
Stalker Service


Malwarebytes will clean this. Every day, though, when I run a virus scan on this computer the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stalker key is infected. What is this and how do I get rid of the problem once and for all?

(The registry data policy item is nothing)

Malwarebytes' Anti-Malware 1.36

Database version: 2159

Windows 5.1.2600 Service Pack 2

5/20/2009 2:47:45 PM

mbam-log-2009-05-20 (14-47-45).txt

Scan type: Quick Scan

Objects scanned: 106318

Time elapsed: 3 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stalker (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Root Admin

STEP 01

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

STEP 02

Please create a BOOTLOG:
  • Delete the following file if it exists: C:\Windows\ntbtlog.txt
  • Restart the computer and press F8 when Windows starts booting. This will bring up the startup options.
  • Select the "Enable Boot Logging" option and press Enter.
  • Windows prompts you to select a Windows installation (even if there is only one Windows installation).
  • This boots Windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows.

This computer is in a corporate environment so there are company policies that run.

Please assist and thank you for your time!

ComboFix 09-05-20.A0 - sgroff 05/21/2009 7:06.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1007.546 [GMT -5:00]

Running from: c:\documents and settings\sgroff\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\windows\IE4 Error Log.txt

----- BITS: Possible infected sites -----

hxxp://SMCSVR002.scriptpro.com:80

.

((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))

.

2009-05-20 19:42 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-05-20 19:42 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-20 19:42 . 2009-05-20 19:42 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-05-19 18:27 . 2009-05-19 18:27 -------- d-----w c:\documents and settings\bgatoff\Application Data\Malwarebytes

2009-05-19 17:47 . 2009-05-19 17:47 -------- d-----w c:\documents and settings\Administrator\Application Data\Sunbelt

2009-05-18 20:42 . 2009-05-18 20:42 -------- d-----w c:\documents and settings\sgroff\Application Data\Sunbelt

2009-05-18 20:42 . 2009-05-18 20:42 -------- d-----w c:\documents and settings\sgroff\Application Data\Malwarebytes

2009-05-18 20:30 . 2009-05-18 20:30 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-05-18 20:30 . 2009-05-18 20:30 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-04-29 20:46 . 2009-05-20 20:58 26286 ----a-w c:\windows\system32\SOUNDMAN.EXE

2009-04-22 11:01 . 2009-04-22 11:01 65320 ----a-w c:\windows\system32\sbbd.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-21 12:01 . 2008-07-15 14:13 17408 ----a-w c:\windows\system32\rpcnetp.exe

2009-05-21 12:01 . 2008-07-15 14:16 47104 ----a-w c:\windows\system32\rpcnet.dll

2009-05-19 18:59 . 2008-07-15 14:14 17408 ----a-w c:\windows\system32\rpcnetp.dll

2009-04-20 12:51 . 2007-10-31 15:05 -------- d-----w c:\program files\Common Files\Symantec Shared

2009-03-31 18:53 . 2009-03-31 18:49 -------- d-----w c:\program files\Microsoft Streets & Trips 2009

2009-03-25 22:55 . 2008-10-10 06:36 33280 ----a-w c:\windows\system32\identprv.dll

2009-03-18 17:34 . 2009-01-06 19:47 45304 ----a-w c:\documents and settings\bgatoff\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

"RemovePrinters"="\\scriptpro\netlogon\tools\RemoveNetworkPrinters.vbs" [2009-01-06 760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ThpSrv"="c:\windows\system32\thpsrv" [X]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-21 8433664]

"NVRotateSysTray"="c:\windows\system32\nvsysrot.dll" [2007-07-21 49152]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]

"DpUtil"="c:\program files\TOSHIBA\DualPointUtility\TEDTray.exe" [2005-06-29 155648]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-06-01 823296]

"TosAutLk"="c:\program files\TOSHIBA\WirelessKeyLogon\TosAutLk.exe" [2006-11-21 110592]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744]

"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]

"TAudEffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-10 344144]

"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-07-05 18:14 258048]

"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2007-07-14 90112]

"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

"SBAMTray"="c:\program files\Sunbelt Software\SBEAgent\SBAMTray.exe" [2009-04-22 664872]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-07-21 1626112]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-03-12 16125440]

"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2007-03-28 622592]

"TPSODDCtl"="TPSODDCtl.exe" - c:\windows\system32\TPSODDCtl.exe [2007-02-02 110592]

"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2006-07-26 315392]

"TFncKy"="TFncKy.exe" [bU]

"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-23 10:28 24576]

"NDSTray.exe"="NDSTray.exe" [bU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 12451]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-10-31 1528880]

Printkey.lnk - c:\program files\PrintKey\Printkey2000.exe [2007-10-31 869376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoMSAppLogo5ChannelNotify"= 1 (0x1)

"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMBalloonTip"= 1 (0x1)

"ForceClassicControlPanel"= 1 (0x1)

"NoAutoUpdate"= 1 (0x1)

"NoWelcomeScreen"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoStartMenuMyMusic"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"ForceStartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]

"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]

"Script"=JavaRun.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1279460819-1203809207-3694018598-14932\Scripts\Logon\0\0]

"Script"=pushprinterconnections.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1279460819-1203809207-3694018598-14932\Scripts\Logon\1\0]

"Script"=pushprinterconnections.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1279460819-1203809207-3694018598-2293\Scripts\Logon\0\0]

"Script"=pushprinterconnections.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1279460819-1203809207-3694018598-9279\Scripts\Logon\0\0]

"Script"=pushprinterconnections.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"pinger"=2 (0x2)

"Swupdtmr"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\SOUNDMAN.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [4/27/2007 11:19 AM 21120]

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [3/9/2007 4:23 PM 6528]

R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [12/13/2006 2:34 AM 39080]

R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [4/15/2009 4:04 PM 202928]

R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [10/31/2007 9:48 AM 5888]

R2 Tmesrv;Tmesrv3;c:\program files\TOSHIBA\TME3\TMESRV31.exe [10/31/2007 9:48 AM 126976]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [10/31/2007 7:56 AM 1489688]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [9/19/2006 9:28 PM 36608]

R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [10/30/2007 2:20 PM 435072]

S2 SBAMSvc;VIPRE Enterprise Agent;c:\program files\Sunbelt Software\SBEAgent\SBAMSvc.exe [4/22/2009 6:01 AM 894248]

S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/22/2008 5:08 PM 92464]

S3 stalker;stalker;\??\c:\windows\system32\SOUNDMAN.EXE:stalker.sys --> c:\windows\system32\SOUNDMAN.EXE:stalker.sys [?]

.

- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://intranet/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: monsvr004

Trusted Zone: scriptpro.com

Trusted Zone: webex.com

Trusted Zone: monsvr004

Trusted Zone: scriptpro.com

Trusted Zone: webex.com

DPF: {04897B74-BBBE-46E5-9550-5C487F39C2E4} - hxxp://sea.scriptpro.com/callcenter_enu/19227/applets/SiebelAx_OutBound_mail.cab

DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} - hxxp://sea.scriptpro.com/callcenter_enu/19227/applets/SiebelAx_Desktop_Integration.cab

DPF: {93A85BE8-6137-4E48-BBC8-E78E27035DB0} - hxxp://sea.scriptpro.com/callcenter_enu/19227/applets/SiebelAx_HI_Client.cab

DPF: {941EA235-7669-4E09-8921-B8D1EAB5F71C} - hxxp://sea.scriptpro.com/callcenter_enu/19227/applets/SiebelAx_Gantt_Chart.cab

DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF}

DPF: {E60E7240-603F-4A3E-AF3D-01DD401D7348} - hxxp://sea.scriptpro.com/callcenter_enu/19227/applets/SiebelAx_CTI_Toolbar.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,

O15 - Trusted Zone: http://*.monsvr004

O15 - Trusted Zone: *.scriptpro.com

O15 - Trusted Zone: *.webex.com

O15 - Trusted Zone: http://*.monsvr004 (HKLM)

O15 - Trusted Zone: *.scriptpro.com (HKLM)

O15 - Trusted Zone: *.webex.com (HKLM)

O16 - DPF: {04897B74-BBBE-46E5-9550-5C487F39C2E4} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://sea.scriptpro.com/callcenter_enu/19...tBound_mail.cab

O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://sea.scriptpro.com/callcenter_enu/19...Integration.cab

O16 - DPF: {93A85BE8-6137-4E48-BBC8-E78E27035DB0} (Siebel High Interactivity Framework) - http://sea.scriptpro.com/callcenter_enu/19...x_HI_Client.cab

O16 - DPF: {941EA235-7669-4E09-8921-B8D1EAB5F71C} (Siebel Gantt Chart) - http://sea.scriptpro.com/callcenter_enu/19...Gantt_Chart.cab

O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} (JInitiator 1.3.1.28) -

O16 - DPF: {E60E7240-603F-4A3E-AF3D-01DD401D7348} (Siebel Callcenter Communications Toolbar) - http://sea.scriptpro.com/callcenter_enu/19...CTI_Toolbar.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = scriptpro.com

O17 - HKLM\Software\..\Telephony: DomainName = scriptpro.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = scriptpro.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = scriptpro.com

O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe

O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE

O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe

O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe

O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\WINDOWS\system32\IfxPsdSv.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: VIPRE Enterprise Agent (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\SBEAgent\SBAMSvc.exe

O23 - Service: SLPMONX - ProdEx Technologies - C:\WINDOWS\system32\slpservice.exe

O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe

O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\AMT\UNS.exe

--

End of file - 11004 bytes

Service Pack 2 5 21 2009 07:14:30.375

Loaded driver \WINDOWS\system32\ntkrnlpa.exe

Loaded driver \WINDOWS\system32\hal.dll

Loaded driver \WINDOWS\system32\KDCOM.DLL

Loaded driver \WINDOWS\system32\BOOTVID.dll

Loaded driver ACPI.sys

Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS

Loaded driver pci.sys

Loaded driver isapnp.sys

Loaded driver ohci1394.sys

Loaded driver \WINDOWS\system32\DRIVERS\1394BUS.SYS

Loaded driver compbatt.sys

Loaded driver \WINDOWS\system32\DRIVERS\BATTC.SYS

Loaded driver pciide.sys

Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

Loaded driver pcmcia.sys

Loaded driver MountMgr.sys

Loaded driver ftdisk.sys

Loaded driver dmload.sys

Loaded driver dmio.sys

Loaded driver PartMgr.sys

Loaded driver VolSnap.sys

Loaded driver atapi.sys

Loaded driver iaStor.sys

Loaded driver disk.sys

Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

Loaded driver fltMgr.sys

Loaded driver sr.sys

Loaded driver KSecDD.sys

Loaded driver Ntfs.sys

Loaded driver NDIS.sys

Loaded driver TVALZ.SYS

Loaded driver Thpevm.SYS

Loaded driver thpdrv.sys

Loaded driver Mup.sys

Loaded driver \SystemRoot\system32\DRIVERS\smsmdm.sys

Loaded driver \SystemRoot\system32\DRIVERS\nv4_mini.sys

Loaded driver \SystemRoot\system32\DRIVERS\HECI.sys

Loaded driver \SystemRoot\system32\DRIVERS\e1e5132.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbuhci.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys

Loaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sys

Loaded driver \SystemRoot\system32\DRIVERS\nic1394.sys

Loaded driver \SystemRoot\system32\DRIVERS\sdbus.sys

Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys

Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\Apfiltr.sys

Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\IFXTPM.SYS

Loaded driver \SystemRoot\system32\DRIVERS\serial.sys

Loaded driver \SystemRoot\system32\DRIVERS\serenum.sys

Loaded driver \SystemRoot\system32\DRIVERS\tdcmdpst.sys

Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys

Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys

Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys

Loaded driver \SystemRoot\system32\DRIVERS\tosrfec.sys

Loaded driver \SystemRoot\system32\DRIVERS\CmBatt.sys

Loaded driver \SystemRoot\system32\DRIVERS\intelppm.sys

Loaded driver \SystemRoot\System32\Drivers\tosrfcom.sys

Loaded driver \SystemRoot\system32\DRIVERS\dne2000.sys

Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys

Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys

Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys

Loaded driver \SystemRoot\system32\DRIVERS\psched.sys

Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys

Loaded driver \SystemRoot\system32\DRIVERS\rdpdr.sys

Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys

Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys

Loaded driver \SystemRoot\system32\DRIVERS\update.sys

Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys

Loaded driver \SystemRoot\system32\DRIVERS\tosporte.sys

Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS

Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS

Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys

Loaded driver \SystemRoot\system32\drivers\RtkHDAud.sys

Loaded driver \SystemRoot\system32\DRIVERS\TEchoCan.sys

Loaded driver \SystemRoot\system32\DRIVERS\AGRSM.sys

Loaded driver \SystemRoot\System32\Drivers\Modem.SYS

Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS

Did not load driver \SystemRoot\System32\Drivers\Fdc.SYS

Did not load driver \SystemRoot\System32\Drivers\Flpydisk.SYS

Loaded driver \SystemRoot\System32\drivers\psd.sys

Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS

Did not load driver \SystemRoot\System32\Drivers\Changer.SYS

Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS

Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS

Loaded driver \SystemRoot\System32\Drivers\Null.SYS

Loaded driver \SystemRoot\System32\Drivers\Beep.SYS

Did not load driver \SystemRoot\system32\DRIVERS\kbdhid.sys

Loaded driver \SystemRoot\System32\drivers\vga.sys

Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS

Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys

Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS

Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS

Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys

Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys

Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys

Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys

Loaded driver \SystemRoot\system32\drivers\sbtis.sys

Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys

Loaded driver \SystemRoot\System32\drivers\afd.sys

Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys

Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS

Loaded driver \SystemRoot\System32\Drivers\TMEI3E.SYS

Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys

Loaded driver \SystemRoot\system32\DRIVERS\arp1394.sys

Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\system32\DRIVERS\hidusb.sys

Loaded driver \SystemRoot\System32\Drivers\Fips.SYS

Loaded driver \SystemRoot\system32\DRIVERS\USBSTOR.SYS

Loaded driver \SystemRoot\system32\DRIVERS\mouhid.sys

Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS

Loaded driver \SystemRoot\system32\DRIVERS\AegisP.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys

Loaded driver \SystemRoot\system32\DRIVERS\netdevio.sys

Loaded driver \SystemRoot\system32\DRIVERS\s24trans.sys

Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys

Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS

Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys

Did not load driver \SystemRoot\System32\Drivers\Parport.SYS

Loaded driver \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys

Loaded driver \SystemRoot\system32\DRIVERS\srv.sys

Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys

Loaded driver \??\C:\WINDOWS\system32\CCM\prepdrv.sys

Loaded driver \SystemRoot\system32\drivers\wdmaud.sys

Loaded driver \SystemRoot\system32\drivers\sysaudio.sys

Loaded driver \SystemRoot\system32\drivers\splitter.sys

Loaded driver \SystemRoot\system32\drivers\aec.sys

Loaded driver \SystemRoot\system32\drivers\swmidi.sys

Loaded driver \SystemRoot\system32\drivers\DMusic.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\drmkaud.sys

Loaded driver \SystemRoot\System32\Drivers\TDTCP.SYS

Loaded driver \SystemRoot\System32\Drivers\RDPWD.SYS

Loaded driver \SystemRoot\System32\Drivers\HTTP.sys

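The entry that gives the rootkit away in the ComboFix service list above is the stalker driver, whose image path is an NTFS alternate data stream attached to SOUNDMAN.EXE, and for which ComboFix printed [?] instead of a file date and size. The Python below is an added example, not code from the thread or from ComboFix: it parses ComboFix-style service lines, flags entries hosted in an alternate data stream or lacking file information, and then pivots on the host file to find other log lines that mention it (the file-creation entry and the firewall exception). The sample lines are constructed from the log above, and the reading of the R/S letter and Start-type digit is an assumption about ComboFix's format.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample lines in the service-list format ComboFix prints:
#   <R|S><Start> <name>;<display name>;<image path> [<date> <size>]
# Assumed reading of the prefix: R = running, S = stopped, digit = Start value
# (0 boot, 1 system, 2 auto, 3 demand, 4 disabled). Three benign entries
# modelled on the log above, then the stalker entry verbatim.
SAMPLE_LINES = [
    r"R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [4/27/2007 11:19 AM 21120]",
    r"R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [4/15/2009 4:04 PM 202928]",
    r"S2 SBAMSvc;VIPRE Enterprise Agent;c:\program files\Sunbelt Software\SBEAgent\SBAMSvc.exe [4/22/2009 6:01 AM 894248]",
    r"S3 stalker;stalker;\??\c:\windows\system32\SOUNDMAN.EXE:stalker.sys --> c:\windows\system32\SOUNDMAN.EXE:stalker.sys [?]",
]
# Constructed lines from other sections of the same log: a "Files Created"
# entry and firewall AuthorizedApplications entries (REGEDIT4 style, with
# doubled backslashes), two of which name the ADS host file.
SAMPLE_CONTEXT = [
    r"2009-04-29 20:46 . 2009-05-20 20:58 26286 ----a-w c:\windows\system32\SOUNDMAN.EXE",
    r'"%windir%\\system32\\sessmgr.exe"=',
    r'"c:\\WINDOWS\\system32\\SOUNDMAN.EXE"=',
]

SERVICE_LINE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.*) \[(.*)\]$")
# A drive-letter path whose last component carries a second colon is the
# NTFS alternate-data-stream syntax: c:\dir\host.exe:stream
ADS_PATH = re.compile(r"^[A-Za-z]:\\.*\\[^\\:]+:[^\\:]+$")


@dataclass
class ServiceEntry:
    name: str
    display: str
    running: bool
    start_type: int
    image_path: str   # resolved path (right-hand side of "-->" when present)
    file_info: str    # text inside the trailing [...]; "?" when no date/size


@dataclass
class Finding:
    service: str
    path: str
    reasons: List[str] = field(default_factory=list)


def normalize_path(raw: str) -> str:
    """Take the resolved path after '-->' and drop the NT '\\??\\' prefix."""
    path = raw.split("-->")[-1].strip()
    return path[4:] if path.startswith("\\??\\") else path


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one ComboFix service line; None for any other line."""
    m = SERVICE_LINE.match(line.strip())
    if not m:
        return None
    state, start, name, display, path, info = m.groups()
    return ServiceEntry(name, display, state == "R", int(start),
                        normalize_path(path), info.strip())


def is_alternate_data_stream(path: str) -> bool:
    return ADS_PATH.match(path) is not None


def host_file(path: str) -> str:
    """For 'c:\\dir\\host.exe:stream' return 'c:\\dir\\host.exe'."""
    return path.rsplit(":", 1)[0] if is_alternate_data_stream(path) else path


def find_suspicious_services(lines) -> List[Finding]:
    """Flag services whose image lives in an ADS or has no file date/size."""
    findings = []
    for line in lines:
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = []
        if is_alternate_data_stream(entry.image_path):
            reasons.append("image path is an alternate data stream of "
                           + host_file(entry.image_path))
        if entry.file_info == "?":
            reasons.append("ComboFix reported no date/size for the image file")
        if reasons:
            findings.append(Finding(entry.name, entry.image_path, reasons))
    return findings


def related_lines(host: str, lines) -> List[str]:
    """Other log lines naming the ADS host file, case-insensitively and
    tolerating the doubled backslashes of REGEDIT4-style sections."""
    needle = host.lower()
    return [l for l in lines if needle in l.replace("\\\\", "\\").lower()]
```

Running find_suspicious_services(SAMPLE_LINES) yields a single finding for stalker with both reasons, and related_lines(host_file(...), SAMPLE_CONTEXT) returns the two lines that name SOUNDMAN.EXE, which is the same pivot a responder makes by hand from the log above.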

  • Root Admin

Note, this machine has a RootKit on it. Since it's in a Corporate Environment you really need to decide if you want to clean it or wipe it and rebuild it.

One or more of the identified infections is related to a nasty rootkit component which is difficult to remove. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, to include those used for banking, email, eBay, PayPal and online forums, from a CLEAN COMPUTER. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, delete the partition, reformat and reinstall the OS.

Please read:

Should you decide not to follow this advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, disinfection will require more time and more advanced tools.

Please let us know how you would like to proceed.

Message borrowed from quietman7 with minor wording and link changes

If you do want to attempt to clean it then please run the script below.

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

Rootkit::
svc32d.exe
svc32d
c:\windows\system32\svc32d.exe

Driver::
stalker

File::
c:\windows\system32\stalker.sys
c:\windows\system32\svc32d.exe

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\stalker]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown in the attached image (CFScript.gif).

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  • When the scan completes, Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
