Problems with Trojan.Agent.Nix


Hello,

My machine has been running slowly. I ran MBAM and it came back with one file for Trojan.Agent.Nix and deleted it. I continue to have issues. All help is greatly appreciated. Here are my logs:

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.10.2

Run by Sean at 9:18:51 on 2013-01-05

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2911.1850 [GMT -7:00]

.

AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *Enabled*

.

============== Running Processes ================

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\UnsignedThemesSvc.exe

C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Program Files\Java\jre7\bin\jqs.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\WINDOWS\system32\igfxext.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Sony\VAIO Power Management\SPMgr.exe

C:\Program Files\Sony\VAIO Mode Switch\VMSwitch.exe

C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe

C:\Program Files\Sony\ISB Utility\ISBMgr.exe

C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe

C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Ask.com\Updater\Updater.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k imgsvc

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.sony.com/vaiopeople

uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll

BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll

TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Advanced SystemCare 4] "c:\program files\iobit\advanced systemcare 4\ASCTray.exe"

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [Alcmtr] ALCMTR.EXE

mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe

mRun: [sonyPowerCfg] "c:\program files\sony\vaio power management\SPMgr.exe"

mRun: [VMSwitch] "c:\program files\sony\vaio mode switch\VMSwitch.exe"

mRun: [switcher.exe] "c:\program files\sony\wireless switch setting utility\Switcher.exe"

mRun: [iSBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"

mRun: [intelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:8

mPolicies-Explorer: NoDriveTypeAutoRun = dword:8

mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1

mPolicies-Explorer: NoDriveTypeAutoRun = dword:145

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

.

INFO: HKCU has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1330379357604

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1330450271265

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab

TCP: NameServer = 192.168.0.1

TCP: Interfaces\{3A2311CE-9425-4304-A2A7-3E2C8375C02A} : DHCPNameServer = 192.168.0.1

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxdev.dll

Notify: VESWinlogon - VESWinlogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\sean\application data\mozilla\firefox\profiles\37abi1vi.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=ORJ&o=&locale=&apn_uid=27D92EA7-30B7-45D9-A375-4844EB6ED8F5&apn_ptnrs=TV&apn_sauid=65EBD9D7-F1BC-49A7-A9CE-5FB65ED896A3&apn_dtid=OSJ000YYUS&&q=

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll

FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_135.dll

FF - ExtSQL: 2013-01-04 15:26; toolbar@ask.com; c:\documents and settings\sean\application data\mozilla\firefox\profiles\37abi1vi.default\extensions\toolbar@ask.com

.

============= SERVICES / DRIVERS ===============

.

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [2008-7-29 22560]

R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2012-2-27 353168]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-9-17 2477304]

R2 UnsignedThemes;Unsigned Themes;c:\windows\UnsignedThemesSvc.exe [2009-7-13 21096]

R2 uxpatch;uxpatch;c:\windows\system32\drivers\uxpatch.sys [2009-7-13 25448]

R3 5U875UVC;Sony Visual Communication Camera;c:\windows\system32\drivers\5U875.sys [2008-7-29 71296]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-8-31 106656]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-7-29 41216]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-1-5 40776]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20130103.003\NAVENG.SYS [2013-1-3 92704]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20130103.003\NAVEX15.SYS [2013-1-3 1601184]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-14 23888]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-7-29 14336]

.

=============== Created Last 30 ================

.

2013-01-05 00:13:15 -------- d-----w- c:\documents and settings\sean\application data\Malwarebytes

2013-01-05 00:13:07 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2013-01-05 00:13:06 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-01-05 00:13:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2013-01-04 22:26:09 -------- d-----w- c:\program files\Ask.com

2013-01-04 22:26:06 -------- d-----w- c:\documents and settings\sean\local settings\application data\AskToolbar

2013-01-04 22:24:38 143872 ----a-w- c:\windows\system32\javacpl.cpl

2013-01-04 22:24:31 93640 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2013-01-04 22:15:57 -------- d-----w- c:\documents and settings\all users\application data\Ask

2012-12-10 00:02:21 -------- d-----w- c:\documents and settings\sean\application data\AC3Filter

.

==================== Find3M ====================

.

2013-01-04 22:24:12 779704 ----a-w- c:\windows\system32\deployJava1.dll

2013-01-04 22:20:43 859072 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-12-12 03:20:23 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-12-12 03:20:23 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-11-08 23:27:14 174056 ----a-w- c:\windows\system32\drivers\wpshelper.sys

.

============= FINISH: 9:19:24.32 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 2/27/2012 2:41:23 PM

System Uptime: 1/5/2013 9:04:28 AM (0 hours ago)

.

Motherboard: Sony Corporation | | VAIO

Processor: Intel Pentium III Xeon processor | N/A | 2259/266mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 149 GiB total, 25.134 GiB free.

D: is Removable

E: is Removable

F: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP100: 10/7/2012 10:07:05 AM - System Checkpoint

RP101: 10/9/2012 4:01:27 PM - System Checkpoint

RP102: 10/10/2012 8:31:02 PM - System Checkpoint

RP103: 10/12/2012 5:29:18 PM - System Checkpoint

RP104: 10/13/2012 8:55:34 PM - System Checkpoint

RP105: 10/14/2012 9:31:19 PM - System Checkpoint

RP106: 10/16/2012 3:59:17 PM - System Checkpoint

RP107: 10/17/2012 4:14:47 PM - System Checkpoint

RP108: 10/18/2012 6:44:41 PM - System Checkpoint

RP109: 10/20/2012 1:49:40 PM - System Checkpoint

RP110: 10/21/2012 2:30:11 PM - System Checkpoint

RP111: 10/22/2012 7:53:22 PM - System Checkpoint

RP112: 10/25/2012 6:19:35 PM - System Checkpoint

RP113: 10/26/2012 7:52:49 PM - System Checkpoint

RP114: 10/28/2012 8:48:46 AM - System Checkpoint

RP115: 10/29/2012 9:28:26 AM - System Checkpoint

RP116: 10/30/2012 4:54:26 PM - System Checkpoint

RP117: 10/31/2012 6:27:32 PM - System Checkpoint

RP118: 11/1/2012 6:57:25 PM - System Checkpoint

RP119: 11/2/2012 7:24:22 PM - System Checkpoint

RP120: 11/3/2012 7:11:32 PM - System Checkpoint

RP121: 11/6/2012 5:49:27 PM - System Checkpoint

RP122: 11/7/2012 5:59:05 PM - System Checkpoint

RP123: 11/8/2012 6:17:23 PM - System Checkpoint

RP124: 11/11/2012 8:13:48 AM - System Checkpoint

RP125: 11/13/2012 3:51:49 PM - System Checkpoint

RP126: 11/14/2012 4:11:49 PM - System Checkpoint

RP127: 11/15/2012 4:33:24 PM - System Checkpoint

RP128: 11/17/2012 11:35:07 AM - System Checkpoint

RP129: 11/22/2012 12:43:58 PM - System Checkpoint

RP130: 11/23/2012 1:24:36 PM - System Checkpoint

RP131: 11/24/2012 2:24:37 PM - System Checkpoint

RP132: 11/25/2012 3:25:41 PM - System Checkpoint

RP133: 11/26/2012 4:25:42 PM - System Checkpoint

RP134: 11/27/2012 5:44:01 PM - System Checkpoint

RP135: 11/29/2012 4:35:13 PM - System Checkpoint

RP136: 11/30/2012 4:47:00 PM - System Checkpoint

RP137: 12/2/2012 9:25:06 AM - System Checkpoint

RP138: 12/3/2012 7:27:47 PM - System Checkpoint

RP139: 12/4/2012 7:43:08 PM - System Checkpoint

RP140: 12/6/2012 3:38:05 PM - System Checkpoint

RP141: 12/7/2012 4:17:34 PM - System Checkpoint

RP142: 12/8/2012 4:58:33 PM - System Checkpoint

RP143: 12/9/2012 5:01:39 PM - System Checkpoint

RP144: 12/10/2012 5:12:40 PM - System Checkpoint

RP145: 12/11/2012 6:23:09 PM - System Checkpoint

RP146: 12/15/2012 10:16:16 AM - System Checkpoint

RP147: 12/16/2012 10:47:26 AM - System Checkpoint

RP148: 12/17/2012 10:54:03 AM - System Checkpoint

RP149: 12/18/2012 6:43:06 PM - System Checkpoint

RP150: 12/19/2012 7:09:21 PM - System Checkpoint

RP151: 12/20/2012 7:47:58 PM - System Checkpoint

RP152: 12/21/2012 8:09:21 PM - System Checkpoint

RP153: 12/22/2012 9:09:21 PM - System Checkpoint

RP154: 12/23/2012 9:10:20 PM - System Checkpoint

RP155: 12/24/2012 10:09:08 PM - System Checkpoint

RP156: 12/25/2012 11:09:08 PM - System Checkpoint

RP157: 12/27/2012 12:09:08 AM - System Checkpoint

RP158: 12/28/2012 1:09:08 AM - System Checkpoint

RP159: 12/29/2012 2:15:48 AM - System Checkpoint

RP160: 12/30/2012 2:23:38 AM - System Checkpoint

RP161: 12/31/2012 3:09:08 AM - System Checkpoint

RP162: 1/1/2013 4:09:08 AM - System Checkpoint

RP163: 1/2/2013 5:09:08 AM - System Checkpoint

RP164: 1/3/2013 6:09:09 AM - System Checkpoint

RP165: 1/4/2013 7:09:08 AM - System Checkpoint

RP166: 1/4/2013 3:14:54 PM - Installed Java 7 Update 10

RP167: 1/4/2013 3:17:09 PM - Removed Java 7 Update 7

RP168: 1/4/2013 3:17:30 PM - Installed Java 7 Update 10

RP169: 1/4/2013 3:20:16 PM - Removed Java 7 Update 10

RP170: 1/4/2013 3:20:37 PM - Installed Java 7 Update 10

RP171: 1/4/2013 3:22:43 PM - Removed Java 7 Update 10

RP172: 1/4/2013 3:23:15 PM - Removed JavaFX 2.1.1

RP173: 1/4/2013 3:24:06 PM - Installed Java 7 Update 10

.

==== Installed Programs ======================

.

µTorrent

AC3Filter 2.1a

Adobe Flash Player 11 Plugin

Adobe Flash Player 9 ActiveX

Adobe Reader X (10.1.4)

Advanced SystemCare 4

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Ask Toolbar

Ask Toolbar Updater

ATI - Software Uninstall Utility

ATI Display Driver

Battery Care Function

Bonjour

Combined Community Codec Pack 2011-11-11

Compatibility Pack for the 2007 Office system

DivX Setup

Freenet

HDAUDIO SoftV92 Data Fax Modem with SmartCP

High Definition Audio Driver Package - KB835221

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB2633952)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

HP Officejet 6500 E710a-f Basic Device Software

HP Officejet 6500 E710a-f Help

Intel PROSet Wireless

Intel® Graphics Media Accelerator Driver

Intel® PROSet/Wireless WiFi Software

InterVideo WinDVD for VAIO

ISScript

iTunes

Java 7 Update 10

Java Auto Updater

Juniper Networks Setup Client

Juniper Networks Setup Client Activex Control

Juniper Terminal Services Client

LiveUpdate 3.3 (Symantec Corporation)

Malwarebytes Anti-Malware version 1.70.0.1100

Memory Stick Icon

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2656353)

Microsoft .NET Framework 1.1 Security Update (KB2656370)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Base Smart Card Cryptographic Service Provider Package

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Data Access Components KB870669

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office File Validation Add-In

Microsoft Office Professional Edition 2003

Microsoft SQL Server Native Client

Microsoft SQL Server Setup Support Files (English)

Microsoft SQL Server VSS Writer

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 Redistributable

Mozilla Firefox 17.0.1 (x86 en-US)

Mozilla Maintenance Service

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6.0 Parser

Realtek High Definition Audio Driver

Roxio Central Audio

Roxio Central Copy

Roxio Central Core

Roxio Central Data

Roxio Central Tools

Roxio Easy Media Creator 10 LJ

Roxio Easy Media Creator Home

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft Windows (KB2564958)

Security Update for Step By Step Interactive Training (KB923723)

Security Update for Windows Internet Explorer 7 (KB2544521)

Security Update for Windows Internet Explorer 7 (KB2647516)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2618444)

Security Update for Windows Internet Explorer 8 (KB2647516)

Security Update for Windows Internet Explorer 8 (KB2675157)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2510581)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2544893-v2)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2584146)

Security Update for Windows XP (KB2585542)

Security Update for Windows XP (KB2592799)

Security Update for Windows XP (KB2598479)

Security Update for Windows XP (KB2603381)

Security Update for Windows XP (KB2618451)

Security Update for Windows XP (KB2619339)

Security Update for Windows XP (KB2620712)

Security Update for Windows XP (KB2621440)

Security Update for Windows XP (KB2624667)

Security Update for Windows XP (KB2631813)

Security Update for Windows XP (KB2633171)

Security Update for Windows XP (KB2646524)

Security Update for Windows XP (KB2653956)

Security Update for Windows XP (KB2659262)

Security Update for Windows XP (KB2660465)

Security Update for Windows XP (KB2661637)

Security Update for Windows XP (KB2676562)

Security Update for Windows XP (KB2686509)

Security Update for Windows XP (KB2695962)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982665)

Setting Utility Series

Sony Certificate PCH

Sony Utilities DLL

Sony Visual Communication Camera Ver.6.103.215.0

Symantec Endpoint Protection

Synaptics Pointing Device Driver

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 8 (KB2598845)

Update for Windows Internet Explorer 8 (KB2632503)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2492386)

Update for Windows XP (KB2641690)

Update for Windows XP (KB898461)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

UxStyle Core Beta

VAIO Control Center

VAIO Event Service

VAIO Long Battery Life Wallpaper

VAIO Mode Switch

VAIO Power Management

VAIO Registration

VAIOSurveySA

VC80CRTRedist - 8.0.50727.6195

WebFldrs XP

WIDCOMM Bluetooth Software

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 7

Windows Internet Explorer 7 Multilingual User Interface (MUI)

Windows Internet Explorer 8

Windows Management Framework Core

Windows Media Connect

Windows Media Format 11 runtime

Windows Media Player 11

Windows XP Service Pack 3

WinRAR 4.11 (32-bit)

Wireless Switch Setting Utility

.

==== Event Viewer Messages From Past Week ========

.

1/4/2013 3:12:06 PM, error: DCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.

.

==== End Of File ===========================

Thank you,

Sean Kuhlman

  • Staff

Please run the following:

  • Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool.
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click Scan
    • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
    • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

Thank you for the fast reply. I had to run this in Safe Mode with Networking; I couldn't get it to run otherwise. The requested info follows:

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software

Run date: 2013-01-05 16:28:50

-----------------------------

16:28:50.296 OS Version: Windows 5.1.2600 Service Pack 3

16:28:50.296 Number of processors: 2 586 0x1706

16:28:50.296 ComputerName: PROBLEMBRO UserName: Sean

16:28:55.937 Initialize success

16:33:02.734 AVAST engine defs: 13010501

16:33:13.312 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

16:33:13.328 Disk 0 Vendor: Hitachi_ FB2O Size: 152627MB BusType: 3

16:33:13.328 Disk 1 \Device\Harddisk1\DR2 -> \Device\00000088

16:33:13.343 Disk 1 Vendor: RICOH 01 Size: 152627MB BusType: 0

16:33:13.359 Disk 2 \Device\Harddisk2\DR3 -> \Device\00000084

16:33:13.359 Disk 2 Vendor: RICOH 02 Size: 152627MB BusType: 0

16:33:13.390 Disk 0 MBR read successfully

16:33:13.390 Disk 0 MBR scan

16:33:13.406 Disk 0 Windows XP default MBR code

16:33:13.421 Disk 0 MBR hidden

16:33:13.437 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 152625 MB offset 63

16:33:13.453 Disk 0 scanning sectors +312576705

16:33:13.531 Disk 0 scanning C:\WINDOWS\system32\drivers

16:33:25.343 Service scanning

16:33:49.515 Modules scanning

16:33:55.390 Disk 0 trace - called modules:

16:33:55.421 ntoskrnl.exe CLASSPNP.SYS disk.sys shpf.sys ACPI.sys hal.dll >>UNKNOWN [0x869164b1]<<

16:33:55.453 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aaec748]

16:33:55.484 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> [0x8aaecd10]

16:33:55.515 5 shpf.sys[f78abcdd] -> nt!IofCallDriver -> \Device\0000007d[0x8a560448]

16:33:55.546 7 ACPI.sys[f75ae620] -> nt!IofCallDriver -> [0x8a55f030]

16:33:55.593 \Driver\iaStor[0x8695d860] -> IRP_MJ_CREATE -> 0x869164b1

16:33:56.375 AVAST engine scan C:\WINDOWS

16:34:05.296 AVAST engine scan C:\WINDOWS\system32

16:36:14.781 AVAST engine scan C:\WINDOWS\system32\drivers

16:36:27.125 AVAST engine scan C:\Documents and Settings\Sean

16:43:18.578 AVAST engine scan C:\Documents and Settings\All Users

16:43:39.187 Scan finished successfully

17:00:58.859 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Sean\Desktop\MBR.dat"

17:00:58.875 The log file has been saved successfully to "C:\Documents and Settings\Sean\Desktop\aswMBR.txt"

MBR.zip

  • Staff

Please run the following:

Please download Malwarebytes Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.

Note: Further documentation can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit folder.

Thanks again CatByte.

There were problems the first time I ran it, so I have three logs. Here are all of them:

Malwarebytes Anti-Rootkit 1.01.0.1011

www.malwarebytes.org

Database version: v2013.01.06.01

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)

Internet Explorer 8.0.6001.18702

Sean :: PROBLEMBRO [administrator]

1/5/2013 7:06:20 PM

mbar-log-2013-01-05 (19-06-20).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 26463

Time elapsed: 11 minute(s), 18 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 3

C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Bootstrap_0_0_57_infected.mbam (Rootkit.Pihar.c.MBR) -> Delete on reboot.

C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\MBR_0_infected.mbam (Rootkit.Pihar.c.MBR) -> Delete on reboot.

C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Sector_0_312581556_user.mbam (Forged physical sector) -> Delete on reboot.

(end)

Malwarebytes Anti-Rootkit 1.01.0.1011

www.malwarebytes.org

Database version: v2013.01.06.01

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)

Internet Explorer 8.0.6001.18702

Sean :: PROBLEMBRO [administrator]

1/5/2013 7:21:51 PM

mbar-log-2013-01-05 (19-21-51).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 26453

Time elapsed: 10 minute(s), 31 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

System is currently in a safe mode

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 2.259000 GHz

Memory total: 3052277760, free: 2653655040

------------ Kernel report ------------

01/05/2013 18:54:38

------------ Loaded modules -----------

\WINDOWS\system32\ntoskrnl.exe

\WINDOWS\system32\hal.dll

\WINDOWS\system32\KDCOM.DLL

\WINDOWS\system32\BOOTVID.dll

ACPI.sys

\WINDOWS\system32\DRIVERS\WMILIB.SYS

pci.sys

isapnp.sys

ohci1394.sys

\WINDOWS\system32\DRIVERS\1394BUS.SYS

compbatt.sys

\WINDOWS\system32\DRIVERS\BATTC.SYS

MountMgr.sys

ftdisk.sys

dmload.sys

dmio.sys

PartMgr.sys

ACPIEC.sys

\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS

VolSnap.sys

iaStor.sys

disk.sys

\WINDOWS\system32\DRIVERS\CLASSPNP.SYS

fltmgr.sys

sr.sys

PxHelp20.sys

KSecDD.sys

Ntfs.sys

NDIS.sys

shpf.sys

Mup.sys

\SystemRoot\system32\DRIVERS\usbuhci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\yk51x86.sys

\SystemRoot\system32\DRIVERS\NETw5x32.sys

\SystemRoot\system32\DRIVERS\risdptsk.sys

\SystemRoot\system32\DRIVERS\rimsptsk.sys

\SystemRoot\system32\DRIVERS\i8042prt.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\SynTP.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\IFXTPM.SYS

\SystemRoot\System32\Drivers\SonyNC.sys

\SystemRoot\system32\DRIVERS\imapi.sys

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\system32\DRIVERS\redbook.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\DRIVERS\psched.sys

\SystemRoot\system32\DRIVERS\msgpc.sys

\SystemRoot\system32\DRIVERS\ptilink.sys

\SystemRoot\system32\DRIVERS\raspti.sys

\SystemRoot\system32\DRIVERS\rdpdr.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\system32\DRIVERS\teefer2.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\update.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\System32\Drivers\Fs_Rec.SYS

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\rasacd.sys

\SystemRoot\system32\DRIVERS\ipsec.sys

\SystemRoot\system32\DRIVERS\tcpip.sys

\SystemRoot\system32\DRIVERS\ipnat.sys

\??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys

\SystemRoot\system32\DRIVERS\netbt.sys

\SystemRoot\System32\drivers\afd.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\system32\DRIVERS\kbdhid.sys

\SystemRoot\System32\Drivers\Cdfs.SYS

\SystemRoot\System32\Drivers\dump_iaStor.sys

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\System32\watchdog.sys

\SystemRoot\System32\drivers\dxg.sys

\SystemRoot\System32\drivers\dxgthk.sys

\SystemRoot\System32\framebuf.dll

\SystemRoot\System32\ATMFD.DLL

\SystemRoot\system32\DRIVERS\ndisuio.sys

\SystemRoot\system32\DRIVERS\srv.sys

\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys

\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys

\WINDOWS\system32\ntdll.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk2\DR3

Upper Device Object: 0xffffffff8694bab8

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000086\

Lower Device Object: 0xffffffff89e6f028

Lower Device Driver Name: \Driver\rimsptsk\

Driver name found: rimsptsk

DriverEntry returned 0x0

Function returned 0x0

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR2

Upper Device Object: 0xffffffff86957ab8

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\0000008a\

Lower Device Object: 0xffffffff86b05c20

Lower Device Driver Name: \Driver\risdptsk\

Driver name found: risdptsk

DriverEntry returned 0x0

Function returned 0x0

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xffffffff8aaea568

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: Unknown

Lower Device Object: 0xffffffff8aa9b030

Lower Device Driver Name: Unknown

Driver name found: iaStor

DriverEntry returned 0x0

Function returned 0x0

Downloaded database version: v2013.01.06.01

Downloaded database version: v2013.01.04.01

Initializing...

Done!

<<<2>>>

Device number: 0, partition: 1

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xffffffff8aaea568, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff8aaea288, DeviceName: Unknown, DriverName: \Driver\PartMgr\

DevicePointer: 0xffffffff8aaea568, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff8aaeab30, DeviceName: Unknown, DriverName: \Driver\shpf\

DevicePointer: 0xffffffff8a543f18, DeviceName: \Device\0000007f\, DriverName: \Driver\ACPI\

DevicePointer: 0xffffffff8aa9b030, DeviceName: Unknown, DriverName: Unknown

------------ End ----------

Upper DeviceData: 0xffffffffe13c3290, 0xffffffff8aaea568, 0xffffffff8658a040

Lower DeviceData: 0xffffffffe115ad88, 0xffffffff8aa9b030, 0xffffffff866a84e8

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\WINDOWS\system32\drivers...

Done!

Drive 0

Scanning MBR on drive 0...

MBR buffers are not equal

MBR is forged! [177b10df776cbf12774e7e6927767e44]

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 4D128E91

Partition information:

Partition 0 type is Empty (0x0)

Partition is ACTIVE.

Partition starts at LBA: 57 Numsec = 0

Partition is not bootable

Infected: VBR on Empty active partition --> [Rootkit.Pihar.c.MBR]

Changing partition to empty and not active. New active partition is 0 on drive 0 ...

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 63 Numsec = 312576642

Partition file system is NTFS

Partition is bootable

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

MBR infection found on drive 0

Disk Size: 160041885696 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-56-312561808-312581808)...

Sector 312581556 --> [Forged physical sector]

Sector 312581557 --> [Forged physical sector]

Sector 312581558 --> [Forged physical sector]

Sector 312581559 --> [Forged physical sector]

Sector 312581560 --> [Forged physical sector]

Sector 312581561 --> [Forged physical sector]

Sector 312581562 --> [Forged physical sector]

Sector 312581563 --> [Forged physical sector]

Sector 312581564 --> [Forged physical sector]

Sector 312581565 --> [Forged physical sector]

Sector 312581566 --> [Forged physical sector]

Sector 312581567 --> [Forged physical sector]

Sector 312581568 --> [Forged physical sector]

Sector 312581569 --> [Forged physical sector]

Sector 312581570 --> [Forged physical sector]

Sector 312581571 --> [Forged physical sector]

Sector 312581572 --> [Forged physical sector]

Sector 312581573 --> [Forged physical sector]

Sector 312581574 --> [Forged physical sector]

Sector 312581575 --> [Forged physical sector]

Sector 312581576 --> [Forged physical sector]

Sector 312581577 --> [Forged physical sector]

Sector 312581578 --> [Forged physical sector]

Sector 312581579 --> [Forged physical sector]

Sector 312581580 --> [Forged physical sector]

Sector 312581581 --> [Forged physical sector]

Sector 312581582 --> [Forged physical sector]

Sector 312581583 --> [Forged physical sector]

Sector 312581584 --> [Forged physical sector]

Sector 312581585 --> [Forged physical sector]

Sector 312581586 --> [Forged physical sector]

Sector 312581587 --> [Forged physical sector]

Sector 312581588 --> [Forged physical sector]

Sector 312581589 --> [Forged physical sector]

Sector 312581590 --> [Forged physical sector]

Sector 312581591 --> [Forged physical sector]

Sector 312581592 --> [Forged physical sector]

Sector 312581593 --> [Forged physical sector]

Sector 312581594 --> [Forged physical sector]

Sector 312581595 --> [Forged physical sector]

Sector 312581596 --> [Forged physical sector]

Sector 312581597 --> [Forged physical sector]

Sector 312581598 --> [Forged physical sector]

Sector 312581599 --> [Forged physical sector]

Sector 312581600 --> [Forged physical sector]

Sector 312581601 --> [Forged physical sector]

Sector 312581602 --> [Forged physical sector]

Sector 312581603 --> [Forged physical sector]

Sector 312581604 --> [Forged physical sector]

Sector 312581605 --> [Forged physical sector]

Sector 312581606 --> [Forged physical sector]

Sector 312581607 --> [Forged physical sector]

Sector 312581608 --> [Forged physical sector]

Sector 312581609 --> [Forged physical sector]

Sector 312581610 --> [Forged physical sector]

Sector 312581611 --> [Forged physical sector]

Sector 312581612 --> [Forged physical sector]

Sector 312581613 --> [Forged physical sector]

Sector 312581614 --> [Forged physical sector]

Sector 312581615 --> [Forged physical sector]

Sector 312581616 --> [Forged physical sector]

Sector 312581617 --> [Forged physical sector]

Sector 312581618 --> [Forged physical sector]

Sector 312581619 --> [Forged physical sector]

Sector 312581620 --> [Forged physical sector]

Sector 312581621 --> [Forged physical sector]

Sector 312581622 --> [Forged physical sector]

Sector 312581623 --> [Forged physical sector]

Sector 312581624 --> [Forged physical sector]

Sector 312581625 --> [Forged physical sector]

Sector 312581626 --> [Forged physical sector]

Sector 312581627 --> [Forged physical sector]

Sector 312581628 --> [Forged physical sector]

Sector 312581629 --> [Forged physical sector]

Sector 312581630 --> [Forged physical sector]

Sector 312581631 --> [Forged physical sector]

Sector 312581632 --> [Forged physical sector]

Sector 312581633 --> [Forged physical sector]

Sector 312581634 --> [Forged physical sector]

Sector 312581635 --> [Forged physical sector]

Sector 312581636 --> [Forged physical sector]

Sector 312581637 --> [Forged physical sector]

Sector 312581638 --> [Forged physical sector]

Sector 312581639 --> [Forged physical sector]

Sector 312581640 --> [Forged physical sector]

Sector 312581641 --> [Forged physical sector]

Sector 312581642 --> [Forged physical sector]

Sector 312581643 --> [Forged physical sector]

Sector 312581644 --> [Forged physical sector]

Sector 312581645 --> [Forged physical sector]

Sector 312581646 --> [Forged physical sector]

Sector 312581647 --> [Forged physical sector]

Sector 312581648 --> [Forged physical sector]

Sector 312581649 --> [Forged physical sector]

Sector 312581650 --> [Forged physical sector]

Sector 312581651 --> [Forged physical sector]

Sector 312581652 --> [Forged physical sector]

Sector 312581653 --> [Forged physical sector]

Sector 312581654 --> [Forged physical sector]

Sector 312581655 --> [Forged physical sector]

Sector 312581656 --> [Forged physical sector]

Sector 312581657 --> [Forged physical sector]

Sector 312581658 --> [Forged physical sector]

Sector 312581659 --> [Forged physical sector]

Sector 312581660 --> [Forged physical sector]

Sector 312581661 --> [Forged physical sector]

Sector 312581662 --> [Forged physical sector]

Sector 312581663 --> [Forged physical sector]

Sector 312581664 --> [Forged physical sector]

Sector 312581665 --> [Forged physical sector]

Sector 312581666 --> [Forged physical sector]

Sector 312581667 --> [Forged physical sector]

Sector 312581668 --> [Forged physical sector]

Sector 312581669 --> [Forged physical sector]

Sector 312581670 --> [Forged physical sector]

Sector 312581671 --> [Forged physical sector]

Sector 312581672 --> [Forged physical sector]

Sector 312581673 --> [Forged physical sector]

Sector 312581674 --> [Forged physical sector]

Sector 312581675 --> [Forged physical sector]

Sector 312581676 --> [Forged physical sector]

Sector 312581677 --> [Forged physical sector]

Sector 312581678 --> [Forged physical sector]

Sector 312581679 --> [Forged physical sector]

Sector 312581680 --> [Forged physical sector]

Sector 312581681 --> [Forged physical sector]

Sector 312581682 --> [Forged physical sector]

Sector 312581683 --> [Forged physical sector]

Sector 312581684 --> [Forged physical sector]

Sector 312581685 --> [Forged physical sector]

Sector 312581686 --> [Forged physical sector]

Sector 312581687 --> [Forged physical sector]

Sector 312581688 --> [Forged physical sector]

Sector 312581689 --> [Forged physical sector]

Sector 312581690 --> [Forged physical sector]

Sector 312581691 --> [Forged physical sector]

Sector 312581692 --> [Forged physical sector]

Sector 312581693 --> [Forged physical sector]

Sector 312581694 --> [Forged physical sector]

Sector 312581695 --> [Forged physical sector]

Sector 312581696 --> [Forged physical sector]

Sector 312581697 --> [Forged physical sector]

Sector 312581698 --> [Forged physical sector]

Sector 312581699 --> [Forged physical sector]

Sector 312581700 --> [Forged physical sector]

Sector 312581701 --> [Forged physical sector]

Sector 312581702 --> [Forged physical sector]

Sector 312581703 --> [Forged physical sector]

Sector 312581704 --> [Forged physical sector]

Sector 312581705 --> [Forged physical sector]

Sector 312581706 --> [Forged physical sector]

Sector 312581707 --> [Forged physical sector]

Sector 312581708 --> [Forged physical sector]

Sector 312581709 --> [Forged physical sector]

Sector 312581710 --> [Forged physical sector]

Sector 312581711 --> [Forged physical sector]

Sector 312581712 --> [Forged physical sector]

Sector 312581713 --> [Forged physical sector]

Sector 312581714 --> [Forged physical sector]

Sector 312581715 --> [Forged physical sector]

Sector 312581716 --> [Forged physical sector]

Sector 312581717 --> [Forged physical sector]

Sector 312581718 --> [Forged physical sector]

Sector 312581719 --> [Forged physical sector]

Sector 312581720 --> [Forged physical sector]

Sector 312581721 --> [Forged physical sector]

Sector 312581722 --> [Forged physical sector]

Sector 312581723 --> [Forged physical sector]

Sector 312581724 --> [Forged physical sector]

Sector 312581725 --> [Forged physical sector]

Sector 312581726 --> [Forged physical sector]

Sector 312581727 --> [Forged physical sector]

Sector 312581728 --> [Forged physical sector]

Sector 312581729 --> [Forged physical sector]

Sector 312581730 --> [Forged physical sector]

Sector 312581731 --> [Forged physical sector]

Sector 312581732 --> [Forged physical sector]

Sector 312581733 --> [Forged physical sector]

Sector 312581734 --> [Forged physical sector]

Sector 312581735 --> [Forged physical sector]

Sector 312581736 --> [Forged physical sector]

Sector 312581737 --> [Forged physical sector]

Sector 312581738 --> [Forged physical sector]

Sector 312581739 --> [Forged physical sector]

Sector 312581740 --> [Forged physical sector]

Sector 312581741 --> [Forged physical sector]

Sector 312581742 --> [Forged physical sector]

Sector 312581743 --> [Forged physical sector]

Sector 312581744 --> [Forged physical sector]

Sector 312581745 --> [Forged physical sector]

Sector 312581746 --> [Forged physical sector]

Sector 312581747 --> [Forged physical sector]

Sector 312581748 --> [Forged physical sector]

Sector 312581749 --> [Forged physical sector]

Sector 312581750 --> [Forged physical sector]

Sector 312581751 --> [Forged physical sector]

Sector 312581752 --> [Forged physical sector]

Sector 312581753 --> [Forged physical sector]

Sector 312581754 --> [Forged physical sector]

Sector 312581755 --> [Forged physical sector]

Sector 312581756 --> [Forged physical sector]

Sector 312581757 --> [Forged physical sector]

Sector 312581758 --> [Forged physical sector]

Sector 312581759 --> [Forged physical sector]

Sector 312581760 --> [Forged physical sector]

Sector 312581761 --> [Forged physical sector]

Sector 312581762 --> [Forged physical sector]

Sector 312581763 --> [Forged physical sector]

Sector 312581764 --> [Forged physical sector]

Sector 312581765 --> [Forged physical sector]

Sector 312581766 --> [Forged physical sector]

Sector 312581767 --> [Forged physical sector]

Sector 312581768 --> [Forged physical sector]

Sector 312581769 --> [Forged physical sector]

Sector 312581770 --> [Forged physical sector]

Sector 312581771 --> [Forged physical sector]

Sector 312581772 --> [Forged physical sector]

Sector 312581773 --> [Forged physical sector]

Sector 312581774 --> [Forged physical sector]

Sector 312581775 --> [Forged physical sector]

Sector 312581776 --> [Forged physical sector]

Sector 312581777 --> [Forged physical sector]

Sector 312581778 --> [Forged physical sector]

Sector 312581779 --> [Forged physical sector]

Sector 312581780 --> [Forged physical sector]

Sector 312581781 --> [Forged physical sector]

Sector 312581782 --> [Forged physical sector]

Sector 312581783 --> [Forged physical sector]

Sector 312581784 --> [Forged physical sector]

Sector 312581785 --> [Forged physical sector]

Sector 312581786 --> [Forged physical sector]

Sector 312581787 --> [Forged physical sector]

Sector 312581788 --> [Forged physical sector]

Sector 312581789 --> [Forged physical sector]

Sector 312581790 --> [Forged physical sector]

Sector 312581791 --> [Forged physical sector]

Sector 312581792 --> [Forged physical sector]

Sector 312581793 --> [Forged physical sector]

Sector 312581794 --> [Forged physical sector]

Sector 312581795 --> [Forged physical sector]

Sector 312581796 --> [Forged physical sector]

Sector 312581797 --> [Forged physical sector]

Sector 312581798 --> [Forged physical sector]

Sector 312581799 --> [Forged physical sector]

Sector 312581800 --> [Forged physical sector]

Sector 312581801 --> [Forged physical sector]

Sector 312581802 --> [Forged physical sector]

Sector 312581803 --> [Forged physical sector]

Sector 312581804 --> [Forged physical sector]

Sector 312581805 --> [Forged physical sector]

Sector 312581806 --> [Forged physical sector]

Sector 312581807 --> [Forged physical sector]

Physical Sector Size: 0

Drive: 1, DevicePointer: 0xffffffff86957ab8, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff86a74e08, DeviceName: Unknown, DriverName: \Driver\PartMgr\

DevicePointer: 0xffffffff86957ab8, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff86a6f9f8, DeviceName: Unknown, DriverName: \Driver\shpf\

DevicePointer: 0xffffffff86b05c20, DeviceName: \Device\0000008a\, DriverName: \Driver\risdptsk\

------------ End ----------

Physical Sector Size: 0

Drive: 2, DevicePointer: 0xffffffff8694bab8, DeviceName: \Device\Harddisk2\DR3\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff8694b890, DeviceName: Unknown, DriverName: \Driver\PartMgr\

DevicePointer: 0xffffffff8694bab8, DeviceName: \Device\Harddisk2\DR3\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff86a74bf0, DeviceName: Unknown, DriverName: \Driver\shpf\

DevicePointer: 0xffffffff89e6f028, DeviceName: \Device\00000086\, DriverName: \Driver\rimsptsk\

------------ End ----------

Done!

Performing system, memory and registry scan...

Done!

Scan finished

Creating System Restore point...

Could not create restore point...

Scheduling clean up...

<<<2>>>

Device number: 0, partition: 1

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Removal scheduling successful. System shutdown needed.

System shutdown occurred

=======================================

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

System is currently in a safe mode

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 2.259000 GHz

Memory total: 3052277760, free: 2755686400

------------ Kernel report ------------

01/05/2013 19:11:10

------------ Loaded modules -----------

\WINDOWS\system32\ntoskrnl.exe

\WINDOWS\system32\hal.dll

\WINDOWS\system32\KDCOM.DLL

\WINDOWS\system32\BOOTVID.dll

ACPI.sys

\WINDOWS\system32\DRIVERS\WMILIB.SYS

pci.sys

isapnp.sys

ohci1394.sys

\WINDOWS\system32\DRIVERS\1394BUS.SYS

compbatt.sys

\WINDOWS\system32\DRIVERS\BATTC.SYS

MountMgr.sys

ftdisk.sys

dmload.sys

dmio.sys

PartMgr.sys

ACPIEC.sys

\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS

VolSnap.sys

iaStor.sys

disk.sys

\WINDOWS\system32\DRIVERS\CLASSPNP.SYS

fltmgr.sys

sr.sys

PxHelp20.sys

KSecDD.sys

Ntfs.sys

NDIS.sys

shpf.sys

Mup.sys

\SystemRoot\system32\DRIVERS\usbuhci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\yk51x86.sys

\SystemRoot\system32\DRIVERS\NETw5x32.sys

\SystemRoot\system32\DRIVERS\risdptsk.sys

\SystemRoot\system32\DRIVERS\rimsptsk.sys

\SystemRoot\system32\DRIVERS\i8042prt.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\SynTP.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\IFXTPM.SYS

\SystemRoot\System32\Drivers\SonyNC.sys

\SystemRoot\system32\DRIVERS\imapi.sys

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\system32\DRIVERS\redbook.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\DRIVERS\psched.sys

\SystemRoot\system32\DRIVERS\msgpc.sys

\SystemRoot\system32\DRIVERS\ptilink.sys

\SystemRoot\system32\DRIVERS\raspti.sys

\SystemRoot\system32\DRIVERS\rdpdr.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\system32\DRIVERS\teefer2.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\update.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\System32\Drivers\Fs_Rec.SYS

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\rasacd.sys

\SystemRoot\system32\DRIVERS\ipsec.sys

\SystemRoot\system32\DRIVERS\tcpip.sys

\SystemRoot\system32\DRIVERS\ipnat.sys

\??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys

\SystemRoot\system32\DRIVERS\netbt.sys

\SystemRoot\System32\drivers\afd.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\System32\Drivers\Cdfs.SYS

\SystemRoot\system32\DRIVERS\kbdhid.sys

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\System32\Drivers\dump_iaStor.sys

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\System32\watchdog.sys

\SystemRoot\System32\drivers\dxg.sys

\SystemRoot\System32\drivers\dxgthk.sys

\SystemRoot\System32\framebuf.dll

\SystemRoot\System32\ATMFD.DLL

\SystemRoot\system32\DRIVERS\ndisuio.sys

\SystemRoot\system32\DRIVERS\srv.sys

\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys

\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys

\WINDOWS\system32\ntdll.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk2\DR4

Upper Device Object: 0xffffffff86b87438

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\0000008a\

Lower Device Object: 0xffffffff86b87c20

Lower Device Driver Name: \Driver\risdptsk\

Driver name found: risdptsk

DriverEntry returned 0x0

Function returned 0x0

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR2

Upper Device Object: 0xffffffff89f0d488

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000086\

Lower Device Object: 0xffffffff89ef7028

Lower Device Driver Name: \Driver\rimsptsk\

Driver name found: rimsptsk

DriverEntry returned 0x0

Function returned 0x0

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xffffffff8aab14a0

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IAAStorageDevice-1\

Lower Device Object: 0xffffffff8aab2030

Lower Device Driver Name: \Driver\iaStor\

Driver name found: iaStor

DriverEntry returned 0x0

Function returned 0x0

Initializing...

Done!

<<<2>>>

Device number: 0, partition: 1

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xffffffff8aab14a0, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff8aab11c0, DeviceName: Unknown, DriverName: \Driver\PartMgr\

DevicePointer: 0xffffffff8aab14a0, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff8aab1a68, DeviceName: Unknown, DriverName: \Driver\shpf\

DevicePointer: 0xffffffff8a536f18, DeviceName: \Device\0000007f\, DriverName: \Driver\ACPI\

DevicePointer: 0xffffffff8aab2030, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\

------------ End ----------

Upper DeviceData: 0xffffffffe1c2dca0, 0xffffffff8aab14a0, 0xffffffff86778040

Lower DeviceData: 0xffffffffe1092b38, 0xffffffff8aab2030, 0xffffffff867cac98

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\WINDOWS\system32\drivers...

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 4D128E91

Partition information:

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 63 Numsec = 312576642

Partition file system is NTFS

Partition is bootable

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 160041885696 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-312561808-312581808)...

Physical Sector Size: 0

Drive: 1, DevicePointer: 0xffffffff89f0d488, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff89ef6020, DeviceName: Unknown, DriverName: \Driver\PartMgr\

DevicePointer: 0xffffffff89f0d488, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff89f0d9f0, DeviceName: Unknown, DriverName: \Driver\shpf\

DevicePointer: 0xffffffff89ef7028, DeviceName: \Device\00000086\, DriverName: \Driver\rimsptsk\

------------ End ----------

Physical Sector Size: 0

Drive: 2, DevicePointer: 0xffffffff86b87438, DeviceName: \Device\Harddisk2\DR4\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff86b86020, DeviceName: Unknown, DriverName: \Driver\PartMgr\

DevicePointer: 0xffffffff86b87438, DeviceName: \Device\Harddisk2\DR4\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff86b879f8, DeviceName: Unknown, DriverName: \Driver\shpf\

DevicePointer: 0xffffffff86b87c20, DeviceName: \Device\0000008a\, DriverName: \Driver\risdptsk\

------------ End ----------

Done!

Performing system, memory and registry scan...

Done!

Scan finished

=======================================

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 2.259000 GHz

Memory total: 3052277760, free: 2555260928

------------------------------------------------------------------------------------------

I ran everything in safe mode with networking since I was having problems otherwise. Hopefully you've gotten it all taken care of. Please let me know if I should do anything else.

Thanks,

Sean

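The Anti-Rootkit log above reports a partition table with an ACTIVE entry of type Empty (0x0) at LBA 57 with Numsec = 0, next to the real NTFS entry at LBA 63. That shape is a useful thing to check for on its own, independent of the tool. The following is an added example, not code from this thread or from Malwarebytes: it parses a raw 512-byte MBR, validates the 55AA boot signature, reads the disk signature and the four 16-byte entries, and flags implausible combinations (active but empty, active with zero sectors, an empty entry with a non-zero start, more or fewer than one active entry). The sample sectors are constructed; they reuse the disk signature and the NTFS partition geometry printed in the log but are not copies of the infected sector. MBAR itself decided the MBR was "forged" by comparing two reads of the sector ("MBR buffers are not equal"); the heuristics here are an assumption of what a defender would check, not MBAR's method.

```python
"""Sanity-check a raw 512-byte MBR: boot signature, NT disk signature and the
four partition-table entries.  Added example; sample sectors are constructed."""
import hashlib
import struct

SECTOR_SIZE = 512
DISK_SIG_OFFSET = 440      # 4-byte NT disk signature
PT_OFFSET = 446            # partition table: 4 entries x 16 bytes
ENTRY_FMT = "<B3sB3sII"    # boot flag, CHS start, type, CHS end, start LBA, sector count
BOOT_ACTIVE = 0x80


def has_boot_signature(sector: bytes) -> bool:
    """True if bytes 510..511 hold the 0x55 0xAA boot signature (MBAR prints it as 55AA)."""
    return len(sector) == SECTOR_SIZE and sector[510:512] == b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Decode disk signature and partition entries; also fingerprint the sector."""
    if not has_boot_signature(sector):
        raise ValueError("not a 512-byte sector with a 55AA boot signature")
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0]
    entries = []
    for i in range(4):
        boot, _chs_s, ptype, _chs_e, lba, numsec = struct.unpack_from(
            ENTRY_FMT, sector, PT_OFFSET + 16 * i)
        entries.append({"index": i, "boot_flag": boot, "active": boot == BOOT_ACTIVE,
                        "type": ptype, "lba": lba, "numsec": numsec})
    # hash of the whole sector, handy for comparing against a known-good copy
    return {"disk_signature": disk_sig, "entries": entries,
            "md5": hashlib.md5(sector).hexdigest()}


def find_anomalies(parsed: dict) -> list:
    """Return human-readable findings for partition entries that cannot be legitimate."""
    findings = []
    active = [e for e in parsed["entries"] if e["active"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active entry, found {len(active)}")
    for e in parsed["entries"]:
        i = e["index"]
        if e["boot_flag"] not in (0x00, BOOT_ACTIVE):
            findings.append(f"entry {i}: invalid boot flag 0x{e['boot_flag']:02x}")
        if e["active"] and e["type"] == 0x00:
            findings.append(f"entry {i}: ACTIVE but type is Empty (0x0)")
        if e["active"] and e["numsec"] == 0:
            findings.append(f"entry {i}: ACTIVE but Numsec = 0")
        if e["type"] == 0x00 and (e["lba"] or e["numsec"]):
            findings.append(f"entry {i}: Empty type with non-zero LBA/size "
                            f"(LBA {e['lba']}, Numsec {e['numsec']})")
        if e["type"] != 0x00 and e["numsec"] == 0:
            findings.append(f"entry {i}: type 0x{e['type']:x} with zero length")
    return findings


def build_mbr(disk_sig: int, entries) -> bytes:
    """Construct a test sector: entries are (boot_flag, type, lba, numsec) tuples."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, disk_sig)
    for i, (boot, ptype, lba, numsec) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PT_OFFSET + 16 * i,
                         boot, b"\0\0\0", ptype, b"\0\0\0", lba, numsec)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


DISK_SIG = 0x4D128E91  # disk signature as printed in the MBAR log above
# Constructed clean table: one active NTFS (0x07) partition at LBA 63, as in the log.
CLEAN_MBR = build_mbr(DISK_SIG, [(0x80, 0x07, 63, 312576642),
                                 (0, 0, 0, 0), (0, 0, 0, 0), (0, 0, 0, 0)])
# Constructed table mimicking what MBAR reported: an ACTIVE Empty entry at LBA 57
# with Numsec 0, with the real NTFS entry demoted to a non-active slot.  Not the
# actual infected sector.
FORGED_MBR = build_mbr(DISK_SIG, [(0x80, 0x00, 57, 0),
                                  (0x00, 0x07, 63, 312576642),
                                  (0, 0, 0, 0), (0, 0, 0, 0)])

if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_MBR), ("forged", FORGED_MBR)):
        p = parse_mbr(sec)
        print(f"{name}: disk signature {p['disk_signature']:08X}, md5 {p['md5']}")
        for f in find_anomalies(p) or ["no anomalies"]:
            print("  ", f)
```

On a live system the sector would come from reading the first 512 bytes of the physical disk with administrative rights; a rootkit that hooks the disk stack can return a clean copy to that read, which is exactly why MBAR reads the sector through more than one path and compares the buffers. Use the partition-table checks as a first-pass triage, and the MD5 fingerprint to compare against a copy taken when the machine was known good.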

  • Staff

We have a couple more scans to run to make certain there are no leftovers.

This type of infection has the ability to allow access to your system via a "back door", which could possibly compromise any personal information you have on your computer. I can clean the machine but can't guarantee the results. The only way to do that would be to reformat.

Please run the following:

Download ComboFix from the following location:

Link

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

CF_RC_notice.png

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

cfRC_screen_2.png

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Thank you CatByte. Here is ComboFix.txt:

ComboFix 13-01-05.01 - Sean 01/06/2013 9:33.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2911.2102 [GMT -7:00]

Running from: c:\documents and settings\Sean\Desktop\ComboFix.exe

AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\iun6002.exe

c:\windows\setup.exe

c:\windows\system32\MUI\040C\tourstart.exe

c:\windows\system32\MUI\0416\tourstart.exe

c:\windows\system32\MUI\0C0A\tourstart.exe

c:\windows\system32\Thumbs.db

c:\windows\system32\URTTemp

c:\windows\system32\URTTemp\fusion.dll

c:\windows\system32\URTTemp\mscoree.dll

c:\windows\system32\URTTemp\mscoree.dll.local

c:\windows\system32\URTTemp\mscorsn.dll

c:\windows\system32\URTTemp\mscorwks.dll

c:\windows\system32\URTTemp\msvcr71.dll

c:\windows\system32\URTTemp\regtlib.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-12-06 to 2013-01-06 )))))))))))))))))))))))))))))))

.

.

2013-01-06 02:36 . 2013-01-06 02:36 -------- d-----w- c:\windows\LastGood

2013-01-05 00:13 . 2013-01-05 00:13 -------- d-----w- c:\documents and settings\Sean\Application Data\Malwarebytes

2013-01-05 00:13 . 2013-01-05 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2013-01-05 00:13 . 2013-01-05 00:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2013-01-05 00:13 . 2012-12-14 23:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-01-04 22:26 . 2013-01-04 22:26 -------- d-----w- c:\program files\Ask.com

2013-01-04 22:26 . 2013-01-04 22:26 -------- d-----w- c:\documents and settings\Sean\Local Settings\Application Data\AskToolbar

2013-01-04 22:24 . 2013-01-04 22:24 -------- d-----w- c:\program files\Common Files\Java

2013-01-04 22:24 . 2013-01-04 22:24 143872 ----a-w- c:\windows\system32\javacpl.cpl

2013-01-04 22:24 . 2013-01-04 22:24 93640 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2013-01-04 22:15 . 2013-01-04 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Ask

2012-12-10 00:02 . 2012-12-10 00:02 -------- d-----w- c:\documents and settings\Sean\Application Data\AC3Filter

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-01-04 22:24 . 2012-03-06 00:19 779704 ----a-w- c:\windows\system32\deployJava1.dll

2013-01-04 22:20 . 2012-08-19 17:37 859072 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-12-12 03:20 . 2012-04-15 18:53 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-12-12 03:20 . 2012-03-04 15:25 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-11-08 23:27 . 2012-02-27 22:52 174056 ----a-w- c:\windows\system32\drivers\wpshelper.sys

2012-12-08 14:55 . 2012-02-27 21:53 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-12-11 1520840]

.

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Advanced SystemCare 4"="c:\program files\IObit\Advanced SystemCare 4\ASCTray.exe" [2011-05-28 412560]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-06-14 1032192]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-23 150040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-23 170520]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-23 141848]

"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]

"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2008-03-26 217088]

"VMSwitch"="c:\program files\Sony\VAIO Mode Switch\VMSwitch.exe" [2008-05-15 534368]

"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2008-05-14 503808]

"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2008-05-16 315392]

"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-05-01 1347584]

"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-05-01 1191936]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-12-11 1573576]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-12-6 576104]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2008-03-25 19:53 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [7/29/2008 3:10 AM 22560]

R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [2/27/2012 4:08 PM 353168]

R2 UnsignedThemes;Unsigned Themes;c:\windows\UnsignedThemesSvc.exe [7/13/2009 12:07 AM 21096]

R2 uxpatch;uxpatch;c:\windows\system32\drivers\uxpatch.sys [7/13/2009 12:07 AM 25448]

R3 5U875UVC;Sony Visual Communication Camera;c:\windows\system32\drivers\5U875.sys [7/29/2008 3:30 AM 71296]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/31/2012 5:25 PM 106656]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [7/29/2008 2:44 AM 41216]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/14/2009 12:51 PM 23888]

.

Contents of the 'Scheduled Tasks' folder

.

2013-01-06 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-15 03:20]

.

2013-01-06 c:\windows\Tasks\ASC4_PerformanceMonitor.job

- c:\program files\IObit\Advanced SystemCare 4\PMonitor.exe [2012-02-27 21:46]

.

2012-02-27 c:\windows\Tasks\Registration reminder 2.job

- c:\windows\system32\OOBE\oobebaln.exe [2008-07-29 12:42]

.

2012-02-27 c:\windows\Tasks\Registration reminder 3.job

- c:\windows\system32\OOBE\oobebaln.exe [2008-07-29 12:42]

.

2013-01-06 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2012-12-11 02:32]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.sony.com/vaiopeople

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

TCP: DhcpNameServer = 192.168.0.1

FF - ProfilePath - c:\documents and settings\Sean\Application Data\Mozilla\Firefox\Profiles\37abi1vi.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=ORJ&o=&locale=&apn_uid=27D92EA7-30B7-45D9-A375-4844EB6ED8F5&apn_ptnrs=TV&apn_sauid=65EBD9D7-F1BC-49A7-A9CE-5FB65ED896A3&apn_dtid=OSJ000YYUS&&q=

FF - ExtSQL: 2013-01-04 15:26; toolbar@ask.com; c:\documents and settings\Sean\Application Data\Mozilla\Firefox\Profiles\37abi1vi.default\extensions\toolbar@ask.com

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-Symantec Antvirus

AddRemove-Memory Stick Icon1.0 - c:\windows\iun6002.exe

AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-01-06 09:36

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1516)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\VESWinlogon.dll

c:\windows\system32\netprovcredman.dll

.

Completion time: 2013-01-06 09:38:04

ComboFix-quarantined-files.txt 2013-01-06 16:37

.

Pre-Run: 30,643,630,080 bytes free

Post-Run: 31,062,519,808 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 73B2830C9BC44A602ED0A4693141E281


  • Staff

Please run the following:

Please download Junkware Removal Tool to your desktop.

  • Shut down your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

NEXT

Download AdwCleaner from here and save it to your desktop.

  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply

NEXT

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report into your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

NEXT

Go here to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


JRT:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 4.4.1 (01.06.2013:2)

OS: Microsoft Windows XP x86

Ran by Administrator on Sun 01/06/2013 at 10:36:07.37

Blog: http://thisisudax.blogspot.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\windows\currentversion\run\\apnupdater

Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\urlsearchhooks\\{54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22}

Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\DisplayName

Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\URL

~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_local_machine\software\conduit

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\installer\features\a28b4d68debaa244eb686953b7074fef

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\installer\products\a28b4d68debaa244eb686953b7074fef

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\installer\upgradecodes\f928123a039649549966d4c29d35b1c9

Successfully deleted: [Registry Key-Heur] HKEY_LOCAL_MACHINE\software\classes\Toolbar.CT3072254

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{3c471948-f874-49f5-b338-4f214a2ee0b1}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}

Successfully deleted: [Registry Key] "hkey_local_machine\software\apn"

Successfully deleted: [Registry Key] "hkey_local_machine\software\asktoolbar"

Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\appid\genericasktoolbar.dll"

Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\0cfe535c35f99574e8340bfa75bf92c2"

Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\0e12f736682067fde4d1158d5940a82e"

Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\120dfadeb50841f408f04d2a278f9509"

Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\1a24b5bb8521b03e0c8d908f5abc0ae6"

Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\261f213d1f55267499b1f87d0cc3bcf7"

Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\2b0d56c4f4c46d844a57ffed6f0d2852"

Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\49d4375fe41653242aea4c969e4e65e0"

Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\6aa0923513360135b272e8289c5f13fa"

Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\6f7467af8f29c134cbbab394eccfde96"

Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\741b4adf27276464790022c965ab6da8"

Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\7de196b10195f5647a2b21b761f3de01"

Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\922525dcc5199162f8935747ca3d8e59"

Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\9d4f5849367142e4685ed8c25e44c5ed"

Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\a5875b04372c19545beb90d4d606c472"

Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\a876d9e80b896ec44a8620248cc79296"

Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\b66ffab725b92594c986de826a867888"

Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\bcda179d619b91648538e3394cac94cc"

Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\d677b1a9671d4d4004f6f2a4469e86ea"

Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\dd1402a9dd4215a43abde169a41afa0e"

Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\e36e114a0ead2ad46b381d23ad69cddf"

Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\ef8e618db3aedfbb384561b5c548f65e"

Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\products\a28b4d68debaa244eb686953b7074fef"

~~~ Files

Successfully deleted: [File] "C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job"

~~~ Folders

Successfully deleted: [Folder] "C:\Program Files\conduit"

Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\ask"

Successfully deleted: [Folder] "C:\Program Files\ask.com"

Successfully deleted: [Folder] "C:\WINDOWS\installer\{86d4b82a-abed-442a-be86-96357b70f4fe}"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Sun 01/06/2013 at 10:40:42.02

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ADW cleaner:

# AdwCleaner v2.104 - Logfile created 01/06/2013 at 10:44:30

# Updated 29/12/2012 by Xplode

# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)

# User : Sean - PROBLEMBRO

# Boot Mode : Normal

# Running from : C:\Documents and Settings\Sean\Desktop\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

File Deleted : C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\37abi1vi.default\searchplugins\Askcom.xml

Folder Deleted : C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\37abi1vi.default\extensions\toolbar@ask.com

Folder Deleted : C:\Documents and Settings\Sean\Local Settings\Application Data\AskToolbar

Folder Deleted : C:\Documents and Settings\Sean\Local Settings\Application Data\Conduit

***** [Registry] *****

Key Deleted : HKCU\Software\APN

Key Deleted : HKCU\Software\Ask.com

Key Deleted : HKCU\Software\AskToolbar

Key Deleted : HKCU\Software\Conduit

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v17.0.1 (en-US)

File : C:\Documents and Settings\Sean\Application Data\Mozilla\Firefox\Profiles\37abi1vi.default\prefs.js

Deleted : user_pref("browser.search.defaultengine", "Ask.com");

Deleted : user_pref("browser.search.defaultenginename", "Ask.com");

Deleted : user_pref("browser.search.order.1", "Ask.com");

Deleted : user_pref("extensions.asktb.ff-original-keyword-url", "");

Deleted : user_pref("keyword.URL", "hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=ORJ&o=&locale=&apn_u[...]

*************************

AdwCleaner[s1].txt - [2936 octets] - [06/01/2013 10:44:30]

########## EOF - C:\AdwCleaner[s1].txt - [2996 octets] ##########

MBAM:

Malwarebytes Anti-Malware 1.70.0.1100

www.malwarebytes.org

Database version: v2013.01.06.04

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Sean :: PROBLEMBRO [administrator]

1/6/2013 10:53:20 AM

mbam-log-2013-01-06 (10-53-20).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 224677

Time elapsed: 11 minute(s), 17 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

ESET:

C:\Documents and Settings\Sean\My Documents\Downloads\cnet_DOS-on-USB_download_zip.exe a variant of Win32/InstallCore.D application

C:\Documents and Settings\Sean\My Documents\Downloads\iLividSetupV1.exe Win32/Toolbar.SearchSuite application

Scan city.

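The prefs.js entries AdwCleaner removed above are the usual footprint of a search hijack: the default engine and search order rewritten to the toolbar vendor, and keyword.URL pointed at a redirect. As an added example (not part of the original post and not AdwCleaner's own logic), this Python script parses a constructed prefs.js excerpt modelled on that log and flags the same kinds of entries; the redirect URL in the sample is a placeholder, not the one from the log.

```python
import re
from typing import Dict, List, Tuple

# One Firefox prefs.js entry looks like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')

# Preferences a search hijacker rewrites (the names AdwCleaner deleted
# from the profile in the log above).
SEARCH_ENGINE_PREFS = {
    "browser.search.defaultengine",
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
}
# Vendors behind the toolbars removed in this thread; extend as needed.
HIJACK_MARKERS = ("ask.com", "conduit")

# Constructed sample modelled on the AdwCleaner log; the keyword.URL value
# is a placeholder, not the real redirect URL.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.search.defaultengine", "Ask.com");
user_pref("browser.search.defaultenginename", "Ask.com");
user_pref("browser.search.order.1", "Ask.com");
user_pref("browser.search.selectedEngine", "Google");
user_pref("extensions.asktb.ff-original-keyword-url", "");
user_pref("keyword.URL", "http://search.example.invalid/redirect?client=ff&src=kw");
user_pref("network.cookie.cookieBehavior", 0);
"""


def parse_prefs(text: str) -> Dict[str, str]:
    """Return {pref name: value as text}; string values lose their quotes."""
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not user_pref()
        name, raw = m.groups()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        prefs[name] = raw
    return prefs


def find_search_hijacks(prefs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (pref, value, reason) for every entry that looks like a search hijack."""
    findings: List[Tuple[str, str, str]] = []
    for name, value in prefs.items():
        low = value.lower()
        if name in SEARCH_ENGINE_PREFS or name.startswith("browser.search.order."):
            if any(marker in low for marker in HIJACK_MARKERS):
                findings.append((name, value, "search engine set to a known toolbar vendor"))
        elif name == "keyword.URL" and value:
            # Firefox 17 ships keyword.URL empty; any value redirects address-bar searches.
            findings.append((name, value, "address-bar keyword searches redirected"))
        elif name.startswith("extensions.asktb."):
            findings.append((name, value, "Ask toolbar extension preference present"))
    return findings


if __name__ == "__main__":
    for pref, value, reason in find_search_hijacks(parse_prefs(SAMPLE_PREFS_JS)):
        print(f"{reason}: {pref} = {value!r}")
```

Run it against a real profile by reading prefs.js into a string and passing it to parse_prefs; the selectedEngine entry set to Google is left alone, matching what ComboFix later reported for this profile.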

  • Staff

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:

Press the WinKey + R to open a run box, type Notepad > click OK.

This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')


File::
C:\Documents and Settings\Sean\My Documents\Downloads\cnet_DOS-on-USB_download_zip.exe
C:\Documents and Settings\Sean\My Documents\Downloads\iLividSetupV1.exe

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...

(screenshot: CFScriptB-4.gif)

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please advise how the computer is running now and if there are any outstanding issues.


Thank you very much for your help. The machine is running great now. Here's the log:

ComboFix 13-01-05.01 - Sean 01/06/2013 14:05:08.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2911.2116 [GMT -7:00]

Running from: c:\documents and settings\Sean\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Sean\Desktop\CFScript.txt

AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

.

FILE ::

"c:\documents and settings\Sean\My Documents\Downloads\cnet_DOS-on-USB_download_zip.exe"

"c:\documents and settings\Sean\My Documents\Downloads\iLividSetupV1.exe"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Sean\My Documents\Downloads\cnet_DOS-on-USB_download_zip.exe

c:\documents and settings\Sean\My Documents\Downloads\iLividSetupV1.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-12-06 to 2013-01-06 )))))))))))))))))))))))))))))))

.

.

2013-01-06 18:17 . 2013-01-06 18:17 -------- d-----w- c:\program files\ESET

2013-01-06 17:36 . 2013-01-06 17:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer

2013-01-06 17:36 . 2013-01-06 17:36 -------- d-----w- c:\windows\ERUNT

2013-01-06 17:35 . 2013-01-06 17:35 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2013-01-06 17:35 . 2013-01-06 17:35 -------- d-----w- C:\JRT

2013-01-05 00:13 . 2013-01-05 00:13 -------- d-----w- c:\documents and settings\Sean\Application Data\Malwarebytes

2013-01-05 00:13 . 2013-01-05 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2013-01-05 00:13 . 2013-01-05 00:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2013-01-05 00:13 . 2012-12-14 23:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-01-04 22:24 . 2013-01-04 22:24 -------- d-----w- c:\program files\Common Files\Java

2013-01-04 22:24 . 2013-01-04 22:24 143872 ----a-w- c:\windows\system32\javacpl.cpl

2013-01-04 22:24 . 2013-01-04 22:24 93640 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2012-12-10 00:02 . 2012-12-10 00:02 -------- d-----w- c:\documents and settings\Sean\Application Data\AC3Filter

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-01-04 22:24 . 2012-03-06 00:19 779704 ----a-w- c:\windows\system32\deployJava1.dll

2013-01-04 22:20 . 2012-08-19 17:37 859072 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-12-12 03:20 . 2012-04-15 18:53 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-12-12 03:20 . 2012-03-04 15:25 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-12-08 14:55 . 2012-02-27 21:53 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Advanced SystemCare 4"="c:\program files\IObit\Advanced SystemCare 4\ASCTray.exe" [2011-05-28 412560]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-06-14 1032192]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-23 150040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-23 170520]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-23 141848]

"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]

"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2008-03-26 217088]

"VMSwitch"="c:\program files\Sony\VAIO Mode Switch\VMSwitch.exe" [2008-05-15 534368]

"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2008-05-14 503808]

"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2008-05-16 315392]

"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-05-01 1347584]

"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-05-01 1191936]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-12-6 576104]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2008-03-25 19:53 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [7/29/2008 3:10 AM 22560]

R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [2/27/2012 4:08 PM 353168]

R2 UnsignedThemes;Unsigned Themes;c:\windows\UnsignedThemesSvc.exe [7/13/2009 12:07 AM 21096]

R2 uxpatch;uxpatch;c:\windows\system32\drivers\uxpatch.sys [7/13/2009 12:07 AM 25448]

R3 5U875UVC;Sony Visual Communication Camera;c:\windows\system32\drivers\5U875.sys [7/29/2008 3:30 AM 71296]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/31/2012 5:25 PM 106656]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [7/29/2008 2:44 AM 41216]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/14/2009 12:51 PM 23888]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

2013-01-06 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-15 03:20]

.

2013-01-06 c:\windows\Tasks\ASC4_PerformanceMonitor.job

- c:\program files\IObit\Advanced SystemCare 4\PMonitor.exe [2012-02-27 21:46]

.

2012-02-27 c:\windows\Tasks\Registration reminder 2.job

- c:\windows\system32\OOBE\oobebaln.exe [2008-07-29 12:42]

.

2012-02-27 c:\windows\Tasks\Registration reminder 3.job

- c:\windows\system32\OOBE\oobebaln.exe [2008-07-29 12:42]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.sony.com/vaiopeople

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

TCP: DhcpNameServer = 192.168.0.1

FF - ProfilePath - c:\documents and settings\Sean\Application Data\Mozilla\Firefox\Profiles\37abi1vi.default\

FF - prefs.js: browser.search.selectedEngine - Google

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-01-06 14:09

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1496)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\VESWinlogon.dll

c:\windows\system32\netprovcredman.dll

.

Completion time: 2013-01-06 14:10:18

ComboFix-quarantined-files.txt 2013-01-06 21:10

ComboFix2.txt 2013-01-06 16:38

.

Pre-Run: 30,828,396,544 bytes free

Post-Run: 30,818,394,112 bytes free

.

- - End Of File - - 779C1A51E365E9662C7FC1A27C6DCD9E


  • Staff

We just have some housekeeping to do now,

Please do the following:

You can delete the DDS, JRT, MBAR and aswMBR logs and programs from your desktop.

NEXT

Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Press the WinKey +R to open a run box
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.

(screenshot: Combofix_uninstall_image.jpg)

NEXT

  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Confirm with yes.

If there are any logs/tools remaining on your desktop > right click and delete them.

NEXT

Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.
  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.
  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop

    • Close any open windows.
    • Double click the TFC icon to run the program.
    • TFC will close all open programs itself in order to run.
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job.
    • Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

    • Green to go
    • Yellow for caution
    • Red to stop

    WOT has an addon available for both Firefox and IE.

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

    • PC Safety and Security--What Do I Need?
    • Simple and easy ways to keep your computer safe and secure on the Internet

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.