
I Connect to Internet but something just not right.



I have scanned the computer with MBAM; it showed malware.sysguard and took care of that problem. I ran Spybot S&D and it found a few, but now neither of them shows anything, but the computer is so slow. I am posting the logs here, also a HJT log. IE8 seems to be the browser that is infected, and unfortunately that is the browser that the office needs.

Thanks for any help you can provide.

Malwarebytes' Anti-Malware 1.44

Database version: 3746

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2/18/2010 2:26:17 PM

mbam-log-2010-02-18 (14-26-17).txt

Scan type: Quick Scan

Objects scanned: 139142

Time elapsed: 6 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

=======================================================

HJT

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:29:10 PM, on 2/18/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\system32\ESDUSBMon.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\DigitalPersona\Bin\DpHost.exe

C:\WINDOWS\system32\EpStsSrv.exe

C:\Program Files\iQmetrix\IQ.Core.UpdateFoundation.WindowsService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\iQmetrix\RQ4\RetailiQ.WPF\RetailiQ.Windows.WPF.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://eroes.midwest.verizonwireless.com/eroes/eROES.jsp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [ESDUSBMon.exe] C:\WINDOWS\system32\ESDUSBMon.exe

O4 - HKLM\..\Run: [blackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-21-1409082233-1275210071-1801674531-1003\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User '?')

O4 - HKUS\S-1-5-21-1409082233-1275210071-1801674531-1003\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler (User '?')

O4 - HKUS\S-1-5-21-1409082233-1275210071-1801674531-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {3B3CC57A-6F3D-4596-A8D6-19E4A216AD0C} (pcval Control) - https://dsi2.datascape2.com:8443/AgentProfile/dspcval.ocx

O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/devicesoftware/AxLoader.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192116479734

O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O17 - HKLM\System\CCS\Services\Tcpip\..\{D57174ED-1FAD-427B-9DF9-0617A3F6FBAD}: NameServer = 10.148.242.1,205.171.3.65,205.171.2.65

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O23 - Service: Biometric Authentication Service (DpHost) - Digital Persona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe

O23 - Service: EPSON ESC/POS Status Service (EPSON ESCPOS Status Service) - SEIKO EPSON Corp. - C:\WINDOWS\SYSTEM32\EpStsSrv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iQmetrix Installation Manager Service (IQ.Core.UpdateFoundation.WindowsService) - iQmetrix Software Development Corporation - C:\Program Files\iQmetrix\IQ.Core.UpdateFoundation.WindowsService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--

End of file - 8172 bytes

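The HijackThis log above is what a helper reads by eye to decide what needs a closer look. As an added example (not part of this thread, and not a Malwarebytes, HijackThis or ComboFix tool), the Python script below runs a first-pass triage over such log lines: it flags an Internet Explorer proxy that points at a listener on the machine itself, BHO registrations whose DLL no longer exists, the Security Center value that suppresses the "no antivirus" warning, and firewall exceptions that open inbound ports. The sample input is constructed from lines copied out of the HijackThis and ComboFix logs posted in this thread; the regular expressions, the `Finding` type and the reasons are this example's own and are heuristics for a reviewer, not a verdict.

```python
"""First-pass triage of HijackThis / ComboFix log lines (added example, not a vendor tool)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: str    # the log line that triggered the finding
    reason: str  # why a reviewer should look at it


# Constructed sample input: lines copied from the HijackThis and ComboFix logs posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://eroes.midwest.verizonwireless.com/eroes/eROES.jsp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{D57174ED-1FAD-427B-9DF9-0617A3F6FBAD}: NameServer = 10.148.242.1,205.171.3.65,205.171.2.65
"AntiVirusOverride"=dword:00000001
"65533:TCP"= 65533:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"""

# IE proxy setting that points at the local host (optionally prefixed by a scheme, e.g. "http=").
LOCAL_PROXY = re.compile(r"ProxyServer\s*=\s*(?:[a-z]+=)?(127\.0\.0\.1|localhost):(\d+)", re.I)
# HijackThis O2 entry whose DLL is gone.
ORPHAN_BHO = re.compile(r"^O2 - BHO:.*-\s*\(no file\)\s*$")
# ComboFix dump of HKLM\SOFTWARE\Microsoft\Security Center with the AV warning overridden.
AV_OVERRIDE = re.compile(r'^"AntiVirusOverride"=dword:0*1$', re.I)
# ComboFix dump of Windows Firewall GloballyOpenPorts entries.
OPEN_PORT = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')


def triage(log_text: str) -> list[Finding]:
    """Return the lines a reviewer should check first, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOCAL_PROXY.search(line)
        if m:
            findings.append(Finding(
                line,
                f"browser traffic is routed through a local listener on port {m.group(2)}; "
                "identify the process bound to that port (netstat -ano) before trusting IE",
            ))
            continue
        if ORPHAN_BHO.match(line):
            findings.append(Finding(
                line, "BHO registration points at a missing DLL: leftover of a removed add-on, safe to clear",
            ))
            continue
        if AV_OVERRIDE.match(line):
            findings.append(Finding(
                line, "Security Center's no-antivirus warning is suppressed; confirm a real AV product is installed",
            ))
            continue
        m = OPEN_PORT.match(line)
        if m:
            findings.append(Finding(
                line,
                f"firewall exception opens inbound {m.group(2)} port {m.group(1)} "
                f"({m.group(3).strip()}); confirm it is still needed",
            ))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}]\n    {f.line}")
```

On the sample above the script reports five lines: the local proxy on port 5555, the orphaned BHO, the AntiVirusOverride value and the two open-port entries; the start page, the working Adobe BHO and the DNS servers are left alone because none of the heuristics says anything about them. A real log would be passed in as `triage(open("hijackthis.log").read())`.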

  • Staff

Hi and welcome to Malwarebytes.

Download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post the one that is not minimized.

After you post that log, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317


DDS (Ver_09-12-01.01) - NTFSx86

Run by Kristin at 8:46:31.43 on Fri 02/19/2010

Internet Explorer: 8.0.6001.18702

============== Running Processes ===============

============== Pseudo HJT Report ===============

uStart Page = https://eroes.midwest.verizonwireless.com/eroes/eROES.jsp

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [ESDUSBMon.exe] c:\windows\system32\ESDUSBMon.exe

mRun: [blackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://download.macromedia.com/pub/shockwave/cabs/authorware/awswax70.cab

DPF: {3B3CC57A-6F3D-4596-A8D6-19E4A216AD0C} - hxxps://dsi2.datascape2.com:8443/AgentProfile/dspcval.ocx

DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} - hxxp://www.blackberry.com/devicesoftware/AxLoader.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192116479734

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

TCP: {D57174ED-1FAD-427B-9DF9-0617A3F6FBAD} = 10.148.242.1,205.171.3.65,205.171.2.65

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Notify: igfxcui - igfxdev.dll

Notify: LMIinit - LMIinit.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kristin\applic~1\mozilla\firefox\profiles\ogyrlnfa.default\

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2010-02-18 22:28:51 0 d-----w- c:\program files\Trend Micro

2010-02-18 19:47:38 0 d-sha-r- C:\cmdcons

2010-02-18 19:46:31 98816 ----a-w- c:\windows\sed.exe

2010-02-18 19:46:31 77312 ----a-w- c:\windows\MBR.exe

2010-02-18 19:46:31 261632 ----a-w- c:\windows\PEV.exe

2010-02-18 19:46:31 161792 ----a-w- c:\windows\SWREG.exe

2010-02-17 22:12:14 0 d-sh--w- c:\documents and settings\kristin\PrivacIE

2010-02-17 16:20:33 0 d-sh--w- c:\documents and settings\kristin\IETldCache

2010-02-17 16:17:38 0 d-----w- c:\windows\ie8updates

2010-02-17 16:13:29 0 dc-h--w- c:\windows\ie8

2010-02-17 16:12:10 0 d--h--w- c:\windows\msdownld.tmp

2010-02-17 16:09:54 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-02-17 16:09:45 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-02-17 16:09:45 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-02-16 20:53:22 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-02-16 20:53:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-02-05 14:56:31 0 d-----w- c:\docume~1\kristin\applic~1\Malwarebytes

2010-02-05 14:56:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-05 14:56:24 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-05 14:56:24 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-05 14:56:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-02-04 16:20:08 0 d-----w- c:\program files\Full Tilt Poker

2010-02-03 17:54:09 0 d-----w- C:\.jagex_cache_32

2010-02-03 17:50:49 69 ----a-w- c:\documents and settings\kristin\jagex_runescape_preferences2.dat

2010-02-03 17:49:30 39 ----a-w- c:\documents and settings\kristin\jagex_runescape_preferences.dat

2010-02-03 17:49:15 0 d-----w- c:\windows\.jagex_cache_32

==================== Find3M ====================

2010-02-09 06:40:45 27648 ----a-w- c:\windows\system32\win32com.dll

2010-02-09 06:40:36 73728 ----a-w- c:\windows\system32\SigUsb.dll

2009-12-31 16:50:03 353792 ------w- c:\windows\system32\drivers\srv.sys

2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll

2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\ntkrnlpa.exe

2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll

2008-11-07 23:10:52 1600 -c--a-w- c:\program files\ALLTEL Internet Accelerator Client setup.log

2004-12-21 23:34:04 25214 ----a-w- c:\program files\dplogo32.ico

2008-08-29 14:48:25 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082920080830\index.dat

============= FINISH: 8:47:13.89 ===============

Attach.txt


ComboFix 10-02-18.09 - Kristin 02/19/2010 9:23.2.2 - x86

Running from: c:\documents and settings\Kristin\Desktop\ComboFix.exe

.

((((((((((((((((((((((((( Files Created from 2010-01-19 to 2010-02-19 )))))))))))))))))))))))))))))))

.

2010-02-18 22:28 . 2010-02-18 22:28 -------- d-----w- c:\program files\Trend Micro

2010-02-18 01:49 . 2010-02-18 01:49 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE

2010-02-17 22:12 . 2010-02-17 22:12 -------- d-sh--w- c:\documents and settings\Kristin\PrivacIE

2010-02-17 16:20 . 2010-02-17 16:20 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache

2010-02-17 16:20 . 2010-02-17 16:20 -------- d-sh--w- c:\documents and settings\Kristin\IETldCache

2010-02-17 16:18 . 2010-02-17 16:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-02-17 16:17 . 2010-02-18 09:01 -------- d-----w- c:\windows\ie8updates

2010-02-17 16:13 . 2010-02-17 16:15 -------- dc-h--w- c:\windows\ie8

2010-02-17 16:13 . 2010-02-17 16:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2010-02-17 16:12 . 2010-02-18 19:10 -------- d-----w- c:\documents and settings\Kristin\Local Settings\Application Data\Google

2010-02-17 16:12 . 2010-02-17 16:18 -------- d--h--w- c:\windows\msdownld.tmp

2010-02-17 16:09 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-02-17 16:09 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-02-17 16:09 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-02-16 20:53 . 2010-02-18 15:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-02-16 20:53 . 2010-02-16 20:55 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-02-15 19:38 . 2010-02-18 20:05 5177840 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-02-05 14:56 . 2010-02-05 14:56 -------- d-----w- c:\documents and settings\Kristin\Application Data\Malwarebytes

2010-02-05 14:56 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-05 14:56 . 2010-02-05 14:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-05 14:56 . 2010-02-05 14:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-05 14:56 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-04 16:23 . 2010-02-07 23:29 -------- d-----w- c:\documents and settings\Kristin\Local Settings\Application Data\FullTiltPoker

2010-02-04 16:20 . 2010-02-18 19:10 -------- d-----w- c:\program files\Full Tilt Poker

2010-02-03 17:54 . 2010-02-03 17:54 -------- d-----w- C:\.jagex_cache_32

2010-02-03 17:50 . 2010-02-03 19:30 69 ----a-w- c:\documents and settings\Kristin\jagex_runescape_preferences2.dat

2010-02-03 17:49 . 2010-02-03 19:34 39 ----a-w- c:\documents and settings\Kristin\jagex_runescape_preferences.dat

2010-02-03 17:49 . 2010-02-03 17:49 -------- d-----w- c:\windows\.jagex_cache_32

2010-02-03 15:09 . 2010-02-03 15:09 0 ----a-w- c:\windows\nsreg.dat

2010-02-03 15:09 . 2010-02-03 15:09 -------- d-----w- c:\documents and settings\Kristin\Local Settings\Application Data\Mozilla

2010-02-01 19:47 . 2010-02-18 16:39 -------- d-----w- c:\documents and settings\Kristin\Local Settings\Application Data\xmctcp

2010-01-28 13:59 . 2010-01-28 13:59 -------- d-----w- c:\documents and settings\Kristin\Local Settings\Application Data\iQmetrix Update

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-18 19:20 . 2006-12-18 16:05 -------- d-----w- c:\program files\Google

2010-02-16 16:43 . 2009-10-18 18:13 -------- d-----w- c:\program files\LogMeIn

2010-02-16 16:43 . 2009-11-29 19:22 -------- d-----w- c:\program files\PicPick

2010-02-10 09:02 . 2008-02-03 01:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-02-09 06:40 . 2009-10-19 23:20 27648 ----a-w- c:\windows\system32\win32com.dll

2010-02-09 06:40 . 2009-10-19 23:20 73728 ----a-w- c:\windows\system32\SigUsb.dll

2010-02-07 22:13 . 2008-07-21 21:50 256 ----a-w- c:\windows\system32\pool.bin

2010-02-03 19:34 . 2010-02-15 19:53 39 ----a-w- c:\documents and settings\HelpAssistant\jagex_runescape_preferences.dat

2010-02-03 19:30 . 2010-02-15 19:53 69 ----a-w- c:\documents and settings\HelpAssistant\jagex_runescape_preferences2.dat

2010-01-28 13:58 . 2009-10-23 12:59 -------- d-----w- c:\program files\iQmetrix

2010-01-14 23:42 . 2008-10-16 21:30 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-01-05 14:16 . 2009-10-23 12:59 -------- d-----w- c:\documents and settings\All Users\Application Data\iQmetrix Update - Live

2009-12-31 17:34 . 2009-12-31 17:34 -------- d-----w- c:\program files\BitPim

2009-12-31 17:29 . 2009-12-31 17:29 -------- d-----w- c:\program files\LG Electronics

2009-12-31 17:29 . 2006-03-31 20:27 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-12-31 17:28 . 2006-03-31 20:27 -------- d-----w- c:\program files\Common Files\InstallShield

2009-12-31 16:50 . 2004-08-04 12:00 353792 ------w- c:\windows\system32\drivers\srv.sys

2009-12-25 23:05 . 2009-12-25 23:05 79488 ----a-w- c:\documents and settings\Kristin\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-12-22 19:57 . 2009-12-22 19:57 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio

2009-12-22 19:57 . 2009-12-22 19:57 -------- d-----w- c:\documents and settings\Kristin\Application Data\Roxio

2009-12-22 19:52 . 2009-12-22 19:52 -------- d-----w- c:\documents and settings\Kristin\Application Data\Research In Motion

2009-12-22 19:41 . 2006-03-31 20:31 88328 ----a-w- c:\documents and settings\Kristin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-12-22 19:29 . 2009-10-30 20:38 -------- d-----w- c:\documents and settings\Kristin\Application Data\InstallShield

2009-12-22 19:27 . 2008-10-16 21:25 -------- d-----w- c:\program files\Common Files\Roxio Shared

2009-12-22 19:26 . 2009-12-22 19:26 -------- d-----w- c:\program files\Roxio

2009-12-22 19:26 . 2009-12-22 19:26 -------- d-----w- c:\program files\Common Files\Sonic Shared

2009-12-22 19:21 . 2009-12-22 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion

2009-12-22 19:21 . 2009-12-22 19:19 -------- d-----w- c:\program files\Research In Motion

2009-12-22 19:19 . 2008-07-21 21:48 -------- d-----w- c:\program files\Common Files\Research In Motion

2009-12-21 19:14 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll

2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 19:26 . 2004-08-04 12:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2004-08-04 12:00 455424 ------w- c:\windows\system32\drivers\mrxsmb.sys

2009-11-27 17:11 . 2004-08-04 12:00 1291776 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 17:11 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 16:07 . 2004-08-04 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:07 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:07 . 2004-08-04 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll

2009-11-27 16:07 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

2008-11-07 23:10 . 2008-08-04 21:08 1600 -c--a-w- c:\program files\ALLTEL Internet Accelerator Client setup.log

2004-12-21 23:34 . 2004-12-21 23:34 25214 ----a-w- c:\program files\dplogo32.ico

.

((((((((((((((((((((((((((((( SnapShot@2010-02-18_19.53.45 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-02-18 23:02 . 2010-02-18 23:02 16384 c:\windows\Temp\Perflib_Perfdata_7e0.dat

+ 2004-08-04 12:00 . 2010-02-19 14:44 71904 c:\windows\system32\perfc009.dat

- 2004-08-04 12:00 . 2010-02-18 19:44 71904 c:\windows\system32\perfc009.dat

+ 2004-08-04 12:00 . 2010-02-19 14:44 444028 c:\windows\system32\perfh009.dat

- 2004-08-04 12:00 . 2010-02-18 19:44 444028 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-01 282624]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"ESDUSBMon.exe"="c:\windows\system32\ESDUSBMon.exe" [2004-08-03 188416]

"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2009-09-29 01:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5052:TCP"= 5052:TCP:MSC_GDI_WKS1

"65533:TCP"= 65533:TCP:Services

"52344:TCP"= 52344:TCP:Services

"3246:TCP"= 3246:TCP:Services

"2479:TCP"= 2479:TCP:Services

"3389:TCP"= 3389:TCP:Remote Desktop

"2803:TCP"= 2803:TCP:Services

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x]

R3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\DRIVERS\cmo_bus.sys [2007-01-21 58352]

R3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\DRIVERS\cmo_mdfl.sys [2007-01-21 8304]

R3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\DRIVERS\cmo_mdm.sys [2007-01-21 93904]

R3 cmo_serd;Data Modem @ CDMA Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\cmo_serd.sys [2007-01-21 73696]

R3 dpK00701;U.are.U Fingerprint Reader Upper Driver;c:\windows\system32\DRIVERS\dpK00701.sys [2004-10-12 41856]

R3 UsbdpFP;U.are.U Fingerprint Reader Class Driver;c:\windows\system32\DRIVERS\UsbdpFP.sys [2004-10-12 45056]

S2 EPSON ESCPOS Status Service;EPSON ESC/POS Status Service;EpStsSrv.exe [x]

S2 IQ.Core.UpdateFoundation.WindowsService;iQmetrix Installation Manager Service;c:\program files\iQmetrix\IQ.Core.UpdateFoundation.WindowsService.exe [2010-01-08 6656]

.

.

------- Supplementary Scan -------

.

uStart Page = https://eroes.midwest.verizonwireless.com/eroes/eROES.jsp

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

TCP: {D57174ED-1FAD-427B-9DF9-0617A3F6FBAD} = 10.148.242.1,205.171.3.65,205.171.2.65

DPF: {3B3CC57A-6F3D-4596-A8D6-19E4A216AD0C} - hxxps://dsi2.datascape2.com:8443/AgentProfile/dspcval.ocx

FF - ProfilePath - c:\documents and settings\Kristin\Application Data\Mozilla\Firefox\Profiles\ogyrlnfa.default\

FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-19 09:28

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x82AFBD60]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf8679f28

\Driver\ACPI -> ACPI.sys @ 0xf850ccb8

\Driver\atapi -> 0x82afbd60

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

NDIS: -> SendCompleteHandler -> 0x0

PacketIndicateHandler -> 0x0

SendHandler -> 0x0

Warning: possible MBR rootkit infection !

copy of MBR has been found in sector 0x094FE9BD

malicious code @ sector 0x094FE9C0 !

PE file found in sector at 0x094FE9D6 !

MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)

c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(2768)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-02-19 09:34:40

ComboFix-quarantined-files.txt 2010-02-19 15:34

ComboFix2.txt 2010-02-18 19:57

Pre-Run: 67,607,998,464 bytes free

Post-Run: 67,561,725,952 bytes free

- - End Of File - - 5213DE945034E08140C597A6FD801DF2


  • Staff

Hi,

There is evidence of infection here.

Navigate to Start --> Run, and type in this command:

cmd.exe

Press Enter and a black box will appear.

Type this command into the black box:

mbr.exe -f

(Note the space between the .exe and the -f)

Press Enter.

When it completes, run ComboFix again and post its log.

-screen317


I ran the MBR fix and it said that the infection had been resolved and that the MBR was restored to its original state. But I notice that this log says possible infections in the same files that the MBR fix resolved.

ComboFix 10-02-22.07 - Kristin 02/23/2010 9:31.3.2 - x86

Running from: c:\documents and settings\Kristin\Desktop\ComboFix.exe

.

((((((((((((((((((((((((( Files Created from 2010-01-23 to 2010-02-23 )))))))))))))))))))))))))))))))

.

2010-02-20 16:11 . 2010-02-20 16:11 -------- d-----w- c:\program files\CCleaner

2010-02-18 22:28 . 2010-02-18 22:28 -------- d-----w- c:\program files\Trend Micro

2010-02-18 01:49 . 2010-02-18 01:49 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE

2010-02-17 22:12 . 2010-02-17 22:12 -------- d-sh--w- c:\documents and settings\Kristin\PrivacIE

2010-02-17 16:20 . 2010-02-17 16:20 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache

2010-02-17 16:20 . 2010-02-17 16:20 -------- d-sh--w- c:\documents and settings\Kristin\IETldCache

2010-02-17 16:18 . 2010-02-17 16:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-02-17 16:17 . 2010-02-18 09:01 -------- d-----w- c:\windows\ie8updates

2010-02-17 16:13 . 2010-02-17 16:15 -------- dc-h--w- c:\windows\ie8

2010-02-17 16:13 . 2010-02-17 16:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2010-02-17 16:12 . 2010-02-18 19:10 -------- d-----w- c:\documents and settings\Kristin\Local Settings\Application Data\Google

2010-02-17 16:12 . 2010-02-17 16:18 -------- d--h--w- c:\windows\msdownld.tmp

2010-02-17 16:09 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-02-17 16:09 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-02-17 16:09 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-02-16 20:53 . 2010-02-20 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-02-16 20:53 . 2010-02-16 20:55 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-02-15 19:38 . 2010-02-18 20:05 5177840 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-02-05 14:56 . 2010-02-05 14:56 -------- d-----w- c:\documents and settings\Kristin\Application Data\Malwarebytes

2010-02-05 14:56 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-05 14:56 . 2010-02-05 14:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-05 14:56 . 2010-02-05 14:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-05 14:56 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-04 16:23 . 2010-02-07 23:29 -------- d-----w- c:\documents and settings\Kristin\Local Settings\Application Data\FullTiltPoker

2010-02-04 16:20 . 2010-02-18 19:10 -------- d-----w- c:\program files\Full Tilt Poker

2010-02-03 17:54 . 2010-02-03 17:54 -------- d-----w- C:\.jagex_cache_32

2010-02-03 17:50 . 2010-02-03 19:30 69 ----a-w- c:\documents and settings\Kristin\jagex_runescape_preferences2.dat

2010-02-03 17:49 . 2010-02-03 19:34 39 ----a-w- c:\documents and settings\Kristin\jagex_runescape_preferences.dat

2010-02-03 17:49 . 2010-02-03 17:49 -------- d-----w- c:\windows\.jagex_cache_32

2010-02-03 15:09 . 2010-02-03 15:09 0 ----a-w- c:\windows\nsreg.dat

2010-02-03 15:09 . 2010-02-03 15:09 -------- d-----w- c:\documents and settings\Kristin\Local Settings\Application Data\Mozilla

2010-02-01 19:47 . 2010-02-18 16:39 -------- d-----w- c:\documents and settings\Kristin\Local Settings\Application Data\xmctcp

2010-01-28 13:59 . 2010-01-28 13:59 -------- d-----w- c:\documents and settings\Kristin\Local Settings\Application Data\iQmetrix Update

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-20 16:22 . 2006-03-31 20:31 88328 ----a-w- c:\documents and settings\Kristin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-18 19:20 . 2006-12-18 16:05 -------- d-----w- c:\program files\Google

2010-02-16 16:43 . 2009-10-18 18:13 -------- d-----w- c:\program files\LogMeIn

2010-02-16 16:43 . 2009-11-29 19:22 -------- d-----w- c:\program files\PicPick

2010-02-10 09:02 . 2008-02-03 01:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-02-09 06:40 . 2009-10-19 23:20 27648 ----a-w- c:\windows\system32\win32com.dll

2010-02-09 06:40 . 2009-10-19 23:20 73728 ----a-w- c:\windows\system32\SigUsb.dll

2010-02-07 22:13 . 2008-07-21 21:50 256 ----a-w- c:\windows\system32\pool.bin

2010-02-03 19:34 . 2010-02-15 19:53 39 ----a-w- c:\documents and settings\HelpAssistant\jagex_runescape_preferences.dat

2010-02-03 19:30 . 2010-02-15 19:53 69 ----a-w- c:\documents and settings\HelpAssistant\jagex_runescape_preferences2.dat

2010-01-28 13:58 . 2009-10-23 12:59 -------- d-----w- c:\program files\iQmetrix

2010-01-14 23:42 . 2008-10-16 21:30 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-01-05 14:16 . 2009-10-23 12:59 -------- d-----w- c:\documents and settings\All Users\Application Data\iQmetrix Update - Live

2009-12-31 17:34 . 2009-12-31 17:34 -------- d-----w- c:\program files\BitPim

2009-12-31 17:29 . 2009-12-31 17:29 -------- d-----w- c:\program files\LG Electronics

2009-12-31 17:29 . 2006-03-31 20:27 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-12-31 17:28 . 2006-03-31 20:27 -------- d-----w- c:\program files\Common Files\InstallShield

2009-12-31 16:50 . 2004-08-04 12:00 353792 ------w- c:\windows\system32\drivers\srv.sys

2009-12-25 23:05 . 2009-12-25 23:05 79488 ----a-w- c:\documents and settings\Kristin\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-12-21 19:14 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll

2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 19:26 . 2004-08-04 12:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2004-08-04 12:00 455424 ------w- c:\windows\system32\drivers\mrxsmb.sys

2009-11-27 17:11 . 2004-08-04 12:00 1291776 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 17:11 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 16:07 . 2004-08-04 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:07 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:07 . 2004-08-04 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll

2009-11-27 16:07 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2008-11-07 23:10 . 2008-08-04 21:08 1600 -c--a-w- c:\program files\ALLTEL Internet Accelerator Client setup.log

2004-12-21 23:34 . 2004-12-21 23:34 25214 ----a-w- c:\program files\dplogo32.ico

.

((((((((((((((((((((((((((((( SnapShot@2010-02-18_19.53.45 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-02-22 20:52 . 2010-02-22 20:52 16384 c:\windows\Temp\Perflib_Perfdata_440.dat

+ 2004-08-04 12:00 . 2010-02-22 20:56 71904 c:\windows\system32\perfc009.dat

- 2004-08-04 12:00 . 2010-02-18 19:44 71904 c:\windows\system32\perfc009.dat

+ 2004-08-04 12:00 . 2010-02-22 20:56 444028 c:\windows\system32\perfh009.dat

- 2004-08-04 12:00 . 2010-02-18 19:44 444028 c:\windows\system32\perfh009.dat

+ 2006-03-31 14:08 . 2010-02-20 16:28 329888 c:\windows\system32\FNTCACHE.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-01 282624]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"ESDUSBMon.exe"="c:\windows\system32\ESDUSBMon.exe" [2004-08-03 188416]

"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2009-09-29 01:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5052:TCP"= 5052:TCP:MSC_GDI_WKS1

"65533:TCP"= 65533:TCP:Services

"52344:TCP"= 52344:TCP:Services

"3246:TCP"= 3246:TCP:Services

"2479:TCP"= 2479:TCP:Services

"3389:TCP"= 3389:TCP:Remote Desktop

"2803:TCP"= 2803:TCP:Services

"2194:TCP"= 2194:TCP:Services

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x]

R3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\DRIVERS\cmo_bus.sys [2007-01-21 58352]

R3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\DRIVERS\cmo_mdfl.sys [2007-01-21 8304]

R3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\DRIVERS\cmo_mdm.sys [2007-01-21 93904]

R3 cmo_serd;Data Modem @ CDMA Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\cmo_serd.sys [2007-01-21 73696]

R3 dpK00701;U.are.U Fingerprint Reader Upper Driver;c:\windows\system32\DRIVERS\dpK00701.sys [2004-10-12 41856]

R3 UsbdpFP;U.are.U Fingerprint Reader Class Driver;c:\windows\system32\DRIVERS\UsbdpFP.sys [2004-10-12 45056]

S2 EPSON ESCPOS Status Service;EPSON ESC/POS Status Service;EpStsSrv.exe [x]

S2 IQ.Core.UpdateFoundation.WindowsService;iQmetrix Installation Manager Service;c:\program files\iQmetrix\IQ.Core.UpdateFoundation.WindowsService.exe [2010-01-08 6656]

.

.

------- Supplementary Scan -------

.

uStart Page = https://eroes.midwest.verizonwireless.com/eroes/eROES.jsp

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

TCP: {D57174ED-1FAD-427B-9DF9-0617A3F6FBAD} = 10.148.242.1,205.171.3.65,205.171.2.65

DPF: {3B3CC57A-6F3D-4596-A8D6-19E4A216AD0C} - hxxps://dsi2.datascape2.com:8443/AgentProfile/dspcval.ocx

FF - ProfilePath - c:\documents and settings\Kristin\Application Data\Mozilla\Firefox\Profiles\ogyrlnfa.default\

FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-23 09:37

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x829C60D8]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf8679f28

\Driver\ACPI -> ACPI.sys @ 0xf850ccb8

\Driver\atapi -> 0x829c60d8

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

NDIS: -> SendCompleteHandler -> 0x0

PacketIndicateHandler -> 0x0

SendHandler -> 0x0

Warning: possible MBR rootkit infection !

copy of MBR has been found in sector 0x094FE9BD

malicious code @ sector 0x094FE9C0 !

PE file found in sector at 0x094FE9D6 !

MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)

c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(2080)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-02-23 09:41:48

ComboFix-quarantined-files.txt 2010-02-23 15:41

ComboFix2.txt 2010-02-19 15:34

ComboFix3.txt 2010-02-18 19:57

Pre-Run: 67,409,383,424 bytes free

Post-Run: 67,388,379,136 bytes free

- - End Of File - - EE5D57B27B403F93E3CB0575E203A9A2

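An added example, not code from the thread or from any of the tools named here: it parses the gmer "Stealth MBR rootkit" section that ComboFix appends to its log and compares two runs, which is exactly the question the post above raises (the flagged sectors are identical in both logs, while only the atapi hook address changed). The log text embedded in the block is constructed to mirror the lines on this page, not copied from a real machine.

```python
"""Parse the gmer MBR-detector section of a ComboFix log and compare two runs
(for example before and after "mbr.exe -f"). Added example; the sample log is
constructed to mirror the thread's lines, not taken from a real system."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SECTION_START = "Stealth MBR rootkit/Mebroot/Sinowal detector"
SECTION_END = "*" * 10          # the section is closed by a row of asterisks
WARNING = "MBR rootkit infection detected"

# Indicator lines the detector prints; each pattern captures the hex value.
PATTERNS = {
    "atapi_hook": re.compile(r"^\\Driver\\atapi -> (0x[0-9a-fA-F]+)$"),
    "mbr_copy_sector": re.compile(r"copy of MBR has been found in sector (0x[0-9a-fA-F]+)"),
    "malicious_sector": re.compile(r"malicious code @ sector (0x[0-9a-fA-F]+)"),
    "pe_sector": re.compile(r"PE file found in sector at (0x[0-9a-fA-F]+)"),
}
UNKNOWN_MODULE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")


@dataclass
class MbrScan:
    infected: bool = False
    indicators: Dict[str, int] = field(default_factory=dict)
    unknown_module: Optional[int] = None   # address of the unnamed hooking module


def parse_mbr_section(log_text: str) -> MbrScan:
    """Extract the MBR detector findings from a full ComboFix log."""
    scan = MbrScan()
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = SECTION_START in line
            continue
        if line.startswith(SECTION_END):
            break
        m = UNKNOWN_MODULE.search(line)
        if m:
            scan.unknown_module = int(m.group(1), 16)
        for name, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                scan.indicators[name] = int(m.group(1), 16)
        if WARNING in line:
            scan.infected = True
    return scan


def compare_runs(before: MbrScan, after: MbrScan) -> List[str]:
    """Summarise what changed between two scans. Sector numbers are on-disk
    locations and should stop being flagged after a successful fix; the hook
    address is a kernel pool address that changes on every boot anyway."""
    if not after.infected:
        return (["infection reported before but not after: fix appears to have held"]
                if before.infected else ["neither run reports an MBR rootkit"])
    notes = ["MBR rootkit still reported after the fix" if before.infected
             else "MBR rootkit newly reported in the second run"]
    same = [k for k in ("mbr_copy_sector", "malicious_sector", "pe_sector")
            if k in before.indicators and before.indicators[k] == after.indicators.get(k)]
    if same:
        notes.append("same on-disk sectors as before (" + ", ".join(same)
                     + "): the fix did not persist")
    if before.indicators.get("atapi_hook") != after.indicators.get("atapi_hook"):
        notes.append("atapi hook address differs, which a reboot alone explains")
    return notes


# Constructed sample modelled on the first run in the thread.
SAMPLE_BEFORE = """\
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x82AFBD60]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\\Driver\\Disk -> CLASSPNP.SYS @ 0xf8679f28
\\Driver\\atapi -> 0x82afbd60
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
**************************************************************************
"""
# Second run after the fix: only the hook address differs, as in the thread.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("0x82AFBD60", "0x829C60D8").replace("0x82afbd60", "0x829c60d8")
# A clean run: same header, no warning or sector lines.
SAMPLE_CLEAN = SAMPLE_BEFORE.split("Warning:")[0] + SECTION_END + "\n"

if __name__ == "__main__":
    for note in compare_runs(parse_mbr_section(SAMPLE_BEFORE), parse_mbr_section(SAMPLE_AFTER)):
        print(note)
```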

  • Staff

Hi,

Let's attack this a different way.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is named like UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

-screen317


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
