Mfeed.in Redirect Returns

Done and Finished

Ken545 - Thanks for all your help. My system is saved from the dreaded Format and Reinstall [Microsoft Tech support's answer to everything]. I'll be safer from now on.
Dinosaur58
 
Disregard previous

After reboot from OTC I had my antivirus protection turned off for the Eset removal process. Failed to restart it [duh] and surfed to: http://forums.adobe.com/thread/522601 to find out if I can disable the new startup processes that Adobe installed. After reading in the forum for about 2 minutes a pop-up appeared: allweddingworld
As usual the scripts were blocked by NoScript. This is exactly the behavior from the infection we are working on. Note: a Microsoft Malicious SRT update had downloaded and was waiting to install. I allowed the install and after reboot it said "Malicious software was detected and partially removed." It requested a full scan [in progress now] "can take up to several hours on some computers." Darn! D58
 
oops

Tried to edit out the bad link [thought I had a few minutes to edit the post]; instead it reposted. NOTE TO ALL: DO NOT FOLLOW THE -ALLWEDDINGWORLD- LINK!!!!!
D58 P.S. Admins - please remove the 2nd post and disable/remove the bad link.
 
Something must have been put back; let's get rid of this program. First see if you can find it in Add/Remove Programs and uninstall it; either way, run this script.

Drag Combofix to the trash and grab a fresh copy

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop



Open Notepad (go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Rootkit::


Code:
Driver::
GNUAN

File::
c:\documents and settings\administrator\local settings\Temp\GNUAN.exe

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScriptB-4.gif]



This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
 
Combofix run error?

No Combofix in add/remove. Installed new copy to desktop and tried to run script. At around stage 3 there was a windows error message [looked like a DEP message] saying 'PEV.cfxxe has encountered an error and needs to close..' I closed the message box and Combofix seemed to resume normally. Here is the log.
WWWWWWWWWWW
ComboFix 10-07-19.02 - Administrator 07/20/2010 5:57.12.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1456 [GMT -6:00]
Running from: c:\documents and settings\Administrator.COMPUTER\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator.COMPUTER\Desktop\cfscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\documents and settings\administrator\local settings\Temp\GNUAN.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GNUAN
-------\Service_GNUAN


((((((((((((((((((((((((( Files Created from 2010-06-20 to 2010-07-20 )))))))))))))))))))))))))))))))
.

2010-07-20 11:42 . 2010-07-20 11:42 1014 ----a-w- c:\windows\system32\drivers\mgtryuwv.dat
2010-07-20 11:41 . 2010-07-20 11:41 8832 ----a-w- c:\windows\system32\drivers\RASACD.SYS
2010-07-20 09:26 . 2010-07-20 09:26 -------- d-----w- c:\windows\system32\MpEngineStore
2010-07-19 18:42 . 2010-07-19 18:42 -------- d-----w- c:\program files\ESET
2010-07-18 20:21 . 2010-07-18 20:21 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
2010-07-12 14:56 . 2010-07-12 14:56 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-07-12 10:35 . 2010-07-12 10:35 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Talkback
2010-07-08 14:04 . 2010-07-08 14:04 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-07 11:36 . 2010-07-07 11:36 293376 ----a-w- C:\6bg39okp.exe
2010-07-06 15:57 . 2010-07-06 15:57 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Apple Computer
2010-07-05 18:36 . 2010-07-05 18:36 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-07-05 18:36 . 2010-07-18 17:33 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-04 15:11 . 2010-07-04 15:11 503808 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\msvcp71.dll
2010-07-04 15:11 . 2010-07-04 15:11 499712 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\jmc.dll
2010-07-04 15:11 . 2010-07-04 15:11 348160 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\msvcr71.dll
2010-07-04 15:11 . 2010-07-04 15:11 61440 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-65417641-n\decora-sse.dll
2010-07-04 15:11 . 2010-07-04 15:11 12800 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-65417641-n\decora-d3d.dll
2010-07-04 15:11 . 2010-04-12 23:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-01 12:08 . 2010-07-01 12:08 -------- d-s---w- c:\documents and settings\LocalService.NT AUTHORITY\UserData
2010-07-01 10:02 . 2010-07-01 10:02 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Thunderbird
2010-07-01 10:02 . 2010-07-01 10:02 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Thunderbird
2010-06-30 08:30 . 2010-06-30 08:46 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-06-30 08:30 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-06-30 08:30 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-06-30 08:30 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-06-30 08:30 . 2010-06-30 08:30 -------- d-----w- c:\program files\Avira
2010-06-30 08:30 . 2010-06-30 08:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2010-06-30 06:50 . 2010-06-30 06:50 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SITEguard
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\program files\Common Files\iS3
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\STOPzilla!
2010-06-29 14:02 . 2010-06-29 14:02 -------- d-s---w- c:\documents and settings\NetworkService.NT AUTHORITY\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-14 14:30 . 2007-10-23 22:00 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
2010-06-09 17:55 . 2010-06-09 17:55 -------- d-----w- c:\documents and settings\Administrator.COMPUTER\Application Data\Topaz Moment
2010-06-09 17:06 . 2010-06-09 17:06 -------- d-----w- c:\program files\Topaz Labs LLC
2010-06-01 15:02 . 2007-10-23 22:52 120280 ----a-w- c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 05:56 . 2007-12-14 00:01 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 21:39 . 2008-07-20 15:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39 . 2008-07-20 15:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2004-04-09 21:13 . 2007-10-23 22:35 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-09-17 1626112]
"atwtusb"="atwtusb.exe" [2007-03-20 315392]
"Tweak UI"="TWEAKUI.CPL" [1997-11-08 87312]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-10 153136]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk.disabled
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk.disabled
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^DOCUME~1^ADMINI~1.COM^Start Menu^Programs^Startup^QuickShelf 2000.lnk]
path=c:\docume~1\ADMINI~1.COM\Start Menu\Programs\Startup\QuickShelf 2000.lnk
backup=c:\windows\pss\QuickShelf 2000.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-04-10 02:14 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-04-10 02:23 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-01-16 22:31 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 17:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-04-10 02:11 2595792 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" /s
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
"SoundMan"=SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [7/1/2008 10:33 PM 22528]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/30/2010 02:30 AM 108289]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [12/20/2007 04:11 AM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CHECKIT\DIAGNO~1\MAPMEM.sys [12/20/2007 04:11 AM 3904]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [9/22/2009 03:59 AM 50944]
S1 stkowqfi;stkowqfi;\??\c:\windows\system32\drivers\stkowqfi.sys --> c:\windows\system32\drivers\stkowqfi.sys [?]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
S3 MEMSWEEP2;MEMSWEEP2; [x]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 04:31 PM 161064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
FF - ProfilePath - c:\documents and settings\Administrator.COMPUTER\Application Data\Mozilla\Firefox\Profiles\bvvl5608.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\documents and settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-20 06:10
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08437B63-CA86-7C11-1E25-5A214BD5C952}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abnllihdbjplkgkdpkebpdfihejcgiaodb"=hex:61,62,6c,65,69,61,66,69,69,68,6d,65,
63,6d,6c,6e,63,67,63,66,6d,6a,6b,63,64,6d,67,61,68,66,62,70,65,61,00,00
"bbnllihdbjplkgkdpkfbdachibjdfkjonkac"=hex:61,62,67,67,63,64,64,61,65,69,68,62,
66,6d,63,70,63,64,65,68,6d,67,6e,6c,65,67,6a,6e,70,67,6e,6d,6f,63,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(908)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3624)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
.
**************************************************************************
.
Completion time: 2010-07-20 06:13:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-20 12:13

Pre-Run: 86,872,752,128 bytes free
Post-Run: 86,978,068,480 bytes free

- - End Of File - - 14B6EDBBB57A16A624A4D9129486DED3
WWWWWWWWWWWWWWWW
I found 'ComboFix-quarantined-files.txt' in Qoobox. It mentions GNUAN.
WWWWWWWWWWWWWWWW
2010-07-20 12:12:29 . 2010-07-20 12:12:30 922 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-HijackThis.reg.dat
2010-07-20 12:06:12 . 2010-07-20 12:06:14 2,686 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_GNUAN.reg.dat
2010-07-20 12:06:12 . 2010-07-20 12:06:14 782 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_GNUAN.reg.dat
2010-07-20 12:06:05 . 2010-07-20 12:06:06 4,931 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-07-20 11:57:28 . 2010-07-20 11:57:30 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2010-07-20 11:55:53 . 2010-07-20 11:55:54 51 ----a-w- C:\Qoobox\Quarantine\catchme.log
WWWWWWWWWWWWW
Probably just saying what it looked for?
D58
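The "LOCKED REGISTRY KEYS" section of the ComboFix log above lists a Shell Extensions\Approved key whose values are random-looking names holding hex data. The helper is reading these by eye; the script below is an added example (not part of this thread and not a ComboFix tool) that parses that REGEDIT4-style output and renders each hex value as text when it is printable ASCII. The sample input is copied from the log lines posted above; the parsing rules (trailing comma as the continuation marker, `"name"=hex:` value syntax) are assumptions based on how the log is formatted.

```python
import re

# Sample input: lines copied from the "LOCKED REGISTRY KEYS" section of the
# ComboFix log posted above. Each hex value wraps onto a second line.
SAMPLE_LOG = r"""
[HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08437B63-CA86-7C11-1E25-5A214BD5C952}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abnllihdbjplkgkdpkebpdfihejcgiaodb"=hex:61,62,6c,65,69,61,66,69,69,68,6d,65,
63,6d,6c,6e,63,67,63,66,6d,6a,6b,63,64,6d,67,61,68,66,62,70,65,61,00,00
"bbnllihdbjplkgkdpkfbdachibjdfkjonkac"=hex:61,62,67,67,63,64,64,61,65,69,68,62,
66,6d,63,70,63,64,65,68,6d,67,6e,6c,65,67,6a,6e,70,67,6e,6d,6f,63,00,00
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=hex:aa,bb,...   or   "name"=hex(7):aa,bb,...  (typed hex values)
HEX_VALUE_RE = re.compile(r'^"([^"]+)"=hex(?:\((\d+)\))?:(.*)$')


def join_continuations(lines):
    """Re-join hex values that wrap onto following lines.

    A .reg file marks a wrapped line with a trailing ',\\'; the ComboFix log
    shown above keeps only the trailing comma, so accept either form.
    """
    out = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if out and out[-1].rstrip("\\").endswith(","):
            out[-1] = out[-1].rstrip("\\") + line
        else:
            out.append(line)
    return out


def parse_hex_bytes(hex_field):
    """Turn '61,62,6c,...' into bytes, tolerating stray whitespace."""
    parts = [p.strip() for p in hex_field.split(",") if p.strip()]
    return bytes(int(p, 16) for p in parts)


def render(data):
    """Show printable ASCII (NUL padding stripped) as text, anything else as hex,
    so an analyst can tell a stored string from an opaque binary blob."""
    stripped = data.rstrip(b"\x00")
    if stripped and all(0x20 <= b < 0x7F for b in stripped):
        return stripped.decode("ascii")
    return data.hex()


def parse_locked_keys(text):
    """Return {key_path: [(value_name, raw_bytes, rendered), ...]}.

    '@Allowed:' permission lines and anything else that is neither a key
    header nor a hex value are skipped.
    """
    result = {}
    current = None
    for line in join_continuations(text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        m = HEX_VALUE_RE.match(line)
        if m and current is not None:
            name, _regtype, hex_field = m.groups()
            data = parse_hex_bytes(hex_field)
            result[current].append((name, data, render(data)))
    return result


if __name__ == "__main__":
    for key, values in parse_locked_keys(SAMPLE_LOG).items():
        print(key)
        for name, data, shown in values:
            print(f"  {name} ({len(data)} bytes): {shown}")
```

Run against the sample, both values decode to NUL-terminated ASCII strings made of the same kind of random lowercase letters as the value names themselves (34 letters plus two NUL bytes each). That tells a reviewer the data is a stored string rather than a binary structure, which is more useful than the raw hex when deciding whether an entry under a GUID-named Approved key belongs to any installed software.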
 
Open Notepad (go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Driver::


Code:
Driver::
stkowqfi

File::
c:\windows\system32\drivers\mgtryuwv.dat
c:\windows\system32\drivers\RASACD.SYS
c:\windows\system32\drivers\stkowqfi.sys

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScriptB-4.gif]



This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.






You need to enable windows to show all files and folders, instructions Here

Go to VirusTotal and submit this file for analysis: just use the browse feature and then Send File. You will get a report back; post the report into this thread for me to see. If the site says this file has been checked before, have them check it again.


C:\6bg39okp.exe

If the site is busy you can try this one

http://virusscan.jotti.org/en
 
No combofix log

Combofix runs same as last time, but near end of run desktop blanks out leaving only combofix window. After reboot system runs disk check [no errors found], then starts normally, but no combofix window and no combofix log. Also new folder appears on C: drive named combofix seeming to contain complete system mirror [including a mirror copy of new combofix folder= recursion]. Did not try to delete the new mirror folder. What now? D58
 
file scan results

Had Virustotal ReScan file:
WWWWWWWWWWWWWWWWWW
Antivirus Version Last Update Result
AhnLab-V3 2010.07.20.02 2010.07.20 -
AntiVir 8.2.4.12 2010.07.20 -
Antiy-AVL 2.0.3.7 2010.07.15 -
Authentium 5.2.0.5 2010.07.20 -
Avast 4.8.1351.0 2010.07.20 -
Avast5 5.0.332.0 2010.07.20 -
AVG 9.0.0.836 2010.07.20 -
BitDefender 7.2 2010.07.20 -
CAT-QuickHeal 11.00 2010.07.20 -
ClamAV 0.96.0.3-git 2010.07.20 -
Comodo 5486 2010.07.20 -
DrWeb 5.0.2.03300 2010.07.20 -
Emsisoft 5.0.0.34 2010.07.20 -
eSafe 7.0.17.0 2010.07.19 Win32.TrojanHorse
eTrust-Vet 36.1.7723 2010.07.20 -
F-Prot 4.6.1.107 2010.07.19 -
F-Secure 9.0.15370.0 2010.07.20 -
Fortinet 4.1.143.0 2010.07.20 -
GData 21 2010.07.20 -
Ikarus T3.1.1.84.0 2010.07.20 -
Jiangmin 13.0.900 2010.07.20 -
Kaspersky 7.0.0.125 2010.07.20 -
McAfee 5.400.0.1158 2010.07.20 -
McAfee-GW-Edition 2010.1 2010.07.20 -
Microsoft 1.6004 2010.07.20 -
NOD32 5295 2010.07.20 -
Norman 6.05.11 2010.07.20 -
nProtect 2010-07-20.02 2010.07.20 -
Panda 10.0.2.7 2010.07.19 -
PCTools 7.0.3.5 2010.07.20 -
Prevx 3.0 2010.07.20 -
Rising 22.57.01.04 2010.07.20 -
Sophos 4.55.0 2010.07.20 -
Sunbelt 6606 2010.07.20 -
SUPERAntiSpyware 4.40.0.1006 2010.07.20 -
Symantec 20101.1.1.7 2010.07.20 -
TheHacker 6.5.2.1.320 2010.07.19 -
TrendMicro 9.120.0.1004 2010.07.20 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.20 -
VBA32 3.12.12.6 2010.07.20 -
ViRobot 2010.6.21.3896 2010.07.20 -
VirusBuster 5.0.27.0 2010.07.20 -
Additional information
File size: 293376 bytes
MD5...: f80f6e09e7f4bafe478ca0da6137e1e2
SHA1..: 719082766cf4f60c8bdaa2b2c9f6967ecbcf8722
SHA256: 682fd0d13d7caf4b17a1eb9bafa0a3c3598139bb3623d3f5fba3bfbd0a6d424a
ssdeep: 6144:Uwbg2xeuJgWM/S1tm/xCIoQPJVZCzw5bEPb3cV9iYpTkyTFHS2:Uw82IZWM61tUXRd9IPb3cVZkyp/
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xb3f40
timedatestamp.....: 0x4b2763f0 (Tue Dec 15 10:24:48 2009)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x6d000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x6e000 0x47000 0x46200 7.93 7b777c30b7f75e5eb654691bb1616dcb
.rsrc 0xb5000 0x2000 0x1400 3.38 710fb4291f153e98a3a03f3473b8bfd6

( 1 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
packers (F-Prot): UPX
packers (Kaspersky): PE_Patch.UPX, UPX, PE_Patch
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: 1, 0, 15, 15281
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
WWWWWWWWWWWWWWWWWW
Only one hit. D58
 
Hi,

Sorry for the delay but I have been away and off line all day.

C:\ComboFix.txt <-- Have you tried going here and looking for the last log ?


How are things running now ?
 
Continued

Delay no problem, had to sleep myself. No Combofix.txt on C: . No pop-ups recently, and no rogue services. Strange Combofix mirror folder persists after reboot. Should I try to delete it? D58
 
Mystery Folder

I can't copy and paste folders to the website, and maximum file size for zipped is 976kb. When I check the properties of the folder the system reports that it contains 1 Folder with 264 files in it and a total of 20.4mb. When I open it the system shows a full mirror of the system: C:,D:,E:,and A: drives, Documents Folder, Control Panel, etc. The folder uses the same Icon as My Computer. If I browse to files inside it kicks me back out to the correct folder, so I can't see what's actually in it. D58
 
Found something

Just for hoots I tried creating a zip archive with the mystery folder as contents, and then opening the resulting file. It looks like the unpacked contents of Combofix.exe, and included Combofix.txt [see below]. Still doesn't explain why the system sees it as a mirror.
WWWWWWWWWWWW
ComboFix 10-07-19.04 - Administrator 07/20/2010 7:32:06.13.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1469 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator.COMPUTER\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator.COMPUTER\Desktop\cfscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\system32\drivers\mgtryuwv.dat"
"c:\windows\system32\drivers\RASACD.SYS"
"c:\windows\system32\drivers\stkowqfi.sys"
.
WWWWWWWWWWWWWWWWWWW
That's all there was in Combofix.txt. Total archive size = 4.5 MB. D58
 
It appears you may still have some issues we need to look at. This is what I need you to do: run Combofix with no script, just double click on it to run, and post the log please.


Then I need you to run GMER; if it gives you issues, then try it in Safemode.


[Screenshot: gmer_zip.gif]

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.





To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
    this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
Tutorial if you need it: How to boot into Safemode



I need to see the new CF log and the GMER log please
 
ComboFix + GMER Logs

Here are the logs. The Mystery Folder disappeared when Combofix ran.
WWWWWWWWWWWWWW
ComboFix 10-07-20.03 - Administrator 07/21/2010 11:35:19.14.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1398 [GMT -6:00]
Running from: c:\documents and settings\Administrator.COMPUTER\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\RASACD.SYS
.
---- Previous Run -------
.
c:\windows\system32\drivers\mgtryuwv.dat
c:\windows\system32\drivers\RASACD.SYS

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_stkowqfi


((((((((((((((((((((((((( Files Created from 2010-06-21 to 2010-07-21 )))))))))))))))))))))))))))))))
.

2010-07-21 11:13 . 2010-07-21 11:13 4664667 ----a-w- C:\ComboFix.zip
2010-07-20 11:41 . 2004-08-04 07:00 8832 ----a-w- c:\windows\system32\dllcache\rasacd.sys
2010-07-20 09:26 . 2010-07-20 09:26 -------- d-----w- c:\windows\system32\MpEngineStore
2010-07-19 18:42 . 2010-07-19 18:42 -------- d-----w- c:\program files\ESET
2010-07-12 14:56 . 2010-07-12 14:56 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-07-12 10:35 . 2010-07-12 10:35 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Talkback
2010-07-08 14:04 . 2010-07-08 14:04 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-07 11:36 . 2010-07-07 11:36 293376 ----a-w- C:\6bg39okp.exe
2010-07-06 15:57 . 2010-07-06 15:57 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Apple Computer
2010-07-05 18:36 . 2010-07-05 18:36 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-07-05 18:36 . 2010-07-18 17:33 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-04 15:11 . 2010-07-04 15:11 503808 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\msvcp71.dll
2010-07-04 15:11 . 2010-07-04 15:11 499712 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\jmc.dll
2010-07-04 15:11 . 2010-07-04 15:11 348160 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\msvcr71.dll
2010-07-04 15:11 . 2010-07-04 15:11 61440 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-65417641-n\decora-sse.dll
2010-07-04 15:11 . 2010-07-04 15:11 12800 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-65417641-n\decora-d3d.dll
2010-07-04 15:11 . 2010-04-12 23:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-01 12:08 . 2010-07-01 12:08 -------- d-s---w- c:\documents and settings\LocalService.NT AUTHORITY\UserData
2010-07-01 10:02 . 2010-07-01 10:02 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Thunderbird
2010-07-01 10:02 . 2010-07-01 10:02 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Thunderbird
2010-06-30 08:30 . 2010-06-30 08:46 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-06-30 08:30 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-06-30 08:30 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-06-30 08:30 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-06-30 08:30 . 2010-06-30 08:30 -------- d-----w- c:\program files\Avira
2010-06-30 08:30 . 2010-06-30 08:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2010-06-30 06:50 . 2010-06-30 06:50 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SITEguard
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\program files\Common Files\iS3
2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\STOPzilla!
2010-06-29 14:02 . 2010-06-29 14:02 -------- d-s---w- c:\documents and settings\NetworkService.NT AUTHORITY\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-14 14:30 . 2007-10-23 22:00 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
2010-06-09 17:55 . 2010-06-09 17:55 -------- d-----w- c:\documents and settings\Administrator.COMPUTER\Application Data\Topaz Moment
2010-06-09 17:06 . 2010-06-09 17:06 -------- d-----w- c:\program files\Topaz Labs LLC
2010-06-01 15:02 . 2007-10-23 22:52 120280 ----a-w- c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 05:56 . 2007-12-14 00:01 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 21:39 . 2008-07-20 15:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39 . 2008-07-20 15:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2004-04-09 21:13 . 2007-10-23 22:35 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-07-20_12.10.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-21 18:02 . 2010-07-21 18:02 16384 c:\windows\temp\Perflib_Perfdata_6b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-09-17 1626112]
"atwtusb"="atwtusb.exe" [2007-03-20 315392]
"Tweak UI"="TWEAKUI.CPL" [1997-11-08 87312]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-10 153136]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk.disabled
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk.disabled
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^DOCUME~1^ADMINI~1.COM^Start Menu^Programs^Startup^QuickShelf 2000.lnk]
path=c:\docume~1\ADMINI~1.COM\Start Menu\Programs\Startup\QuickShelf 2000.lnk
backup=c:\windows\pss\QuickShelf 2000.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-04-10 02:14 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-04-10 02:23 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-01-16 22:31 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 17:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-04-10 02:11 2595792 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" /s
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
"SoundMan"=SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [7/1/2008 10:33 PM 22528]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/30/2010 02:30 AM 108289]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [12/20/2007 04:11 AM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CHECKIT\DIAGNO~1\MAPMEM.sys [12/20/2007 04:11 AM 3904]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [9/22/2009 03:59 AM 50944]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
S3 MEMSWEEP2;MEMSWEEP2; [x]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 04:31 PM 161064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
FF - ProfilePath - c:\documents and settings\Administrator.COMPUTER\Application Data\Mozilla\Firefox\Profiles\bvvl5608.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-21 12:03
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08437B63-CA86-7C11-1E25-5A214BD5C952}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abnllihdbjplkgkdpkebpdfihejcgiaodb"=hex:61,62,6c,65,69,61,66,69,69,68,6d,65,
63,6d,6c,6e,63,67,63,66,6d,6a,6b,63,64,6d,67,61,68,66,62,70,65,61,00,00
"bbnllihdbjplkgkdpkfbdachibjdfkjonkac"=hex:61,62,67,67,63,64,64,61,65,69,68,62,
66,6d,63,70,63,64,65,68,6d,67,6e,6c,65,67,6a,6e,70,67,6e,6d,6f,63,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(940)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3532)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
.
**************************************************************************
.
Completion time: 2010-07-21 12:06:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-21 18:06

Pre-Run: 86,892,380,160 bytes free
Post-Run: 86,853,943,296 bytes free

- - End Of File - - 5482D7EE4CD2230D509817088F089194
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-21 12:38:41
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1.COM\LOCALS~1\Temp\pgldqpow.sys


---- System - GMER 1.0.15 ----

SSDT B8F5F226 ZwCreateKey
SSDT B8F5F21C ZwCreateThread
SSDT B8F5F22B ZwDeleteKey
SSDT B8F5F235 ZwDeleteValueKey
SSDT B8F5F23A ZwLoadKey
SSDT B8F5F208 ZwOpenProcess
SSDT B8F5F20D ZwOpenThread
SSDT B8F5F244 ZwReplaceKey
SSDT B8F5F23F ZwRestoreKey
SSDT B8F5F230 ZwSetValueKey
SSDT B8F5F217 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB95FF360, 0x307AC7, 0xE8000020]
init C:\WINDOWS\system32\DRIVERS\aiptektp.sys entry point in "init" section [0xBA41C480]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\FIREFOX.EXE[2744] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\FIREFOX.EXE (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0x2E 0xE8 0xE1 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xE9 0x02 0x6C 0xFA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0x50 0x93 0xE5 0xAB ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x97 0x20 0x4E 0x9A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08437B63-CA86-7C11-1E25-5A214BD5C952}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08437B63-CA86-7C11-1E25-5A214BD5C952}@abnllihdbjplkgkdpkebpdfihejcgiaodb 0x61 0x62 0x6C 0x65 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08437B63-CA86-7C11-1E25-5A214BD5C952}@bbnllihdbjplkgkdpkfbdachibjdfkjonkac 0x61 0x62 0x67 0x67 ...

---- EOF - GMER 1.0.15 ----
Thanks for your persistence with this problem. D58
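The two logs above are the raw material a helper triages by eye: the GMER SSDT section lists eleven hooks whose handler addresses sit within a few dozen bytes of each other, and the ComboFix service list marks two entries whose binary could not be found ("[?]" and "[x]"). As an added example, not code from this thread, from ComboFix or from GMER, here is a small Python script that pulls exactly those two things out of log text in the formats shown. The sample lines are constructed to match those formats, the 0x1000-byte clustering span and the list of "stealth" functions are the author's assumptions, and the script only flags items for a human to look at; it makes no verdict about the poster's machine.

```python
"""Triage helper for GMER SSDT lines and ComboFix service lines (added example)."""
import re

# Constructed sample lines in the GMER / ComboFix formats seen in the thread;
# they are not the poster's complete logs.
SAMPLE_GMER = """\
SSDT B8F5F226 ZwCreateKey
SSDT B8F5F21C ZwCreateThread
SSDT B8F5F208 ZwOpenProcess
SSDT B8F5F217 ZwTerminateProcess
SSDT 8A1C2000 ZwQueryDirectoryFile
"""

SAMPLE_SERVICES = """\
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\\program files\\Avira\\AntiVir Desktop\\sched.exe [6/30/2010 02:30 AM 108289]
S2 portD;CMS PortIO Service;c:\\windows\\system32\\DRIVERS\\portd2k.sys --> c:\\windows\\system32\\DRIVERS\\portd2k.sys [?]
S3 MEMSWEEP2;MEMSWEEP2; [x]
"""

SSDT_RE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(\w+)\s*$")
# "R2 name;display name;path [date size]"  (R = running, S = stopped)
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")

# Native functions commonly hooked to hide files, processes or registry keys.
# This watch-list is an assumption of the example, not something the logs assert.
STEALTH_FUNCS = {"ZwQueryDirectoryFile", "ZwQuerySystemInformation",
                 "ZwEnumerateKey", "ZwEnumerateValueKey"}


def parse_ssdt(text):
    """Return [(handler_address, function_name)] for every SSDT line."""
    hooks = []
    for line in text.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks.append((int(m.group(1), 16), m.group(2)))
    return hooks


def cluster_hooks(hooks, span=0x1000):
    """Group hooks whose handler addresses lie within `span` bytes of each other.

    One driver's hook handlers are laid out next to each other inside its image,
    so a tight cluster usually means a single module owns all of those hooks.
    A lone hook far away from the rest deserves its own look.
    """
    clusters = []
    for addr, func in sorted(hooks):
        if clusters and addr - clusters[-1]["base"] <= span:
            clusters[-1]["funcs"].append(func)
        else:
            clusters.append({"base": addr, "funcs": [func]})
    return clusters


def suspicious_hooks(hooks):
    """Hooked functions that appear on the stealth watch-list, sorted by name."""
    return sorted(f for _, f in hooks if f in STEALTH_FUNCS)


def parse_services(text):
    """Parse ComboFix R*/S* service lines and flag entries with no binary on disk."""
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        kind, start, name, display, rest = m.groups()
        out.append({
            "name": name,
            "display": display,
            "running": kind == "R",
            "start_type": int(start),
            # Drop the trailing "[date size]" block and any "--> path" echo.
            "path": rest.split(" [")[0].split(" --> ")[0].strip(),
            # ComboFix prints "[?]" when the image file is not found and
            # "[x]" when the service has no image path at all.
            "missing_binary": rest.rstrip().endswith(("[?]", "[x]")),
        })
    return out


def triage(gmer_text, services_text):
    """Summarise both logs into the three lists a helper wants to see first."""
    hooks = parse_ssdt(gmer_text)
    return {
        "hook_clusters": cluster_hooks(hooks),
        "stealth_hooks": suspicious_hooks(hooks),
        "missing_services": [s["name"] for s in parse_services(services_text)
                             if s["missing_binary"]],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_GMER, SAMPLE_SERVICES), indent=2))
```

On the sample input the four B8F5F2xx hooks collapse into one cluster and the outlying ZwQueryDirectoryFile hook stands alone and is also on the watch-list, while portD and MEMSWEEP2 are reported as services without a binary. A cluster of registry and process hooks on its own is not evidence of malware; security products install the same kind of self-protection hooks, which is why the script reports rather than judges.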
 
Not a problem; some systems are easier to clean and some are not.

Thanks for the GMER log; I am looking it over now.


C:\Qoobox\ComboFix-quarantined-files.txt <--Open this and post the log please
 
Quarantined Files Log

Here's the log. Gotta sack out; I'll check back once before work. D58
2010-07-20 13:34:57 . 2010-07-20 13:34:58 664 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_stkowqfi.reg.dat
2010-07-20 12:12:29 . 2010-07-20 12:12:30 922 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-HijackThis.reg.dat
2010-07-20 12:06:12 . 2010-07-20 12:06:14 2,686 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_GNUAN.reg.dat
2010-07-20 12:06:12 . 2010-07-20 12:06:14 782 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_GNUAN.reg.dat
2010-07-20 12:06:05 . 2010-07-21 17:59:16 4,931 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-07-20 11:57:28 . 2010-07-20 13:32:02 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2010-07-20 11:55:53 . 2010-07-21 17:33:34 255 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-07-20 11:42:37 . 2010-07-20 11:42:38 1,014 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\mgtryuwv.dat.vir
2010-07-20 11:41:07 . 2010-07-20 11:41:08 8,832 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\RASACD.SYS.vir
 