
can I ask for help please? rootkit.win32.zaccess.f



Ello,

Could I ask the experts for a hand please?

My neighbour (with v.little computer knowledge) has asked me to help with his computer problem.

It's an old second-hand XP machine from Packard.

When I turned it on I got a boot menu: xp home or win serv 2003 options. Both boot to the windows login screen where there is one user profile 'owner' (it is an admin account). Logging in to windows brings up the background pic and nothing else.

Task manager can be loaded and the processes are full of crap - all sorts of adware, reg fixes, optimisers etc. He has no anti-malware I can see. There is also one non-quitable process called 1670329770:1439330460.exe using 460K memory.

I can only run things from the taskmanager file - newtask menu, as there are no icons/start bar etc.

What I have tried and achieved so far:

iexplorer loads internet explorer which constantly redirects to malware sites.

appwiz.cpl brings up the add programs window and I've uninstalled everything that is non standard.

via a usb I've installed malwarebytes - this updated and then shut down about 2 mins into a scan. It will not restart. Running via taskmanager file - new task brings an error message: Windows cannot access, may not have appropriate permissions.

Unhide appears to run, but there is no effect.

DeFogger runs fine:

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 20:13 on 24/08/2011 (Owner)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

DDS will not run.

GMER scan started to run and quit after a few mins.

ESET ran once:

C:\Documents and Settings\Owner\Application Data\Uniblue\RegistryBooster\_temp\registrybooster.exe Win32/RegistryBooster application deleted - quarantined

C:\Documents and Settings\Owner\Application Data\Uniblue\RegistryBooster\_temp\ub.exe Win32/RegistryBooster application deleted - quarantined

C:\Documents and Settings\Owner\Application Data\Uniblue\SpeedUpMyPC\_temp\sump.exe Win32/SpeedUpMyPC application deleted - quarantined

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0LEFG352\index-functions[1].js Win32/RegistryBooster application cleaned by deleting - quarantined

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\TY4F5741\dogsex_010.avi[1].exe Win32/Agent.SZI trojan cleaned by deleting - quarantined

C:\Documents and Settings\Owner\My Documents\animal-sex-video.avi.exe Win32/Agent.SZI trojan cleaned by deleting - quarantined

C:\Program Files\Microsoft\BingBar\SeaPort.EXE Win32/Patched.HN trojan cleaned - quarantined

C:\Program Files\Uniblue\RegistryBooster\Launcher.exe Win32/RegistryBooster application cleaned by deleting - quarantined

C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe Win32/RegistryBooster application cleaned by deleting - quarantined

C:\Program Files\Uniblue\RegistryBooster\rbnotifier.exe Win32/RegistryBooster application cleaned by deleting - quarantined

C:\Program Files\Uniblue\RegistryBooster\rb_move_serial.exe Win32/RegistryBooster application cleaned by deleting - quarantined

C:\Program Files\Uniblue\RegistryBooster\rb_ubm.exe Win32/RegistryBooster application cleaned by deleting - quarantined

C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe Win32/RegistryBooster application cleaned by deleting - quarantined

C:\Program Files\Uniblue\SpeedUpMyPC\Launcher.exe Win32/SpeedUpMyPC application cleaned by deleting - quarantined

C:\Program Files\Uniblue\SpeedUpMyPC\spmonitor.exe Win32/SpeedUpMyPC application cleaned by deleting - quarantined

C:\Program Files\Uniblue\SpeedUpMyPC\spnotifier.exe Win32/SpeedUpMyPC application cleaned by deleting - quarantined

C:\Program Files\Uniblue\SpeedUpMyPC\sp_move_serial.exe Win32/SpeedUpMyPC application cleaned by deleting - quarantined

C:\Program Files\Uniblue\SpeedUpMyPC\sump.exe Win32/SpeedUpMyPC application cleaned by deleting - quarantined

After a restart nothing changed and it would not run again: error message: unspecified error 101.

rKill (all four file types) gave windows error: Windows cannot access, may not have appropriate permissions.

TDSSKiller runs every time, but on restart nothing changes:

2011/08/24 18:56:28.0359 1124 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57

2011/08/24 18:56:29.0015 1124 ================================================================================

2011/08/24 18:56:29.0015 1124 SystemInfo:

2011/08/24 18:56:29.0015 1124

2011/08/24 18:56:29.0015 1124 OS Version: 5.1.2600 ServicePack: 3.0

2011/08/24 18:56:29.0015 1124 Product type: Workstation

2011/08/24 18:56:29.0015 1124 ComputerName: FELIXWIGHTMAN

2011/08/24 18:56:29.0015 1124 UserName: Owner

2011/08/24 18:56:29.0015 1124 Windows directory: C:\WINDOWS

2011/08/24 18:56:29.0015 1124 System windows directory: C:\WINDOWS

2011/08/24 18:56:29.0015 1124 Processor architecture: Intel x86

2011/08/24 18:56:29.0015 1124 Number of processors: 1

2011/08/24 18:56:29.0015 1124 Page size: 0x1000

2011/08/24 18:56:29.0015 1124 Boot type: Normal boot

2011/08/24 18:56:29.0015 1124 ================================================================================

2011/08/24 18:56:30.0328 1124 Initialize success

2011/08/24 18:56:33.0140 1192 ================================================================================

2011/08/24 18:56:33.0140 1192 Scan started

2011/08/24 18:56:33.0140 1192 Mode: Manual;

2011/08/24 18:56:33.0140 1192 ================================================================================

2011/08/24 18:56:34.0203 1192 aa358f63 (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\1670329770:1439330460.exe

2011/08/24 18:56:36.0265 1192 Suspicious file (Hidden): C:\WINDOWS\1670329770:1439330460.exe. md5: 8f2bb1827cac01aee6a16e30a1260199

2011/08/24 18:56:36.0281 1192 aa358f63 - detected HiddenFile.Multi.Generic (1)

2011/08/24 18:56:36.0484 1192 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/08/24 18:56:36.0578 1192 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/08/24 18:56:36.0703 1192 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/08/24 18:56:36.0796 1192 AFD (adaade4335def381a0fe77970d42d425) C:\WINDOWS\System32\drivers\afd.sys

2011/08/24 18:56:36.0796 1192 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: adaade4335def381a0fe77970d42d425, Fake md5: 355556d9e580915118cd7ef736653a89

2011/08/24 18:56:36.0812 1192 AFD - detected Rootkit.Win32.ZAccess.c (0)

2011/08/24 18:56:37.0312 1192 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/08/24 18:56:37.0375 1192 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/08/24 18:56:37.0531 1192 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/08/24 18:56:37.0625 1192 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/08/24 18:56:37.0734 1192 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/08/24 18:56:37.0812 1192 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/08/24 18:56:37.0890 1192 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

2011/08/24 18:56:38.0031 1192 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/08/24 18:56:38.0125 1192 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/08/24 18:56:38.0171 1192 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/08/24 18:56:38.0593 1192 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/08/24 18:56:38.0671 1192 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2011/08/24 18:56:38.0765 1192 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2011/08/24 18:56:38.0843 1192 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/08/24 18:56:38.0937 1192 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/08/24 18:56:39.0109 1192 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/08/24 18:56:39.0218 1192 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/08/24 18:56:39.0281 1192 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2011/08/24 18:56:39.0343 1192 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2011/08/24 18:56:39.0390 1192 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/08/24 18:56:39.0484 1192 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/08/24 18:56:39.0578 1192 fssfltr (e0087225b137e57239ff40f8ae82059b) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys

2011/08/24 18:56:39.0671 1192 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/08/24 18:56:39.0718 1192 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/08/24 18:56:39.0796 1192 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys

2011/08/24 18:56:39.0890 1192 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/08/24 18:56:39.0984 1192 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/08/24 18:56:40.0156 1192 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/08/24 18:56:40.0343 1192 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/08/24 18:56:40.0390 1192 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/08/24 18:56:40.0562 1192 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/08/24 18:56:40.0625 1192 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/08/24 18:56:40.0718 1192 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/08/24 18:56:40.0796 1192 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/08/24 18:56:40.0890 1192 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/08/24 18:56:40.0937 1192 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/08/24 18:56:41.0000 1192 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/08/24 18:56:41.0140 1192 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/08/24 18:56:41.0203 1192 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/08/24 18:56:41.0265 1192 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/08/24 18:56:41.0343 1192 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/08/24 18:56:41.0515 1192 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/08/24 18:56:41.0609 1192 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2011/08/24 18:56:41.0671 1192 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/08/24 18:56:41.0750 1192 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/08/24 18:56:41.0875 1192 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/08/24 18:56:41.0968 1192 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys

2011/08/24 18:56:42.0109 1192 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/08/24 18:56:42.0203 1192 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/08/24 18:56:42.0343 1192 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/08/24 18:56:42.0406 1192 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/08/24 18:56:42.0515 1192 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/08/24 18:56:42.0578 1192 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/08/24 18:56:42.0656 1192 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/08/24 18:56:42.0734 1192 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

2011/08/24 18:56:42.0828 1192 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys

2011/08/24 18:56:43.0046 1192 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

2011/08/24 18:56:43.0312 1192 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/08/24 18:56:43.0390 1192 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

2011/08/24 18:56:43.0468 1192 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/08/24 18:56:43.0562 1192 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/08/24 18:56:43.0609 1192 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/08/24 18:56:43.0687 1192 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/08/24 18:56:43.0765 1192 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/08/24 18:56:43.0828 1192 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/08/24 18:56:43.0953 1192 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/08/24 18:56:44.0031 1192 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/08/24 18:56:44.0140 1192 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/08/24 18:56:44.0203 1192 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/08/24 18:56:44.0265 1192 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/08/24 18:56:44.0375 1192 PAEAFLT.sys (301e92ce7fb606f94f124a76d8145622) C:\WINDOWS\system32\DRIVERS\PAEAFLT.sys

2011/08/24 18:56:44.0468 1192 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/08/24 18:56:44.0546 1192 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/08/24 18:56:44.0640 1192 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/08/24 18:56:44.0718 1192 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/08/24 18:56:44.0828 1192 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/08/24 18:56:44.0953 1192 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2011/08/24 18:56:45.0359 1192 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/08/24 18:56:45.0421 1192 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/08/24 18:56:45.0484 1192 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/08/24 18:56:45.0796 1192 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/08/24 18:56:45.0875 1192 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/08/24 18:56:45.0953 1192 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/08/24 18:56:46.0046 1192 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/08/24 18:56:46.0156 1192 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/08/24 18:56:46.0250 1192 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/08/24 18:56:46.0359 1192 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/08/24 18:56:46.0468 1192 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/08/24 18:56:46.0609 1192 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/08/24 18:56:46.0718 1192 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/08/24 18:56:46.0781 1192 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/08/24 18:56:46.0906 1192 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/08/24 18:56:47.0031 1192 SiS315 (8365751f9407ea612ea1e022292ffc9c) C:\WINDOWS\system32\DRIVERS\sisgrp.sys

2011/08/24 18:56:47.0109 1192 SiS7012 (3fb1dbd8a787bb5afd8d4ec3c5701608) C:\WINDOWS\system32\drivers\sis7012.sys

2011/08/24 18:56:47.0187 1192 SiSkp (5de3c5e923eaa435ab4b48ea87c99f71) C:\WINDOWS\system32\DRIVERS\srvkp.sys

2011/08/24 18:56:47.0265 1192 SISNIC (3fbb6ef8b5a71a2fa11f5f461bb73219) C:\WINDOWS\system32\DRIVERS\sisnic.sys

2011/08/24 18:56:47.0343 1192 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2011/08/24 18:56:47.0515 1192 SPC230NC (2265d43d44cf9695c050e3b58f05295b) C:\WINDOWS\system32\DRIVERS\SPC230NC.SYS

2011/08/24 18:56:47.0609 1192 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/08/24 18:56:47.0671 1192 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/08/24 18:56:47.0781 1192 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/08/24 18:56:47.0890 1192 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2011/08/24 18:56:47.0984 1192 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/08/24 18:56:48.0031 1192 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/08/24 18:56:48.0312 1192 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/08/24 18:56:48.0500 1192 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/08/24 18:56:48.0578 1192 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/08/24 18:56:48.0656 1192 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/08/24 18:56:48.0718 1192 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/08/24 18:56:48.0890 1192 uagp35 (d85938f272d1bcf3db3a31fc0a048928) C:\WINDOWS\system32\DRIVERS\uagp35.sys

2011/08/24 18:56:48.0968 1192 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/08/24 18:56:49.0125 1192 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/08/24 18:56:49.0234 1192 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys

2011/08/24 18:56:49.0312 1192 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/08/24 18:56:49.0406 1192 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/08/24 18:56:49.0484 1192 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/08/24 18:56:49.0578 1192 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2011/08/24 18:56:49.0656 1192 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/08/24 18:56:49.0734 1192 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/08/24 18:56:49.0843 1192 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/08/24 18:56:49.0937 1192 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/08/24 18:56:50.0062 1192 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/08/24 18:56:50.0156 1192 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/08/24 18:56:50.0250 1192 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/08/24 18:56:50.0468 1192 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2011/08/24 18:56:50.0562 1192 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/08/24 18:56:50.0640 1192 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/08/24 18:56:50.0718 1192 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0

2011/08/24 18:56:50.0921 1192 MBR (0x1B8) (65e858a8a0293be11a920b0bc99d695e) \Device\Harddisk1\DR3

2011/08/24 18:56:50.0968 1192 Boot (0x1200) (3e4c067ae3609da1668cc5b8ef6d8085) \Device\Harddisk0\DR0\Partition0

2011/08/24 18:56:51.0015 1192 Boot (0x1200) (8256243b23c66a290859cae5d5249c03) \Device\Harddisk0\DR0\Partition1

2011/08/24 18:56:51.0031 1192 Boot (0x1200) (5a64bbdd13caeb8ed4ad87fa669e5d91) \Device\Harddisk1\DR3\Partition0

2011/08/24 18:56:51.0046 1192 ================================================================================

2011/08/24 18:56:51.0046 1192 Scan finished

2011/08/24 18:56:51.0046 1192 ================================================================================

2011/08/24 18:56:51.0078 1640 Detected object count: 2

2011/08/24 18:56:51.0078 1640 Actual detected object count: 2

2011/08/24 18:58:38.0515 1640 HKLM\SYSTEM\ControlSet001\services\aa358f63 - will be deleted after reboot

2011/08/24 18:58:38.0515 1640 HKLM\SYSTEM\ControlSet003\services\aa358f63 - will be deleted after reboot

2011/08/24 18:58:38.0515 1640 C:\WINDOWS\1670329770:1439330460.exe - will be deleted after reboot

2011/08/24 18:58:38.0515 1640 HiddenFile.Multi.Generic(aa358f63) - User select action: Delete

2011/08/24 18:58:38.0625 1640 AFD (adaade4335def381a0fe77970d42d425) C:\WINDOWS\System32\drivers\afd.sys

2011/08/24 18:58:38.0625 1640 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: adaade4335def381a0fe77970d42d425, Fake md5: 355556d9e580915118cd7ef736653a89

2011/08/24 18:58:39.0375 1640 Backup copy found, using it..

2011/08/24 18:58:39.0390 1640 C:\WINDOWS\System32\drivers\afd.sys - will be cured after reboot

2011/08/24 18:58:39.0390 1640 Rootkit.Win32.ZAccess.c(AFD) - User select action: Cure

.

.

.

So, I'd be grateful for advice. Clearly there is a badass virus infection and the computer has been appallingly maintained/protected. I shall clearly explain to my neighbour how to protect his PC should I get it fixed.

I'd normally suggest format-reinstall windows, but my neighbour has no XP disk and certainly couldn't afford one.

AND besides - I like a challenge... MUST FIX THIS!

Sorry - one thing I forgot to mention - the HDD is partitioned - c: contains the usual win install etc, d: contains what looks like a windows installer volume or restore point and a few directories with driver files in.
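An added example, not from this thread or from TDSSKiller itself, that parses log lines in the format quoted above and pulls out the entries a responder should act on: the forged afd.sys (real vs. fake md5), the file flagged as hidden, and the service whose image path contains a second colon, which on NTFS marks an alternate data stream. The sample log is constructed from the lines in the post above; the regexes assume the line layout shown there.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log, modelled on the TDSSKiller output quoted in the thread
# (same hashes and paths; the clean driver lines are trimmed).
SAMPLE_LOG = r"""
2011/08/24 18:56:34.0203 1192 aa358f63 (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\1670329770:1439330460.exe
2011/08/24 18:56:36.0265 1192 Suspicious file (Hidden): C:\WINDOWS\1670329770:1439330460.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
2011/08/24 18:56:36.0281 1192 aa358f63 - detected HiddenFile.Multi.Generic (1)
2011/08/24 18:56:36.0484 1192 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/08/24 18:56:36.0796 1192 AFD (adaade4335def381a0fe77970d42d425) C:\WINDOWS\System32\drivers\afd.sys
2011/08/24 18:56:36.0796 1192 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: adaade4335def381a0fe77970d42d425, Fake md5: 355556d9e580915118cd7ef736653a89
2011/08/24 18:56:36.0812 1192 AFD - detected Rootkit.Win32.ZAccess.c (0)
"""

# Every TDSSKiller line starts with a timestamp and a thread id.
_PREFIX = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+"
_ENTRY = re.compile(_PREFIX + r"(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
_HIDDEN = re.compile(_PREFIX + r"Suspicious file \(Hidden\): (?P<path>.+)\. md5: (?P<md5>[0-9a-f]{32})$")
_FORGED = re.compile(_PREFIX + r"Suspicious file \(Forged\): (?P<path>.+)\. "
                     r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
_DETECTED = re.compile(_PREFIX + r"(?P<name>\S+) - detected (?P<verdict>\S+) \(\d+\)$")
# A second colon after the drive letter means the image lives in an NTFS alternate data stream.
_ADS = re.compile(r"^[A-Za-z]:\\.*:[^\\]+$")


@dataclass
class Finding:
    kind: str        # "ads_path", "hidden_file", "forged_driver" or "detection"
    path: str
    detail: str
    md5: str = ""
    fake_md5: str = ""   # only set for forged drivers: the hash the rootkit presents to the OS


def is_ads_path(path: str) -> bool:
    """True when a Windows path points into an alternate data stream (file:stream)."""
    return bool(_ADS.match(path))


def analyze(log_text: str) -> list[Finding]:
    """Walk a TDSSKiller log and return the entries a responder should act on."""
    findings: list[Finding] = []
    by_name: dict[str, tuple[str, str]] = {}   # service/driver name -> (md5, path)
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := _FORGED.match(line):
            findings.append(Finding("forged_driver", m["path"],
                                    "on-disk hash differs from what the rootkit shows the OS",
                                    md5=m["real"], fake_md5=m["fake"]))
        elif m := _HIDDEN.match(line):
            findings.append(Finding("hidden_file", m["path"],
                                    "file hidden from normal enumeration", md5=m["md5"]))
        elif m := _DETECTED.match(line):
            # Detection lines name only the service; resolve it through the entry seen earlier.
            md5, path = by_name.get(m["name"], ("", "<unknown>"))
            findings.append(Finding("detection", path, f'{m["name"]}: {m["verdict"]}', md5=md5))
        elif m := _ENTRY.match(line):
            by_name[m["name"]] = (m["md5"], m["path"])
            if is_ads_path(m["path"]):
                findings.append(Finding("ads_path", m["path"],
                                        f'service {m["name"]} loads from an alternate data stream',
                                        md5=m["md5"]))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        extra = f" real={f.md5} fake={f.fake_md5}" if f.fake_md5 else ""
        print(f"[{f.kind}] {f.path}: {f.detail}{extra}")
```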



Logs will be closed if you haven't replied within 3 days

We look for posts with 0 replies, so when you replied to your own topic, we assumed you were being helped.

Please do not attach the scan results from ComboFix. Use copy/paste.

DO NOT use any TOOLS such as Combofix, or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

XP Users

Double-click My Computer.

Click the Tools menu, and then click Folder Options.

Click the View tab.

Uncheck "Hide file extensions for known file types."

Under the "Hidden files" folder, select "Show hidden files and folders."

Uncheck "Hide protected operating system files."

Click Apply, and then click OK.

Vista Users

To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:

Close all programs so that you are at your desktop.

Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

Click on the Control Panel menu option.

When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:

Double-click on the Folder Options icon.

Click on the View tab.

If you are in the Control Panel Home view do the following:

Click on the Appearance and Personalization link.

Click on Show Hidden Files or Folders.

Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

Remove the checkmark from the checkbox labeled Hide extensions for known file types.

Remove the checkmark from the checkbox labeled Hide protected operating system files.

Please do not delete anything unless instructed to.

Next:

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Next:

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


Many thanks for your help!

Currently my neighbour's computer (XP home) starts with no icons/no start bar. I can only run some things from the taskmanager file - run menu. Explorer doesn't work and I've only been able to run some things listed in the FAQ (see above). Running internet explorer leads to redirects to malware sites etc.

I will follow your advice for the ATF scan. The combofix I can download on my PC on to a usbstick, but can't see how I'd copy it to the desktop on the sick PC as explorer won't run! It looks like running from USB is not possible?

Meanwhile I shall run the ATF scan. If this lets me access explorer I'll go for the combofix.

Many thanks! Service on Saturday is beyond the call of duty!


OK - here is the ComboFix file

There was a minor problem - as I have to run processes through taskmanager run command, I could not find a way to get into folder options to reveal hidden folders as you said as the first item of your reply. Is there a way around this problem?

Thanks for your help.

ComboFix 11-08-27.01 - Owner 28/08/2011 20:19:24.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.272 [GMT 1:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\documents and settings\Owner\Application Data\alot

c:\documents and settings\Owner\Application Data\alot\BrowserSearch\BrowserSearch.xml

c:\documents and settings\Owner\Application Data\alot\BrowserSearch\BrowserSearch.xml.backup

c:\documents and settings\Owner\Application Data\alot\Button_0\Button_0.xml

c:\documents and settings\Owner\Application Data\alot\Button_0\Button_0.xml.backup

c:\documents and settings\Owner\Application Data\alot\Button_1\Button_1.xml

c:\documents and settings\Owner\Application Data\alot\Button_1\Button_1.xml.backup

c:\documents and settings\Owner\Application Data\alot\Button_10\Button_10.xml

c:\documents and settings\Owner\Application Data\alot\Button_10\Button_10.xml.backup

c:\documents and settings\Owner\Application Data\alot\Button_11\Button_11.xml

c:\documents and settings\Owner\Application Data\alot\Button_11\Button_11.xml.backup

c:\documents and settings\Owner\Application Data\alot\Button_12\Button_12.xml

c:\documents and settings\Owner\Application Data\alot\Button_12\Button_12.xml.backup

c:\documents and settings\Owner\Application Data\alot\Button_2\Button_2.xml

c:\documents and settings\Owner\Application Data\alot\Button_2\Button_2.xml.backup

c:\documents and settings\Owner\Application Data\alot\Button_3\Button_3.xml

c:\documents and settings\Owner\Application Data\alot\Button_3\Button_3.xml.backup

c:\documents and settings\Owner\Application Data\alot\Button_4\Button_4.xml

c:\documents and settings\Owner\Application Data\alot\Button_4\Button_4.xml.backup

c:\documents and settings\Owner\Application Data\alot\Button_5\Button_5.xml

c:\documents and settings\Owner\Application Data\alot\Button_5\Button_5.xml.backup

c:\documents and settings\Owner\Application Data\alot\Button_6\Button_6.xml

c:\documents and settings\Owner\Application Data\alot\Button_6\Button_6.xml.backup

c:\documents and settings\Owner\Application Data\alot\Button_7\Button_7.xml

c:\documents and settings\Owner\Application Data\alot\Button_7\Button_7.xml.backup

c:\documents and settings\Owner\Application Data\alot\Button_8\Button_8.xml

c:\documents and settings\Owner\Application Data\alot\Button_8\Button_8.xml.backup

c:\documents and settings\Owner\Application Data\alot\Button_9\Button_9.xml

c:\documents and settings\Owner\Application Data\alot\Button_9\Button_9.xml.backup

c:\documents and settings\Owner\Application Data\alot\configurator\configurator.xml

c:\documents and settings\Owner\Application Data\alot\configurator\configurator.xml.backup

c:\documents and settings\Owner\Application Data\alot\contextMenu\contextMenu.xml

c:\documents and settings\Owner\Application Data\alot\contextMenu\contextMenu.xml.backup

c:\documents and settings\Owner\Application Data\alot\ErrorSearch\ErrorSearch.xml

c:\documents and settings\Owner\Application Data\alot\ErrorSearch\ErrorSearch.xml.backup

c:\documents and settings\Owner\Application Data\alot\postInstallLayout\postInstallLayout.xml

c:\documents and settings\Owner\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup

c:\documents and settings\Owner\Application Data\alot\products\products.xml

c:\documents and settings\Owner\Application Data\alot\products\products.xml.backup

c:\documents and settings\Owner\Application Data\alot\Resources\BrowserSearch\alot_search_defend.html

c:\documents and settings\Owner\Application Data\alot\Resources\Button_0\images\alot_logo_button.bmp

c:\documents and settings\Owner\Application Data\alot\Resources\Button_0\images\alot_logo_button.png

c:\documents and settings\Owner\Application Data\alot\Resources\Button_1\images\alot_image_search.bmp

c:\documents and settings\Owner\Application Data\alot\Resources\Button_1\images\alot_image_search.png

c:\documents and settings\Owner\Application Data\alot\Resources\Button_1\images\alot_news_search.bmp

c:\documents and settings\Owner\Application Data\alot\Resources\Button_1\images\alot_news_search.png

c:\documents and settings\Owner\Application Data\alot\Resources\Button_1\images\alot_search_button.bmp

c:\documents and settings\Owner\Application Data\alot\Resources\Button_1\images\alot_search_button.png

c:\documents and settings\Owner\Application Data\alot\Resources\Button_1\images\alot_shop_search.bmp

c:\documents and settings\Owner\Application Data\alot\Resources\Button_1\images\alot_shop_search.png

c:\documents and settings\Owner\Application Data\alot\Resources\Button_1\images\alot_videos_search.bmp

c:\documents and settings\Owner\Application Data\alot\Resources\Button_1\images\alot_videos_search.png

c:\documents and settings\Owner\Application Data\alot\Resources\Button_1\images\alot_web_search.bmp

c:\documents and settings\Owner\Application Data\alot\Resources\Button_1\images\alot_web_search.png

c:\documents and settings\Owner\Application Data\alot\Resources\Button_10\images\4680_icon.png

c:\documents and settings\Owner\Application Data\alot\Resources\Button_11\images\cloudy.png

c:\documents and settings\Owner\Application Data\alot\Resources\Button_11\images\default_1007_alot_weather_widget.bmp

c:\documents and settings\Owner\Application Data\alot\Resources\Button_11\images\default_1007_alot_weather_widget.png

c:\documents and settings\Owner\Application Data\alot\Resources\Button_11\images\mcloud.png

c:\documents and settings\Owner\Application Data\alot\Resources\Button_12\images\default_2254_email.bmp

c:\documents and settings\Owner\Application Data\alot\Resources\Button_12\images\default_2254_email.png

c:\documents and settings\Owner\Application Data\alot\Resources\Button_12\images\icon_configure.JPG

c:\documents and settings\Owner\Application Data\alot\Resources\Button_2\images\alot_configure.bmp

c:\documents and settings\Owner\Application Data\alot\Resources\Button_2\images\alot_configure.png

c:\documents and settings\Owner\Application Data\alot\Resources\Button_3\images\4678_icon.png

c:\documents and settings\Owner\Application Data\alot\Resources\Button_4\images\default_2304_default_1379_alot_cas_playgames.bmp

c:\documents and settings\Owner\Application Data\alot\Resources\Button_4\images\default_2304_default_1379_alot_cas_playgames.png

c:\documents and settings\Owner\Application Data\alot\Resources\Button_5\images\default_2303_default_1379_alot_cas_playgames.bmp

c:\documents and settings\Owner\Application Data\alot\Resources\Button_5\images\default_2303_default_1379_alot_cas_playgames.png

c:\documents and settings\Owner\Application Data\alot\Resources\Button_6\images\default_2305_default_1613_alot_online_games_tetriz.bmp

c:\documents and settings\Owner\Application Data\alot\Resources\Button_6\images\default_2305_default_1613_alot_online_games_tetriz.png

c:\documents and settings\Owner\Application Data\alot\Resources\Button_7\images\default_2306_default_2080_frogger_button.bmp

c:\documents and settings\Owner\Application Data\alot\Resources\Button_7\images\default_2306_default_2080_frogger_button.png

c:\documents and settings\Owner\Application Data\alot\Resources\Button_8\images\3562_icon.png

c:\documents and settings\Owner\Application Data\alot\Resources\Button_9\images\4675_icon.png

c:\documents and settings\Owner\Application Data\alot\Resources\contextMenu\images\alot_icon.bmp

c:\documents and settings\Owner\Application Data\alot\Resources\contextMenu\images\alot_icon.png

c:\documents and settings\Owner\Application Data\alot\Resources\contextMenu\images\alot_logo_button.bmp

c:\documents and settings\Owner\Application Data\alot\Resources\contextMenu\images\alot_logo_button.png

c:\documents and settings\Owner\Application Data\alot\Resources\Shared\domains.dat

c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\alot_brand.png

c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\alot_splitter.png

c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\discover.png

c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\intro_popup.png

c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\spinner.bmp

c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_bottom.bmp

c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_btnclose0.bmp

c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_btnclose1.bmp

c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_btnconfig0.bmp

c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_btnconfig1.bmp

c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_btnrefresh0.bmp

c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_btnrefresh1.bmp

c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_caption.bmp

c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_error_bg.bmp

c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_error_close.bmp

c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_error_icon.bmp

c:\documents and settings\Owner\Application Data\alot\TimerManager\TimerManager.xml

c:\documents and settings\Owner\Application Data\alot\TimerManager\TimerManager.xml.backup

c:\documents and settings\Owner\Application Data\alot\toolbar.xml

c:\documents and settings\Owner\Application Data\alot\toolbar.xml.backup

c:\documents and settings\Owner\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml

c:\documents and settings\Owner\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml.backup

c:\documents and settings\Owner\Application Data\alot\ToolbarSearch\ToolbarSearch.xml

c:\documents and settings\Owner\Application Data\alot\Updater\Updater.xml

c:\documents and settings\Owner\Application Data\alot\Updater\Updater.xml.backup

c:\documents and settings\Owner\Application Data\PriceGong

c:\documents and settings\Owner\Application Data\PriceGong\Data\1.xml

c:\documents and settings\Owner\Application Data\PriceGong\Data\a.xml

c:\documents and settings\Owner\Application Data\PriceGong\Data\b.xml

c:\documents and settings\Owner\Application Data\PriceGong\Data\c.xml

c:\documents and settings\Owner\Application Data\PriceGong\Data\d.xml

c:\documents and settings\Owner\Application Data\PriceGong\Data\e.xml

c:\documents and settings\Owner\Application Data\PriceGong\Data\f.xml

c:\documents and settings\Owner\Application Data\PriceGong\Data\g.xml

c:\documents and settings\Owner\Application Data\PriceGong\Data\h.xml

c:\documents and settings\Owner\Application Data\PriceGong\Data\i.xml

c:\documents and settings\Owner\Application Data\PriceGong\Data\J.xml

c:\documents and settings\Owner\Application Data\PriceGong\Data\k.xml

c:\documents and settings\Owner\Application Data\PriceGong\Data\l.xml

c:\documents and settings\Owner\Application Data\PriceGong\Data\m.xml

c:\documents and settings\Owner\Application Data\PriceGong\Data\mru.xml

c:\documents and settings\Owner\Application Data\PriceGong\Data\n.xml

c:\documents and settings\Owner\Application Data\PriceGong\Data\o.xml

c:\documents and settings\Owner\Application Data\PriceGong\Data\p.xml

c:\documents and settings\Owner\Application Data\PriceGong\Data\q.xml

c:\documents and settings\Owner\Application Data\PriceGong\Data\r.xml

c:\documents and settings\Owner\Application Data\PriceGong\Data\s.xml

c:\documents and settings\Owner\Application Data\PriceGong\Data\t.xml

c:\documents and settings\Owner\Application Data\PriceGong\Data\u.xml

c:\documents and settings\Owner\Application Data\PriceGong\Data\v.xml

c:\documents and settings\Owner\Application Data\PriceGong\Data\w.xml

c:\documents and settings\Owner\Application Data\PriceGong\Data\x.xml

c:\documents and settings\Owner\Application Data\PriceGong\Data\y.xml

c:\documents and settings\Owner\Application Data\PriceGong\Data\z.xml

c:\program files\Registry Helper

c:\program files\Registry Helper\background.jpg

c:\program files\Registry Helper\delete_invalid_entries_grey.jpg

c:\program files\Registry Helper\ErrorFound.wav

c:\program files\Registry Helper\header.gif

c:\program files\Registry Helper\help.chm

c:\program files\Registry Helper\letter.htm

c:\program files\Registry Helper\letter1.htm

c:\program files\Registry Helper\letter2.htm

c:\program files\Registry Helper\letter3.htm

c:\program files\Registry Helper\letter4.htm

c:\program files\Registry Helper\letter5.htm

c:\program files\Registry Helper\logo.jpg

c:\program files\Registry Helper\print_16.gif

c:\program files\Registry Helper\Registry Helper.url

.

-- Previous Run --

.

Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected

Restored copy from - The cat found it :)

Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected

Restored copy from - c:\windows\system32\dllcache\wuauclt.exe

.

Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected

Restored copy from - The cat found it :)

Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected

Restored copy from - c:\windows\system32\dllcache\wuauclt.exe

.

Infected copy of c:\program files\Google\Update\GoogleUpdate.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{FE089BEC-08DB-47A9-949D-277A89EB0AB7}\RP5\A0002246.exe

.

Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected

Restored copy from - The cat found it :)

Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected

Restored copy from - c:\windows\system32\dllcache\wuauclt.exe

.

Infected copy of c:\program files\Google\Update\GoogleUpdate.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{FE089BEC-08DB-47A9-949D-277A89EB0AB7}\RP5\A0002246.exe

.

c:\windows\system32\SearchIndexer.exe . . . is infected!!

.

--------

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_aa358f63

.

.

((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-28 )))))))))))))))))))))))))))))))

.

.

2011-08-28 19:17 . 2011-08-28 19:17 -------- d-----w- c:\windows\system32\New Folder

2011-08-28 18:08 . 2011-02-16 13:25 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys

2011-08-28 18:08 . 2011-02-16 13:25 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2011-08-28 17:46 . 2011-08-28 17:47 -------- d-----w- c:\documents and settings\Administrator

2011-08-24 19:15 . 2011-08-24 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}

2011-08-24 17:53 . 2011-08-28 17:55 43408 --sha-w- c:\windows\system32\c_49133.nl_

2011-08-24 17:20 . 2011-08-24 17:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2011-08-24 17:20 . 2011-08-24 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-08-23 19:36 . 2011-08-23 19:36 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2011-08-23 18:09 . 2011-08-23 18:09 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PCHealth

2011-08-23 18:09 . 2011-08-23 18:09 -------- d-----w- c:\program files\Windows Desktop Search

2011-08-23 18:09 . 2011-08-23 18:09 -------- d-----w- c:\windows\system32\GroupPolicy

2011-08-23 18:07 . 2011-08-23 18:07 -------- d-----w- c:\program files\Windows Media Connect 2

2011-08-23 18:01 . 2011-08-23 18:01 -------- d-----w- c:\windows\system32\URTTEMP

2011-08-23 17:27 . 2011-05-24 18:14 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-08-23 17:16 . 2011-08-23 17:16 -------- d-----w- c:\windows\system32\wbem\Repository

2011-08-21 11:40 . 2011-08-23 17:16 -------- d-----w- c:\program files\TubeDownloader

2011-08-20 11:09 . 2011-08-20 11:09 2450944 ----a-w- c:\windows\system32\setb3.tmp

2011-08-20 11:06 . 2011-08-20 11:08 -------- d-----w- c:\windows\system32\drivers\UMDF

2011-08-11 08:07 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

2011-08-02 12:02 . 2011-08-02 12:02 -------- d-----w- c:\documents and settings\Owner\Application Data\CompuClever

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-28 17:55 . 2004-08-04 12:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys

2011-08-27 18:55 . 2004-08-04 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-08-24 17:52 . 2004-08-04 12:00 64512 ----a-w- c:\windows\system32\drivers\serial.sys

2011-07-15 13:29 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2004-08-04 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10 . 2010-02-24 18:47 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-06-02 14:02 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys

2004-10-11 18:46 . 2004-10-11 18:46 205312 -c--a-w- c:\program files\ltefx13n.dll

2004-01-19 13:31 . 2004-01-19 13:31 153600 -c--a-w- c:\program files\ltfil13n.DLL

2004-01-19 12:31 . 2004-01-19 12:31 27648 -c--a-w- c:\program files\lfiff13n.dll

2004-01-19 12:31 . 2004-01-19 12:31 20480 -c--a-w- c:\program files\lfCUT13n.dll

2004-01-19 11:31 . 2004-01-19 11:31 453120 -c--a-w- c:\program files\ltkrn13n.dll

2004-01-19 11:12 . 2004-01-19 11:12 89600 -c--a-w- c:\program files\Lfcgm13n.dll

2004-01-19 10:49 . 2004-01-19 10:49 278016 -c--a-w- c:\program files\LFJ2K13n.dll

2004-01-19 10:49 . 2004-01-19 10:49 180736 -c--a-w- c:\program files\Lfpng13n.dll

2004-01-19 10:47 . 2004-01-19 10:47 76800 -c--a-w- c:\program files\Lfwmf13n.dll

2004-01-19 10:47 . 2004-01-19 10:47 509440 -c--a-w- c:\program files\LFCMW13n.dll

2004-01-19 10:45 . 2004-01-19 10:45 420352 -c--a-w- c:\program files\LFCMP13n.DLL

2004-01-19 10:44 . 2004-01-19 10:44 143872 -c--a-w- c:\program files\lftif13n.dll

2004-01-19 10:36 . 2004-01-19 10:36 56832 -c--a-w- c:\program files\lfpsd13n.dll

2004-01-19 10:36 . 2004-01-19 10:36 19968 -c--a-w- c:\program files\lfpcd13n.dll

2004-01-19 10:36 . 2004-01-19 10:36 26624 -c--a-w- c:\program files\lfpcx13n.dll

2004-01-19 10:36 . 2004-01-19 10:36 65536 -c--a-w- c:\program files\Lfpct13n.dll

2004-01-19 10:36 . 2004-01-19 10:36 18944 -c--a-w- c:\program files\lfmsp13n.dll

2004-01-19 10:35 . 2004-01-19 10:35 18944 -c--a-w- c:\program files\lfmac13n.dll

2004-01-19 10:35 . 2004-01-19 10:35 20992 -c--a-w- c:\program files\lfimg13n.dll

2004-01-19 10:34 . 2004-01-19 10:34 31744 -c--a-w- c:\program files\lfclp13n.dll

2004-01-19 10:34 . 2004-01-19 10:34 30208 -c--a-w- c:\program files\lfbmp13n.dll

2004-01-19 10:33 . 2004-01-19 10:33 444928 -c--a-w- c:\program files\ltimg13n.dll

2004-01-19 10:32 . 2004-01-19 10:32 265216 -c--a-w- c:\program files\LTDIS13n.dll

2000-05-02 03:17 . 2000-05-02 03:17 212480 -c--a-w- c:\program files\PCDLIB32.DLL

1999-11-18 22:00 . 1999-11-18 22:00 284032 -c--a-w- c:\program files\XceedZip.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2008-04-14 00:12 . !HASH: COULD NOT OPEN FILE !!!!! . 1033728 . . [------] . . c:\windows\explorer.exe

[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe

[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe

[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\explorer.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

"Philips Intelligent Agent"="c:\program files\Philips\Intelligent Agent\Philips Intelligent Agent.exe" [2008-02-21 613792]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SPC_Monitor"="c:\windows\Philips\SPC230NC\Monitor.exe" [2007-12-10 323584]

"SPC230NC_Monitor"="c:\windows\Philips\SPC230NC\Monitor.exe" [2007-12-10 323584]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"AFD"="c:\windows\Regedit.exe" [2008-04-14 146432]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

TrayMin230.lnk - c:\program files\Philips\Philips SPC230NC Webcam\TrayMin230.exe [2010-6-5 241664]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=

"c:\\WINDOWS\\system32\\msfeedssync.exe"=

"c:\\Program Files\\Iminent\\IMBooster\\inst\\Bootstrapper\\Bootstrapper.exe"=

"c:\\WINDOWS\\system32\\taskmgr.exe"=

"g:\\TDSKiller.exe"=

"g:\\esetsmartinstaller_enu.exe"=

"c:\\WINDOWS\\system32\\msiexec.exe"=

.

R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [03/11/2004 15:14 267136]

S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys --> c:\windows\system32\drivers\is3srv.sys [?]

S0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]

S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys --> c:\windows\system32\drivers\szkgfs.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]

S3 cpuz129;cpuz129;\??\c:\program files\PC Wizard 2008\pcwiz32.sys --> c:\program files\PC Wizard 2008\pcwiz32.sys [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]

S3 PAEAFLT.sys;USB Composite Device;c:\windows\system32\drivers\PAEAFLT.sys [05/06/2010 08:35 8576]

S3 SPC230NC;Philips SPC230NC Webcam;c:\windows\system32\drivers\SPC230NC.SYS [05/06/2010 08:35 461056]

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1645522239-839522115-1003Core.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-23 18:49]

.

2011-08-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1645522239-839522115-1003UA.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-23 18:49]

.

2011-08-28 c:\windows\Tasks\User_Feed_Synchronization-{1F528E9E-EDF1-402B-8111-4FDBCFBE38DC}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://mystart.incredimail.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html

Trusted Zone: hotmail.com\www

Trusted Zone: live.com\co104w.col104.mail

TCP: DhcpNameServer = 192.168.1.254

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

SafeBoot-32260167.sys

SafeBoot-35947086.sys

SafeBoot-42931971.sys

SafeBoot-86277265.sys

AddRemove-SiS7012 - c:\program files\SiS7012\Uninst\uninst2k.exe PCI\VEN_1039&DEV_7012

AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - c:\documents and settings\All Users\Application Data\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}\bm_installer.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-28 20:26

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

Completion time: 2011-08-28 20:29:29

ComboFix-quarantined-files.txt 2011-08-28 19:29

.

Pre-Run: 10,946,035,712 bytes free

Post-Run: 10,906,226,688 bytes free

.

- - End Of File - - 7221AA555BB4DD22DFDC7CC8EE29BCC4


Hi there,

Thanks for the help.

I still cannot access control panel or folder options window to display hidden files.

I've tried running control and explorer from Task Manager, but get this error:

"Windows cannot access the specified file or path. You may not have the appropriate permissions to access."

Running 'control folders' does nothing.

Any idea how to show the hidden folders?

I have rerun ComboFix anyway:

ComboFix 11-08-27.01 - Owner 29/08/2011 17:27:27.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.155 [GMT 1:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-29 )))))))))))))))))))))))))))))))

.

.

2011-08-28 19:17 . 2011-08-28 19:17 -------- d-----w- c:\windows\system32\New Folder

2011-08-28 18:08 . 2011-02-16 13:25 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys

2011-08-28 18:08 . 2011-02-16 13:25 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2011-08-28 17:46 . 2011-08-28 17:47 -------- d-----w- c:\documents and settings\Administrator

2011-08-24 19:15 . 2011-08-24 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}

2011-08-24 17:53 . 2011-08-28 17:55 43408 --sha-w- c:\windows\system32\c_49133.nl_

2011-08-24 17:20 . 2011-08-24 17:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2011-08-24 17:20 . 2011-08-24 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-08-23 19:36 . 2011-08-23 19:36 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2011-08-23 18:09 . 2011-08-23 18:09 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PCHealth

2011-08-23 18:09 . 2011-08-23 18:09 -------- d-----w- c:\program files\Windows Desktop Search

2011-08-23 18:09 . 2011-08-23 18:09 -------- d-----w- c:\windows\system32\GroupPolicy

2011-08-23 18:07 . 2011-08-23 18:07 -------- d-----w- c:\program files\Windows Media Connect 2

2011-08-23 18:01 . 2011-08-23 18:01 -------- d-----w- c:\windows\system32\URTTEMP

2011-08-23 17:27 . 2011-05-24 18:14 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-08-23 17:16 . 2011-08-23 17:16 -------- d-----w- c:\windows\system32\wbem\Repository

2011-08-21 11:40 . 2011-08-23 17:16 -------- d-----w- c:\program files\TubeDownloader

2011-08-20 11:09 . 2011-08-20 11:09 2450944 ----a-w- c:\windows\system32\setb3.tmp

2011-08-20 11:06 . 2011-08-20 11:08 -------- d-----w- c:\windows\system32\drivers\UMDF

2011-08-11 08:07 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

2011-08-02 12:02 . 2011-08-02 12:02 -------- d-----w- c:\documents and settings\Owner\Application Data\CompuClever

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-28 17:55 . 2004-08-04 12:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys

2011-08-27 18:55 . 2004-08-04 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-08-24 17:52 . 2004-08-04 12:00 64512 ----a-w- c:\windows\system32\drivers\serial.sys

2011-07-15 13:29 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2004-08-04 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10 . 2010-02-24 18:47 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-06-02 14:02 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys

2004-10-11 18:46 . 2004-10-11 18:46 205312 -c--a-w- c:\program files\ltefx13n.dll

2004-01-19 13:31 . 2004-01-19 13:31 153600 -c--a-w- c:\program files\ltfil13n.DLL

2004-01-19 12:31 . 2004-01-19 12:31 27648 -c--a-w- c:\program files\lfiff13n.dll

2004-01-19 12:31 . 2004-01-19 12:31 20480 -c--a-w- c:\program files\lfCUT13n.dll

2004-01-19 11:31 . 2004-01-19 11:31 453120 -c--a-w- c:\program files\ltkrn13n.dll

2004-01-19 11:12 . 2004-01-19 11:12 89600 -c--a-w- c:\program files\Lfcgm13n.dll

2004-01-19 10:49 . 2004-01-19 10:49 278016 -c--a-w- c:\program files\LFJ2K13n.dll

2004-01-19 10:49 . 2004-01-19 10:49 180736 -c--a-w- c:\program files\Lfpng13n.dll

2004-01-19 10:47 . 2004-01-19 10:47 76800 -c--a-w- c:\program files\Lfwmf13n.dll

2004-01-19 10:47 . 2004-01-19 10:47 509440 -c--a-w- c:\program files\LFCMW13n.dll

2004-01-19 10:45 . 2004-01-19 10:45 420352 -c--a-w- c:\program files\LFCMP13n.DLL

2004-01-19 10:44 . 2004-01-19 10:44 143872 -c--a-w- c:\program files\lftif13n.dll

2004-01-19 10:36 . 2004-01-19 10:36 56832 -c--a-w- c:\program files\lfpsd13n.dll

2004-01-19 10:36 . 2004-01-19 10:36 19968 -c--a-w- c:\program files\lfpcd13n.dll

2004-01-19 10:36 . 2004-01-19 10:36 26624 -c--a-w- c:\program files\lfpcx13n.dll

2004-01-19 10:36 . 2004-01-19 10:36 65536 -c--a-w- c:\program files\Lfpct13n.dll

2004-01-19 10:36 . 2004-01-19 10:36 18944 -c--a-w- c:\program files\lfmsp13n.dll

2004-01-19 10:35 . 2004-01-19 10:35 18944 -c--a-w- c:\program files\lfmac13n.dll

2004-01-19 10:35 . 2004-01-19 10:35 20992 -c--a-w- c:\program files\lfimg13n.dll

2004-01-19 10:34 . 2004-01-19 10:34 31744 -c--a-w- c:\program files\lfclp13n.dll

2004-01-19 10:34 . 2004-01-19 10:34 30208 -c--a-w- c:\program files\lfbmp13n.dll

2004-01-19 10:33 . 2004-01-19 10:33 444928 -c--a-w- c:\program files\ltimg13n.dll

2004-01-19 10:32 . 2004-01-19 10:32 265216 -c--a-w- c:\program files\LTDIS13n.dll

2000-05-02 03:17 . 2000-05-02 03:17 212480 -c--a-w- c:\program files\PCDLIB32.DLL

1999-11-18 22:00 . 1999-11-18 22:00 284032 -c--a-w- c:\program files\XceedZip.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2008-04-14 00:12 . !HASH: COULD NOT OPEN FILE !!!!! . 1033728 . . [------] . . c:\windows\explorer.exe

[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe

[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe

[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\explorer.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

"Philips Intelligent Agent"="c:\program files\Philips\Intelligent Agent\Philips Intelligent Agent.exe" [2008-02-21 613792]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SPC_Monitor"="c:\windows\Philips\SPC230NC\Monitor.exe" [2007-12-10 323584]

"SPC230NC_Monitor"="c:\windows\Philips\SPC230NC\Monitor.exe" [2007-12-10 323584]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

TrayMin230.lnk - c:\program files\Philips\Philips SPC230NC Webcam\TrayMin230.exe [2010-6-5 241664]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=

"c:\\WINDOWS\\system32\\msfeedssync.exe"=

"c:\\Program Files\\Iminent\\IMBooster\\inst\\Bootstrapper\\Bootstrapper.exe"=

"c:\\WINDOWS\\system32\\taskmgr.exe"=

"g:\\TDSKiller.exe"=

"g:\\esetsmartinstaller_enu.exe"=

"c:\\WINDOWS\\system32\\msiexec.exe"=

.

R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [03/11/2004 15:14 267136]

S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys --> c:\windows\system32\drivers\is3srv.sys [?]

S0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]

S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys --> c:\windows\system32\drivers\szkgfs.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]

S3 cpuz129;cpuz129;\??\c:\program files\PC Wizard 2008\pcwiz32.sys --> c:\program files\PC Wizard 2008\pcwiz32.sys [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]

S3 PAEAFLT.sys;USB Composite Device;c:\windows\system32\drivers\PAEAFLT.sys [05/06/2010 08:35 8576]

S3 SPC230NC;Philips SPC230NC Webcam;c:\windows\system32\drivers\SPC230NC.SYS [05/06/2010 08:35 461056]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - 49032825

*Deregistered* - 49032825

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1645522239-839522115-1003Core.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-23 18:49]

.

2011-08-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1645522239-839522115-1003UA.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-23 18:49]

.

2011-08-29 c:\windows\Tasks\User_Feed_Synchronization-{1F528E9E-EDF1-402B-8111-4FDBCFBE38DC}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://mystart.incredimail.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html

Trusted Zone: hotmail.com\www

Trusted Zone: live.com\co104w.col104.mail

TCP: DhcpNameServer = 192.168.1.254

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-29 17:33

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

Completion time: 2011-08-29 17:36:26

ComboFix-quarantined-files.txt 2011-08-29 16:36

ComboFix2.txt 2011-08-28 19:29

.

Pre-Run: 10,908,155,904 bytes free

Post-Run: 10,896,224,256 bytes free

.

- - End Of File - - 5574E243C97CA764857BCA5268E86080
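The ComboFix log above is the last diagnostic collected before the thread turns to repair. As an added example (not ComboFix's own code and not anything posted in the thread), here is a small Python triage script that pulls out the three kinds of line a reviewer checks first in such a log: Sigcheck entries whose file could not be opened, service/driver entries whose image file is missing, and the Security Center override value. The meanings attached to the `[?]` marker (image file not found) and to the `!HASH` text (file could not be read) are assumptions taken from how those markers appear in this log; the sample input is constructed from lines of the log above plus one clean driver line for contrast.

```python
"""Triage helper for ComboFix log sections (Sigcheck, Reg Loading Points,
services/drivers).  Added example, not ComboFix's own code.  The field
meanings assumed here ([?] = image not found, !HASH = file unreadable,
AntiVirusOverride = Security Center warning suppressed) are inferred from
the log text in this thread, not from ComboFix documentation."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the log in this thread plus one
# clean driver line (R3 SiS7012) for contrast.  Not the complete log.
SAMPLE_LOG = r"""
------- Sigcheck -------
[-] 2008-04-14 00:12 . !HASH: COULD NOT OPEN FILE !!!!! . 1033728 . . [------] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [03/11/2004 15:14 267136]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys --> c:\windows\system32\drivers\is3srv.sys [?]
S0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]
S3 cpuz129;cpuz129;\??\c:\program files\PC Wizard 2008\pcwiz32.sys --> c:\program files\PC Wizard 2008\pcwiz32.sys [?]
"""

# "[status] date [time] . hash . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<status>[^\]]*)\]\s+(?P<date>\S+)(?:\s+\d\d:\d\d)?\s+\.\s+"
    r"(?P<hash>.+?)\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]"
    r"\s+\.\s+\.\s+(?P<path>.+)$")
# "S0 name;display;image [--> resolved] [info]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)"
    r"(?:\s+-->\s+(?P<resolved>.+?))?\s+\[(?P<info>[^\]]*)\]$")
REGKEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$", re.IGNORECASE)
REGVAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


@dataclass(frozen=True)
class Finding:
    kind: str     # "sigcheck", "driver" or "registry"
    subject: str  # file path, service name or registry value name
    reason: str


def triage(log_text: str) -> list:
    """Return the entries worth a second look, in log order."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SIGCHECK_RE.match(line)
        if m:
            # ComboFix could not read the file it was asked to verify.  In
            # this thread that is the live explorer.exe, which fits the
            # "background picture and nothing else" symptom.
            if m["hash"].startswith("!HASH") or m["version"] == "------":
                findings.append(Finding("sigcheck", m["path"],
                                        "could not be opened or hashed"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            # "[?]" after the resolved path: the image file was not found.
            # Boot-start (S0) entries pointing at nothing deserve the most
            # attention, because legitimate boot drivers do not vanish.
            if m["info"] == "?":
                prio = "boot-start " if m["start"] == "S0" else ""
                findings.append(Finding("driver", m["name"],
                                        f"{prio}driver image not found: {m['image']}"))
            continue
        m = REGKEY_RE.match(line)
        if m:
            current_key = m["key"].lower()
            continue
        m = REGVAL_RE.match(line)
        if m and current_key.endswith("security center"):
            # A non-zero override silences Security Center's "no antivirus
            # installed" warning; nothing on this log needs that.
            if m["name"] == "AntiVirusOverride" and m["data"] != "dword:00000000":
                findings.append(Finding("registry", m["name"],
                                        "Security Center antivirus warning suppressed"))
    return findings


def missing_boot_drivers(log_text: str) -> list:
    """Names of S0 drivers whose image file is missing, for a summary line."""
    return [f.subject for f in triage(log_text)
            if f.kind == "driver" and f.reason.startswith("boot-start")]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:9} {f.subject:45} {f.reason}")
    print("missing boot-start drivers:", missing_boot_drivers(SAMPLE_LOG))
```

Run against a saved ComboFix.txt by replacing `SAMPLE_LOG` with the file's contents; the script only reads text and changes nothing on the machine, so it is safe to run on a copy taken off an infected box. The three driver hits it reports for the sample (`is3srv`, `szkg5`, `cpuz129`) are exactly the `[?]` entries in the log above.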


Is this a business owned pc?

The reason I ask is, if it is, the administrator might have set a policy to restrict access to some tools / programs.

Please go to http://www.virustotal.com/, click on Browse, and upload the following file for analysis:

c:\windows\system32\c_49133.nl_

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If virustotal is too busy you can try these.

http://virusscan.jotti.org

http://www.kaspersky.com/scanforvirus.html


Hi,

I'm not sure if it's a business PC or not. My neighbour bought it second hand. His account is an admin account, if this makes any difference... maybe these things are decided on install.

Anyway I must admit I'm stuck...

I booted the PC to upload the file you mentioned and whereas previously I could access a functioning internet explorer via iexplore command line,

now I get internet explorer, but it won't connect to the internet. Clicking on the XP troubleshooter gives:

"Windows has detected an error with the winsoc providser catalogue. Would you like to reset to default?"

I did and restarted, but no connectivity to the internet.

I also attempted to find the file "c:\windows\system32\c_49133.nl_", but it does not show up in any browse window (i.e. the Task Manager > File > Run command > Browse window, my only way of viewing files because explorer is broken).

Wow this PC is in trouble. Any ideas where to go from here?

Thanks for your ongoing help.


OK. Try this instead.

This file will fit on your thumb drive.

http://www.snapfiles.com/get/winsockxpfix.html

Get a copy of winsockxpfix.exe, save it to the thumb drive and copy it to the infected computer.

You just run it by double clicking on the downloaded file after you copy it to the non-working computer.

Things should work OK after it reboots your system.


If there is:

Let’s try to reset the router to its default configuration.

  • This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
  • Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
  • You also need to reconfigure any security settings you had in place prior to the reset.
  • You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.


Hi,

I reset the router and restarted the pc.

Iexplore is still not able to access the internet. IE offered a troubleshooter which I ran - it didn't work but gave a diagnostic log:

Error validating windsock base providers 2. Not all base service provider entries in windsock catalogue. A reset is needed.

Hmmm. Should I try another reset and run the xpwinsoc fix again?

I'm wondering if I should remove the hard drive and put it in my (well protected) Win7 machine, copy the docs and pics to a safe place, then reformat with a new XP...


You can try winsoc fix again and also:

Below are the steps to repair the Winsock.dll registry entry :-

Backup Your Registry with ERUNT

  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.

Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Next:

Launch Notepad (Start>All Programs>Accessories), and copy/paste all the Quoted REGEDIT below to it. Don't forget to include REGEDIT4.

Save in: Desktop

File Name: fixme.reg

Save as Type: All files

Click: Save

REGEDIT4

[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock]

[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2]

On the desktop, double-click fixme.reg and allow it to run. Let it merge and then reboot.

After the reboot, we will reinstall TCP/IP

  • Go to Start, then Settings, and choose Network Connections
  • Right click on your normal connection icon, and choose Properties
  • Click the Install button
  • Choose Protocol then click Add
  • Click Have disk
  • In the drop down box, type in: C:\WINDOWS\INF and click OK
  • In the next dialog, click Internet Protocol (TCP/IP) then click OK
  • Click Close to leave the properties box

After that, Reboot your computer and see if you have regained your connection.


Still no internet ;( . This is what I tried:

Reset router and ran XPwinsoc thingy again. No connection.

The reg backup worked and the regedit ran and merged.

On reboot: no icons available so I ran netconnections applet at the command line.

but - it doesn't run so I can't reinstall the TCP/IP.

I tried resetting TCP/IP at the command line using

netsh int ip reset C:\resetlog.txt

But it didn't fix it...

Not sure where to try next. Any hints?


This is about all I can think of

Go to Start->Run->Type CMD and click Ok. The MSDOS Window will be displayed. At the command prompt, type the following and press Enter after each line:

regsvr32 netshell.dll

regsvr32 netcfgx.dll

regsvr32 netman.dll

netsh winsock reset catalog

netsh int ipv4 reset reset.log

netsh int ipv6 reset reset.log

Exit

Restart the computer.

Go to Start->Run->Type CMD and click Ok. The MSDOS Window will be displayed. At the command prompt, type the following and press Enter after each line:

IPCONFIG /release

IPCONFIG /renew

IPCONFIG /flushdns

IPCONFIG /registerdns

Exit

Restart the computer.


I had another topic like this.

You can try this if you have the Windows OS CD.

You can use windows sfc (system file checker) You'd need your XP CD to make this work.

Click Start> Run> type sfc /scannow Note the space.

(Note that there is a space between sfc and /scannow)


So - this is one sick PC...

In summary - still no internet access.

This is what happened:

The first 4 commands you suggested worked fine, then

netsh int ipv4 reset reset.log

produced a file not found error.

IPCONFIG /renew

produced an error: RPC server unavailable.

No internet access on restart :(

Meanwhile - I copied the file c:\windows\system32\c_49133.nl_ onto a USB stick and copied it to my old PC (don't worry - it's out of use and about to be reformatted!). When I tried to upload to http://www.virustotal.com/ an error appeared 'file access denied'. Microsoft Security Essentials then popped up and reported a suspicious process " smadow.gen!.B " and advised immediate deletion, which I did.

The situation gives me a feeling of doom - so in preparation I've used xcopy to copy my neighbour's My Docs to a USB stick in preparation of reformat and reinstall.

My neighbour bought his PC second hand and does not have the XP disc or any backup. I have an old copy of XP home edition which I shall donate to him to run the system file checker, and to do a slipstream reinstall if it comes to that...

Many thanks


Not really! But he'll have to throw it away if it can't be fixed.

They've definitely not any cash to get it fixed.

Anyway - the sfc seemed to hang, maybe because it was a different disc to the one used to install...

I've decided the pc is too broken and gone for formatting and reinstalling from my old xp disc.

Thank you for your help - neighbour also grateful!

I wonder if, with infinite time, we'd have got it back?

Thanks again - I will get myself a full copy of malwarebytes ;)
