Thanks for the help.
I will run the Malwarebytes and ComboFix scans. I want to make sure I don't need to do anything about Defogger just yet?
Microsoft MVP Consumer Security 2009 -2010
If we have helped, please consider a donation
THESE INSTRUCTIONS ARE FOR THIS USER ONLY
Malwarebytes' Anti-Malware 1.44
Database version: 3834
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
3/7/2010 5:43:43 PM
mbam-log-2010-03-07 (17-43-43).txt
Scan type: Full Scan (C:\|)
Objects scanned: 161283
Time elapsed: 18 minute(s), 56 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
ComboFix 10-03-07.02 - Pezzini 03/07/2010 18:36:44.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.545 [GMT -8:00]
Running from: c:\documents and settings\Pezzini\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\autorun.ini
.
original MBR restored successfully !
.
((((((((((((((((((((((((( Files Created from 2010-02-08 to 2010-03-08 )))))))))))))))))))))))))))))))
.
2010-03-07 23:24 . 2010-03-07 23:24 -------- d-----w- c:\documents and settings\Pezzini\Application Data\Malwarebytes
2010-03-07 23:24 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-07 23:24 . 2010-03-07 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-07 23:24 . 2010-03-07 23:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-07 23:24 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-07 19:19 . 2010-03-07 19:19 -------- d-sh--w- c:\documents and settings\Pezzini\IECompatCache
2010-03-05 05:24 . 2010-03-05 05:24 -------- d-----w- C:\rsit
2010-03-05 05:24 . 2010-03-05 05:24 -------- d-----w- c:\program files\trend micro
2010-02-27 18:04 . 2010-02-27 18:08 -------- d-----w- c:\windows\system32\autorun
2010-02-26 17:15 . 2010-02-26 17:15 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-26 04:05 . 2010-02-26 04:05 -------- d-----w- C:\found.000
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-07 21:27 . 2009-07-15 21:08 -------- d-----w- c:\program files\Java
2010-03-07 21:25 . 2010-03-07 21:25 152576 ----a-w- c:\documents and settings\Pezzini\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-07 21:25 . 2010-03-07 21:25 79488 ----a-w- c:\documents and settings\Pezzini\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-07 19:45 . 2009-08-09 16:04 -------- d-----w- c:\program files\McAfee
2010-03-07 19:19 . 2010-03-07 19:18 20829680 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-07 19:18 . 2010-03-07 19:18 8405312 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-07 19:18 . 2010-03-07 19:18 149000 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-07 19:17 . 2010-03-07 19:17 10309448 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-03-07 19:16 . 2010-03-07 19:16 283280 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
2010-03-07 19:16 . 2010-03-07 19:16 181768 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe
2010-03-07 19:16 . 2010-03-07 19:16 79368 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-03-07 19:16 . 2010-03-07 19:16 64000 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-07 19:16 . 2010-03-07 19:16 52288 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-07 19:16 . 2010-03-07 19:16 50688 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-07 19:16 . 2010-03-07 19:16 49152 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-07 19:16 . 2010-03-07 19:16 118784 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-03-05 04:38 . 2010-03-05 04:38 439816 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\setup3.10\setup.exe
2010-03-05 04:38 . 2010-03-05 04:38 439816 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\temp\~Upg0\setup.exe
2010-03-05 04:38 . 2010-03-05 04:38 118784 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\temp\~Upg0\install.dll
2010-02-27 18:45 . 2008-08-15 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-27 17:29 . 2009-03-02 22:15 7246 ----a-w- c:\documents and settings\Pezzini\Application Data\wklnhst.dat
2010-02-26 16:38 . 2009-02-18 22:38 -------- d-----w- c:\program files\Google
2010-02-26 05:42 . 2009-06-13 20:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-26 05:36 . 2009-08-21 21:01 -------- d-----w- c:\documents and settings\Pezzini\Application Data\U3
2010-02-12 17:24 . 2010-01-01 06:51 69 ----a-w- c:\documents and settings\Pezzini\jagex_runescape_preferences2.dat
2010-02-12 17:24 . 2009-07-15 21:14 41 ----a-w- c:\documents and settings\Pezzini\jagex_runescape_preferences.dat
2010-01-22 15:02 . 2009-08-26 02:32 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-19 16:50 . 2009-03-13 16:42 60592 ----a-w- c:\documents and settings\Pezzini\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-18 17:55 . 2009-03-20 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-12-31 16:50 . 2008-04-15 03:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2007-08-14 01:54 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2008-04-15 03:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2008-04-15 03:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2008-04-15 03:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2008-04-15 03:00 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"M3000Mnt"="M3000Rmv.dll " [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-15 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-02-18 24064]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-24 198160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-6-4 114688]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [8/9/2009 8:08 AM 93320]
R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [5/5/2008 8:01 AM 151936]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/18/2009 2:38 PM 24064]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2/18/2009 2:43 PM 96856]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [3/7/2010 3:24 PM 38224]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
{1A45FF0C-DF59-4B11-B7C0576459748470}
.
Contents of the 'Scheduled Tasks' folder
2010-02-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
2009-08-09 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-09 19:22]
2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-09 19:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-07 18:51
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x860AF678]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf776bf28
\Driver\ACPI -> 0x860af678
\Driver\atapi -> atapi.sys @ 0xf75fe852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
SecurityProcedure -> ntoskrnl.exe @ 0x805d96a1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
SecurityProcedure -> ntoskrnl.exe @ 0x805d96a1
NDIS: Atheros AR5007EG Wireless Network Adapter -> SendCompleteHandler -> 0x84174330
PacketIndicateHandler -> NDIS.sys @ 0xf74d2a21
SendHandler -> NDIS.sys @ 0xf74c6d44
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x012A18AC1
malicious code @ sector 0x012A18AC4 !
PE file found in sector at 0x012A18ADA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1764)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\rundll32.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
c:\docume~1\Pezzini\LOCALS~1\Temp\RtkBtMnt.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-07 18:58:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-08 02:57
Pre-Run: 137,222,217,728 bytes free
Post-Run: 138,469,056,512 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - 77A45D532558201A18F44F1B60D727C2
Download GMER's MBR.exe to your desktop.
Double click on the MBR.exe file to run it. A log will be produced, MBR.log.
Please open this log in Notepad and post its contents in your next reply.
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x8685a320
NDIS: Atheros AR5007EG Wireless Network Adapter -> SendCompleteHandler -> 0x849d6330
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x012A18AC1
malicious code @ sector 0x012A18AC4 !
PE file found in sector at 0x012A18ADA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
Please move MBR.exe directly onto your C:\ drive, then do the following:
click Start > Run
Type in mbr.exe -f
(Note the space between mbr.exe and -f)
Then click OK.
When you have finished the above, reboot your machine.
Now double click on MBR.exe and post that log.
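As an added illustration of what the two MBR detector reports above are describing, the following Python script is not GMER's code and was not posted by anyone in this thread. It models, over a constructed 64-sector disk image, the two artefacts the log lists: a saved copy of the original MBR sitting in a sector outside every partition ("copy of MBR has been found in sector ..."), and a PE image stored in raw unallocated sectors ("PE file found in sector ..."). The `restore_mbr` function only models the effect of the "mbr.exe -f" step, writing the saved original back over sector 0; it is an assumption for illustration, not GMER's implementation. The sample image, sector numbers and the fake "BOOTKIT" boot code are all constructed here.

```python
"""Added example: triage a raw disk image for the artefacts a Mebroot-style
MBR rootkit leaves behind. Constructed sample data; not GMER's mbr.exe."""
import struct

SECTOR = 512
PART_TABLE = 446          # offset of the 4 x 16-byte partition entries
BOOT_SIG = b"\x55\xaa"    # 0xAA55 little-endian at offset 510


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into boot code, partition table and signature."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for i in range(4):
        off = PART_TABLE + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba, count = struct.unpack_from("<II", sector, off + 8)
        if count:                       # skip empty partition entries
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba": lba, "count": count})
    return {"boot_code": sector[:PART_TABLE], "partitions": parts,
            "signature_ok": sector[510:512] == BOOT_SIG}


def _sectors(image: bytes):
    for n in range(len(image) // SECTOR):
        yield n, image[n * SECTOR:(n + 1) * SECTOR]


def _allocated(mbr: dict, n: int) -> bool:
    """True when sector n lies inside a partition listed in the live MBR."""
    return any(p["lba"] <= n < p["lba"] + p["count"] for p in mbr["partitions"])


def find_mbr_copies(image: bytes) -> list:
    """Unallocated sectors that carry the live partition table and a valid
    signature but different boot code: the footprint of a bootkit that stashed
    the original MBR before overwriting sector 0."""
    live = parse_mbr(image[:SECTOR])
    hits = []
    for n, s in _sectors(image):
        if n == 0 or _allocated(live, n) or s[510:512] != BOOT_SIG:
            continue
        cand = parse_mbr(s)
        if cand["partitions"] == live["partitions"] and cand["boot_code"] != live["boot_code"]:
            hits.append(n)
    return hits


def find_pe_sectors(image: bytes) -> list:
    """Unallocated sectors starting with an MZ header whose e_lfanew points at
    a PE signature inside the sector. PE files inside a partition are normal
    file data; a PE outside every partition is a hidden loader body."""
    live = parse_mbr(image[:SECTOR])
    hits = []
    for n, s in _sectors(image):
        if _allocated(live, n) or s[:2] != b"MZ":
            continue
        lfanew = struct.unpack_from("<I", s, 0x3C)[0]
        if lfanew + 4 <= SECTOR and s[lfanew:lfanew + 4] == b"PE\x00\x00":
            hits.append(n)
    return hits


def triage(image: bytes) -> dict:
    live = parse_mbr(image[:SECTOR])
    copies = find_mbr_copies(image)
    return {"signature_ok": live["signature_ok"], "mbr_copies": copies,
            "pe_sectors": find_pe_sectors(image), "mbr_tampered": bool(copies)}


def restore_mbr(image: bytes, backup_sector: int) -> bytes:
    """Model of the fix step: write the saved original MBR back over sector 0.
    Assumption for illustration only; not how mbr.exe -f is implemented."""
    src = image[backup_sector * SECTOR:(backup_sector + 1) * SECTOR]
    if not parse_mbr(src)["signature_ok"]:
        raise ValueError("backup sector is not a valid MBR")
    return src + image[SECTOR:]


def build_sample_image() -> bytes:
    """Constructed 64-sector image: one partition at LBA 8..31, an infected MBR
    in sector 0, the original MBR saved at sector 40, a hidden PE at sector 42
    and a decoy PE inside the partition at sector 10 (must not be reported)."""
    table = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 8, 24)
    table += b"\x00" * 48
    clean = (b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (PART_TABLE - 5)) + table + BOOT_SIG
    evil = (b"\xeb\x3c\x90BOOTKIT" + b"\xcc" * (PART_TABLE - 10)) + table + BOOT_SIG
    pe = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
    pe += b"\x00" * (SECTOR - len(pe))
    img = bytearray(64 * SECTOR)
    img[0:SECTOR] = evil
    img[10 * SECTOR:11 * SECTOR] = pe          # legitimate file data inside partition
    img[40 * SECTOR:41 * SECTOR] = clean
    img[42 * SECTOR:43 * SECTOR] = pe
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    print("before:", triage(image))
    print("after: ", triage(restore_mbr(image, 40)))
```

Running it shows the point the helper's two-step instruction relies on: restoring the MBR clears the "copy of MBR" finding, but the PE body at sector 42 is still there afterwards, which is why the log has to be re-run after the fix and reboot rather than assumed clean.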