SMSS.exe shows up in windows/temp after reboot



howiem
2010-06-22, 11:31
MODS: REALLY, truly sorry for posting this originally in the wrong spot:

Please ZAP the cross-posted thread below.
http://forums.spybot.info/showthread.php?t=58204

Although I was offered advice there (I figured I should go through the process).


Tried McAfee, Spybot and Malwarebytes... nothing helps.

This is my dds log.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Ma at 20:34:59.41 on 21/06/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.1023.582 [GMT -4:00]

AV: Defense Center *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\Dit.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Ma\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.ca/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [Dit] Dit.exe
mRun: [ATI Tray] "c:\program files\ati technologies\ati.ace\CLI.exe" SystemTray
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: musicmatch.com\online
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://julielulie.spaces.live.com//PhotoUpload/MsnPUpld.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} - hxxp://oweb.peelschools.org/jinitiator/jinit.exe
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ma\applic~1\mozilla\firefox\profiles\z5ds4qfr.default\
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-11-12 343920]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2010-3-25 22816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-8-25 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2010-3-25 147472]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2010-3-25 66880]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-6-12 70728]
R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [2005-12-14 1287296]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-11-12 91832]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-11-12 43288]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S3 CardReaderFilter;Card Reader Filter;c:\windows\system32\drivers\USBCRFT.SYS [2005-12-15 17408]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-6-12 66600]

=============== Created Last 30 ================

2010-06-15 16:57:30 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2010-06-13 16:48:12 0 d-----w- c:\docume~1\ma\applic~1\Malwarebytes
2010-06-13 04:06:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-13 04:06:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-13 04:06:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-13 04:06:50 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-13 02:03:13 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-13 02:03:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-06-12 22:01:24 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-12 19:24:46 70728 ----a-w- c:\windows\system32\mfevtps.exe
2010-06-12 19:24:46 66600 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-06-12 18:58:37 0 d-----w- C:\kill
2010-06-12 18:57:48 0 d-----w- c:\program files\common files\Gibinsoft Shared
2010-06-12 18:57:47 0 d-----w- c:\program files\GiPo@Utilities
2010-06-12 17:31:20 0 d-----w- C:\QUARANTINE
2010-06-03 23:40:56 0 d-----w- C:\usbkey

==================== Find3M ====================

2010-06-22 00:35:03 17408 ----a-w- c:\windows\system32\drivers\USBCRFT.SYS
2010-06-15 16:57:29 578560 ----a-w- c:\windows\system32\user32.DLL
2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-26 00:07:00 20768 ----a-w- c:\windows\system32\MFEOtlk.dll
2007-05-10 22:38:29 2343 ----a-w- c:\program files\Microsoft Office PowerPoint Viewer 2007.lnk
2005-12-15 23:12:15 8 --sh--r- c:\windows\system32\2BFE0AB571.sys
2005-12-15 23:12:15 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-10-07 01:11:23 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100620081007\index.dat

============= FINISH: 20:37:43.47 ===============

shelf life
2010-06-26, 03:23
hi,

Your post is a few days old. If you still need help simply reply to my post.

howiem
2010-06-26, 14:06
hi,

Your post is a few days old. If you still need help simply reply to my post.


;) Yes -- still waiting for help - patiently. :rolleyes:

~ Howie

shelf life
2010-06-26, 18:04
OK, we can start with ComboFix. There is a guide to read first. Read the guide, then follow the directions and apply them on your own machine.
Before using ComboFix, if you would,
upload a copy of the SMSS.exe file to me:
Go here (http://www.bleepingcomputer.com/submit-malware.php?channel=67), browse for the file in the Windows dir, then upload it using the Send File button.


Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

howiem
2010-06-27, 15:56
OK, smss.exe file only uploaded... (from windows\system32)

Machine had 2 other copies under windows

// Same size as c:\windows\system32
c:\windows\servicepackfiles\i386


// same name smss.exe but vastly different size
c:\windows\i386\system32
size:470,016

Ran ComboFix.

Checked on it later; the machine had rebooted (was on the login screen). Is this normal?

I didn't know where to look for a ComboFix log, if there is one.

Let me know what my next step is.

THANKS a MILLION for your help.

Howie

shelf life
2010-06-27, 21:20
I think ComboFix would have rebooted the machine if it suspected a rootkit, but it would prompt you to reboot it. You can look for a log in your root drive C:.
There should be a ComboFix folder there with the .txt log if all went OK.

If you don't find it, try running ComboFix in Safe Mode. To reach Safe Mode you would tap the F8 key during a computer restart. Choose the first option, Safe Mode. Once at the Safe Mode desktop, run ComboFix.

That file you uploaded is the 'legit' Windows SMSS.exe.


c:\windows\i386\system32
size:470,016
You're sure that's the smss.exe file itself and not an entire folder?
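
A practical way to settle the "three copies of smss.exe" question is to hash the copies rather than compare sizes, and to treat the directory as evidence in its own right: a file called smss.exe in Windows\Temp is out of place whatever its contents. The script below is an added example written for this thread, not code from either poster. The file contents are constructed stand-ins (the real binaries are not on the page), the fourth copy in Windows\Temp is hypothetical, and the list of expected directories is an assumption taken from the locations howiem reported.

```python
"""Hash copies of smss.exe, compare them with a reference copy and flag any
copy that differs from it or sits in an unexpected directory.

Added example for this thread, not code from the original posts.  The sample
file contents below are constructed stand-ins, not real binaries."""
import hashlib
import ntpath
from dataclasses import dataclass
from typing import Dict, List

# Directories where a legitimate XP smss.exe may be found.  Assumption based on
# the copies howiem reported; Windows\Temp is deliberately not in the list.
EXPECTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\servicepackfiles\i386",
    r"c:\windows\i386\system32",
}


@dataclass
class Verdict:
    path: str
    size: int
    sha256: str
    same_as_reference: bool
    expected_location: bool

    @property
    def suspicious(self) -> bool:
        # A content mismatch or an odd location each deserve a second look.
        return not (self.same_as_reference and self.expected_location)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(copies: Dict[str, bytes], reference: str) -> List[Verdict]:
    """copies maps full path -> file bytes; reference is the trusted path."""
    ref_hash = sha256_hex(copies[reference])
    verdicts = []
    for path, data in copies.items():
        digest = sha256_hex(data)
        verdicts.append(Verdict(
            path=path,
            size=len(data),
            sha256=digest,
            same_as_reference=(digest == ref_hash),
            expected_location=ntpath.dirname(path).lower() in EXPECTED_DIRS,
        ))
    return verdicts


def classify_on_disk(paths: List[str], reference: str) -> List[Verdict]:
    """Same check for real files: read each path and hand the bytes to classify."""
    copies = {}
    for p in paths:
        with open(p, "rb") as fh:
            copies[p] = fh.read()
    return classify(copies, reference)


# Constructed sample contents standing in for the three copies from the thread
# plus a hypothetical fourth copy in Windows\Temp.  The Temp copy has the same
# size as the reference but different bytes, so a size comparison alone would
# miss it; the i386 copy differs in both size and content.
SAMPLE = {
    r"C:\WINDOWS\system32\smss.exe":              b"MZ" + b"\x00" * 100,
    r"C:\WINDOWS\ServicePackFiles\i386\smss.exe": b"MZ" + b"\x00" * 100,
    r"C:\WINDOWS\i386\system32\smss.exe":         b"MZ" + b"\x01" * 200,
    r"C:\WINDOWS\Temp\smss.exe":                  b"MZ" + b"\x02" * 100,
}
REFERENCE = r"C:\WINDOWS\system32\smss.exe"


def suspicious_paths(copies: Dict[str, bytes] = SAMPLE,
                     reference: str = REFERENCE) -> List[str]:
    return [v.path for v in classify(copies, reference) if v.suspicious]


if __name__ == "__main__":
    for v in classify(SAMPLE, REFERENCE):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{flag:10} {v.size:>6} {v.sha256[:16]}  {v.path}")
```

On the real machine you would call classify_on_disk with the three paths howiem listed and the system32 copy as reference; a hash match with the ServicePackFiles copy is the expected result for a clean file. The script says nothing about whether the 470,016-byte copy in windows\i386\system32 is good or bad, only that it is not the same file as the reference; a signature check (for example with Sysinternals sigcheck) is the next step for a copy that differs.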

howiem
2010-06-27, 22:30
You're sure that's the smss.exe file itself and not an entire folder?



I will check about it being a folder or a file.

I will look for the combo log and post it.

howiem
2010-06-28, 00:14
Yes absolutely sure the smss.exe in windows\i386\system32 is a file.

I have a screen shot of the file-properties, could also upload the file if you want it.

Not surprised the SMSS.EXE is authentic; the rogue smss.exe would show up in windows\temp ONLY after using IE for a while and doing some random Google searches. The searches would redirect to spyware sites, and then I would see the rogue file during Spybot Search & Destroy, Malwarebytes or McAfee scans.

I would get clean results after running the programs several times, only to have my IE browser hijacked again. The system, when I started getting your help, was just after I had cleaned it with Spybot/Malwarebytes/McAfee.

If the problem still exists I am sure I can trigger it again with some random Google searches and send you the SMSS.EXE that will show up in windows/temp. Would you like me to do that? I have been avoiding it.

Finally I got the combofix log it is pasted below:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86803EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74dff28
\Driver\ACPI -> ACPI.sys @ 0xf7372cb8
\Driver\atapi -> atapi.sys @ 0xf732a852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Linksys Wireless-G PCI Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7238b0a
PacketIndicateHandler -> NDIS.sys @ 0xf7243a21
SendHandler -> NDIS.sys @ 0xf7238949
user & kernel MBR OK

shelf life
2010-06-28, 03:53
OK, thanks for the info. Where is the rest of the ComboFix log? Download and run GMER:

Download the GMER utility and save to your desktop. http://www.gmer.net/gmer.zip
Extract the contents of the zipped file to your desktop
Double click GMER.exe to start.
If it gives you a warning about rootkit activity and asks if you want to run a scan...select--> NO

In the right panel, you will see several boxes that, by default, have already been checked. Please *uncheck* the following ...

* IAT/EAT
* Drives/Partition other than Systemdrive (typically C:\)
* Show All <--don't miss this one
click the Scan button & wait for it to finish.

When the scan is complete, click Save and save the log to your desktop. Post the log in your reply.

howiem
2010-06-28, 22:07
I thought I may have made a mistake whilst running ComboFix, so I ran it again for good measure in an attempt to get a complete log. Unfortunately it never even gets to "completed stage 1"; the computer reboots. That is why the log is so short for ComboFix.

I ran GMER; the complete log is below.

My expectation was not that things would be working by now. I can confirm that there are still nasties, because now Firefox as well as IE redirect to scareware sites.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-28 13:09:19
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\H\LOCALS~1\Temp\fxtdypow.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xF71D6610]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF71D6624]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF71D65D4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF71D65E8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xF71D664E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF71D663A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF71D65FC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\System32\DRIVERS\RDPCDD.sys entry point in ".rsrc" section [0xF79CBC14]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[824] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[824] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[824] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\WINDOWS\System32\svchost.exe[824] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 04F5000A
.text C:\WINDOWS\System32\svchost.exe[824] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00F5000A
.text C:\WINDOWS\Explorer.EXE[2316] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[2316] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C5000A
.text C:\WINDOWS\Explorer.EXE[2316] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\system32\wuauclt.exe[3508] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\system32\wuauclt.exe[3508] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C2000A
.text C:\WINDOWS\system32\wuauclt.exe[3508] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C0000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86822EC5

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\System32\DRIVERS\RDPCDD.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
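
The "User code sections" part of that GMER log is the most telling piece: the same three ntdll exports (NtProtectVirtualMemory, NtWriteVirtualMemory, KiUserExceptionDispatcher) are patched with 5-byte JMPs in svchost.exe, Explorer.EXE and wuauclt.exe, and every JMP lands at an address GMER cannot attribute to any module, a few bytes into a page. Read together with the "suspicious modification" of atapi.sys, that is consistent with shelf life's move straight to TDSSKiller. The parser below is an added example for this thread, not part of GMER or of the posts; it pulls those lines apart and applies three heuristics of my own to each hook (no owning module, target at the start of a page, and the same export hooked in more than one process). The excerpt is copied from the log above; the single control line with a named owning DLL, and the DLL path in it, are constructed.

```python
"""Parse GMER 'User code sections' lines and score inline hooks.

Added example for this thread; not part of GMER or of the original posts.
The scoring rules are this example's own heuristics, not GMER's."""
import ntpath
import re
from collections import defaultdict
from typing import Dict, List, Set

# One GMER user-mode hook line:
#   .text <process>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target> [<owner>]
LINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<owner>\S.*))?$"
)

# Copied from the GMER log posted above.
GMER_EXCERPT = r"""
.text C:\WINDOWS\System32\svchost.exe[824] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[824] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[824] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\WINDOWS\System32\svchost.exe[824] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 04F5000A
.text C:\WINDOWS\System32\svchost.exe[824] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00F5000A
.text C:\WINDOWS\Explorer.EXE[2316] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[2316] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C5000A
.text C:\WINDOWS\Explorer.EXE[2316] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\system32\wuauclt.exe[3508] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\system32\wuauclt.exe[3508] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C2000A
.text C:\WINDOWS\system32\wuauclt.exe[3508] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C0000C
"""

# Constructed control line (hypothetical DLL path): a hook whose target GMER
# attributes to a named module, the shape a vendor hook usually has.
CONTROL_LINE = (r".text C:\WINDOWS\Explorer.EXE[2316] USER32.dll!GetCursorPos "
                r"7E42974E 5 Bytes JMP 10001234 C:\Program Files\Example\hook.dll")


def parse_hooks(text: str) -> List[Dict]:
    """Return one dict per hook line; non-matching lines are ignored."""
    hooks = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        h = m.groupdict()
        h["pid"] = int(h["pid"])
        h["addr"] = int(h["addr"], 16)
        h["nbytes"] = int(h["nbytes"])
        h["target"] = int(h["target"], 16)
        h["image"] = ntpath.basename(h["proc"]).lower()
        hooks.append(h)
    return hooks


def processes_per_export(hooks: List[Dict]) -> Dict:
    """(module, export) -> set of process images in which it is patched."""
    seen = defaultdict(set)
    for h in hooks:
        seen[(h["module"].lower(), h["func"])].add(h["image"])
    return seen


def cross_process_hooks(hooks: List[Dict]) -> Set[str]:
    """Exports patched identically in at least two different process images."""
    return {func for (_, func), imgs in processes_per_export(hooks).items()
            if len(imgs) >= 2}


def assess(hooks: List[Dict]) -> List[Dict]:
    """Score each hook with the three heuristics; higher score = look harder."""
    seen = processes_per_export(hooks)
    findings = []
    for h in hooks:
        reasons = []
        if not h["owner"]:
            reasons.append("target not attributed to any module")
        if h["target"] & 0xFFF < 0x20:
            reasons.append("target is at the very start of a page (trampoline-like)")
        n = len(seen[(h["module"].lower(), h["func"])])
        if n >= 2:
            reasons.append(f"same export hooked in {n} processes")
        findings.append({
            "process": h["image"], "pid": h["pid"],
            "export": f"{h['module']}!{h['func']}",
            "target": f"{h['target']:08X}",
            "score": len(reasons), "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in assess(parse_hooks(GMER_EXCERPT)):
        print(f"[{f['score']}] {f['process']}({f['pid']}) {f['export']} -> {f['target']}: "
              + "; ".join(f["reasons"]))
```

The heuristics are deliberately coarse: a legitimate product (McAfee's kernel hooks in the same log, for instance) is named by GMER as the owner, so the "not attributed" rule alone separates most vendor hooks from unexplained trampolines. The cross-process rule is the one that matters most here, since three unrelated processes carrying identical patches to the same three ntdll exports points at something injecting into every process rather than at a misbehaving add-on in one of them.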

shelf life
2010-06-28, 22:56
OK. Let's go directly to TDSSKiller:

Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your desktop.
Extract the zip file to your desktop. Double-click to launch the utility. Follow the prompts.

Please post the report.txt that will be generated in your root drive C:

labeled as: TDSSKiller version_date_time_log.txt

howiem
2010-06-29, 13:49
Am I cured (fingers-crossed)...

07:41:43:505 2600 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
07:41:43:505 2600 ================================================================================
07:41:43:505 2600 SystemInfo:

07:41:43:505 2600 OS Version: 5.1.2600 ServicePack: 3.0
07:41:43:505 2600 Product type: Workstation
07:41:43:505 2600 ComputerName: M
07:41:43:505 2600 UserName: Ma
07:41:43:505 2600 Windows directory: C:\WINDOWS
07:41:43:505 2600 Processor architecture: Intel x86
07:41:43:505 2600 Number of processors: 2
07:41:43:505 2600 Page size: 0x1000
07:41:43:520 2600 Boot type: Normal boot
07:41:43:520 2600 ================================================================================
07:41:44:083 2600 Initialize success
07:41:44:083 2600
07:41:44:083 2600 Scanning Services ...
07:41:44:645 2600 Raw services enum returned 332 services
07:41:44:645 2600
07:41:44:645 2600 Scanning Drivers ...
07:41:46:302 2600 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
07:41:46:333 2600 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
07:41:46:395 2600 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
07:41:46:473 2600 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
07:41:46:567 2600 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
07:41:46:614 2600 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
07:41:46:645 2600 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
07:41:46:786 2600 ati2mtag (0c2ca1c294938139829b1983a0c38b31) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
07:41:46:848 2600 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
07:41:46:911 2600 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
07:41:46:973 2600 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
07:41:47:036 2600 BrPar (2fe6d5be0629f706197b30c0aa05de30) C:\WINDOWS\System32\drivers\BrPar.sys
07:41:47:192 2600 CardReaderFilter (66b71dd7794d3b8a88ccb645896d3e53) C:\WINDOWS\system32\Drivers\USBCRFT.SYS
07:41:47:348 2600 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
07:41:47:395 2600 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
07:41:47:427 2600 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
07:41:47:458 2600 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
07:41:47:630 2600 cmudax (d7fcada6833a0e243ca89c03bd559bd9) C:\WINDOWS\system32\drivers\cmudax.sys
07:41:47:739 2600 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
07:41:47:833 2600 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
07:41:47:911 2600 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
07:41:47:958 2600 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
07:41:48:005 2600 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
07:41:48:036 2600 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
07:41:48:083 2600 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
07:41:48:130 2600 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
07:41:48:161 2600 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
07:41:48:192 2600 FETND5BV (7d53d569892b46738e87f39c9aa8488a) C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
07:41:48:302 2600 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
07:41:48:348 2600 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
07:41:48:380 2600 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
07:41:48:395 2600 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
07:41:48:427 2600 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
07:41:48:473 2600 GEARAspiWDM (4ac51459805264affd5f6fdfb9d9235f) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
07:41:48:614 2600 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
07:41:48:677 2600 HdAudAddService (160b24fd894e79e71c983ea403a6e6e7) C:\WINDOWS\system32\drivers\HdAudio.sys
07:41:53:536 2600 RDPCDD (5713f68de732a2fc23cf6afd5daa0a53) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
07:41:53:536 2600 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\RDPCDD.sys. Real md5: 5713f68de732a2fc23cf6afd5daa0a53, Fake md5: 4912d5b403614ce99c28420f75353332
07:41:53:536 2600 File "C:\WINDOWS\system32\DRIVERS\RDPCDD.sys" infected by TDSS rootkit ...
07:41:55:161 2600 Backup copy found, using it..
07:41:55:333 2600 will be cured on next reboot
07:41:57:817 2600 Reboot required for cure complete..
07:41:58:458 2600 Cure on reboot scheduled successfully
07:41:58:458 2600
07:41:58:458 2600 Completed
07:41:58:458 2600
07:41:58:458 2600 Results:
07:41:58:458 2600 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
07:41:58:458 2600 File objects infected / cured / cured on reboot: 1 / 0 / 1
07:41:58:458 2600
07:41:58:489 2600 KLMD(ARK) unloaded successfully
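The TDSSKiller output above is what a helper reads to decide whether the box is actually clean, so here is a small parser for that log format, added as an example for this thread (it is not part of TDSSKiller or of this post): it pulls out each "Suspicious file (Forged)" entry with its real and fake MD5, the "infected by" line that follows it, whether a cure on reboot was scheduled, and the results summary. The sample log is constructed from the values quoted above; the Forged/Report names and the triage wording are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in TDSSKiller's log format; hashes and paths are the ones quoted in this thread.
SAMPLE_LOG = r"""
07:41:53:536 2600 RDPCDD (5713f68de732a2fc23cf6afd5daa0a53) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
07:41:53:536 2600 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\RDPCDD.sys. Real md5: 5713f68de732a2fc23cf6afd5daa0a53, Fake md5: 4912d5b403614ce99c28420f75353332
07:41:53:536 2600 File "C:\WINDOWS\system32\DRIVERS\RDPCDD.sys" infected by TDSS rootkit ...
07:41:55:161 2600 Backup copy found, using it..
07:41:55:333 2600 will be cured on next reboot
07:41:55:442 2600 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
07:41:58:458 2600 Cure on reboot scheduled successfully
07:41:58:458 2600 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
07:41:58:458 2600 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

PREFIX = r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+"  # "HH:MM:SS:mmm <pid> " at the start of every line
DRIVER_RE = re.compile(PREFIX + r"(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+?)\s*$")
FORGED_RE = re.compile(r"Suspicious file \(Forged\):\s+(?P<path>.+?)\.\s+Real md5:\s+"
                       r"(?P<real>[0-9a-f]{32}),\s+Fake md5:\s+(?P<fake>[0-9a-f]{32})")
INFECTED_RE = re.compile(r'File "(?P<path>[^"]+)" infected by (?P<threat>.+?) \.\.\.')
RESULTS_RE = re.compile(r"(?P<kind>Registry|File) objects infected / cured / cured on reboot:"
                        r"\s+(?P<inf>\d+) / (?P<cured>\d+) / (?P<reboot>\d+)")

@dataclass
class Forged:
    path: str
    real_md5: str
    fake_md5: str
    threat: Optional[str] = None   # taken from the following 'infected by' line
    cure_scheduled: bool = False   # 'will be cured on next reboot' seen after it

@dataclass
class Report:
    drivers: Dict[str, str] = field(default_factory=dict)  # lower-cased path -> md5 in the row
    forged: List[Forged] = field(default_factory=list)
    results: Dict[str, Dict[str, int]] = field(default_factory=dict)
    reboot_cure_scheduled: bool = False

def parse_tdsskiller_log(text: str) -> Report:
    """Single pass; follow-up lines are attached to the most recent forged entry."""
    report, last = Report(), None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := FORGED_RE.search(line):
            last = Forged(m["path"], m["real"], m["fake"])
            report.forged.append(last)
        elif m := INFECTED_RE.search(line):
            for f in report.forged:
                if f.path.lower() == m["path"].lower():
                    f.threat, last = m["threat"], f
        elif "will be cured on next reboot" in line and last is not None:
            last.cure_scheduled = True
        elif "Cure on reboot scheduled successfully" in line:
            report.reboot_cure_scheduled = True
        elif m := RESULTS_RE.search(line):
            report.results[m["kind"].lower()] = {"infected": int(m["inf"]),
                "cured": int(m["cured"]), "cured_on_reboot": int(m["reboot"])}
        elif m := DRIVER_RE.match(line):
            report.drivers[m["path"].lower()] = m["md5"]
    return report

def triage(report: Report) -> List[str]:
    """One line per forged file, plus a reminder when the cure only happens on reboot."""
    notes = []
    for f in report.forged:
        same = report.drivers.get(f.path.lower()) == f.real_md5
        notes.append(f"FORGED {f.path}: {f.threat or 'unknown threat'}; "
                     f"enumeration hash matches real md5={same}; cure scheduled={f.cure_scheduled}")
    pending = report.results.get("file", {}).get("cured_on_reboot", 0)
    if pending and report.reboot_cure_scheduled:
        notes.append(f"{pending} file(s) cured only on reboot: restart before re-scanning")
    return notes
```

Run against a full log the parser ignores the hundreds of clean enumeration rows and leaves only the forged entries and the pending-reboot reminder, which is exactly the part a helper needs before asking for the next scan.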

shelf life
2010-06-29, 23:36
It removed a file. How is the redirection problem now? Better?

howiem
2010-06-29, 23:59
I was waiting to hear from you before I actually used any browser for any amount of time.


I thought a couple of scans wouldn't hurt so I ran some.

SS&D - updated, came out clean.
MWARE BYTES -updated, came out clean.

McAfee --- "found" viruses in c:\combofix
** It is still running

Viruses detected in pev.exe, and several other pev.* files detected as artemis!f1fb (maybe a false positive); in any case McAfee deleted several files in c:\combofix.

I know in some spyware circles McAfee is not thought of highly, but it's what I have paid for, so why not try it. I am wondering if the virus might account for the strange behaviour of combofix (a very short log, and rebooting the PC before it even really started).

In any case, once it has finished I will try using the browser for a while and let you know about redirects.

Thank you.

Howie

shelf life
2010-06-30, 03:32
Go ahead and take your browser out for a 'ride'.

McAfee is flagging some of the tools that Combofix uses. It may identify them as 'hacking or risky' files. You can ignore anything McAfee finds in C:/Combofix.
Sometimes combofix might hiccup, for lack of a better word. Can't say why it really misfired.

howiem
2010-06-30, 03:38
My browser doesn't redirect anymore....

AWESOME!!!! I think I am cured.

Just 'cause, I posted below the McAfee log from today.
(maybe it will come in handy for someone else).
I had it configured for Artemis (a deeper look at some files)... in McAfee lingo.

Thank you thank you thank you.

** I pledge to send a donation, scouts honour ****


29/06/2010 5:08:19 PM Engine version = 5400.1158
29/06/2010 5:08:19 PM AntiVirus DAT version = 6028.0
29/06/2010 5:08:19 PM Number of detection signatures in EXTRA.DAT = None
29/06/2010 5:08:19 PM Names of detection signatures in EXTRA.DAT = None
29/06/2010 5:08:06 PM Scan Started M\H Full Scan
29/06/2010 5:09:57 PM Deleted H ODS(Full Scan) c:\ComboFix\PEV.cfxxe Artemis!F1FBA6185A6A (Trojan)
29/06/2010 5:09:57 PM Deleted H ODS(Full Scan) c:\ComboFix\pev.exe Artemis!F1FBA6185A6A (Trojan)
29/06/2010 5:13:37 PM Deleted H ODS(Full Scan) c:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\I15CV26D\JnteZkuz[1].phpZxHfddb0d4fV0100f070006R4e1be7cf102Tb1c8bddc201l1009325\i.dat DNSChanger.bu (Trojan)
29/06/2010 5:17:33 PM Deleted (Clean failed) H ODS(Full Scan) c:\Documents and Settings\Ma\My Documents\Downloads\ComboFix.exe\IEXPLORE.EXE Artemis!F1FBA6185A6A (Trojan)
29/06/2010 5:38:45 PM Deleted (Clean failed) H ODS(Full Scan) c:\System Volume Information\_restore{0D1B2A56-A1E5-452C-AB84-BA9B3E289B07}\RP1060\A0166225.exe\IEXPLORE.EXE Artemis!F1FBA6185A6A (Trojan)
29/06/2010 5:38:47 PM Deleted H ODS(Full Scan) c:\System Volume Information\_restore{0D1B2A56-A1E5-452C-AB84-BA9B3E289B07}\RP1060\A0166287.exe Artemis!F1FBA6185A6A (Trojan)
29/06/2010 5:38:51 PM Deleted H ODS(Full Scan) c:\System Volume Information\_restore{0D1B2A56-A1E5-452C-AB84-BA9B3E289B07}\RP1060\A0166357.exe Artemis!F1FBA6185A6A (Trojan)
29/06/2010 5:38:53 PM Deleted H ODS(Full Scan) c:\System Volume Information\_restore{0D1B2A56-A1E5-452C-AB84-BA9B3E289B07}\RP1060\A0166388.exe Artemis!F1FBA6185A6A (Trojan)
29/06/2010 5:38:58 PM Deleted H ODS(Full Scan) c:\System Volume Information\_restore{0D1B2A56-A1E5-452C-AB84-BA9B3E289B07}\RP1062\A0170277.exe Artemis!F1FBA6185A6A (Trojan)
29/06/2010 5:39:57 PM Deleted H ODS(Full Scan) c:\WINDOWS\PEV.exe Artemis!F1FBA6185A6A (Trojan)
29/06/2010 6:06:48 PM Scan Summary M\H Scan Summary
29/06/2010 6:06:48 PM Scan Summary M\H Processes scanned : 53
29/06/2010 6:06:48 PM Scan Summary M\H Processes detected : 0
29/06/2010 6:06:48 PM Scan Summary M\H Processes cleaned : 0
29/06/2010 6:06:48 PM Scan Summary M\H Boot sectors scanned : 3
29/06/2010 6:06:48 PM Scan Summary M\H Boot sectors detected: 0
29/06/2010 6:06:48 PM Scan Summary M\H Boot sectors cleaned : 0
29/06/2010 6:06:48 PM Scan Summary M\H Files scanned : 87301
29/06/2010 6:06:48 PM Scan Summary M\H Files with detections: 10
29/06/2010 6:06:48 PM Scan Summary M\H File detections : 10
29/06/2010 6:06:48 PM Scan Summary M\H Files cleaned : 0
29/06/2010 6:06:48 PM Scan Summary M\H Files deleted : 10
29/06/2010 6:06:48 PM Scan Summary M\H Files not scanned : 69
29/06/2010 6:06:48 PM Scan Summary M\H Run time : 0:58:42
29/06/2010 6:06:48 PM Scan Complete M\H Full Scan

shelf life
2010-07-01, 03:52
hi,

Ok good. Thanks for the info. You can delete the Gmer icon and TDSSKiller from your desktop. You can uninstall combofix like this:

start>run and type in
combofix /u
click ok or enter
note the space after the x and before the /

You can make a new restore point, the how and the why:

One of the features of Windows XP, Vista and Windows 7 is the System Restore option; however, if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning ok.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes the old, possibly infected restore points)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore. (creates a new restore point on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot.

And last, if all is good, some tips for you:

10 Tips for Reducing/Preventing Your Risk To Malware:

In no special order

1) It is essential to keep your OS (Windows) (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us), browser (IE, Firefox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the Windows auto-update feature. Staying updated is also necessary for web based applications like Java, Adobe Flash/Reader, QuickTime etc. Check their current version status here. (http://secunia.com/vulnerability_scanning/online/)

2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer where you are then prompted to install software to remedy this. See also the signs (http://www.virusvault.us/signs1.html) that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently finds malware then it's time to *review your computer habits*. *There is no reason why your computer cannot stay malware free.*

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks (http://www.fraud.org/tips/internet/phishing.htm).

5) Do not click on ads/pop-ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.* This is exactly what User Account Control (UAC) in Windows Vista and Windows 7 attempts to address.

8) Install and understand the *limitations* of a software firewall.

9) A tool (http://nsslabs.com/general/ie8-hardening-tool.html) for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0; read the FAQs. Or see a slide show here (http://threatpost.com/en_us/slideshow/How%20to%20configure%20Internet%20Explorer%20for%20secure%20surfing) and do it yourself.

10) Warez, cracks, etc. are very popular for carrying all kinds of malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks, then you are also much more likely to encounter malicious code in a downloaded file. Can you really trust the source of the file? Do you really need another malware source?

Longer version in links below.

Happy Safe Surfing.