

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6625

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

5/20/2011 9:12:37 AM

mbam-log-2011-05-20 (09-12-37).txt

Scan type: Quick scan

Objects scanned: 223364

Time elapsed: 9 minute(s), 36 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

c:\programdata\33283832.exe (Trojan.Agent) -> 5748 -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\steve.tavistock\AppData\Local\Temp\0.10935307754971157.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

c:\programdata\33283832.exe (Trojan.Agent) -> Quarantined and deleted successfully.

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23

Run by steve at 10:25:39 on 2011-05-20

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3536.2185 [GMT -4:00]

.

AV: Microsoft Forefront Client Security *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Forefront Client Security *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe

C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_450b431403c091e3\STacSV.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

C:\Windows\system32\WUDFHost.exe

C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\System32\spoolsv.exe

C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe

C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe

C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe

C:\Program Files\Intel\AMT\LMS.exe

C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe

C:\Windows\system32\svchost.exe -k regsvc

C:\Program Files\SysAid\Ilias.exe

C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe

C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe

c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Program Files\Trusteer\Rapport\bin\RapportService.exe

C:\Windows\Explorer.EXE

C:\Program Files\DellTPad\Apoint.exe

C:\Program Files\IDT\WDM\sttray.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe

C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe

C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe

C:\Program Files\Logitech\SetPoint\LBTWiz.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe

C:\Program Files\Novatel Wireless\MobiLink3\MobiLink3.exe

C:\TouchFreeze.exe

C:\Program Files\TrueCrypt\TrueCrypt.exe

C:\Program Files\Cisco Systems\Cisco Unified Personal Communicator\CUPCK9.EXE

C:\ProgramData\MEXFxpGUVShIHWB.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\System32\mobsync.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\werfault.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\WUDFHost.exe

\\?\C:\Windows\system32\wbem\WMIADAP.EXE

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

F:\dds.scr

C:\Windows\system32\WSCRIPT.exe

.

============== Pseudo HJT Report ===============

.

uWindow Title = Windows Internet Explorer provided by Tavistock Financial Corp

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

uRun: [MobiLink3] c:\program files\novatel wireless\mobilink3\MobiLink3.exe

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [TouchFreeze] C:\TouchFreeze.exe

uRun: [TrueCrypt] "c:\program files\truecrypt\TrueCrypt.exe" /q preferences /a logon

uRun: [Cisco Unified Personal Communicator] c:\progra~1\ciscos~1\ciscou~1\CUPCK9.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [MEXFxpGUVShIHWB] c:\programdata\MEXFxpGUVShIHWB.exe

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [sysTrayApp] c:\program files\idt\wdm\sttray.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup

mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"

mRun: [<NO NAME>]

mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe

mRun: [uSCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell2.exe" /mode2

mRun: [DBRMTray] c:\dell\dbrm\reminder\DbrmTrayIcon.exe

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [bluetooth Connection Assistant] LBTWIZ.EXE -silent

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateReg] "c:\windows\system32\jureg.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Microsoft Forefront Client Security Antimalware Service] "c:\program files\microsoft forefront\client security\client\antimalware\MSASCui.exe" -hide

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRunOnce: [DBRMTray] c:\dell\dbrm\reminder\TrayApp.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL

Trusted Zone: adp.com

Trusted Zone: adp.com\payexag

Trusted Zone: intuit.com

Trusted Zone: tavistock.com\ithelpdesk

Trusted Zone: tavistock.com\tvact

Trusted Zone: tavistock.com\vpn

Trusted Zone: tavistock.com\ithelpdesk

Trusted Zone: tavistock.com\tvact

Trusted Zone: tavistock.com\vpn

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {B63EA811-FF25-4211-A6D2-58BF767432E1} - hxxps://www.edu.adp.com/cabs/pictureloader.cab

DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://samsclubus.pnimedia.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://nasadp.webex.com/client/T27LC/training/ieatgpc1.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {F0D96671-A5CE-4854-AE49-6835742D232F} - hxxps://www.edu.adp.com/cabs/IGThreed40.cab

TCP: {86B1C358-73A6-419D-BCB2-C4184D7B7F18} = 209.183.35.23 209.183.33.23

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

LSA: Authentication Packages = msv1_0 wvauth

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\steve.tavistock\appdata\roaming\mozilla\firefox\profiles\5d1f9rai.default\

FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

.

============= SERVICES / DRIVERS ===============

.

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-4-28 53816]

R1 RapportCerberus_26169;RapportCerberus_26169;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus_26169.sys [2011-4-28 57144]

R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-4-28 66360]

R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-4-28 158904]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]

R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2009-4-27 293968]

R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2009-6-26 812392]

R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2009-6-26 26984]

R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-7-16 382752]

R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\microsoft forefront\client security\client\antimalware\MsMpEng.exe [2011-1-8 16896]

R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\microsoft forefront\client security\client\ssa\FcsSas.exe [2009-10-22 69512]

R2 MOM;MOM;c:\program files\microsoft forefront\client security\client\microsoft operations manager 2005\MOMService.exe [2005-7-21 134656]

R2 NvtlService;NovaCore SDK Service;c:\program files\novatel wireless\novacore\server\NvtlSrvr.exe [2009-10-30 82432]

R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-4-28 870200]

R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2010-2-7 2058776]

R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2011-2-11 603896]

R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-2-7 29472]

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2010-2-7 143968]

R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [2010-2-7 33832]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6232.sys [2010-2-7 221912]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-2-7 122368]

R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-7-18 71296]

R3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2010-2-7 6114816]

R3 qcfilterdl2k;Gobi 2000 USB Composite Device Filter Driver(413C-8186);c:\windows\system32\drivers\qcfilterdl2k.sys [2009-10-9 5248]

R3 qcusbnetdl2k;Gobi 2000 USB-NDIS miniport(413C-8186);c:\windows\system32\drivers\qcusbnetdl2k.sys [2009-10-9 201728]

R3 qcusbserdl2k;Gobi 2000 USB Device for Legacy Serial Communication(413C-8186);c:\windows\system32\drivers\qcusbserdl2k.sys [2009-10-9 106368]

R3 RapportIaso;RapportIaso;c:\programdata\trusteer\rapport\store\exts\rapportms\baseline\RapportIaso.sys [2011-4-28 18872]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-11 136176]

S2 QDLService2kDell;Qualcomm Gobi 2000 Download Service (Dell);c:\program files\qualcomm\qdlservice2k\QDLService2kDell.exe [2009-10-9 329976]

S3 acpials;ALS Sensor Filter;c:\windows\system32\drivers\acpials.sys [2009-7-14 7680]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [2010-2-7 134144]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-7-11 136176]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

S3 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-2-7 47104]

S3 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2010-2-7 49152]

S3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2010-2-7 38400]

.

=============== Created Last 30 ================

.

2011-05-20 14:12:00 388096 ---ha-r- c:\users\steve.tavistock\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-05-20 14:11:59 -------- d-----w- c:\program files\Trend Micro

2011-05-20 14:04:23 344576 ---ha-w- c:\programdata\29810424.exe

2011-05-20 13:48:48 -------- d-----w- c:\program files\CCleaner

2011-05-20 13:12:51 54016 ----a-w- c:\windows\system32\drivers\yqpqqo.sys

2011-05-20 12:58:54 -------- d--h--w- c:\users\steve.tavistock\appdata\roaming\Malwarebytes

2011-05-20 12:35:38 422400 ---ha-w- c:\programdata\MEXFxpGUVShIHWB.exe

2011-05-20 12:17:13 6962000 ----a-w- c:\programdata\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{a0ba3a5a-c1fb-4fb0-b2fa-b316ca018458}\mpengine.dll

2011-05-19 12:30:01 -------- d--h--w- c:\users\steve.tavistock\appdata\local\Trusteer

2011-05-19 12:28:26 -------- d--h--w- c:\users\steve.tavistock\appdata\roaming\Trusteer

2011-05-19 12:28:14 -------- d-----w- c:\program files\Trusteer

2011-05-19 12:26:40 -------- d--h--w- c:\programdata\Trusteer

2011-05-13 12:24:04 123904 ----a-w- c:\windows\system32\poqexec.exe

2011-05-12 12:23:48 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-05-12 12:23:47 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-04-28 18:34:50 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

2011-04-25 15:40:48 737072 ---ha-w- c:\programdata\microsoft\ehome\packages\sportsv2\sportstemplatecore\Microsoft.MediaCenter.Sports.UI.dll

2011-04-25 15:40:32 4283672 ---ha-w- c:\programdata\microsoft\ehome\packages\mceclientux\updateablemarkup-2\markup.dll

2011-04-25 15:40:03 539968 ---ha-w- c:\programdata\microsoft\ehome\packages\mcespotlight\mcespotlight-2\SpotlightResources.dll

.

==================== Find3M ====================

.

2011-03-12 11:31:58 442880 ----a-w- c:\windows\system32\XpsPrint.dll

2011-03-11 05:44:09 146304 ----a-w- c:\windows\system32\drivers\storport.sys

2011-03-11 05:44:01 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys

2011-03-11 05:44:01 1210240 ----a-w- c:\windows\system32\drivers\ntfs.sys

2011-03-11 05:44:01 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys

2011-03-11 05:43:55 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys

2011-03-11 05:43:46 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys

2011-03-11 05:43:46 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys

2011-03-11 05:40:24 1164288 ----a-w- c:\windows\system32\mfc42u.dll

2011-03-11 05:40:24 1137664 ----a-w- c:\windows\system32\mfc42.dll

2011-03-11 05:39:35 1686016 ----a-w- c:\windows\system32\esent.dll

2011-03-11 05:37:34 74240 ----a-w- c:\windows\system32\fsutil.exe

2011-03-08 05:38:13 740864 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-03 05:29:23 132608 ----a-w- c:\windows\system32\dnsrslvr.dll

2011-03-03 05:27:30 28672 ----a-w- c:\windows\system32\dnscacheugc.exe

2011-03-03 03:31:32 2331136 ----a-w- c:\windows\system32\win32k.sys

2011-02-26 05:33:07 2614784 ----a-w- c:\windows\explorer.exe

2011-02-24 05:32:52 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll

2011-02-24 05:32:44 981504 ----a-w- c:\windows\system32\wininet.dll

2011-02-24 05:30:16 44544 ----a-w- c:\windows\system32\licmgr10.dll

2011-02-24 04:23:48 386048 ----a-w- c:\windows\system32\html.iec

2011-02-24 03:50:26 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2011-02-23 05:06:11 311296 ----a-w- c:\windows\system32\drivers\srv.sys

2011-02-23 05:05:57 309760 ----a-w- c:\windows\system32\drivers\srv2.sys

2011-02-23 05:05:48 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys

2011-02-23 05:05:41 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

2011-02-23 05:05:35 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys

2011-02-23 05:05:31 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-02-23 05:05:25 69632 ----a-w- c:\windows\system32\drivers\bowser.sys

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 6.1.7600 Disk: SAMSUNG_ rev.VBM2 -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: >>UNKNOWN [0x82E3B000]<< >>UNKNOWN [0x8CDC9000]<< >>UNKNOWN [0x8CDB8000]<< >>UNKNOWN [0x8C833000]<< >>UNKNOWN [0x82E04000]<<

_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }

1 ntkrnlpa!IofCallDriver[0x82E77428] -> \Device\Harddisk0\DR0[0x869FF358]

\Driver\Disk[0x869FE920] -> IRP_MJ_CREATE -> 0x8CDCD39F

3 [0x8CDCD59E] -> ntkrnlpa!IofCallDriver[0x82E77428] -> \Device\Ide\IAAStorageDevice-1[0x85BF9028]

\Driver\iaStor[0x85FD4818] -> IRP_MJ_CREATE -> 0x8C877954

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [bP+0x0], 0x0; }

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 10:25:57.38 ===============

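An added triage script for the logs in this post (example code written for this page; it is not part of DDS, MBAM or anything a poster in this thread ran). It parses the "Created Last 30" lines in the shape DDS prints them and flags what the three unidentified files have in common: executables dropped straight into c:\programdata instead of a vendor subfolder, and a freshly created driver with a random-looking name. It goes one step beyond the DDS output and also flags executables in a user's Temp folder, which is where MBAM found 0.10935307754971157.exe above. The location rules, the consonant-run threshold in `looks_random` and the decision to report the hidden attribute only alongside a location hit are this example's own assumptions, not rules from either tool; the sample lines are copied from the DDS section above.

```python
"""Triage the 'Created Last 30' section of a DDS log.

Added example for this thread; not code from DDS, MBAM or any poster. The rules
(executables dropped directly into ProgramData or a user's Temp folder, new
drivers with random-looking names) are this example's own assumptions.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# DDS prints: "YYYY-MM-DD HH:MM:SS <size|--------> <attrs> <path>". Directories
# carry "--------" as size and an attribute string starting with 'd'. Paths may
# contain spaces, so the path is the greedy tail of the line.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+) (\S+) (.+)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
PROGRAMDATA_ROOT = re.compile(r"^c:\\programdata\\[^\\]+$", re.I)
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+$", re.I)
DRIVERS_DIR = re.compile(r"^c:\\windows\\system32\\drivers\\[^\\]+$", re.I)
VOWELS = set("aeiou")


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]        # None for directories
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def is_executable(self) -> bool:
        return not self.attrs.startswith("d") and self.name.lower().endswith(EXEC_EXT)

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, time, size, attrs, path = m.groups()
    return Entry(date, time, None if size == "--------" else int(size), attrs, path)


def looks_random(stem: str) -> bool:
    """Generated-name heuristic: a long run of digits, or letters containing a run
    of five or more consonants (assumed threshold; RapportKELL's longest run is 3)."""
    if stem.isdigit():
        return len(stem) >= 6
    letters = [c for c in stem.lower() if c.isalpha()]
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return len(letters) >= 6 and longest >= 5


def triage(e: Entry) -> List[str]:
    """Reasons this entry deserves a hash lookup; empty when nothing stands out."""
    reasons = []
    if not e.is_executable:
        return reasons
    if PROGRAMDATA_ROOT.match(e.path):
        reasons.append("executable dropped directly into ProgramData, not a vendor subfolder")
    if USER_TEMP.match(e.path):
        reasons.append("executable in a user's Temp folder")
    if DRIVERS_DIR.match(e.path) and looks_random(e.name.rsplit(".", 1)[0]):
        reasons.append("newly created driver with a random-looking name")
    if reasons and e.hidden:
        reasons.append("hidden attribute set")   # only reported alongside a location hit
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    findings = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None:
            why = triage(e)
            if why:
                findings.append((e.path, why))
    return findings


# Lines copied from the 'Created Last 30' section of the DDS log above.
SAMPLE_LOG = r"""
2011-05-20 14:12:00 388096 ---ha-r- c:\users\steve.tavistock\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-05-20 14:11:59 -------- d-----w- c:\program files\Trend Micro
2011-05-20 14:04:23 344576 ---ha-w- c:\programdata\29810424.exe
2011-05-20 13:12:51 54016 ----a-w- c:\windows\system32\drivers\yqpqqo.sys
2011-05-20 12:35:38 422400 ---ha-w- c:\programdata\MEXFxpGUVShIHWB.exe
2011-05-20 12:17:13 6962000 ----a-w- c:\programdata\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{a0ba3a5a-c1fb-4fb0-b2fa-b316ca018458}\mpengine.dll
2011-05-13 12:24:04 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-04-28 18:34:50 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-04-25 15:40:48 737072 ---ha-w- c:\programdata\microsoft\ehome\packages\sportsv2\sportstemplatecore\Microsoft.MediaCenter.Sports.UI.dll
"""

if __name__ == "__main__":
    # Pass a saved DDS.txt as the first argument; without one, the sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for path, why in triage_log(text):
        print(path)
        for w in why:
            print("   -", w)
```

A hit is a reason to hash the file and look it up, not a verdict: HiJackThis.exe in the installer cache above also carries the hidden attribute, which is why the attribute alone never produces a finding, and a legitimate driver with an unlucky name would trip the consonant-run test. On the sample it reports 29810424.exe, yqpqqo.sys and MEXFxpGUVShIHWB.exe and nothing else, the same three files the helper later asks to have scanned.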


Logs will be closed if you haven't replied within 3 days

Please don't attach the scans/logs from these scans; use copy/paste.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


2011/05/20 11:00:33.0188 5828 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29

2011/05/20 11:00:33.0219 5828 ================================================================================

2011/05/20 11:00:33.0219 5828 SystemInfo:

2011/05/20 11:00:33.0219 5828

2011/05/20 11:00:33.0219 5828 OS Version: 6.1.7600 ServicePack: 0.0

2011/05/20 11:00:33.0219 5828 Product type: Workstation

2011/05/20 11:00:33.0219 5828 ComputerName: SSTRAYHORN_L

2011/05/20 11:00:33.0219 5828 UserName: Steve

2011/05/20 11:00:33.0219 5828 Windows directory: C:\Windows

2011/05/20 11:00:33.0219 5828 System windows directory: C:\Windows

2011/05/20 11:00:33.0219 5828 Processor architecture: Intel x86

2011/05/20 11:00:33.0219 5828 Number of processors: 2

2011/05/20 11:00:33.0219 5828 Page size: 0x1000

2011/05/20 11:00:33.0219 5828 Boot type: Normal boot

2011/05/20 11:00:33.0219 5828 ================================================================================

2011/05/20 11:00:33.0624 5828 Initialize success

2011/05/20 11:00:45.0246 0988 ================================================================================

2011/05/20 11:00:45.0246 0988 Scan started

2011/05/20 11:00:45.0246 0988 Mode: Manual;

2011/05/20 11:00:45.0246 0988 ================================================================================

2011/05/20 11:01:05.0292 0988 ================================================================================

2011/05/20 11:01:05.0292 0988 Scan finished

2011/05/20 11:01:05.0292 0988 ================================================================================

Still continuing to receive the same errors and issues. I've also attached a picture of the errors that we are receiving. I wasn't able to perform a screenshot or access the Windows 7 snipping tool. When you view Programs through the start menu, all Windows native apps are gone, including the accessories folder. This is only happening on one of the user profiles.


aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software

Run date: 2011-05-20 11:24:51

-----------------------------

11:24:51.319 OS Version: Windows 6.1.7600

11:24:51.319 Number of processors: 2 586 0x170A

11:24:51.319 ComputerName: SSTRAYHORN_L UserName: Steve

11:24:52.178 Initialize success

11:24:56.725 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

11:24:56.725 Disk 0 Vendor: SAMSUNG_ VBM2 Size: 122104MB BusType: 8

11:24:56.725 Disk 0 MBR read successfully

11:24:56.725 Disk 0 MBR scan

11:24:56.725 Disk 0 unknown MBR code

11:24:56.741 Disk 0 scanning sectors +250067632

11:24:56.741 Disk 0 scanning C:\Windows\system32\drivers

11:24:56.741 Service scanning

11:24:57.553 Disk 0 trace - called modules:

11:24:57.553 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys halmacpi.dll dxgkrnl.sys igdkmd32.sys dxgmms1.sys

11:24:57.553 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x869ff810]

11:24:57.553 3 CLASSPNP.SYS[8cd9c59e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x85bf6028]

11:24:57.569 Scan finished successfully

11:25:22.491 Disk 0 MBR has been saved successfully to "C:\MBR.dat"

11:25:22.491 The log file has been saved successfully to "C:\aswMBR.txt"

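A way to look at the C:\MBR.dat that aswMBR saved above (added example for this page; not code from aswMBR, GMER or anyone in the thread). It splits the 512-byte image along the classic MBR layout, bootstrap code at 0..439, disk signature at 440, four 16-byte partition entries from 446 and the 0x55AA marker at 510, and then compares the bootstrap against a baseline. The only baseline the page supports is the instruction sequence GMER disassembled from the kernel-read MBR in the first post, so that is what `KNOWN_PREFIX` encodes, as x86 machine code, and the comparison covers those 39 bytes only. The two test images, the disk signature and the partition entry are constructed. This is the analyst's manual counterpart to the "unknown MBR code" line, not a reproduction of how aswMBR does its own matching.

```python
r"""Parse an MBR image (for example the C:\MBR.dat aswMBR saved) and compare its
bootstrap against a baseline.

Added example for this thread; not code from aswMBR, GMER or any poster. Offsets
follow the classic MBR layout. The sample images below are constructed.
"""
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_LEN = 440          # bootstrap occupies 0..439
DISK_SIG_OFF = 440           # 4-byte Windows disk signature, then 2 bytes usually zero
PART_TABLE_OFF = 446         # four 16-byte entries, 446..509
PART_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xAA"

# x86 encoding of the sequence GMER disassembled from the kernel-read MBR above:
# XOR AX,AX; MOV SS,AX; MOV SP,0x7C00; MOV ES,AX; MOV DS,AX; MOV SI,0x7C00;
# MOV DI,0x600; MOV CX,0x200; CLD; REP MOVSB; PUSH AX; PUSH 0x61C; RETF; STI;
# MOV CX,4; MOV BP,0x7BE; CMP BYTE [BP+0],0.  Only 39 bytes: a full baseline
# should be dumped from a known-clean machine of the same Windows build.
KNOWN_PREFIX = bytes.fromhex(
    ("33C0 8ED0 BC007C 8EC0 8ED8 BE007C BF0006 B90002 FC F3A4 "
     "50 681C06 CB FB B90400 BDBE07 807E0000").replace(" ", "")
)


def parse_mbr(data: bytes) -> Dict:
    """Split a 512-byte sector into its fields; empty partition slots are skipped."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PART_FMT, data, PART_TABLE_OFF + 16 * i)
        if ptype:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "signature_ok": data[510:512] == BOOT_SIG,
        "disk_signature": struct.unpack_from("<I", data, DISK_SIG_OFF)[0],
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def boot_code_diff(data: bytes, baseline: bytes) -> List[int]:
    """Offsets where the bootstrap differs from the baseline, over the bytes the
    baseline covers (a short baseline only checks the entry sequence)."""
    return [i for i, (a, b) in enumerate(zip(data[:BOOT_CODE_LEN], baseline)) if a != b]


def assess(data: bytes, baseline: bytes = KNOWN_PREFIX) -> Dict:
    """Parsed fields plus a one-line verdict on the bootstrap."""
    info = parse_mbr(data)
    info["boot_code_diff"] = boot_code_diff(data, baseline)
    if not info["signature_ok"]:
        info["verdict"] = "no 0x55AA marker: not a valid MBR image"
    elif info["boot_code_diff"]:
        info["verdict"] = f"bootstrap differs from baseline at {len(info['boot_code_diff'])} byte(s)"
    else:
        info["verdict"] = "bootstrap matches baseline"
    return info


def build_sample_mbr(boot_prefix: bytes, partitions) -> bytes:
    """Constructed image: the prefix padded with zeros, a made-up disk signature,
    the given (bootable, type, lba_start, sectors) entries and the 0x55AA marker."""
    img = bytearray(MBR_SIZE)
    img[:len(boot_prefix)] = boot_prefix
    struct.pack_into("<I", img, DISK_SIG_OFF, 0x1D2C3B4A)
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_FMT, img, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    img[510:512] = BOOT_SIG
    return bytes(img)


# Constructed clean image: one bootable NTFS (type 0x07) partition starting at LBA 2048.
CLEAN_MBR = build_sample_mbr(KNOWN_PREFIX, [(True, 0x07, 2048, 250_000_000)])
# Constructed tampered image: the first instructions are replaced by a short jump
# (EB 3C 90) into attacker code while the partition table is left intact, which is
# the case a check of the partition table alone would miss.
TAMPERED_MBR = bytearray(CLEAN_MBR)
TAMPERED_MBR[0:3] = b"\xEB\x3C\x90"
TAMPERED_MBR = bytes(TAMPERED_MBR)

if __name__ == "__main__":
    import sys
    # Pass a saved MBR.dat as the first argument; without one, the tampered sample is used.
    data = open(sys.argv[1], "rb").read(MBR_SIZE) if len(sys.argv) > 1 else TAMPERED_MBR
    for key, value in assess(data).items():
        print(f"{key}: {value}")
```

Two caveats for reading the result. Both GMER and aswMBR read sector 0 from inside the running system, so a rootkit that filters disk I/O can hand back a clean copy; GMER's "user & kernel MBR OK" only says that the copies it obtained through the user-mode and kernel paths agreed with each other. A dump taken from a boot CD, or with the disk attached to a clean machine, is the one to trust, and the partition table matching while the bootstrap differs is the pattern worth treating as a bootkit until proven otherwise.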

You have 3 files that I can't find any info on.

Vista / Windows 7 Users

To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:

Close all programs so that you are at your desktop.

Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

Click on the Control Panel menu option.

When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:

Double-click on the Folder Options icon.

Click on the View tab.

If you are in the Control Panel Home view do the following:

Click on the Appearance and Personalization link.

Click on Show Hidden Files or Folders.

Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

Remove the checkmark from the checkbox labeled Hide extensions for known file types.

Remove the checkmark from the checkbox labeled Hide protected operating system files.

Please do not delete anything unless instructed to.

Please go to http://www.virustotal.com/, click on Browse, and upload the following file for analysis:

c:\programdata\29810424.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

Do the same for:

c:\windows\system32\drivers\yqpqqo.sys

c:\programdata\MEXFxpGUVShIHWB.exe

If VirusTotal is too busy, you can try these.

http://virusscan.jotti.org

http://www.kaspersky.com/scanforvirus.html


File name: 29810424

Submission date: 2011-05-20 15:28:45 (UTC)


Result: 3/ 41 (7.3%)

VT Community

not reviewed

Safety score: -

Antivirus  Version  Last Update  Result

AhnLab-V3 2011.05.20.01 2011.05.20 -

AntiVir 7.11.8.81 2011.05.20 -

Antiy-AVL 2.0.3.7 2011.05.20 -

Avast 4.8.1351.0 2011.05.20 -

Avast5 5.0.677.0 2011.05.20 -

AVG 10.0.0.1190 2011.05.20 -

BitDefender 7.2 2011.05.20 -

CAT-QuickHeal 11.00 2011.05.20 -

ClamAV 0.97.0.0 2011.05.20 -

Comodo 8769 2011.05.20 -

DrWeb 5.0.2.03300 2011.05.20 -

Emsisoft 5.1.0.5 2011.05.20 -

eSafe 7.0.17.0 2011.05.19 -

eTrust-Vet 36.1.8338 2011.05.20 -

F-Prot 4.6.2.117 2011.05.20 -

F-Secure 9.0.16440.0 2011.05.20 -

Fortinet 4.2.257.0 2011.05.20 -

GData 22 2011.05.20 -

Ikarus T3.1.1.104.0 2011.05.20 -

Jiangmin 13.0.900 2011.05.20 -

K7AntiVirus 9.103.4693 2011.05.20 -

Kaspersky 9.0.0.837 2011.05.20 -

McAfee 5.400.0.1158 2011.05.20 FakeAlert!grb

McAfee-GW-Edition 2010.1D 2011.05.20 FakeAlert!grb

Microsoft 1.6903 2011.05.20 -

NOD32 6138 2011.05.20 -

Norman 6.07.07 2011.05.20 -

nProtect 2011-05-20.01 2011.05.20 -

Panda 10.0.3.5 2011.05.20 -

PCTools 7.0.3.5 2011.05.19 -

Rising 23.58.04.03 2011.05.20 -

Sophos 4.65.0 2011.05.20 Mal/FakeAvCn-A

SUPERAntiSpyware 4.40.0.1006 2011.05.20 -

Symantec 20111.1.0.186 2011.05.20 -

TheHacker 6.7.0.1.202 2011.05.20 -

TrendMicro 9.200.0.1012 2011.05.20 -

TrendMicro-HouseCall 9.200.0.1012 2011.05.20 -

VBA32 3.12.16.0 2011.05.19 -

VIPRE 9335 2011.05.20 -

ViRobot 2011.5.20.4470 2011.05.20 -

VirusBuster 13.6.365.0 2011.05.20 -

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 1 VT Community user(s) with a total of 3 reputation credit(s) say(s) this sample is malware.

File name: MEXFxpGUVShIHWB.exe

Submission date: 2011-05-20 15:45:00 (UTC)

Current status: finished

Result: 3/ 43 (7.0%)

VT Community

malware

Safety score: 0.0%

Antivirus Version Last Update Result

AhnLab-V3 2011.05.20.01 2011.05.20 -

AntiVir 7.11.8.81 2011.05.20 -

Antiy-AVL 2.0.3.7 2011.05.20 -

Avast 4.8.1351.0 2011.05.20 -

Avast5 5.0.677.0 2011.05.20 -

AVG 10.0.0.1190 2011.05.20 -

BitDefender 7.2 2011.05.20 -

CAT-QuickHeal 11.00 2011.05.20 -

ClamAV 0.97.0.0 2011.05.20 -

Commtouch 5.3.2.6 2011.05.20 -

Comodo 8769 2011.05.20 -

DrWeb 5.0.2.03300 2011.05.20 -

Emsisoft 5.1.0.5 2011.05.20 -

eSafe 7.0.17.0 2011.05.19 -

eTrust-Vet 36.1.8338 2011.05.20 -

F-Prot 4.6.2.117 2011.05.20 -

F-Secure 9.0.16440.0 2011.05.20 -

Fortinet 4.2.257.0 2011.05.20 -

GData 22 2011.05.20 -

Ikarus T3.1.1.104.0 2011.05.20 -

Jiangmin 13.0.900 2011.05.20 -

K7AntiVirus 9.103.4693 2011.05.20 -

Kaspersky 9.0.0.837 2011.05.20 -

McAfee 5.400.0.1158 2011.05.20 -

McAfee-GW-Edition 2010.1D 2011.05.20 -

Microsoft 1.6903 2011.05.20 -

NOD32 6138 2011.05.20 -

Norman 6.07.07 2011.05.20 -

nProtect 2011-05-20.01 2011.05.20 -

Panda 10.0.3.5 2011.05.20 Suspicious file

PCTools 7.0.3.5 2011.05.19 -

Prevx 3.0 2011.05.20 Medium Risk Malware

Rising 23.58.04.03 2011.05.20 -

Sophos 4.65.0 2011.05.20 -

SUPERAntiSpyware 4.40.0.1006 2011.05.20 -

Symantec 20111.1.0.186 2011.05.20 Trojan.FakeAV

TheHacker 6.7.0.1.202 2011.05.20 -

TrendMicro 9.200.0.1012 2011.05.20 -

TrendMicro-HouseCall 9.200.0.1012 2011.05.20 -

VBA32 3.12.16.0 2011.05.19 -

VIPRE 9335 2011.05.20 -

ViRobot 2011.5.20.4470 2011.05.20 -

VirusBuster 13.6.365.0 2011.05.20 -

AhnLab-V3 2011.05.20.00 2011.05.19 -

AntiVir 7.11.8.73 2011.05.19 -

Antiy-AVL 2.0.3.7 2011.05.19 -

Avast 4.8.1351.0 2011.05.19 -

Avast5 5.0.677.0 2011.05.19 -

AVG 10.0.0.1190 2011.05.19 -

BitDefender 7.2 2011.05.19 -

CAT-QuickHeal 11.00 2011.05.19 -

ClamAV 0.97.0.0 2011.05.19 BC.Heuristics.Rootkit.B-11.MV

Comodo 8762 2011.05.19 -

DrWeb 5.0.2.03300 2011.05.19 -

eSafe 7.0.17.0 2011.05.19 Win32.TrojanHorse

eTrust-Vet 36.1.8337 2011.05.19 -

F-Prot 4.6.2.117 2011.05.18 -

F-Secure 9.0.16440.0 2011.05.19 -

Fortinet 4.2.257.0 2011.05.19 -

GData 22 2011.05.19 -

Ikarus T3.1.1.104.0 2011.05.19 -

Jiangmin 13.0.900 2011.05.19 -

K7AntiVirus 9.103.4684 2011.05.19 -

Kaspersky 9.0.0.837 2011.05.19 -

McAfee 5.400.0.1158 2011.05.19 -

McAfee-GW-Edition 2010.1D 2011.05.19 -

Microsoft 1.6903 2011.05.19 -

NOD32 6136 2011.05.19 -

Norman 6.07.07 2011.05.19 -

nProtect 2011-05-19.01 2011.05.19 -

Panda 10.0.3.5 2011.05.19 -

PCTools 7.0.3.5 2011.05.19 -

Prevx 3.0 2011.05.19 -

Rising 23.58.03.03 2011.05.19 -

Sophos 4.65.0 2011.05.19 -

SUPERAntiSpyware 4.40.0.1006 2011.05.19 -

Symantec 20111.1.0.186 2011.05.19 -

TheHacker 6.7.0.1.201 2011.05.19 -

TrendMicro 9.200.0.1012 2011.05.19 -

TrendMicro-HouseCall 9.200.0.1012 2011.05.19 -

VBA32 3.12.16.0 2011.05.19 -

VIPRE 9328 2011.05.19 -

ViRobot 2011.5.19.4468 2011.05.19 -

VirusBuster 13.6.363.1 2011.05.19 -

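The VirusTotal result blocks pasted above all use one line-oriented layout: vendor, engine version, signature date, verdict, with "-" meaning no detection. As an added example that is not part of this thread, the following Python parser reads that layout, counts detections, checks the pasted "Result: x/ y" summary line against the rows actually present (a useful sanity check when a report is copied by hand), flags engines whose signatures predate the submission (a "-" from a stale engine says little), and lists vendors whose verdict names a rogue-AV family. The sample report, the rogue-AV keyword list and all function names are constructed for this example and are not VirusTotal's own.

```python
"""Parse a pasted VirusTotal text report and triage the per-engine verdicts."""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# One vendor row: "<vendor> <engine version> <yyyy.mm.dd> <result ...>".
# Vendor and version never contain spaces in this layout; the result may.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4})\.(\d{2})\.(\d{2})\s+(.+)$")
SUMMARY_RE = re.compile(r"^Result:\s*(\d+)\s*/\s*(\d+)")
SUBMIT_RE = re.compile(r"^Submission date:\s*(\d{4})-(\d{2})-(\d{2})")
FILE_RE = re.compile(r"^File name:\s*(.+)$")

# Assumed keyword list (constructed for this example, not VirusTotal's):
# substrings that rogue-AV family names commonly share across vendor naming.
ROGUE_AV_KEYWORDS = ("fakeav", "fakealert", "fakeavcn")


@dataclass
class Verdict:
    vendor: str
    version: str
    updated: date
    result: str  # "-" means the engine reported nothing

    @property
    def detected(self) -> bool:
        return self.result.strip() != "-"


@dataclass
class Report:
    file_name: str
    submitted: Optional[date]
    reported_hits: Optional[int]     # numerator of the "Result: x/ y" line
    reported_engines: Optional[int]  # denominator of that line
    verdicts: List[Verdict]

    def hits(self) -> List[Verdict]:
        return [v for v in self.verdicts if v.detected]

    def ratio(self) -> float:
        return len(self.hits()) / len(self.verdicts) if self.verdicts else 0.0

    def summary_consistent(self) -> bool:
        """True when the pasted summary line agrees with the rows present."""
        return (self.reported_hits == len(self.hits())
                and self.reported_engines == len(self.verdicts))

    def stale_engines(self) -> List[str]:
        """Engines whose signature date is older than the submission date."""
        if self.submitted is None:
            return []
        return [v.vendor for v in self.verdicts if v.updated < self.submitted]

    def rogue_av_hits(self) -> List[str]:
        """Vendors whose verdict name matches one of the rogue-AV keywords."""
        return [v.vendor for v in self.hits()
                if any(k in v.result.lower() for k in ROGUE_AV_KEYWORDS)]


def parse_report(text: str) -> Report:
    file_name, submitted, hits, engines, verdicts = "", None, None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := FILE_RE.match(line):
            file_name = m.group(1).strip()
        elif m := SUBMIT_RE.match(line):
            submitted = date(*map(int, m.groups()))
        elif m := SUMMARY_RE.match(line):
            hits, engines = int(m.group(1)), int(m.group(2))
        elif m := ROW_RE.match(line):
            vendor, version, y, mo, d, result = m.groups()
            verdicts.append(Verdict(vendor, version, date(int(y), int(mo), int(d)), result))
    return Report(file_name, submitted, hits, engines, verdicts)


# Constructed sample in the same layout as the thread's reports (not one of them).
SAMPLE_REPORT = """\
File name: sample.exe
Submission date: 2011-05-20 15:28:45 (UTC)
Result: 3/ 6 (50.0%)
Antivirus Version Last Update Result
AhnLab-V3 2011.05.20.01 2011.05.20 -
eSafe 7.0.17.0 2011.05.19 -
McAfee 5.400.0.1158 2011.05.20 FakeAlert!grb
Panda 10.0.3.5 2011.05.20 Suspicious file
Sophos 4.65.0 2011.05.20 Mal/FakeAvCn-A
Symantec 20111.1.0.186 2011.05.20 -
"""

if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print(f"{r.file_name}: {len(r.hits())}/{len(r.verdicts)} ({r.ratio():.1%})")
    print("summary line consistent:", r.summary_consistent())
    print("stale engines:", r.stale_engines())
    print("rogue-AV verdicts from:", r.rogue_av_hits())
```

The point the parser makes explicit is the one the thread turns on: a 3/41 ratio reads as "probably clean" only if you ignore which engines fired and what they called it; when the few hits agree on a rogue-AV family, the low count reflects signature lag, not a benign file.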

I really think all 3 are bad but not sure at this point.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.