
Thread: Trojan/virus

  1. #11
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Go ahead and run ComboFix again, but I am leaning towards your Master Boot Record being infected. Let's see if CF will calm things down; run it this time with this script. I may be getting ahead of myself here, but since your system is in such bad shape we need to forge ahead.


    Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above FCopy::


    Code:
    FCopy::
    C:\WINDOWS\system32\dllcache\spoolsv.exe | C:\WINDOWS\System32\spoolsv.exe
    C:\WINDOWS\system32\dllcache\wscntfy.exe | C:\WINDOWS\System32\wscntfy.exe

    Save this as CFScript to your desktop.

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.




    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  2. #12
    Member
    Join Date
    Apr 2008
    Posts
    82


    Ran ComboFix again, regained control, typing this from the infected computer.

    Here's the system look file:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 16:19 on 19/01/2012 by Administrator
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "spoolsv.exe "
    No files found.

    Searching for "wscntfy.exe"
    No files found.

    -= EOF =-


    Here's a new ComboFix log:

    ComboFix 12-01-19.01 - Administrator 01/19/2012 15:53:08.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.605 [GMT -6:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator\Desktop\System Check.lnk
    c:\documents and settings\Administrator\Start Menu\Programs\System Check
    c:\documents and settings\Administrator\Start Menu\Programs\System Check\System Check.lnk
    c:\documents and settings\Administrator\Start Menu\Programs\System Check\Uninstall System Check.lnk
    c:\documents and settings\All Users\Application Data\~O6tIpy5tsgasDA
    c:\documents and settings\All Users\Application Data\~O6tIpy5tsgasDAr
    c:\documents and settings\All Users\Application Data\O6tIpy5tsgasDA
    c:\documents and settings\All Users\Application Data\O6tIpy5tsgasDA.exe
    c:\documents and settings\All Users\Application Data\QimMTimICgL.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-19 to 2012-01-19 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-19 18:39 . 2012-01-19 18:39 -------- d--h--w- c:\windows\system32\wbem\snmp
    2012-01-19 18:39 . 2012-01-19 18:39 -------- d--h--w- c:\windows\system32\xircom
    2012-01-19 18:39 . 2012-01-19 18:39 -------- d--h--w- c:\windows\srchasst
    2012-01-19 18:39 . 2012-01-19 18:39 -------- d--h--w- c:\program files\microsoft frontpage
    2012-01-12 03:19 . 2012-01-12 03:19 -------- d--h--w- c:\program files\ERUNT
    2012-01-12 00:54 . 2012-01-19 14:30 -------- d--h--w- c:\documents and settings\All Users\Application Data\Norton
    2012-01-10 04:10 . 2012-01-10 04:10 -------- d--h--w- c:\windows\Options
    2012-01-10 03:07 . 2012-01-12 00:41 -------- d--h--w- c:\program files\CheckPoint
    2012-01-10 01:13 . 2012-01-10 01:13 -------- d--h--w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2012-01-10 01:13 . 2012-01-10 01:13 -------- d--h--w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-01-10 01:13 . 2011-12-10 21:24 20464 ---ha-w- c:\windows\system32\drivers\mbam.sys
    2012-01-10 01:13 . 2012-01-19 19:14 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-07 18:17 . 2012-01-07 18:17 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2012-01-07 03:00 . 2012-01-10 02:27 -------- d--h--w- c:\windows\Sun
    2012-01-04 01:11 . 2012-01-04 16:52 -------- d--h--w- c:\documents and settings\Administrator\Application Data\Apple Computer
    2012-01-04 01:06 . 2012-01-04 01:06 -------- d--h--w- c:\documents and settings\All Users\Application Data\Apple Computer
    2012-01-04 01:06 . 2012-01-04 01:06 -------- d--h--w- c:\program files\Common Files\Apple
    2012-01-04 01:05 . 2012-01-04 01:05 -------- d--h--w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple
    2012-01-04 01:05 . 2012-01-04 01:05 -------- d--h--w- c:\program files\Apple Software Update
    2012-01-04 01:05 . 2012-01-04 01:05 -------- d--h--w- c:\documents and settings\All Users\Application Data\Apple
    2012-01-04 01:05 . 2012-01-04 01:05 -------- d--h--w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
    2012-01-04 00:14 . 2012-01-04 00:14 -------- d--h--w- c:\documents and settings\Administrator\Application Data\vlc
    2012-01-04 00:05 . 2012-01-04 00:22 -------- d--h--w- c:\program files\VideoLAN
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-28 23:37 . 2011-06-02 15:24 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-23 13:29 . 2010-12-31 12:14 1868544 ---ha-w- c:\windows\system32\win32k.sys
    2011-11-04 19:19 . 2011-04-10 17:19 1469440 ---ha-w- c:\windows\system32\inetcpl.cpl
    2011-11-04 19:19 . 2010-12-20 22:58 919552 ---ha-w- c:\windows\system32\wininet.dll
    2011-11-04 19:19 . 2010-12-20 22:58 43520 ---ha-w- c:\windows\system32\licmgr10.dll
    2011-11-01 16:05 . 2010-07-16 11:04 1289216 ---ha-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31 . 2010-12-09 13:29 33280 ---ha-w- c:\windows\system32\csrsrv.dll
    2011-10-26 00:22 . 2010-12-10 01:39 2069376 ---ha-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-25 13:34 . 2010-12-09 12:43 2192768 ---ha-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:01 . 2010-12-20 11:29 385024 ---ha-w- c:\windows\system32\html.iec
    2011-10-24 20:29 . 2011-10-24 20:29 94208 ---ha-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 20:29 . 2011-10-24 20:29 69632 ---ha-w- c:\windows\system32\QuickTime.qts
    2011-11-24 02:12 . 2011-04-12 22:46 134104 ---ha-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2011-03-09 . 474D3DCCB57DEFCD917311EEC47204B9 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
    [7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-05-29 114688]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-16 1037192]
    "IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-08-23 206240]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "Drag'n Drop CD"="c:\program files\Drag'n Drop CD\BinFiles\DragDrop.exe" [2002-08-22 802816]
    "ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2011-07-19 2567272]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
    "ZoneAlarm Installer"="c:\program files\CheckPoint\Install\Launcher.exe" [BU]
    "AGRSMMSG"="AGRSMMSG.exe" [2002-11-21 87751]
    "QimMTimICgL.exe"="c:\documents and settings\All Users\Application Data\QimMTimICgL.exe" [BU]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="ctfmon.exe" [2008-04-14 15360]
    "IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [BU]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_3"="advpack.dll" [2009-03-07 128512]
    .
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    "NoRecentDocsNetHood"= 1 (0x1)
    .
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoRecentDocsNetHood"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders schannel.dll, credssp.dll, digest.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    "DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    .
    R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [4/14/2008 5:00 AM 14336]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.prisonplanet.com/
    uDefault_Search_URL = hxxp://www.google.com/
    TCP: DhcpNameServer = 192.168.1.1 67.142.160.8 67.142.160.9
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yy1hez6e.default\
    FF - prefs.js: browser.startup.homepage - hxxp://prisonplanet.tv/
    .
    Supplementary scan did not complete!
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-19 16:08
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: HITACHI_DK23EA-40 rev.00K3A0A6 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8653E2C6
    user & kernel MBR OK
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1292428093-1708537768-1343024091-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,80,ea,70,2e,77,33,43,aa,d4,05,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,12,60,6b,99,02,8d,f6,41,ba,7b,09,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,80,ea,70,2e,77,33,43,aa,d4,05,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(564)
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'lsass.exe'(624)
    c:\windows\system32\WININET.dll
    .
    Completion time: 2012-01-19 16:15:42
    ComboFix-quarantined-files.txt 2012-01-19 22:15
    .
    Pre-Run: 31,502,401,536 bytes free
    Post-Run: 31,717,122,048 bytes free
    .
    - - End Of File - - 3B44C7210C318E00AB7566C65A499000

  3. #13
    Member
    Join Date
    Apr 2008
    Posts
    82


    Had to run ComboFix per the first method to get control again. Now I'm going to re-run it per the CFScript.

  4. #14
    Member
    Join Date
    Apr 2008
    Posts
    82


    Here is the new ComboFix running the CFScript as you requested:





    ComboFix 12-01-19.01 - Administrator 01/19/2012 16:39:15.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.510 [GMT -6:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt


    ((((((((((((((((((((((((( Files Created from 2011-12-19 to 2012-01-19 )))))))))))))))))))))))))))))))


    2012-01-19 18:39:47 . 2012-01-19 18:39:47 -------- d-----w- C:\WINDOWS\system32\wbem\snmp
    2012-01-19 18:39:45 . 2012-01-19 18:39:45 -------- d-----w- C:\WINDOWS\system32\xircom
    2012-01-19 18:39:45 . 2012-01-19 18:39:45 -------- d-----w- C:\WINDOWS\srchasst
    2012-01-19 18:39:41 . 2012-01-19 18:39:41 -------- d-----w- C:\Program Files\microsoft frontpage
    2012-01-12 03:19:24 . 2012-01-12 03:19:34 -------- d-----w- C:\Program Files\ERUNT
    2012-01-12 00:54:33 . 2012-01-19 14:30:05 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Norton
    2012-01-10 04:10:16 . 2012-01-10 04:10:16 -------- d-----w- C:\WINDOWS\Options
    2012-01-10 03:07:09 . 2012-01-12 00:41:30 -------- d-----w- C:\Program Files\CheckPoint
    2012-01-10 01:13:58 . 2012-01-10 01:13:58 -------- d-----w- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2012-01-10 01:13:33 . 2012-01-10 01:13:33 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2012-01-10 01:13:23 . 2011-12-10 21:24:06 20464 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
    2012-01-10 01:13:20 . 2012-01-19 19:14:22 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
    2012-01-07 18:17:40 . 2012-01-07 18:17:40 -------- d-sh--w- C:\Documents and Settings\LocalService\IETldCache
    2012-01-07 03:00:49 . 2012-01-10 02:27:37 -------- d-----w- C:\WINDOWS\Sun
    2012-01-04 01:11:52 . 2012-01-04 16:52:55 -------- d-----w- C:\Documents and Settings\Administrator\Application Data\Apple Computer
    2012-01-04 01:06:37 . 2012-01-04 01:06:37 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2012-01-04 01:06:04 . 2012-01-04 01:06:04 -------- d-----w- C:\Program Files\Common Files\Apple
    2012-01-04 01:05:44 . 2012-01-04 01:05:44 -------- d-----w- C:\Documents and Settings\Administrator\Local Settings\Application Data\Apple
    2012-01-04 01:05:38 . 2012-01-04 01:05:39 -------- d-----w- C:\Program Files\Apple Software Update
    2012-01-04 01:05:38 . 2012-01-04 01:05:38 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Apple
    2012-01-04 01:05:11 . 2012-01-04 01:05:11 -------- d-----w- C:\Documents and Settings\Administrator\Local Settings\Application Data\Apple Computer
    2012-01-04 00:14:05 . 2012-01-04 00:14:05 -------- d-----w- C:\Documents and Settings\Administrator\Application Data\vlc
    2012-01-04 00:05:53 . 2012-01-04 00:22:39 -------- d-----w- C:\Program Files\VideoLAN
    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2011-12-28 23:37:14 . 2011-06-02 15:24:06 414368 ----a-w- C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
    2011-11-23 13:29:56 . 2010-12-31 12:14:45 1868544 ----a-w- C:\WINDOWS\system32\win32k.sys
    2011-11-04 19:19:40 . 2011-04-10 17:19:32 1469440 ----a-w- C:\WINDOWS\system32\inetcpl.cpl
    2011-11-04 19:19:40 . 2010-12-20 22:58:53 919552 ----a-w- C:\WINDOWS\system32\wininet.dll
    2011-11-04 19:19:40 . 2010-12-20 22:58:52 43520 ----a-w- C:\WINDOWS\system32\licmgr10.dll
    2011-11-01 16:05:38 . 2010-07-16 11:04:26 1289216 ----a-w- C:\WINDOWS\system32\ole32.dll
    2011-10-28 05:31:00 . 2010-12-09 13:29:00 33280 ----a-w- C:\WINDOWS\system32\csrsrv.dll
    2011-10-26 00:22:34 . 2010-12-10 01:39:28 2069376 ----a-w- C:\WINDOWS\system32\ntkrnlpa.exe
    2011-10-25 13:34:49 . 2010-12-09 12:43:18 2192768 ----a-w- C:\WINDOWS\system32\ntoskrnl.exe
    2011-10-25 12:01:01 . 2010-12-20 11:29:19 385024 ----a-w- C:\WINDOWS\system32\html.iec
    2011-10-24 20:29:02 . 2011-10-24 20:29:02 94208 ----a-w- C:\WINDOWS\system32\QuickTimeVR.qtx
    2011-10-24 20:29:02 . 2011-10-24 20:29:02 69632 ----a-w- C:\WINDOWS\system32\QuickTime.qts
    2011-11-24 02:12:46 . 2011-04-12 22:46:38 134104 ----a-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.

    [-] 2011-03-09 07:29:49 . 474D3DCCB57DEFCD917311EEC47204B9 . 361600 . . [5.1.2600.6009 (xpsp_sp3_qfe.100708-1621)] . . C:\WINDOWS\system32\drivers\tcpip.sys
    [7] 2008-06-20 11:59:02 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625 (xpsp_sp3_qfe.080620-1309)] . . C:\WINDOWS\system32\dllcache\tcpip.sys

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2011-10-13 14:27:14 17351304]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-05-29 09:14:24 114688]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-16 22:39:40 1037192]
    "IJNetworkScanUtility"="C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-08-23 06:11:28 206240]
    "Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 07:37:53 843712]
    "Drag'n Drop CD"="C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe" [2002-08-22 19:36:18 802816]
    "ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 01:29:26 40960]
    "CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2011-07-19 17:53:08 2567272]
    "APSDaemon"="C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 13:22:28 59240]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2011-10-24 20:28:52 421888]
    "ZoneAlarm Installer"="C:\Program Files\CheckPoint\Install\Launcher.exe" [BU]
    "AGRSMMSG"="AGRSMMSG.exe" [2002-11-21 04:17:54 87751]
    "QimMTimICgL.exe"="C:\Documents and Settings\All Users\Application Data\QimMTimICgL.exe" [BU]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="ctfmon.exe" [2008-04-14 11:00:00 15360]
    "IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [BU]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_3"="advpack.dll" [2009-03-07 19:32:48 128512]

    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    "NoRecentDocsNetHood"= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoRecentDocsNetHood"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders schannel.dll, credssp.dll, digest.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    "DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "C:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "C:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

    R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;C:\WINDOWS\System32\svchost.exe -k nosGetPlusHelper [4/14/2008 5:00:00 AM 14336]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

    Contents of the 'Scheduled Tasks' folder

    2012-01-04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57:16 . 2011-06-01 23:57:16]


    ------- Supplementary Scan -------

    uStart Page = hxxp://www.prisonplanet.com/
    uDefault_Search_URL = hxxp://www.google.com/
    TCP: DhcpNameServer = 192.168.1.1 67.142.160.8 67.142.160.9
    FF - ProfilePath - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yy1hez6e.default\
    FF - prefs.js: browser.startup.homepage - hxxp://prisonplanet.tv/


    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-19 16:51:12
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: HITACHI_DK23EA-40 rev.00K3A0A6 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

    device: opened successfully
    user: MBR read successfully
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8653E2C6
    user & kernel MBR OK

    **************************************************************************

    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1292428093-1708537768-1343024091-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,80,ea,70,2e,77,33,43,aa,d4,05,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,12,60,6b,99,02,8d,f6,41,ba,7b,09,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,80,ea,70,2e,77,33,43,aa,d4,05,\

    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(564)
    C:\WINDOWS\system32\WININET.dll

    - - - - - - - > 'lsass.exe'(624)
    C:\WINDOWS\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(1008)
    C:\WINDOWS\system32\WININET.dll
    C:\WINDOWS\system32\ieframe.dll
    C:\WINDOWS\system32\webcheck.dll
    C:\WINDOWS\system32\WPDShServiceObj.dll
    C:\WINDOWS\system32\PortableDeviceTypes.dll
    C:\WINDOWS\system32\PortableDeviceApi.dll

    Completion time: 2012-01-19 16:56:03
    ComboFix-quarantined-files.txt 2012-01-19 22:55:55
    ComboFix2.txt 2012-01-19 22:15:47

    Pre-Run: 31,727,501,312 bytes free
    Post-Run: 31,728,074,752 bytes free

    - - End Of File - - 808F38E2297609360DB5C8FB44571F01
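Both ComboFix logs above carry the same points a helper reads first: an autostart entry whose executable sits directly in All Users\Application Data, the Security Center override values, and the firewall profile state. As an added example (the editor's code, not ComboFix's own logic and not anything posted in this thread), here is a small triage script that parses those sections and flags them; the heuristics are the editor's own assumptions about what deserves a closer look, and the sample log is a constructed excerpt of lines quoted in the thread.

```python
"""Triage of the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread: editor's code, not ComboFix's own logic and
not anything the participants posted. The heuristics are editor assumptions
about what deserves a closer look, not ComboFix's rules.
"""
import re

# Constructed sample: an excerpt of the log lines quoted in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-05-29 114688]
"ZoneAlarm Installer"="c:\program files\CheckPoint\Install\Launcher.exe" [BU]
"AGRSMMSG"="AGRSMMSG.exe" [2002-11-21 87751]
"QimMTimICgL.exe"="c:\documents and settings\All Users\Application Data\QimMTimICgL.exe" [BU]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")                       # [HKEY_...] section header
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
FLAG_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\d+)\s*\(0x[0-9a-fA-F]+\)$')

# Folders an ordinary user can write to; a loader sitting *directly* in one of
# these (not in a vendor sub-folder) is a common malware placement.
WRITABLE_PARENTS = ("\\application data", "\\temp", "\\local settings\\temp")


def check_run_entry(path, meta):
    """Return (severity, reason) for one Run/RunOnce entry, or None if unremarkable."""
    parent = path.lower().rsplit("\\", 1)[0] if "\\" in path else ""
    if parent.endswith(WRITABLE_PARENTS):
        return "high", "autostart executable sits directly in a user-writable data folder: " + path
    if meta.strip() == "BU":
        # ComboFix printed [BU] instead of a date and size: verify the file by hand.
        return "review", "no date/size recorded for this entry ([BU]); confirm the file exists and is expected"
    return None


def triage(log_text):
    """Walk the log, tracking the current registry key, and collect findings."""
    findings = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        lkey = key.lower()
        if lkey.endswith(("\\run", "\\runonce")):
            m = RUN_RE.match(line)
            if m:
                verdict = check_run_entry(m.group("path"), m.group("meta"))
                if verdict:
                    findings.append({"key": key, "name": m.group("name"),
                                     "severity": verdict[0], "reason": verdict[1]})
        elif lkey.endswith("security center"):
            m = DWORD_RE.match(line)
            if m and m.group("name") in ("AntiVirusOverride", "FirewallOverride") \
                    and int(m.group("val"), 16) == 1:
                findings.append({"key": key, "name": m.group("name"), "severity": "high",
                                 "reason": "override=1 silences Security Center alerts for that protection"})
        elif lkey.endswith("firewallpolicy\\standardprofile"):
            m = FLAG_RE.match(line)
            if m and m.group("name") == "EnableFirewall" and m.group("val") == "0":
                findings.append({"key": key, "name": m.group("name"), "severity": "high",
                                 "reason": "Windows Firewall standard profile is disabled"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s: %s" % (f["severity"].upper(), f["name"], f["reason"]))
```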

  5. #15
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Let's check your Master Boot Record.

    Download MBRCheck.exe to your desktop.
    • Be sure to disable your security programs
    • Double click on the file to run it
    • A window will open on your desktop
    • If an unknown bootcode is found you will have further options available to you; at this time press N, then press Enter twice.
    • If nothing unusual is found just press Enter
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
    • Please post the contents of that file.
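The MBRCheck step above reports an "unknown bootcode" when the boot code in the first sector does not match what the tool knows to be good. As an added example of that kind of check (the editor's code, not MBRCheck's and not from this thread), the script below validates a 512-byte MBR's boot signature, decodes its partition table and compares the boot code hash against an allowlist; the sample MBR is constructed inline and the KNOWN_BOOTCODE allowlist holds only a placeholder.

```python
"""Inspect a 512-byte MBR: boot signature, partition table, boot-code hash.

Added example for this thread; editor's code, not MBRCheck's. The sample
MBR is constructed inline, and KNOWN_BOOTCODE holds only a placeholder:
real entries must be hashes taken from a known-clean system of the same
Windows version.
"""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440        # bytes 0..439 hold boot code; 440..445 disk signature + reserved
PART_TABLE_OFF = 446      # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"

# Placeholder allowlist {sha256 hex: label}; not a real Windows boot-code hash.
KNOWN_BOOTCODE = {
    "PLACEHOLDER_SHA256_OF_KNOWN_GOOD_BOOTCODE": "known-good MBR (placeholder)",
}


def read_mbr(path):
    """Read the first sector of a disk image file."""
    # On Windows, run as an administrator, path may also be the raw disk
    # device \\.\PhysicalDrive0 to read the live MBR.
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


def bootcode_digest(mbr):
    """SHA-256 of the boot-code region only (the per-disk signature is excluded)."""
    return hashlib.sha256(bytes(mbr[:BOOTCODE_LEN])).hexdigest()


def parse_partitions(mbr):
    """Decode the four MBR partition entries, skipping empty ones (type 0)."""
    parts = []
    for i in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return parts


def inspect_mbr(mbr, allowlist=KNOWN_BOOTCODE):
    """Return a report dict; an empty 'findings' list means nothing stood out."""
    if len(mbr) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    mbr = bytes(mbr[:SECTOR])
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    digest = bootcode_digest(mbr)
    label = allowlist.get(digest)
    if label is None:
        findings.append("unknown bootcode: sha256 %s not in allowlist" % digest)
    parts = parse_partitions(mbr)
    active = [p for p in parts if p["bootable"]]
    if len(active) > 1:
        findings.append("more than one active partition (%d)" % len(active))
    return {"bootcode_sha256": digest, "bootcode_label": label,
            "partitions": parts, "findings": findings}


def build_sample_mbr(bootcode):
    """Construct a test MBR: the given boot code plus one active NTFS partition at LBA 63."""
    mbr = bytearray(SECTOR)
    mbr[:len(bootcode)] = bootcode
    struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFF, 0x80, 0x07, 63, 78140097)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0" + b"\x90" * 29)   # constructed, not real boot code
    trusted = {bootcode_digest(clean): "constructed clean sample"}
    print(inspect_mbr(clean, trusted))
    tampered = bytearray(clean)
    tampered[0] ^= 0xFF                                         # one byte of boot code changed
    print(inspect_mbr(tampered, trusted)["findings"])
```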

  6. #16
    Member
    Join Date
    Apr 2008
    Posts
    82


    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 134):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EF000 \WINDOWS\system32\hal.dll
    0x867CB000 \WINDOWS\system32\KDCOM.DLL
    0xF789B000 \WINDOWS\system32\BOOTVID.dll
    0xF7357000 sptd.sys
    0xF7987000 \WINDOWS\System32\Drivers\WMILIB.SYS
    0xF733F000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
    0xF7311000 ACPI.sys
    0xF7300000 pci.sys
    0xF7487000 ohci1394.sys
    0xF7497000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xF74A7000 isapnp.sys
    0xF789F000 compbatt.sys
    0xF78A3000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xF7A4F000 pciide.sys
    0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF7989000 intelide.sys
    0xF72E2000 pcmcia.sys
    0xF74B7000 MountMgr.sys
    0xF72C3000 ftdisk.sys
    0xF798B000 dmload.sys
    0xF729D000 dmio.sys
    0xF770F000 PartMgr.sys
    0xF74C7000 VolSnap.sys
    0xF7285000 atapi.sys
    0xF726F000 Si3112.sys
    0xF74D7000 disk.sys
    0xF74E7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF724F000 fltMgr.sys
    0xF723D000 sr.sys
    0xF78A7000 PxHelp20.sys
    0xF7226000 KSecDD.sys
    0xF7199000 Ntfs.sys
    0xF716C000 NDIS.sys
    0xF7152000 Mup.sys
    0xF6C32000 kl1.sys
    0xF7717000 \WINDOWS\System32\DRIVERS\TDI.SYS
    0xF7677000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF64A2000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
    0xF648E000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF77B7000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF646A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF77BF000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF644A000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
    0xF63A5000 \SystemRoot\system32\DRIVERS\w70n51.sys
    0xF7687000 \SystemRoot\system32\DRIVERS\nic1394.sys
    0xF7697000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF77C7000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF77CF000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF76A7000 \SystemRoot\system32\DRIVERS\serial.sys
    0xF7943000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xF76B7000 \SystemRoot\system32\DRIVERS\smcirda.sys
    0xF7947000 \SystemRoot\system32\DRIVERS\irenum.sys
    0xF6391000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF76C7000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF76D7000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF76E7000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF636E000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF633C000 \SystemRoot\system32\drivers\STAC97.sys
    0xF6318000 \SystemRoot\system32\drivers\portcls.sys
    0xF76F7000 \SystemRoot\system32\drivers\drmk.sys
    0xF61FD000 \SystemRoot\system32\DRIVERS\AGRSM.sys
    0xF77D7000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF795B000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xF7AB8000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF77DF000 \SystemRoot\system32\DRIVERS\rasirda.sys
    0xF7507000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF795F000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF61E6000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF7517000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF7527000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF61D4000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF7537000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF77E7000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF77EF000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF6104000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF7547000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF7A15000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF607E000 \SystemRoot\system32\DRIVERS\update.sys
    0xF7973000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF7567000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xEDFC2000 \SystemRoot\system32\drivers\ialmkchw.sys
    0xEDFA5000 \SystemRoot\system32\drivers\ialmsbw.sys
    0xF7587000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF7A1F000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xEDEDA000 \SystemRoot\system32\DRIVERS\klif.sys
    0xF64C0000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7AEE000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7A21000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF780F000 \SystemRoot\System32\drivers\vga.sys
    0xF7A23000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7A25000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF7817000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF781F000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF64BC000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xEDE7F000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xEDE26000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xEDDFE000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xEDD6E000 \SystemRoot\System32\vsdatant.sys
    0xF793F000 \SystemRoot\System32\drivers\ws2ifsl.sys
    0xEDD48000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xEDD26000 \SystemRoot\System32\drivers\afd.sys
    0xF75A7000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xEDCFB000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xEDC8B000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF75B7000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF7607000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xEDC4B000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7A29000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF605A000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF782F000 \SystemRoot\System32\watchdog.sys
    0xBE000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7B74000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBE020000 \SystemRoot\System32\ialmdnt5.dll
    0xBE012000 \SystemRoot\System32\ialmrnt5.dll
    0xBE042000 \SystemRoot\System32\ialmdev5.DLL
    0xBE072000 \SystemRoot\System32\ialmdd5.DLL
    0xF7617000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xF7627000 \SystemRoot\system32\DRIVERS\arp1394.sys
    0xEC679000 \SystemRoot\system32\DRIVERS\irda.sys
    0xEC85F000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xEC394000 \SystemRoot\system32\drivers\wdmaud.sys
    0xEC707000 \SystemRoot\system32\drivers\sysaudio.sys
    0xEC24A000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xF79F7000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xEC405000 \SystemRoot\System32\Drivers\Aspi32.SYS
    0xEC1A2000 \SystemRoot\system32\DRIVERS\srv.sys
    0xEBB21000 \SystemRoot\System32\Drivers\HTTP.sys
    0xEB827000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xF79D1000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
    0xF7867000 \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys
    0xEB39C000
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 21):
    0 System Idle Process
    4 System
    464 C:\WINDOWS\system32\smss.exe
    532 csrss.exe
    564 C:\WINDOWS\system32\winlogon.exe
    612 C:\WINDOWS\system32\services.exe
    624 C:\WINDOWS\system32\lsass.exe
    784 C:\WINDOWS\system32\svchost.exe
    1252 svchost.exe
    1296 C:\WINDOWS\system32\svchost.exe
    1504 svchost.exe
    1672 svchost.exe
    1552 svchost.exe
    1532 C:\Program Files\Common Files\Motive\McciCMService.exe
    272 C:\WINDOWS\system32\svchost.exe
    1080 C:\WINDOWS\system32\hkcmd.exe
    676 C:\WINDOWS\AGRSMMSG.exe
    1860 alg.exe
    2836 C:\WINDOWS\system32\svchost.exe
    1008 C:\WINDOWS\explorer.exe
    2124 C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: HITACHI_DK23EA-40, Rev: 00K3A0A6

    Size Device Name MBR Status
    --------------------------------------------
    37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!

  7. #17
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

See if this program will run, and post the log please.


    Download aswMBR.exe ( 511KB ) to your desktop.

    Double click the aswMBR.exe to run it

    Click the "Scan" button to start scan


    On completion of the scan click save log, save it to your desktop and post in your next reply

  8. #18
    Member
    Join Date
    Apr 2008
    Posts
    82

    Default

    aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
    Run date: 2012-01-19 18:30:56
    -----------------------------
    18:30:56.230 OS Version: Windows 5.1.2600 Service Pack 3
    18:30:56.230 Number of processors: 1 586 0x905
    18:30:56.230 ComputerName: HASSELCOMPUTER UserName: Administrator
    18:30:57.041 Initialize success
    18:31:20.635 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    18:31:20.635 Disk 0 Vendor: HITACHI_DK23EA-40 00K3A0A6 Size: 38154MB BusType: 3
    18:31:20.635 Device \Driver\atapi -> DriverStartIo 8653e2c6
    18:31:20.655 Disk 0 MBR read successfully
    18:31:20.655 Disk 0 MBR scan
    18:31:20.655 Disk 0 TDL4@MBR code has been found
    18:31:20.655 Disk 0 Windows XP default MBR code found via API
    18:31:20.665 Disk 0 MBR hidden
    18:31:20.665 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38146 MB offset 63
    18:31:20.665 Disk 0 MBR [TDL4] **ROOTKIT**
    18:31:20.665 Disk 0 trace - called modules:
    18:31:20.665 ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8653e49f]<<
    18:31:20.675 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86942ab8]
    18:31:20.675 3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> \Device\00000077[0x869f4f18]
    18:31:20.995 5 ACPI.sys[f7317620] -> nt!IofCallDriver -> [0x86989940]
    18:31:20.995 \Driver\atapi[0x86662248] -> IRP_MJ_CREATE -> 0x8653e49f
    18:31:20.995 Scan finished successfully
    18:31:39.121 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
    18:31:39.131 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"
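The three lines "TDL4@MBR code has been found", "Windows XP default MBR code found via API" and "MBR hidden" in the log above describe one situation: the sector aswMBR reads from the disk itself differs from the sector the operating system's API hands back, because the bootkit hooks the disk driver (note the unresolved atapi IRP_MJ_CREATE handler in the trace) and serves the original, clean MBR to ordinary readers. The following script, added here as an example and not code from the thread or from aswMBR, shows how to check a 512-byte dump such as the MBR.dat that aswMBR saved: it validates the 0x55AA boot signature, parses the four partition-table entries, hashes the boot-code region, and compares an API-returned sector against a raw read the way the log does. The two embedded sectors are constructed samples with placeholder boot code (not the real Windows XP or TDL4 bytes); only the partition layout mirrors what the log reports (one active NTFS partition, offset 63, 38146 MB).

```python
"""Offline check of a 512-byte MBR dump (e.g. aswMBR's MBR.dat). Added example;
the sample sectors below are constructed, not taken from a real disk."""
import hashlib
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"          # last two bytes of a valid MBR
PART_TABLE_OFF = 0x1BE          # boot code occupies [0, 0x1BE), table follows
PART_ENTRY_LEN = 16
PART_ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sectors

PART_TYPES = {0x00: "empty", 0x05: "Extended", 0x07: "HPFS/NTFS",
              0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x0F: "Extended LBA"}


def is_valid_mbr(mbr):
    """True if the buffer is exactly one sector and carries the boot signature."""
    return len(mbr) == SECTOR and mbr[510:512] == BOOT_SIG


def parse_partitions(mbr):
    """Return the non-empty partition-table entries as dicts."""
    if not is_valid_mbr(mbr):
        raise ValueError("not a 512-byte sector with a 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, mbr, off)
        if ptype == 0:
            continue
        entries.append({
            "index": i + 1,
            "active": status == 0x80,           # 0x80 = bootable flag, as aswMBR prints "80 (A)"
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mb": sectors * SECTOR // (1024 * 1024),
        })
    return entries


def code_sha1(mbr):
    """SHA-1 of the boot-code region only, so partition-table changes do not affect it."""
    return hashlib.sha1(mbr[:PART_TABLE_OFF]).hexdigest().upper()


def compare_reads(api_mbr, raw_mbr):
    """Compare the sector the OS API returned with a raw read taken below the disk
    driver. Matching table but differing code is the bootkit pattern: the loader
    lives in the real sector, while API callers are shown the original one."""
    return {
        "code_matches": api_mbr[:PART_TABLE_OFF] == raw_mbr[:PART_TABLE_OFF],
        "table_matches": parse_partitions(api_mbr) == parse_partitions(raw_mbr),
        "api_code_sha1": code_sha1(api_mbr),
        "raw_code_sha1": code_sha1(raw_mbr),
    }


def build_sample_mbr(code, partitions):
    """Construct a sector image for demonstration (constructed data, not a real MBR)."""
    mbr = bytearray(SECTOR)
    mbr[:len(code)] = code
    for i, (active, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         0x80 if active else 0x00, b"\xFE\xFF\xFF", ptype,
                         b"\xFE\xFF\xFF", lba_start, sectors)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


# Constructed samples: layout as reported in the log (active NTFS, offset 63, 38146 MB),
# boot code bytes are placeholders only.
NTFS_SECTORS = 38146 * 1024 * 1024 // SECTOR
LAYOUT = [(True, 0x07, 63, NTFS_SECTORS)]
CLEAN_MBR = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 20, LAYOUT)
# Same partition table, different code: what a patched sector looks like to a raw read.
PATCHED_MBR = build_sample_mbr(b"\xEB\x10\x90" + b"\xCC" * 30, LAYOUT)


def analyze_dump(path):
    """Parse a dump file such as MBR.dat from disk."""
    with open(path, "rb") as f:
        return parse_partitions(f.read(SECTOR))


if __name__ == "__main__":
    for entry in parse_partitions(CLEAN_MBR):
        print(entry)
    print(compare_reads(CLEAN_MBR, PATCHED_MBR))
```

Run `analyze_dump("MBR.dat")` on the real dump to confirm the table matches what aswMBR printed; the code-region hash is what you would compare against a known-good sector for the same Windows version, which is the check the thread's MBR expert is being asked to do.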

  9. #19
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

What I need you to do is to zip this file and attach it in your next reply; I am going to have one of the MBR experts check it. It was dumped on your desktop when you ran aswMBR.

    Desktop\MBR.dat <--This file



    Then do this


    Re-Run aswMBR

    Click Scan

    On completion of the scan

    Click Fix





    Save the log as before and post in your next reply

  10. #20
    Member
    Join Date
    Apr 2008
    Posts
    82

    Default

Hard to move locations and then reboot. Ran ComboFix again. Have regained control of the computer; I shouldn't have to move again. Here's the zip file.
