Jump to content

Continuous Outgoing Blocks, Unable to Find the Source

FatMagic

By FatMagic
in Resolved Malware Removal Logs

 Share

Recommended Posts

FatMagic

FatMagic

Posted
Posted

Hello!

Here's my trouble, and what I've done. I'm working on a client's PC attempting to fully clean it without reformatting (this can be easiest, but not in this case). First it started with getting a Scareware pop up for Security something or other. I've seen these a million times. I have MalwareBytes PRO installed and running on the PC, although it seems as though it got disabled at some point. Re-enabled, fully scanned, cleared out a bunch of crap. But I am still getting outgoing blocks on MalwareBytes PRO. I then ran McAfee Enterprise 8.8 full scan after it was fully updated. Found a "rootkit" which it says was deleted... but afterwards still getting the outgoing blocks.

And after finally running ComboFix, I'm still getting a browser redirection :( Defogger is still "enabled".

So I'm a bit clueless as what to do next since my typical tools are failing me.

And here are remaining log files as needed:

MalwareBytes (Full Scan, Run yesterday - the Quick Scan I ran today AFTER ComboFix came back clean):

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8132

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

11/10/2011 12:42:57 PM
mbam-log-2011-11-10 (12-42-57).txt

Scan type: Quick scan
Objects scanned: 206270
Time elapsed: 12 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\158F.tmp (Exploit.Drop.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\2EFA.tmp (Exploit.Drop.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\43C8.tmp (Exploit.Drop.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\5922.tmp (Exploit.Drop.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\804F.tmp (Exploit.Drop.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\AFB1.tmp (Exploit.Drop.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\D91D.tmp (Exploit.Drop.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\privacy.exe (Exploit.Drop.Gen) -> Quarantined and deleted successfully.

MalwareBytes (Protection Log from today 11/11/11):

08:33:25	mikesteiner	MESSAGE	Protection started successfully
08:33:29	mikesteiner	MESSAGE	IP Protection started successfully
08:38:04	mikesteiner	IP-BLOCK	38.99.183.25 (Type: outgoing)
08:38:07	mikesteiner	IP-BLOCK	38.99.183.25 (Type: outgoing)
08:38:13	mikesteiner	IP-BLOCK	38.99.183.25 (Type: outgoing)
08:38:25	mikesteiner	IP-BLOCK	38.99.183.32 (Type: outgoing)
08:38:28	mikesteiner	IP-BLOCK	38.99.183.32 (Type: outgoing)
08:38:34	mikesteiner	IP-BLOCK	38.99.183.32 (Type: outgoing)
08:38:46	mikesteiner	IP-BLOCK	38.99.183.25 (Type: outgoing)

(truncated for length, way too much of the same thing here)

D.D.S:

