012-07-11 08:07 1390080 ----a-w- c:\windows\system32\msxml6.dll

2012-06-06 05:05 . 2012-07-11 08:07 1236992 ----a-w- c:\windows\system32\msxml3.dll

2012-06-06 05:03 . 2012-07-11 08:07 805376 ----a-w- c:\windows\system32\cdosys.dll

2012-06-02 22:19 . 2012-06-24 04:42 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-06-24 04:42 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2012-06-24 04:42 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2012-06-24 04:42 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:19 . 2012-06-24 04:42 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:12 . 2012-06-24 04:42 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:12 . 2012-06-24 04:42 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 20:19 . 2012-06-24 04:41 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 20:12 . 2012-06-24 04:41 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-02 08:33 . 2012-07-12 08:03 1800192 ----a-w- c:\windows\system32\jscript9.dll

2012-06-02 08:25 . 2012-07-12 08:03 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-06-02 08:25 . 2012-07-12 08:02 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-06-02 08:20 . 2012-07-12 08:03 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-06-02 08:16 . 2012-07-12 08:03 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-06-02 04:45 . 2012-07-11 08:07 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-06-02 04:45 . 2012-07-11 08:07 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys

2012-06-02 04:40 . 2012-07-11 08:07 369336 ----a-w- c:\windows\system32\drivers\cng.sys

2012-06-02 04:40 . 2012-07-11 08:07 225280 ----a-w- c:\windows\system32\schannel.dll

2012-06-02 04:39 . 2012-07-11 08:07 219136 ----a-w- c:\windows\system32\ncrypt.dll

2012-05-31 17:25 . 2011-04-30 14:42 237072 ------w- c:\windows\system32\MpSigStub.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Nikon Monitor.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Nikon Monitor.lnk

backup=c:\windows\pss\Nikon Monitor.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^Users^Andy^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]

path=c:\users\Andy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk

backup=c:\windows\pss\OpenOffice.org 3.3.lnk.Startup

backupExtension=.Startup

.

[HKLM\~\startupfolder\C:^Users^Andy^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^WinEQ2.exe - Shortcut.lnk]

path=c:\users\Andy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinEQ2.exe - Shortcut.lnk

backup=c:\windows\pss\WinEQ2.exe - Shortcut.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMD AVT]

start AMD Accelerated Video Transcoding device initialization [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]

2011-08-23 20:03 50592 ----a-w- c:\users\Andy\AppData\Roaming\mjusbsp\cdloader2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]

2010-03-19 00:17 19456 ----a-w- c:\windows\System32\CtHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]

2007-04-09 17:32 19968 ----a-w- c:\windows\System32\Ctxfihlp.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2009-09-24 00:30 173592 ----a-w- c:\windows\System32\hkcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2009-09-24 00:30 141848 ----a-w- c:\windows\System32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]

2012-07-03 18:46 462920 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nikon Message Center 2]

2010-05-26 00:16 619008 ----a-w- c:\program files\Nikon\Nikon Message Center 2\NkMC2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2009-09-24 00:30 150552 ----a-w- c:\windows\System32\igfxpers.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

2012-04-06 06:24 641664 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2012-01-18 19:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]

2011-03-07 13:33 89456 ----a-w- c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

.

R3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [x]

R3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [x]

R3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\System32\drivers\CTERFXFX.SYS [x]

R3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [x]

R3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [x]

R3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\DRIVERS\gan_adapter.sys [x]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

R3 MSICDSetup;MSICDSetup;D:\CDriver.sys [x]

R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]

R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\rtl8187B.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]

R4 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]

R4 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [x]

R4 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [x]

R4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]

R4 MSSQL$SQLSERVER2008ER2;SQL Server (SQLSERVER2008ER2);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLSERVER2008ER2\MSSQL\Binn\sqlservr.exe [x]

R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [x]

R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [x]

R4 RsFx0150;RsFx0150 Driver;c:\windows\system32\DRIVERS\RsFx0150.sys [x]

R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [x]

R4 SQLAgent$SQLSERVER2008ER2;SQL Server Agent (SQLSERVER2008ER2);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLSERVER2008ER2\MSSQL\Binn\SQLAGENT.EXE [x]

R4 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]

S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]

S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [x]

S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\System32\drivers\COMMONFX.SYS [x]

S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\System32\drivers\CTAUDFX.SYS [x]

S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\System32\drivers\CTSBLFX.SYS [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: intuit.com\ttlc

Trusted Zone: soe.com

Trusted Zone: sony.com

TCP: DhcpNameServer = 192.168.10.1

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]

@Denied: (2) (LocalSystem)

"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,

1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7

"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,

df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd

"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,

fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17

"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,

b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]

@Denied: (2) (LocalSystem)

"Timestamp"=hex:57,b3,8b,89,7c,c5,cc,01

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\taskhost.exe

c:\windows\system32\conhost.exe

.

**************************************************************************

.

Completion time: 2012-08-16 16:49:18 - machine was rebooted

ComboFix-quarantined-files.txt 2012-08-16 21:49

ComboFix2.txt 2012-08-16 18:55

.

Pre-Run: 129,362,882,560 bytes free

Post-Run: 129,122,095,104 bytes free

.

- - End Of File - - D9356C2C9D3AD2324D978D96D411A921


The scan completed, but there was a popup from Malwarebytes Anti-Malware:

{OpenEvent} Failed to perform desired action. Error Code: 2

I don't know if it's a problem or a result of other programs starting up after a fresh reboot (a couple auto-updaters started up once they detected Internet access again).

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.16.10

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

Andy :: ANDY-PC [administrator]

Protection: Enabled

8/16/2012 5:50:37 PM

mbam-log-2012-08-16 (17-50-37).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 194584

Time elapsed: 5 minute(s), 57 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Seems OK so far - the web isn't effectively shut down anymore and I haven't gotten any random popups yet. You can probably call this case closed, and I'll reopen it only if I see the symptoms again today or tomorrow. Thanks! Assuming all is well for a couple days, I hope to have a PayPal safely set up so I can contribute to MalwareBytes. Sure beats dropping the PC off at a shop for 3 days only to be charged for a Diag and Format!


OK

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassociates.com/OT-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

