
system trying to connect remotely while disconnected from internet


RandJ


Upload a File to Virustotal

Go to http://www.virustotal.com/

  • Click the Browse... button
  • Navigate to the file c:\windows\system32\drivers\qbpy.sys or just copy/paste it in.
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the results back here please.

Next,

Please download RogueKiller from here http://tigzy.geekstogo.com/Tools/RogueKiller.exe or here http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe and save it directly to your Desktop.

  • Quit all running programs
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • Wait until Prescan has finished...
  • The following EULA will appear, please select accept
  • Ensure MBR scan, Check faked and AntiRootkit are checked
  • Select Scan
  • When the scan completes select Report, copy and paste that to your reply.
  • The log should be found in RKreport.txt on your Desktop
  • Exit/Close RogueKiller

Kevin


(it seems to have stripped the images... would you like me to copy/paste differently or anything)

I wasn't sure if you wanted just the one tab or what you needed for results so here are all the tabs.

SHA256: 3da4f51682e7d42c5569f1fb1adc6295182962e36f748219e1d0c8f2389ba516
SHA1: aabbd57e20d2e7041f9e7abce6cfd8a53c366537
MD5: e6d35f3aa51a65eb35c1f2340154a25e
File size: 52.8 KB ( 54016 bytes )
File name: qbpy.sys
File type: Win32 EXE
Detection ratio: 1 / 46
Analysis date: 2013-01-11 01:49:54 UTC ( 0 minutes ago )


Antivirus  Result  Update

Agnitum - 20130110
AhnLab-V3 - 20130110
AntiVir - 20130107
Antiy-AVL - 20130110
Avast - 20130111
AVG - 20130111
BitDefender - 20130111
ByteHero - 20130110
CAT-QuickHeal - 20130110
ClamAV - 20130111
Commtouch - 20130111
Comodo - 20130111
DrWeb - 20130111
Emsisoft - 20130111
eSafe Win32.TrojanHorse 20130110
ESET-NOD32 - 20130110
F-Prot - 20130110
F-Secure - 20130110
Fortinet - 20130111
GData - 20130111
Ikarus - 20130111
Jiangmin - 20121221
K7AntiVirus - 20130110
Kaspersky - 20130110
Kingsoft - 20130107
Malwarebytes - 20130111
McAfee - 20130111
McAfee-GW-Edition - 20130111
Microsoft - 20130111
MicroWorld-eScan - 20130111
NANO-Antivirus - 20130111
Norman - 20130110
nProtect - 20130110
Panda - 20130110
PCTools - 20130110
Rising - 20130110
Sophos - 20130110
SUPERAntiSpyware - 20130111
Symantec - 20130111
TheHacker - 20130109
TotalDefense - 20130108
TrendMicro - 20130111
TrendMicro-HouseCall - 20130111
VBA32 - 20130109
VIPRE - 20130111
ViRobot - 20130110

Contains the text string:

c:\applications\windowsddk\src\myprojects\avenger\objfre_wxp_x86\i386\avenger.pdb

This is part of a combofix like tool that mbam will use and occasionally leave behind

Posted 3 months, 1 week ago by samwise

SIREFEF (ZEROACCESS) VARIANT

Handled from ELISIREF 1.96 onward

www.satinfo.es

Posted 7 months, 2 weeks ago by SATINFO

Confirmed by MBAM as part of their toolkit here: http://forums.malwar...16&fromsearch=1

#goodware

Posted 11 months ago by Equanimity

#hupigon

Posted 1 year, 2 months ago by Kruis

Malwarebytes driver for malware removal. Search the MD5 checksum online to see the legitimate history.

#goodware #hupigon

Posted 1 year, 2 months ago by anonymous

#malware

Posted 1 year, 3 months ago by anonymous

#malware #rootkit #hupigon

Posted 1 year, 4 months ago by anonymous

Rootkit

#malware #spamattachmentorlink #impropagating #networkworm #rootkit #hupigon

Posted 1 year, 4 months ago by Kruis

#malware #rootkit #hupigon

Posted 1 year, 5 months ago by anonymous

I'm not running avenger on my system. This file hid a data file in one of the MS update uninstall directories. I highly doubt a legit entry would create a Current Control Set 002 entry pointing to an MS install directory with a random name file linked from a key named --> byhaugxk

#malware #rootkit

Posted 1 year, 9 months ago by anonymous

Avenger protection

#goodware #rootkit

Posted 1 year, 9 months ago by styx

MBAM drops this. Goodware.

#goodware #rootkit

Posted 1 year, 9 months ago by Equanimity

Suspect trojan. Cleaned system remotely with malwarebytes, avg, etc, removed all detected infections. Ran combofix and noticed this file... no info on web on it. Was created the day before. Do not have avenger on this system. Sus on any system file created while cleaning system, and with no updates being installed

#malware

Posted 1 year, 10 months ago by anonymous

#goodware #rootkit #2928

Posted 1 year, 11 months ago by Dashke

avenger driver, legitimate tool. Driver is also used by MBAM.

#goodware #rootkit

Posted 2 years ago by anonymous

#goodware #rootkit

Posted 2 years, 1 month ago by anonymous

This file is dropped by Malwarebytes' Anti-Malware (malwarebytes.org) when you select to clean an infection. If this file is really malware like some of you say, then how come MBAM drops it?

The file itself as far as I know is in no way malware. It is used by some malware to end protected processes etc, to disable AV products just like it is used by MBAM and others to disable rootkit malware.

#goodware

Posted 2 years, 2 months ago by GDIcommando

#malware #rootkit #avenger

Posted 2 years, 2 months ago by anonymous

Legit file.

#goodware #rootkit #avenger

Posted 2 years, 3 months ago by dr_Bora

SIRI IS CORRECT

This is part of Avenger, a low level driver to remove other malware. Delete it if you wish, Avenger always creates a new random driver when it needs to.

#goodware

Posted 2 years, 3 months ago by anonymous

Legit tool: Avenger

#goodware #avenger #rootkit

Posted 2 years, 3 months ago by siri

#malware

Posted 2 years, 3 months ago by LT1

ssdeep

768:Bosx0q2ph6P2Jpz8ftoSUiJP7hYTCMrhwYKUzY4q:j076P2Jpz8ftBUMPaCMrhwY

TrID

Clipper DOS Executable (33.3%)

Generic Win/DOS Executable (33.0%)

DOS Executable Generic (33.0%)

VXD Driver (0.5%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)

ExifTool

MIMEType.................: application/octet-stream

Subsystem................: Native

MachineType..............: Intel 386 or later, and compatibles

TimeStamp................: 2009:09:02 22:37:57+01:00

FileType.................: Win32 EXE

PEType...................: PE32

CodeSize.................: 49664

LinkerVersion............: 8.0

EntryPoint...............: 0xc505

InitializedDataSize......: 3200

SubsystemVersion.........: 5.1

ImageVersion.............: 6.0

OSVersion................: 6.0

UninitializedDataSize....: 0

Portable Executable structural information

Compilation timedatestamp.....: 2009-09-02 21:37:57

Target machine................: 0x14C (Intel 386 or later processors and compatible processors)

Entry point address...........: 0x0000C505

PE Sections...................:

Name    Virtual Address  Virtual Size  Raw Size  Entropy  MD5
.text   1152             48543         48640     5.83     9474f39576a0e15bdbaa2ea3355f0a4a
.rdata  49792            294           384       3.78     375b710d9f213cfced30e9fdb29567e1
.data   50176            192           256       0.33     786971ca2b109729eda604b44d6c72ad
INIT    50432            968           1024      5.20     eea49a93a73afb6afc178455582133c6
.reloc  51456            2540          2560      6.62     bddd5a40c508bfc84ec87de5f8e6a5d3

PE Imports....................:

[[ntoskrnl.exe]]

ZwReadFile, RtlInitUnicodeString, ZwOpenKey, ZwCreateFile, swprintf, ZwEnumerateKey, ExAllocatePool, KeSetPriorityThread, DbgPrint, ZwWriteFile, RtlUpcaseUnicodeChar, KeBugCheck, KeTickCount, RtlPrefixUnicodeString, PsGetVersion, PsTerminateSystemThread, KeGetCurrentThread, ZwQueryDirectoryFile, _wcsicmp, ZwDeleteKey, ZwEnumerateValueKey, RtlCheckRegistryKey, ZwQueryValueKey, ExFreePoolWithTag, MmGetSystemRoutineAddress, memcpy, ZwSetInformationFile, RtlDeleteRegistryValue, ZwFlushKey, ZwOpenFile, PsCreateSystemThread, ZwSetValueKey, KeBugCheckEx, KeDelayExecutionThread, RtlWriteRegistryValue, ZwQueryInformationFile, ZwClose

Symantec Reputation

Suspicious.Insight

First seen by VirusTotal

2009-09-18 00:44:25 UTC ( 3 years, 3 months ago )

Last seen by VirusTotal

2013-01-11 01:49:54 UTC ( 11 minutes ago )

File names (max. 25)


Exited scanner without cleaning anything and attached report.

RKreport1_S_01102013_02d2105.txt
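As an added example (not code from the thread, from VirusTotal or from RogueKiller), the Python script below reproduces offline the two parts of the VirusTotal report that the replies above lean on when judging qbpy.sys: the per-section entropy/MD5 table and the embedded .pdb path, plus a simple high-entropy check for packed sections. The PE image it parses is constructed in memory for the demo; its section contents and the path c:\build\demo_driver\objfre_wxp_x86\i386\demo_driver.pdb are assumptions, not values from the real driver.

```python
"""Offline re-creation of the VirusTotal "PE Sections" table and .pdb path for
a suspicious driver. Added example, not code from the thread or from VirusTotal.
Standard library only; the PE image is constructed in memory (it is NOT the real
qbpy.sys), so the script runs without any sample on disk."""
import hashlib
import math
import re
import struct

E_LFANEW = 0x3C              # offset of the "PE\0\0" pointer in the DOS header
SECTION_HEADER_SIZE = 40     # sizeof(IMAGE_SECTION_HEADER)
PDB_RE = re.compile(rb"[\x20-\x7e]{4,}\.pdb")   # printable run ending in .pdb


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Read the COFF header and section table; hash and measure every section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", image, E_LFANEW)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    machine, nsections = struct.unpack_from("<HH", image, coff)
    timestamp = struct.unpack_from("<I", image, coff + 4)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsections):
        off = table + i * SECTION_HEADER_SIZE
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return {"machine": machine, "timestamp": timestamp, "sections": sections}


def pdb_paths(image: bytes) -> list:
    """Debug-symbol paths, like the avenger.pdb string VirusTotal showed."""
    return [m.decode("ascii") for m in PDB_RE.findall(image)]


def high_entropy_sections(report: dict, threshold: float = 7.0) -> list:
    """Sections whose entropy suggests packing or encryption. The real qbpy.sys
    .text measured 5.83 on VirusTotal, so it would not be flagged here."""
    return [s["name"] for s in report["sections"] if s["entropy"] > threshold]


def render_table(report: dict) -> str:
    """Same columns as the VirusTotal 'PE Sections' listing."""
    lines = ["Name Virtual Address Virtual Size Raw Size Entropy MD5"]
    for s in report["sections"]:
        lines.append(f"{s['name']} {s['vaddr']} {s['vsize']} {s['rawsize']} "
                     f"{s['entropy']:.2f} {s['md5']}")
    return "\n".join(lines)


def _section_header(name: bytes, vsize: int, vaddr: int, rawsize: int,
                    rawptr: int, characteristics: int) -> bytes:
    return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr,
                       0, 0, 0, 0, characteristics)


def build_demo_image() -> bytes:
    """Constructed two-section PE32 image; contents and .pdb path are hypothetical."""
    text = bytes(range(256)) * 2                    # 512 bytes, entropy exactly 8.0
    rdata = (b"\0" * 64
             + b"c:\\build\\demo_driver\\objfre_wxp_x86\\i386\\demo_driver.pdb\0"
             ).ljust(512, b"\0")
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW, 64)       # PE header right after the DOS header
    opt_size = 224                                  # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x4A9F0A35, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    headers += _section_header(b".text", 500, 0x1000, 512, 0x200, 0x68000020)
    headers += _section_header(b".rdata", 121, 0x2000, 512, 0x400, 0x48000040)
    return headers.ljust(0x200, b"\0") + text + rdata


if __name__ == "__main__":
    image = build_demo_image()
    report = parse_pe(image)
    print(render_table(report))
    print("pdb paths:", pdb_paths(image))
    print("high-entropy sections:", high_entropy_sections(report))
```

To run it against a real sample, replace build_demo_image() with the bytes read from the file; the section MD5s and entropies can then be compared directly with the VirusTotal listing.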


Thanks for the logs, run the following;

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs as they will have a negative effect on Combofix, instructions available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
  • If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

*EXTRA NOTES*

  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Post the log in next reply please...

Kevin


Here is the log. Thank you again for the help!

Also, in case it is helpful ... Avast was showing up as running but not in the task bar. I launched it from the start menu and it gave a message that it was not working. Sorry, brain fart and I didn't capture or write down the message (ridiculous amount of hypocrisy there BTW). I'm rebooting and reloading avast after posting this since there isn't any AV software without it.

ComboFix 13-01-11.02 - Laptop 01/11/2013 20:48:29.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1110 [GMT -5:00]

Running from: c:\documents and settings\Laptop\Desktop\ComboFix.exe

FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\SET7D.tmp

c:\windows\system32\SET81.tmp

c:\windows\system32\SET82.tmp

c:\windows\system32\SET89.tmp

c:\windows\system32\URTTemp

c:\windows\system32\URTTemp\fusion.dll

c:\windows\system32\URTTemp\mscoree.dll

c:\windows\system32\URTTemp\mscoree.dll.local

c:\windows\system32\URTTemp\mscorsn.dll

c:\windows\system32\URTTemp\mscorwks.dll

c:\windows\system32\URTTemp\msvcr71.dll

c:\windows\system32\URTTemp\regtlib.exe

H:\autorun.inf

.

.

((((((((((((((((((((((((( Files Created from 2012-12-12 to 2013-01-12 )))))))))))))))))))))))))))))))

.

.

2013-01-08 22:12 . 2013-01-08 22:12 -------- d-----w- c:\documents and settings\Laptop\.amu

2012-12-28 23:04 . 2012-12-28 23:05 -------- d-----w- c:\documents and settings\Laptop\Application Data\Spotify

2012-12-27 15:43 . 2012-12-27 15:43 -------- d-----w- c:\documents and settings\Laptop\Application Data\Visan

2012-12-27 15:41 . 2012-12-27 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Visan

2012-12-27 15:41 . 2012-12-27 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Photo Creations

2012-12-27 15:41 . 2012-12-27 15:42 -------- d-----w- c:\program files\HP Photo Creations

2012-12-25 16:06 . 2002-11-12 17:22 569397 ----a-w- c:\program files\Internet Explorer\PLUGINS\RichFX\Player\nprfxins.dll

2012-12-25 16:06 . 2012-12-25 16:09 -------- d-----w- c:\program files\Rhapsody

2012-12-18 14:28 . 2012-12-18 14:28 186584 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-01-09 07:55 . 2012-04-10 11:53 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-01-09 07:55 . 2011-07-26 02:36 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-12-14 21:49 . 2011-07-22 22:36 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-11-07 23:38 . 2011-06-30 16:38 99080 ----a-w- c:\windows\system32\drivers\inspect.sys

2012-11-07 23:38 . 2011-06-30 16:38 32640 ----a-w- c:\windows\system32\drivers\cmdhlp.sys

2012-11-07 23:38 . 2011-06-30 16:38 497952 ----a-w- c:\windows\system32\drivers\cmdGuard.sys

2012-11-07 23:38 . 2011-06-30 16:38 18096 ----a-w- c:\windows\system32\drivers\cmderd.sys

2012-11-07 23:37 . 2012-11-11 13:08 34024 ----a-w- c:\windows\system32\cmdcsr.dll

2012-11-07 23:37 . 2011-06-30 16:37 301264 ----a-w- c:\windows\system32\guard32.dll

2012-07-14 00:17 . 2012-08-24 11:36 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-12-07 39408]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-12-03 4763008]

"Amazon Cloud Drive"="c:\documents and settings\Laptop\Local Settings\Application Data\Amazon\Cloud Drive\AmazonCloudDrive.exe" [2012-11-12 646528]

"SansaDispatch"="c:\documents and settings\Laptop\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2012-07-19 79872]

"MusicManager"="c:\documents and settings\Laptop\Local Settings\Application Data\Programs\Google\MusicManager\MusicManager.exe" [2012-12-10 7416320]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1024000]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]

"Persistence"="c:\windows\System32\igfxpers.exe" [2008-02-29 137752]

"IgfxTray"="c:\windows\System32\igfxtray.exe" [2008-02-29 141848]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2008-02-29 166424]

"EaseUs Watch"="c:\program files\EASEUS\Todo Backup\bin\EuWatch.exe" [2011-04-23 69000]

"EaseUs Tray"="c:\program files\EASEUS\Todo Backup\bin\TrayNotify.exe" [2011-04-26 733576]

"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-11-07 6756048]

"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2008-06-02 2220032]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]

"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]

"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2006-06-29 77824]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]

"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]

"SetDefPrt2"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]

"WD Quick View"="c:\program files\Western Digital\WD Quick View\WDDMStatus.exe" [2012-06-14 5235128]

"HipServ Agent"="c:\program files\Roxio Streamer Desktop Applications\HipServAgent\HipServAgent.exe" [2010-06-30 2201000]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatchTray13.exe" [2010-07-16 307184]

"CPMonitor"="c:\program files\Roxio 2011\5.0\CPMonitor.exe" [2010-07-14 84464]

"Desktop Disc Tool"="c:\program files\Roxio 2011\Roxio Burn\RoxioBurnLauncher.exe" [2010-06-30 477680]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.207\SSScheduler.exe [2011-6-17 272528]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-4-19 291896]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-30 113024]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\guard32.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Motorola Media Link\\Lite\\MML.exe"=

"c:\\Program Files\\Motorola Mobility\\MotoCast\\motocast.exe"=

"c:\\Program Files\\Motorola Mobility\\MotoCast\\bin\\MotoCast-thumbnailer.exe"=

"c:\\Program Files\\Roxio Streamer Desktop Applications\\QuickConnect\\AxentraSmartShortcut.exe"=

"c:\\Program Files\\Roxio Streamer Desktop Applications\\HipServAgent\\HipServAgent.exe"=

"c:\\Program Files\\Roxio\\Roxio Streamer\\ConfigurationWizard\\RoxioStreamer.exe"=

"c:\\Program Files\\Amazon\\Utilities\\Amazon Music Importer\\Amazon Music Importer.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [7/22/2011 5:23 PM 30600]

R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [7/22/2011 5:23 PM 35720]

R0 EUFS;EUFS;c:\windows\system32\drivers\eufs.sys [7/22/2011 5:23 PM 20744]

R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [8/25/2012 8:21 PM 21488]

R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [8/25/2012 8:21 PM 15856]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [6/30/2011 11:38 AM 497952]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/30/2011 11:38 AM 32640]

R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [7/22/2011 5:23 PM 14216]

R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [8/25/2012 8:21 PM 25584]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [7/12/2011 4:55 PM 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [5/4/2011 12:54 PM 116608]

R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\App\SaibSVC.exe [6/2/2009 6:05 PM 457200]

R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\ASTRA32\astra32.sys [2/22/2007 1:28 PM 30864]

R2 BOT4Service;BOT4Service;c:\program files\Roxio\BackOnTrack\App\BService.exe [7/14/2010 3:00 AM 32240]

R2 DeviceMonitorService;DeviceMonitorService;c:\program files\Motorola Media Link\Lite\NServiceEntry.exe [6/5/2012 10:48 AM 87400]

R2 Motorola Device Manager;Motorola Device Manager Service;c:\program files\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [7/17/2012 3:31 PM 116632]

R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [4/19/2011 1:44 AM 993848]

R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [4/19/2011 1:44 AM 399416]

R2 VBoxDrv;VBox Support Driver;c:\program files\Roxio\Roxio Streamer\VBoxDrv.sys [6/29/2010 11:04 AM 122376]

R2 WDBackup;WD Backup;c:\program files\Western Digital\WD SmartWare\WDBackupEngine.exe [6/14/2012 10:04 AM 1151424]

R2 WDDriveService;WD Drive Manager;c:\program files\Western Digital\WD Drive Manager\WDDriveService.exe [6/14/2012 9:57 AM 248248]

R2 WDRulesService;WD Rules;c:\program files\Western Digital\WD SmartWare\WDRulesEngine.exe [6/14/2012 10:04 AM 1177536]

R3 EUDISK;EASEUS Disk Enumerator;c:\windows\system32\drivers\eudisk.sys [7/22/2011 5:23 PM 187528]

R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 3:30 AM 15544]

R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [6/29/2010 11:04 AM 108744]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]

S2 EASEUS Agent;EASEUS Agent;c:\program files\EASEUS\Todo Backup\bin\Agent.exe [7/22/2011 1:16 AM 56200]

S2 HipServ;HipServ for Windows;c:\program files\Roxio\Roxio Streamer\srvstart\srvstart.exe [4/19/2010 12:05 PM 45056]

S2 HipServUsbDetection;USB detection service for HipServ;c:\program files\Roxio\Roxio Streamer\usb_detection.exe [6/22/2010 10:26 AM 15872]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [7/22/2011 5:38 PM 95232]

S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatch13.exe [7/16/2010 5:48 AM 354288]

S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys --> c:\windows\system32\DRIVERS\motfilt.sys [?]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.207\McCHSvc.exe [6/17/2011 12:33 PM 237008]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]

S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys --> c:\windows\system32\DRIVERS\Motousbnet.sys [?]

S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys --> c:\windows\system32\DRIVERS\motusbdevice.sys [?]

S3 MSSQL$NR2005;MSSQL$NR2005;c:\program files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe -sNR2005 --> c:\program files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe -sNR2005 [?]

S3 RoxMediaDB13;RoxMediaDB13;c:\program files\Common Files\Roxio Shared\13.0\SharedCOM\RoxMediaDB13.exe [7/16/2010 5:48 AM 1099248]

S3 SQLAgent$NR2005;SQLAgent$NR2005;c:\program files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlagent.EXE -i NR2005 --> c:\program files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlagent.EXE -i NR2005 [?]

S3 VF0350Vfx;VF0350 Video FX;c:\windows\system32\drivers\V0350Vfx.sys [12/24/2011 6:44 PM 7424]

S3 VF0350Vid;Live! Cam Video IM (VF0350);c:\windows\system32\drivers\V0350Vid.sys [12/24/2011 6:44 PM 170368]

.

Contents of the 'Scheduled Tasks' folder

.

2013-01-11 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 07:55]

.

2013-01-07 c:\windows\Tasks\defrag.job

- c:\windows\system32\defrag.exe [2003-07-16 12:42]

.

2013-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-07 22:18]

.

2013-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-07 22:18]

.

2013-01-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-706699826-682003330-1004Core.job

- c:\documents and settings\Laptop\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-07 22:18]

.

2013-01-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-706699826-682003330-1004UA.job

- c:\documents and settings\Laptop\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-07 22:18]

.

2013-01-12 c:\windows\Tasks\HP Photo Creations Communicator.job

- c:\documents and settings\All Users\Application Data\HP Photo Creations\Communicator.exe [2011-11-18 10:11]

.

2013-01-12 c:\windows\Tasks\User_Feed_Synchronization-{810D34D2-7189-4241-8007-60144A5E7F04}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]

.

.

------- Supplementary Scan -------

.

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

Trusted Zone: ctest.elynx.net\gateway

Trusted Zone: ditechsecuredocs.net\www

Trusted Zone: elynx.com\gateway

Trusted Zone: elynx.net\aegis

Trusted Zone: elynx.net\ctest

Trusted Zone: elynx.net\forms

Trusted Zone: elynx.net\gateway

Trusted Zone: elynx.net\gmacforms

Trusted Zone: elynx.net\pro

Trusted Zone: elynx.net\secure

Trusted Zone: elynx.net\ssctest

Trusted Zone: elynx.net\stest

Trusted Zone: elynx.net\webpost

Trusted Zone: gmacmsecuredocs.net\www

Trusted Zone: ss3.swiftsend.com\loandocs

Trusted Zone: suntrust.com\mtgdocs

Trusted Zone: swiftsend.com\docs

Trusted Zone: swiftsend.com\gateway

Trusted Zone: swiftsend.com\loandocs

Trusted Zone: swiftsend.com\www

Trusted Zone: swiftsend2.com\docs

Trusted Zone: swiftsend2.com\loandocs

Trusted Zone: swiftview.com\products

Trusted Zone: swiftview.com\www

Trusted Zone: us.hsbc.com\mortgage-esign

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\documents and settings\Laptop\Application Data\Mozilla\Firefox\Profiles\usegnmt4.default\

FF - prefs.js: browser.search.selectedEngine - Secure Search

FF - prefs.js: browser.startup.homepage - hxxps://mail.google.com/mail/u/0/?shva=1#inbox

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

.

- - - - ORPHANS REMOVED - - - -

.

MSConfigStartUp-avast - c:\program files\AVAST Software\Avast\avastUI.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-01-11 20:58

Windows 5.1.2600 Service Pack 3 NTFS

.

detected NTDLL code modification:

ZwClose

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SansaDispatch = c:\documents and settings\Laptop\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe??????????????????????????????????????????????????????????????????????????????????????????

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1000)

c:\windows\system32\guard32.dll

.

- - - - - - - > 'lsass.exe'(1056)

c:\windows\system32\guard32.dll

.

- - - - - - - > 'csrss.exe'(968)

c:\windows\system32\cmdcsr.dll

.

Completion time: 2013-01-11 21:04:22

ComboFix-quarantined-files.txt 2013-01-12 02:04

.

Pre-Run: 123,686,658,048 bytes free

Post-Run: 126,607,167,488 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

.

- - End Of File - - 11A2B5E2389F0F27E0579B48E844BE3B

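The "LOCKED REGISTRY KEYS" section of the ComboFix log above lists CLSID and Interface keys that carry a Deny entry for Everyone. The Flash Broker keys shown there are a legitimate case, but the same trick is used to keep keys from being read or removed, so it is worth being able to list such keys yourself. The following PowerShell script is an added example written for this thread, not ComboFix's own code; it walks the same two hives the log reports and, for each key with a Deny ACE, shows who is denied and what the key's default value and LocalServer32 point to, so the hit can be checked against a known, signed program.

```powershell
# Added example (not from the thread or from ComboFix): list registry keys under
# the CLSID and Interface hives whose ACL contains a Deny entry, which is what
# ComboFix reports as "locked" keys. A Deny ACE is not proof of malware; the
# Flash Broker keys in the log above are legitimate, so each hit is reported
# with its default value and LocalServer32 path for manual review.

$roots = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface'
)

function Get-DeniedKeys {
    param([string[]]$Paths)
    foreach ($root in $Paths) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            try {
                $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop
            } catch {
                # If READ_CONTROL itself is denied, Get-Acl fails; that is also worth reporting.
                [pscustomobject]@{ Key = $key.Name; Denied = 'ACL unreadable'; Default = $null; Server = $null }
                return
            }
            $deny = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
            if ($deny) {
                $default = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).'(default)'
                $server  = (Get-ItemProperty -Path "$($key.PSPath)\LocalServer32" -ErrorAction SilentlyContinue).'(default)'
                [pscustomobject]@{
                    Key     = $key.Name
                    Denied  = ($deny | ForEach-Object { "$($_.IdentityReference):$($_.RegistryRights)" }) -join '; '
                    Default = $default
                    Server  = $server
                }
            }
        }
    }
}

# Run from an elevated PowerShell prompt so the ACLs of protected keys can be read.
Get-DeniedKeys -Paths $roots | Format-Table -AutoSize -Wrap
```

A key whose Server path points at an unsigned file in an unexpected location is the one to look at further; a Deny entry on a key whose LocalServer32 is a known, signed binary (as with FlashUtil32 above) is normal.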

Continue as follows:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:


ClearJavaCache::

Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next,

Run Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7 right click on IE shortcut and run as admin

Go to the ESET web page http://www.eset.com/home/products/online-scanner/ to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start
  • When asked, allow the add-on to be installed
    Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
  • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete

If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

If threats were found

  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish

close program

copy and paste the report here

Next,

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop.

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Post those three logs, also give an update on any remaining issues/concerns.

Kevin


The files listed by ESET are on a separate HD, you can delete those entries when you have time...

Next,

Your Java may be out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:

Go to http://java.com/en/ and click on "Do I have Java"

It will check your current version and then offer to update to the latest version

Watch for and make sure you untick the box next to whatever free program they prompt you to install during the installation, unless you want it.

***Note: Check in start > control panel > uninstall a program, ensure any old versions of Java are removed <---- very important...

Next,

Adobe Reader is outdated...

Visit http://get.adobe.com/uk/reader/otherversions/ and download the latest version of Acrobat Reader

Step 1 - Select your Operating System.

Step 2 - Select your Language.

Step 3 - Select latest version.

Untick the option for McAfee security scanner if offered.

Download and install.

Having the latest updates ensures there are no security vulnerabilities in your system.

Let me know if those steps complete, also let me know if you have any remaining issues/concerns. If all OK we can clean up tools etc. in next reply...

Kevin


OK, do the following:

Remove Combofix now that we're done with it

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

The above procedure will delete the following:

  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

It is very important that you get a successful uninstall because of the extra functions done at the same time, let me know if this does not happen.

Next,

We need to remove ESET Online Scanner (If installed).

  • Click Start, click Run, type control appwiz.cpl in the Open box, and then press ENTER.
  • Click to select ESET Online Scanner from the application list, and then click Remove. Only re-boot if prompted

Next,

  • Download OTC by OldTimer from here http://oldtimer.geekstogo.com/OTC.exe or here http://www.itxassociates.com/OT-Tools/OTC.exe and save to your Desktop.
  • Double click the OTC icon to start the program.
    If you are using Vista or Windows 7 accept UAC
  • Then click the big CleanUp button.
  • You will get a prompt saying "Begining Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
  • This will remove tools we have used and itself.

Any tools/logs remaining on the Desktop can be deleted.

Next,

Download TFC to your desktop from either of the following links:

http://oldtimer.geekstogo.com/TFC.exe

http://itxassociates.com/OT-Tools/TFC.exe

  • Save any open work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program. Vista or Windows 7 users accept the UAC alert.
  • If prompted, click "Yes" to reboot.

TFC will automatically close any open programs, including your Desktop. Let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. TFC may re-boot your system; if not, re-boot it yourself to complete the cleaning process <---- Very Important

Keep TFC; it is an excellent utility to run weekly to keep your system optimized: it empties all user temp folders, Java cache etc. Always remember to re-boot after a run, even if not prompted.

Let me know if those steps complete OK. If there are no remaining issues or concerns, are you OK for the thread to be closed out?

Kevin


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.