.
DDS (Ver_2011-08-26.01) - NTFSx86 
Internet Explorer: 7.0.5730.13  BrowserJavaVersion: 1.6.0_29
Run by mikesteiner at 13:44:04 on 2011-11-11
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3317.2521 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Microsoft SQL Server\MSSQL10_50.ACT7\MSSQL\Binn\sqlservr.exe
C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\UPS\WSTD\UPSNA1Msgr.exe
C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\ACT\Act for Windows\Act.Outlook.Sync.exe
C:\Program Files\Microsoft SQL Server\80\TOOLS\BINN\sqlmangr.exe
C:\UPS\WSTD\WSTDMessaging.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = 
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111110161511.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [atchk] "c:\program files\intel\amt\atchk.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [NA1Messenger] c:\ups\wstd\UPSNA1Msgr.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Act.Outlook.Service] "c:\program files\act\act for windows\Act.Outlook.Service.exe"
mRun: [Act! Preloader] "c:\program files\act\act for windows\ActSage.exe" -preload
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
dRun: [jusched] c:\windows\temp\kjghsad.exe
StartupFolder: c:\docume~1\mikest~1\startm~1\programs\startup\cyber-~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sageac~1.lnk - c:\program files\act\act for windows\Act.Outlook.Sync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\upswor~2.lnk - c:\ups\wstd\WSTDMessaging.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\upswor~1.lnk - c:\ups\wstd\wstdPldReminder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 172.20.65.18 172.20.65.12
TCP: Interfaces\{97686254-0B42-4A33-A213-770E18FD2058} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{97686254-0B42-4A33-A213-770E18FD2058} : DhcpNameServer = 172.20.65.18 172.20.65.12
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\mikesteiner\application data\mozilla\firefox\profiles\ggqnyac6.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://easyfit.com/
FF - component: c:\program files\mozilla firefox\distribution\bundles\{d19ca586-dd6c-4a0a-96f8-14644f340d60}\components\scriptff.dll
FF - plugin: c:\program files\adobe\acrobat 9.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-11-4 436728]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-11-10 88544]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-1-23 133968]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-1-23 366152]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2011-1-12 120128]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-11-10 159320]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2011-1-12 209760]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-11-10 145936]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql10_50.act7\mssql\binn\sqlservr.exe [2010-5-5 42884448]
R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\wstd\mssql$upswsdbserver\binn\sqlservr.exe -supswsdbserver --> c:\ups\wstd\mssql$upswsdbserver\binn\sqlservr.exe -sUPSWSDBSERVER [?]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2008-10-29 2521880]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-1-23 22216]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-11-4 171296]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-11-4 58456]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S2 Sage ACT! Scheduler;Sage ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2010-11-11 81920]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-11-10 85152]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\wstd\mssql$upswsdbserver\binn\sqlagent.exe -i upswsdbserver --> c:\ups\wstd\mssql$upswsdbserver\binn\sqlagent.EXE -i UPSWSDBSERVER [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2010-5-5 44896]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [2010-4-3 240608]
S4 SQLAgent$ACT7;SQL Server Agent (ACT7);c:\program files\microsoft sql server\mssql10_50.act7\mssql\binn\SQLAGENT.EXE [2010-5-5 367456]
.
=============== File Associations ===============
.
.scr=DWGTrueViewScriptFile
.
=============== Created Last 30 ================
.
2011-11-10 21:16:21	--------	d-----w-	c:\documents and settings\mikesteiner\application data\McAfee
2011-11-10 21:15:15	74848	----a-w-	c:\windows\system32\MfeOtlkAddin.dll
2011-11-10 21:15:15	22816	----a-w-	c:\windows\system32\MFEOtlk.dll
2011-11-10 21:15:11	24376	----a-w-	c:\program files\mozilla firefox\distribution\bundles\{d19ca586-dd6c-4a0a-96f8-14644f340d60}\components\scriptff.dll
2011-11-10 21:15:09	9344	----a-w-	c:\windows\system32\drivers\mfeclnk.sys
2011-11-10 21:15:09	88544	----a-w-	c:\windows\system32\drivers\mfetdi2k.sys
2011-11-10 21:15:09	85152	----a-w-	c:\windows\system32\drivers\mferkdet.sys
2011-11-10 21:15:09	145936	----a-w-	c:\windows\system32\mfevtps.exe
2011-11-08 06:53:34	6668624	----a-w-	c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{45f50bb4-7dc6-4ea9-a475-72a9b6845617}\mpengine.dll
.
==================== Find3M  ====================
.
2011-11-11 18:42:21	1682	--sha-w-	c:\documents and settings\all users\application data\KGyGaAvL.sys
2011-11-10 21:13:25	58456	----a-w-	c:\windows\system32\drivers\mfebopk.sys
2011-11-10 21:13:25	436728	----a-w-	c:\windows\system32\drivers\mfehidk.sys
2011-11-10 21:13:25	171296	----a-w-	c:\windows\system32\drivers\mfeavfk.sys
2011-11-10 21:13:25	116104	----a-w-	c:\windows\system32\drivers\mfeapfk.sys
2011-10-20 12:20:14	414368	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41	692736	----a-w-	c:\windows\system32\inetcomm.dll
2011-10-03 10:06:03	472808	----a-w-	c:\windows\system32\deployJava1.dll
2011-10-03 07:37:52	73728	----a-w-	c:\windows\system32\javacpl.cpl
2011-09-26 15:41:20	611328	----a-w-	c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20	220160	----a-w-	c:\windows\system32\oleacc.dll
2011-09-26 15:41:14	20480	----a-w-	c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13	599040	----a-w-	c:\windows\system32\crypt32.dll
2011-09-06 13:20:51	1858944	----a-w-	c:\windows\system32\win32k.sys
2011-08-31 22:00:50	22216	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-08-17 21:32:17	832512	----a-w-	c:\windows\system32\wininet.dll
2011-08-17 21:32:16	78336	----a-w-	c:\windows\system32\ieencode.dll
2011-08-17 21:32:16	1830912	------w-	c:\windows\system32\inetcpl.cpl
2011-08-17 21:32:15	17408	----a-w-	c:\windows\system32\corpol.dll
2011-08-17 13:49:54	138496	----a-w-	c:\windows\system32\drivers\afd.sys
2011-08-17 12:22:23	389120	----a-w-	c:\windows\system32\html.iec
.
============= FINISH: 13:50:40.77 ===============

ComboFix (ran this today):


