
Need advice. MWB and others not running


rgassist


I'm helping a friend with their ThinkPad T42 laptop. They are running XP SP3.

They have McAfee Security Center installed.

F-Secure's linux Rescue-CD did not find malware, but reported a few instances of files that could not be scanned.

Within Windows I've disabled McAfee and attempted to run:

F-Secure's BlackLight and EasyClean

your Malwarebytes

and BleepingComputer's ComboFix

The first three run for a few seconds and then drop out of memory.

ComboFix detected the presence of rootkit activity on first run and asked for a reboot. It has not been able to run for more than a few seconds after starting since the reboot.

Any thoughts?

Thanks,

-Ray


  • Staff

Please exercise some patience. You posted the log at two in the morning; I'm not online 24/7. There is no need to post additional replies; I am notified every time you reply.

We need to execute an Avenger2 script.

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Please download The Avenger2 by Swandog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Files to move:
    C:\WINDOWS\system32\logevent.dll | C:\WINDOWS\system32\eventlog.dll


  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Next, try updating MBAM, running a Quick Scan, and posting its log.

After that, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317


Apologies. I'm guessing you all follow up on items as if assigned. Was just seeing responses elsewhere and assumed they were just sort of round-robin'd.

I stepped through the instructions above. I got to the two confirmation prompts, but instead of rebooting, the system froze. No response to mouse movement, and no hard disk activity. Tried Task Manager after about 30 minutes, but no response to that either. Will it continue running as you desire if I force a non-standard power-down?

Thanks,

-Ray


Oddly enough, it reports:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File move operation "C:\WINDOWS\system32\logevent.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

I'll continue with the next steps in your previous posts.


MBAM returned the following:

Malwarebytes' Anti-Malware 1.41

Database version: 2866

Windows 5.1.2600 Service Pack 3

9/28/2009 12:03:24 AM

mbam-log-2009-09-28 (00-03-24).txt

Scan type: Full Scan (C:\|)

Objects scanned: 145953

Time elapsed: 35 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 15

Registry Values Infected: 2

Registry Data Items Infected: 4

Folders Infected: 2

Files Infected: 33

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\systemroot\system32\rotscxsdkbwrth.dll (Rootkit.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\tapi.nfo (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\qwprotect.qwprotectbho.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{cdb65423-01f2-4caf-b56d-ff0590d26ec7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\{cdb65423-01f2-4caf-b56d-ff0590d26ec7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{27c9dd2c-9f0c-4cb8-b631-26b44dfcdef5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2182220d-aa70-4764-b4e6-1f5bba322c9c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2182220d-aa70-4764-b4e6-1f5bba322c9c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe tapi.nfo beforeglav) Good: (Explorer.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\All Users\Application Data\N1 (Rogue.AntiVirus1) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:

\\?\globalroot\systemroot\system32\rotscxsdkbwrth.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tapi.nfo (Trojan.Downloader) -> Delete on reboot.

C:\temp\wintemp\10.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\temp\wintemp\275.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\temp\wintemp\3C.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\rotscxsdkbwrth.dll (Rootkit.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\drivers\oreans32.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\TWBYRTR0\dj230982[1].exe (Trojan.Otlard) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZKIUOGUT\file[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\rotscxbxxtputock.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\rotscxcchxjipmkp.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\rotscxcepegeexcv.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\rotscxctqxnxbiwq.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\rotscxntiporxiqd.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\rotscxpsmqfplqio.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\rotscxqpciqxyrbq.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\rotscxtoievmtivf.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\rotscxuyfwklikbc.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\rotscxvnmbffnxpb.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\rotscxvrxtivkpjk.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\rotscxwpiyfwbdwp.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\rotscxxtpetjwqpx.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.

C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.

C:\WINDOWS\system32\logon.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.

C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\rotscxamvnfedx.dat (Rootkit.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\rotscxcoqtjwqg.dll (Rootkit.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\rotscxdrxjsals.dat (Rootkit.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\rotscxyuhddtye.dll (Rootkit.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\drivers\rotscxfdktkkyi.sys (Rootkit.TDSS) -> Delete on reboot.

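The MBAM log above shows both Winlogon autostart values tampered with: Userinit had sdra64.exe chained after the real userinit.exe, and Shell had "rundll32.exe tapi.nfo beforeglav" appended to Explorer.exe. The Python below is an added example, not code from this thread or from Malwarebytes: it parses the "Registry Data Items Infected" lines (sample text constructed from the log quoted above) and lists every component of Userinit and Shell that is not the stock program in its stock directory. The expected values and directories are assumptions based on a default Windows XP install; on a live machine you would read them from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon instead of from a scanner log.

```python
"""Flag non-stock components in Winlogon Userinit/Shell values, taking the
"Registry Data Items Infected" lines of a Malwarebytes 1.x log as input.

Added example: not code from this thread or from Malwarebytes. The expected
values below are assumed from a default Windows XP install."""
import re

# Assumed stock values: (basename, directory) for each Winlogon value.
# Anything else listed in these values is launched at every logon.
EXPECTED = {
    "Userinit": ("userinit.exe", r"c:\windows\system32"),
    "Shell": ("explorer.exe", r"c:\windows"),
}

# Constructed sample built from the three registry data items in the MBAM log above.
SAMPLE_MBAM_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe tapi.nfo beforeglav) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
"""

# "<registry key> (<family>) -> <rest>"; the key may contain spaces ("Windows NT").
LINE_RE = re.compile(r"^(?P<key>HKEY_\S.*?) \((?P<family>[^)]+)\) -> (?P<rest>.*)$")
BADGOOD_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.*)$")
DATA_RE = re.compile(r"^Data: (?P<data>.*) -> (?P<action>.*)$")


def winlogon_extras(name, value):
    """Return the components of a Userinit or Shell value that are not the
    stock program. Userinit is comma-separated (a trailing comma is normal);
    Shell is split on commas and whitespace, matching the hijacked value above.
    The directory is compared too, so c:\\evil\\explorer.exe does not pass."""
    base, directory = EXPECTED[name]
    sep = "," if name == "Userinit" else r"[,\s]+"
    extras = []
    for tok in (t.strip() for t in re.split(sep, value)):
        if not tok:
            continue
        head, _, tail = tok.lower().rpartition("\\")
        if tail == base and (not head or head == directory):
            continue
        extras.append(tok)
    return extras


def parse_mbam_registry_data(text):
    """Parse MBAM 'Registry Data Items Infected' lines into dicts with the key,
    value name, detection family, bad/good or data values, and the action taken."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = {"key": m["key"], "name": m["key"].rsplit("\\", 1)[1],
               "family": m["family"], "bad": None, "good": None,
               "data": None, "action": None}
        bg = BADGOOD_RE.match(m["rest"])
        d = DATA_RE.match(m["rest"])
        if bg:
            rec.update(bad=bg["bad"], good=bg["good"], action=bg["action"])
        elif d:
            rec.update(data=d["data"], action=d["action"])
        records.append(rec)
    return records


def triage(text):
    """Map each Winlogon value named in the log to the (lower-cased, sorted)
    components that should not be there."""
    findings = {}
    for rec in parse_mbam_registry_data(text):
        value = rec["bad"] if rec["bad"] is not None else rec["data"]
        if rec["name"] in EXPECTED and value:
            found = findings.setdefault(rec["name"], set())
            found.update(x.lower() for x in winlogon_extras(rec["name"], value))
    return {name: sorted(items) for name, items in findings.items()}


if __name__ == "__main__":
    for name, items in triage(SAMPLE_MBAM_LOG).items():
        print(f"{name}: unexpected components -> {items}")
```

The value reported as "Data:" for Userinit is only the injected program, while the "Bad:" form carries the whole value; the check handles both so it works across MBAM's two ways of reporting the same key.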

ComboFix completed, generating the information below. I'll download the current HijackThis and run it shortly.

ComboFix 09-09-25.01 - Administrator 09/28/2009 0:59.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.687 [GMT -7:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\LOG104.tmp

C:\LOG12E.tmp

C:\LOG16.tmp

C:\LOG1E9.tmp

C:\LOG22.tmp

C:\LOG26E.tmp

C:\LOG332.tmp

C:\LOG4B.tmp

C:\LOG4DE.tmp

C:\LOG5C.tmp

C:\LOG6.tmp

C:\LOG66B.tmp

C:\LOG7C.tmp

C:\LOGA4.tmp

C:\LOGC2.tmp

C:\LOGDF.tmp

C:\LOGF5.tmp

c:\windows\system32\.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_OREANS32

-------\Legacy_rotscxwyojnddm

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

-------\Service_oreans32

-------\Service_rotscxwyojnddm

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-28 )))))))))))))))))))))))))))))))

.

2009-09-27 08:41 . 2009-09-27 08:44 -------- d-----w- c:\temp\Win32kDiag

2009-09-27 04:26 . 2009-09-27 04:26 -------- d-----w- c:\temp\combofix

2009-09-27 04:07 . 2009-09-27 04:07 -------- d-----w- c:\temp\easyclean

2009-09-27 04:07 . 2009-09-27 04:08 -------- d-----w- c:\temp\blacklight

2009-09-27 04:02 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-27 04:02 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-27 04:02 . 2009-09-28 07:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-27 03:45 . 2009-09-27 15:36 -------- d--h--w- c:\windows\PIF

2009-09-27 03:27 . 2009-09-27 03:41 -------- d-----w- c:\program files\MWB-Bad-RG

2009-09-27 03:14 . 2009-09-27 03:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-09-27 03:14 . 2009-09-27 03:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-27 03:13 . 2009-09-27 03:13 -------- d-----w- c:\temp\malwarebytes

2009-09-27 02:44 . 2009-09-28 07:03 -------- d-----w- c:\temp\wintemp

2009-09-26 23:20 . 2009-09-27 08:41 -------- d-----w- C:\temp

2009-09-04 23:00 . 2007-11-22 13:44 33832 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2009-09-04 23:00 . 2007-12-02 19:51 40488 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2009-09-04 23:00 . 2007-11-22 13:44 35240 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2009-09-04 23:00 . 2007-11-22 13:44 201320 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2009-09-04 23:00 . 2007-11-22 13:44 79304 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2009-09-04 22:59 . 2007-07-13 13:20 113952 ----a-w- c:\windows\system32\drivers\Mpfp.sys

2009-09-04 22:58 . 2009-09-04 22:59 -------- d-----w- c:\program files\McAfee.com

2009-09-04 22:58 . 2009-09-07 21:45 -------- d-----w- c:\program files\Common Files\McAfee

2009-09-04 21:51 . 2009-09-04 23:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\SiteAdvisor

2009-09-04 20:21 . 2009-09-04 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix

2009-09-04 20:16 . 2009-09-04 20:16 -------- d-----w- c:\program files\Citrix

2009-09-04 20:15 . 2009-09-04 20:15 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Citrix

2009-09-04 20:15 . 2009-09-04 20:15 61224 ----a-w- c:\documents and settings\Administrator\GoToAssistDownloadHelper.exe

2009-09-04 05:16 . 2009-09-04 05:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\McAfee

2009-09-03 00:07 . 2009-09-03 00:08 45344 ----a-w- c:\windows\system32\drivers\kct9693.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-27 18:52 . 2008-04-13 21:05 -------- d-----w- c:\program files\McAfee

2009-09-27 12:59 . 2009-04-01 03:26 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-27 10:01 . 2008-04-13 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-09-04 23:24 . 2008-04-13 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-09-04 23:02 . 2008-04-13 21:06 -------- d-----w- c:\program files\SiteAdvisor

2009-09-04 18:19 . 2008-04-04 13:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3

2009-08-16 02:33 . 2009-08-16 02:33 -------- d-----w- c:\program files\CCleaner

2009-08-05 09:01 . 2002-08-29 10:41 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-01 20:31 . 2009-06-07 19:55 -------- d-----w- c:\program files\Paws and Claws Pet Resort

2009-07-31 09:14 . 2008-04-11 19:51 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-07-17 19:01 . 2002-08-29 10:40 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-12 19:21 . 2004-08-04 07:56 233472 ------w- c:\windows\system32\wmpdxm.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-20 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 126976]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 561152]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-19 136600]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Billminder.lnk - c:\program files\QUICKENW\BILLMIND.EXE [2008-5-16 36864]

Quicken Startup.lnk - c:\program files\QUICKENW\QWDLLS.EXE [2008-5-16 36864]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2009-09-04 20:16 10536 ----a-w- c:\program files\Citrix\GoToAssist\516\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

S0 kct9693;kct9693;\SystemRoot\\SystemRoot\System32\drivers\kct9693.sys --> \SystemRoot\\SystemRoot\System32\drivers\kct9693.sys [?]

S1 e6d5ecbc.sys;e6d5ecbc.sys;\??\c:\windows\System32\drivers\e6d5ecbc.sys --> c:\windows\System32\drivers\e6d5ecbc.sys [?]

S3 fsbl-standalone;F-Secure BlackLight Beta Engine Driver;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys [?]

S3 fsbl;F-Secure BlackLight Engine Driver;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\9bf34a2c-4afe-4e0c-9494-e7354f30c413\fsbldrv.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\9bf34a2c-4afe-4e0c-9494-e7354f30c413\fsbldrv.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2009-09-04 c:\windows\Tasks\McDefragTask.job

- c:\windows\system32\defrag.exe [2002-08-29 00:12]

2009-09-04 c:\windows\Tasks\McQcTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2009-09-04 20:32]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.earthlink.net/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: internet

Trusted Zone: mcafee.com

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gkl6i3rr.default\

FF - prefs.js: browser.startup.homepage - www.earthlink.net

FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

AddRemove-Mount&Blade - c:\program files\Mount&Blade\uninstall.exe

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)

c:\windows\system32\Ati2evxx.dll

c:\program files\Citrix\GoToAssist\516\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(2008)

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ibmpmsvc.exe

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\program files\Common Files\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

c:\program files\McAfee\MPF\MpfSrv.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\windows\system32\searchindexer.exe

c:\windows\system32\wscntfy.exe

c:\progra~1\McAfee\MSC\mcuimgr.exe

.

**************************************************************************

.

Completion time: 2009-09-28 1:07 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-28 08:07

Pre-Run: 21,980,442,624 bytes free

Post-Run: 21,988,909,056 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

205 --- E O F --- 2009-09-27 10:02


Contents from the HijackThis run. Please let me know if there is anything further that should still be run:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:19:38 AM, on 9/28/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\ibmpmsvc.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\QUICKENW\QWDLLS.EXE

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

c:\PROGRA~1\mcafee\msc\mcuimgr.exe

C:\WINDOWS\explorer.exe

C:\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptsn.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://*.mcafee.com

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1208112375233

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208111180751

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\516\G2AWinLogon.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\516\g2aservice.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--

End of file - 7963 bytes


  • Staff

Hi,

Update MBAM, run a Quick Scan, and post its log.

Next, please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

Driver::

kct9693

e6d5ecbc.sys

File::

C:\Windows\System32\drivers\kct9693.sys

c:\windows\System32\drivers\e6d5ecbc.sys

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


First step completed. Results below. Will download combofix and run the script next.

Malwarebytes' Anti-Malware 1.41

Database version: 2870

Windows 5.1.2600 Service Pack 3

9/28/2009 9:31:20 PM

mbam-log-2009-09-28 (21-31-20).txt

Scan type: Full Scan (C:\|)

Objects scanned: 142313

Time elapsed: 29 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Combofix results:

ComboFix 09-09-28.01 - Administrator 09/28/2009 21:37.2.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.645 [GMT -7:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::

"c:\windows\System32\drivers\e6d5ecbc.sys"

"c:\windows\System32\drivers\kct9693.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\System32\drivers\kct9693.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_e6d5ecbc.sys

-------\Service_kct9693

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-29 )))))))))))))))))))))))))))))))

.

2009-09-29 03:57 . 2009-09-29 03:57 -------- d-----w- c:\windows\LastGood.Tmp

2009-09-28 08:17 . 2009-09-28 08:23 -------- d-----w- C:\HijackThis

2009-09-27 08:41 . 2009-09-27 08:44 -------- d-----w- c:\temp\Win32kDiag

2009-09-27 04:26 . 2009-09-27 04:26 -------- d-----w- c:\temp\combofix

2009-09-27 04:12 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2009-09-27 04:07 . 2009-09-27 04:07 -------- d-----w- c:\temp\easyclean

2009-09-27 04:07 . 2009-09-27 04:08 -------- d-----w- c:\temp\blacklight

2009-09-27 04:02 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-27 04:02 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-27 04:02 . 2009-09-29 03:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-27 03:45 . 2009-09-27 15:36 -------- d--h--w- c:\windows\PIF

2009-09-27 03:27 . 2009-09-27 03:41 -------- d-----w- c:\program files\MWB-Bad-RG

2009-09-27 03:14 . 2009-09-27 03:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-09-27 03:14 . 2009-09-27 03:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-27 03:13 . 2009-09-27 03:13 -------- d-----w- c:\temp\malwarebytes

2009-09-27 02:44 . 2009-09-28 07:03 -------- d-----w- c:\temp\wintemp

2009-09-26 23:20 . 2009-09-27 08:41 -------- d-----w- C:\temp

2009-09-04 23:00 . 2007-11-22 13:44 33832 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2009-09-04 23:00 . 2007-12-02 19:51 40488 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2009-09-04 23:00 . 2007-11-22 13:44 35240 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2009-09-04 23:00 . 2007-11-22 13:44 201320 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2009-09-04 23:00 . 2007-11-22 13:44 79304 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2009-09-04 22:59 . 2007-07-13 13:20 113952 ----a-w- c:\windows\system32\drivers\Mpfp.sys

2009-09-04 22:58 . 2009-09-04 22:59 -------- d-----w- c:\program files\McAfee.com

2009-09-04 22:58 . 2009-09-07 21:45 -------- d-----w- c:\program files\Common Files\McAfee

2009-09-04 21:51 . 2009-09-04 23:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\SiteAdvisor

2009-09-04 20:21 . 2009-09-04 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix

2009-09-04 20:16 . 2009-09-04 20:16 -------- d-----w- c:\program files\Citrix

2009-09-04 20:15 . 2009-09-04 20:15 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Citrix

2009-09-04 20:15 . 2009-09-04 20:15 61224 ----a-w- c:\documents and settings\Administrator\GoToAssistDownloadHelper.exe

2009-09-04 05:16 . 2009-09-04 05:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\McAfee

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-29 03:58 . 2008-04-13 21:05 -------- d-----w- c:\program files\McAfee

2009-09-28 08:44 . 2008-04-13 20:59 69232 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-27 12:59 . 2009-04-01 03:26 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-27 10:01 . 2008-04-13 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-09-04 23:24 . 2008-04-13 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-09-04 23:02 . 2008-04-13 21:06 -------- d-----w- c:\program files\SiteAdvisor

2009-09-04 18:19 . 2008-04-04 13:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3

2009-08-16 02:33 . 2009-08-16 02:33 -------- d-----w- c:\program files\CCleaner

2009-08-05 09:01 . 2002-08-29 10:41 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-01 20:31 . 2009-06-07 19:55 -------- d-----w- c:\program files\Paws and Claws Pet Resort

2009-07-31 09:14 . 2008-04-11 19:51 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-07-17 19:01 . 2002-08-29 10:40 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-12 19:21 . 2004-08-04 07:56 233472 ------w- c:\windows\system32\wmpdxm.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-09-28_08.04.35 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-09-29 04:43 . 2009-09-29 04:43 16384 c:\windows\Temp\Perflib_Perfdata_254.dat

+ 2008-04-04 02:04 . 2009-09-29 03:58 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2008-04-04 02:04 . 2009-09-28 05:28 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-09-28 08:37 . 2009-09-29 03:58 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2008-04-04 02:04 . 2009-09-28 05:28 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2001-08-23 12:00 . 2009-08-13 15:16 512000 c:\windows\system32\jscript.dll

- 2001-08-23 12:00 . 2008-05-09 10:53 512000 c:\windows\system32\jscript.dll

- 2008-05-09 10:53 . 2008-05-09 10:53 512000 c:\windows\system32\dllcache\jscript.dll

+ 2008-05-09 10:53 . 2009-08-13 15:16 512000 c:\windows\system32\dllcache\jscript.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-20 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 126976]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 561152]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-19 136600]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Billminder.lnk - c:\program files\QUICKENW\BILLMIND.EXE [2008-5-16 36864]

Quicken Startup.lnk - c:\program files\QUICKENW\QWDLLS.EXE [2008-5-16 36864]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2009-09-04 20:16 10536 ----a-w- c:\program files\Citrix\GoToAssist\516\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

S3 fsbl-standalone;F-Secure BlackLight Beta Engine Driver;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys [?]

S3 fsbl;F-Secure BlackLight Engine Driver;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\9bf34a2c-4afe-4e0c-9494-e7354f30c413\fsbldrv.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\9bf34a2c-4afe-4e0c-9494-e7354f30c413\fsbldrv.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2009-09-04 c:\windows\Tasks\McDefragTask.job

- c:\windows\system32\defrag.exe [2002-08-29 00:12]

2009-09-04 c:\windows\Tasks\McQcTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2009-09-04 20:32]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.earthlink.net/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: internet

Trusted Zone: mcafee.com

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gkl6i3rr.default\

FF - prefs.js: browser.startup.homepage - www.earthlink.net

FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-28 21:43

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(872)

c:\windows\system32\Ati2evxx.dll

c:\program files\Citrix\GoToAssist\516\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(3424)

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ibmpmsvc.exe

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\program files\Common Files\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

c:\program files\McAfee\MPF\MpfSrv.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\windows\system32\searchindexer.exe

c:\progra~1\McAfee\MSC\mcuimgr.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-09-29 21:47 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-29 04:47

ComboFix2.txt 2009-09-28 08:07

Pre-Run: 21,952,294,912 bytes free

Post-Run: 21,925,683,200 bytes free

196 --- E O F --- 2009-09-28 08:52

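As an added illustration (not code from this thread, from Malwarebytes, or from the ComboFix author), the following Python parses the two artefacts posted above: the CFScript's `Driver::` / `File::` sections that screen317 supplied, and the "Files Created" block of a ComboFix log, then reports which script targets actually show up in that block. The sample log is constructed from lines quoted in the ComboFix output above plus one constructed entry for e6d5ecbc.sys (the real log lists that driver only under Drivers/Services); the section names and the column layout of an entry line are assumptions taken from the log as posted, not a documented format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One ComboFix "Files Created" line, as seen in the log above (assumed layout):
#   <created> . <modified> <size or dashes> <attrs> <path>
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Constructed sample: four lines copied from the thread's log, plus one
# constructed line for e6d5ecbc.sys so the matching logic has a hit to show.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-29 )))))))))))))))))))))))))))))))
.
2009-09-29 03:57 . 2009-09-29 03:57 -------- d-----w- c:\windows\LastGood.Tmp
2009-09-27 04:02 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-27 04:02 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-26 23:30 . 2009-09-26 23:30 12288 ----a-w- c:\windows\System32\drivers\e6d5ecbc.sys
2009-09-04 22:59 . 2007-07-13 13:20 113952 ----a-w- c:\windows\system32\drivers\Mpfp.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))
"""

# The CFScript exactly as given in the staff post above.
SAMPLE_SCRIPT = r"""
Driver::
kct9693
e6d5ecbc.sys
File::
C:\Windows\System32\drivers\kct9693.sys
c:\windows\System32\drivers\e6d5ecbc.sys
"""


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories (size column is dashes)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_files_created(log: str) -> List[Entry]:
    """Return the entries between the 'Files Created' banner and the next banner."""
    entries: List[Entry] = []
    in_section = False
    for line in log.splitlines():
        if "Files Created from" in line:
            in_section = True
            continue
        if in_section and line.startswith("(((("):
            break  # next banner ends the section
        if not in_section:
            continue
        m = ENTRY_RE.match(line.strip())
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def parse_cfscript(script: str) -> Dict[str, List[str]]:
    """Split a CFScript into {section: [items]} using the 'Name::' headers."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def recent_drivers(entries: List[Entry]) -> List[Entry]:
    """Files (not directories) under a drivers directory with a .sys extension."""
    return [e for e in entries
            if not e.is_dir and e.path.lower().endswith(".sys")
            and "\\drivers\\" in e.path.lower()]


def script_targets_seen(sections: Dict[str, List[str]], entries: List[Entry]) -> Dict[str, bool]:
    """For each File::/Driver:: item, whether it appears in the parsed entries (case-insensitive)."""
    paths = {e.path.lower() for e in entries}
    names = {e.path.lower().rsplit("\\", 1)[-1] for e in entries}
    seen: Dict[str, bool] = {}
    for item in sections.get("File", []):
        seen[item] = item.lower() in paths
    for item in sections.get("Driver", []):
        # Driver:: items are service names or file names; match on the basename
        base = item.lower()
        seen[item] = base in names or (base + ".sys") in names
    return seen


if __name__ == "__main__":
    entries = parse_files_created(SAMPLE_LOG)
    for d in recent_drivers(entries):
        print(f"{d.created}  {d.size:>7}  {d.path}")
    for item, hit in script_targets_seen(parse_cfscript(SAMPLE_SCRIPT), entries).items():
        print(f"{'seen    ' if hit else 'not seen'}  {item}")
```

Run against the real log above, every target reports "not seen", which is consistent with ComboFix having already removed kct9693.sys and deregistered both services before printing the "Files Created" block; the constructed e6d5ecbc.sys line is there only so the match path is exercised.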

Results from F-Secure Online Scan:

Scanning Report

Monday, September 28, 2009 22:01:07 - 22:45:16

Computer name: SATAY

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\

3 malware found

TrackingCookie.Adtech (spyware)

* System (Disinfected)

Trojan.Peed.Gen (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{D0AAD160-3BD6-4E42-AEE6-EFED423D9B65}\RP278\A0070019.SYS (Renamed & Submitted)

Backdoor.Generic.95440 (virus)

* C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\MOVEMEDIAPLAYER_07076007.EXE (Renamed & Submitted)

Statistics

Scanned:

* Files: 37766

* System: 2880

* Not scanned: 12

Actions:

* Disinfected: 1

* Renamed: 2

* Deleted: 0

* Not cleaned: 0

* Submitted: 2

Files not scanned:

* C:\PAGEFILE.SYS

* C:\WINDOWS\TEMP\MCMSC_1MAK3R5FNMIBYXH

* C:\WINDOWS\SYSTEM32\DUMPREP.EXE

* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

* C:\WINDOWS\SYSTEM32\CONFIG\SAM

* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

* C:\TEMP\BLACKLIGHT\FSBL.EXE

* C:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE

* C:\PROGRAM FILES\MWB-BAD-RG\MBAM.EXE

* C:\PROGRAM FILES\MCAFEE\VIRUSSCAN\MCODS.EXE

Options

Scanning engines:

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

* Use advanced heuristics

Copyright


Security Check results:

Results of screen317's Security Check version 0.99.0

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

McAfee SecurityCenter

McAfee Virtual Technician

Antivirus up to date! (On Access scanning disabled!)

``````````````````````````````

Anti-malware/Other Utilities Check:

HijackThis 2.0.2

CCleaner (remove only)

Java 6 Update 11

Java 6 Update 2

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 8.1.2

Adobe Reader 8.1.2 Security Update 1 (KB403742)

Out of date Adobe Reader installed!

``````````````````````````````

Process Check:

objlist.exe by Laurent

McAfee VIRUSS~1 mcshield.exe

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


Updated Adobe Reader and Java on her laptop. Second pass on Security Check results in:

Results of screen317's Security Check version 0.99.0

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

McAfee SecurityCenter

McAfee Virtual Technician

Antivirus up to date!

``````````````````````````````

Anti-malware/Other Utilities Check:

HijackThis 2.0.2

CCleaner (remove only)

Java 6 Update 16

Adobe Flash Player 10

Adobe Reader 9.1

``````````````````````````````

Process Check:

objlist.exe by Laurent

McAfee VIRUSS~1 mcshield.exe

McAfee VIRUSS~1 mcsysmon.exe

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


  • Staff

Hi,

My apologies for the delay.

Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

Things are looking good. :D

Please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

3) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

6) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317