ComboFix 11-11-11.04 - mikesteiner 11/11/2011  15:05:03.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3317.2746 [GMT -5:00]
Running from: c:\documents and settings\mikesteiner\My Documents\Downloads\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\mikesteiner\Local Settings\Application Data\Windows Server
c:\documents and settings\mikesteiner\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\mikesteiner\Local Settings\Application Data\Windows Server\uses32.dat
C:\feed.txt
c:\windows\$NtUninstallKB15253$
c:\windows\$NtUninstallKB15253$\1697734308\@
c:\windows\$NtUninstallKB15253$\1697734308\bckfg.tmp
c:\windows\$NtUninstallKB15253$\1697734308\cfg.ini
c:\windows\$NtUninstallKB15253$\1697734308\Desktop.ini
c:\windows\$NtUninstallKB15253$\1697734308\keywords
c:\windows\$NtUninstallKB15253$\1697734308\kwrd.dll
c:\windows\$NtUninstallKB15253$\1697734308\L\rohepcid
c:\windows\$NtUninstallKB15253$\1697734308\lsflt7.ver
c:\windows\$NtUninstallKB15253$\1697734308\U\00000001.@
c:\windows\$NtUninstallKB15253$\1697734308\U\00000002.@
c:\windows\$NtUninstallKB15253$\1697734308\U\00000004.@
c:\windows\$NtUninstallKB15253$\1697734308\U\80000000.@
c:\windows\$NtUninstallKB15253$\1697734308\U\80000004.@
c:\windows\$NtUninstallKB15253$\1697734308\U\80000032.@
c:\windows\$NtUninstallKB15253$\402726942
c:\windows\system32\drivers\etc\lmhosts
.
Infected copy of c:\windows\system32\drivers\serial.sys was found and disinfected 
Restored copy from - The cat found it 
c:\windows\system32\ws2_32.dll . . . is infected!!
.
.
(((((((((((((((((((((((((   Files Created from 2011-10-11 to 2011-11-11  )))))))))))))))))))))))))))))))
.
.
2011-11-11 19:27 . 2008-04-14 12:00	64512	----a-w-	c:\windows\system32\drivers\serial.sys
2011-11-11 19:07 . 2011-11-11 19:07	--------	d-----w-	c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-11-10 21:16 . 2011-11-10 21:16	--------	d-----w-	c:\documents and settings\mikesteiner\Application Data\McAfee
2011-11-10 21:15 . 2011-11-10 21:13	74848	----a-w-	c:\windows\system32\MfeOtlkAddin.dll
2011-11-10 21:15 . 2011-11-10 21:13	22816	----a-w-	c:\windows\system32\MFEOtlk.dll
2011-11-10 21:15 . 2011-11-10 21:13	24376	----a-w-	c:\program files\Mozilla Firefox\distribution\bundles\{D19CA586-DD6C-4a0a-96F8-14644F340D60}\components\scriptff.dll
2011-11-10 21:15 . 2011-11-10 21:13	9344	----a-w-	c:\windows\system32\drivers\mfeclnk.sys
2011-11-10 21:15 . 2011-11-10 21:13	88544	----a-w-	c:\windows\system32\drivers\mfetdi2k.sys
2011-11-10 21:15 . 2011-11-10 21:13	85152	----a-w-	c:\windows\system32\drivers\mferkdet.sys
2011-11-10 21:15 . 2011-11-10 21:13	145936	----a-w-	c:\windows\system32\mfevtps.exe
2011-11-10 07:24 . 2011-11-10 07:24	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-11-08 06:53 . 2011-10-07 03:48	6668624	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{45F50BB4-7DC6-4EA9-A475-72A9B6845617}\mpengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-11 18:42 . 2010-12-21 18:47	1682	--sha-w-	c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2011-11-10 21:13 . 2008-11-04 15:47	58456	----a-w-	c:\windows\system32\drivers\mfebopk.sys
2011-11-10 21:13 . 2008-11-04 15:47	436728	----a-w-	c:\windows\system32\drivers\mfehidk.sys
2011-11-10 21:13 . 2008-11-04 15:47	171296	----a-w-	c:\windows\system32\drivers\mfeavfk.sys
2011-11-10 21:13 . 2008-11-04 15:47	116104	----a-w-	c:\windows\system32\drivers\mfeapfk.sys
2011-10-20 12:20 . 2011-06-21 12:43	414368	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2008-04-25 21:27	692736	----a-w-	c:\windows\system32\inetcomm.dll
2011-10-07 03:48 . 2008-11-04 15:52	6668624	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-10-03 10:06 . 2010-05-20 19:01	472808	----a-w-	c:\windows\system32\deployJava1.dll
2011-10-03 07:37 . 2008-10-29 15:57	73728	----a-w-	c:\windows\system32\javacpl.cpl
2011-09-26 15:41 . 2008-04-25 16:16	220160	----a-w-	c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2007-10-09 18:03	611328	----a-w-	c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2008-04-25 16:16	20480	----a-w-	c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2008-04-25 16:16	599040	----a-w-	c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2008-04-25 16:16	1858944	----a-w-	c:\windows\system32\win32k.sys
2011-08-31 22:00 . 2009-01-23 15:54	22216	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-08-17 21:32 . 2008-04-25 16:16	832512	----a-w-	c:\windows\system32\wininet.dll
2011-08-17 21:32 . 2008-04-25 16:16	78336	----a-w-	c:\windows\system32\ieencode.dll
2011-08-17 21:32 . 2008-04-25 16:16	1830912	------w-	c:\windows\system32\inetcpl.cpl
2011-08-17 21:32 . 2008-04-25 16:16	17408	----a-w-	c:\windows\system32\corpol.dll
2011-08-17 13:49 . 2008-04-25 16:16	138496	----a-w-	c:\windows\system32\drivers\afd.sys
2011-08-17 12:22 . 2008-04-25 16:16	389120	----a-w-	c:\windows\system32\html.iec
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-04-14 . E2D3EDE34F7C01F3666442474487A1F8 . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll
.
[-] 1601-01-01 00:00 . !HASH: COULD NOT OPEN FILE !!!!! . 0 . . [------] . . c:\windows\system32\drivers\acpiec.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-25 1036288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-28 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-28 137752]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-06-12 408344]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]
"NA1Messenger"="c:\ups\WSTD\UPSNA1Msgr.exe" [2008-12-04 24576]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Act.Outlook.Service"="c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe" [2010-11-11 28672]
"Act! Preloader"="c:\program files\ACT\Act for Windows\ActSage.exe" [2010-11-11 337224]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-01-12 215360]
.
c:\documents and settings\mikesteiner\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2009-5-14 155648]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Sage ACT! Outlook Sync.lnk - c:\program files\ACT\Act for Windows\Act.Outlook.Sync.exe [2010-11-11 91136]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\TOOLS\BINN\sqlmangr.exe [2005-5-3 81920]
UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2008-12-4 393216]
UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2008-12-2 31744]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-09-22 22:11	640440	----a-w-	c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2011-09-07 19:53	40376	----a-w-	c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-10-03 19:44	178712	----a-w-	c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2008-02-26 14:57	128296	------w-	c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [11/10/2011 4:15 PM 88544]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [1/23/2007 2:58 AM 133968]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/23/2009 10:54 AM 366152]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [11/10/2011 4:15 PM 145936]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL10_50.ACT7\MSSQL\Binn\sqlservr.exe [5/5/2010 9:40 PM 42884448]
R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER [?]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [10/29/2008 10:57 AM 2521880]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/23/2009 10:54 AM 22216]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/11/2011 2:07 PM 136176]
S2 Sage ACT! Scheduler;Sage ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [11/11/2010 1:00 AM 81920]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/11/2011 2:07 PM 136176]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [11/10/2011 4:15 PM 85152]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [5/5/2010 9:41 PM 44896]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [4/3/2010 11:02 AM 240608]
S4 SQLAgent$ACT7;SQL Server Agent (ACT7);c:\program files\Microsoft SQL Server\MSSQL10_50.ACT7\MSSQL\Binn\SQLAGENT.EXE [5/5/2010 9:40 PM 367456]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-11 19:07]
.
2011-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-11 19:07]
.
2011-11-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 172.20.65.18 172.20.65.12
TCP: Interfaces\{97686254-0B42-4A33-A213-770E18FD2058}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\documents and settings\mikesteiner\Application Data\Mozilla\Firefox\Profiles\ggqnyac6.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://easyfit.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - user.js: yahoo.homepage.dontask - true
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-11 15:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(376)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll
c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll
c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\hccutils.DLL
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\windows\system32\rdpclip.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Trend Micro\HiJackThis\HiJackThis.exe
.
**************************************************************************
.
Completion time: 2011-11-11  16:31:54 - machine was rebooted
ComboFix-quarantined-files.txt  2011-11-11 21:24
.
Pre-Run: 135,139,557,376 bytes free
Post-Run: 135,820,328,960 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 5AAEC72E82C75B1DA4E1633CE0148D56

attach.zip

Link to post
Share on other sites
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Hi and welcome to Malwarebytes.

Here's my trouble, and what I've done. I'm working on a client's PC attempting to fully clean it without reformatting (this can be easiest, but not in this case). First it started with getting a Scareware pop up for Security something or other. I've seen these a million times. I have MalwareBytes PRO installed and running on the PC, although it seems as though it got disabled at some point. Re-enabled, fully scanned, cleared out a bunch of crap. But I am still getting outgoing blocks on MalwareBytes PRO. I then ran McAfee Enterprise 8.8 full scan after it was fully updated. Found a "rootkit" which it says was deleted... but afterwards still getting the outgoing blocks.

Do you have proper licensing to be using MBAM on clients' computers?
Link to post
Share on other sites
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Hi,

My apologies for the delay.

Did you just buy personal licenses or did you get corporate licensing?

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.