
Not acquiring network address

Discussion in 'Virus and Malware Removal' started by CadDog, May 3, 2012.

  1. CadDog Newcomer, in training Posts: 51

    Looks like this may take a little while...

    ComboFix has been doing Stage_3 for the past 20 minutes...
    The hourglass is popping up so I know it's still working...
    Wow... just moved to Stage_4...
    I best walk away and stop watching...
    I will post again once ComboFix has done its work...

    Thanks
  2. CadDog Newcomer, in training Posts: 51

    OK I'm a little worried...

    It just finished Stage_4...

    How many Stages does ComboFix go through...?

    I'm only asking because at the top of the AutoScan screen
    it states... "that it would typically take 10 minutes but sometimes
    easily double"... 10x2=20 but it is way longer than that at Stage_5...

    :eek:
  3. Broni Malware Annihilator Posts: 39,324   +175

    There are 50 steps.
    Be patient.
  4. CadDog Newcomer, in training Posts: 51

    It just came back and
    it said that it needed to do a big search
    and it may take a while...

    I said OK...

    Here are a few files it listed as attempting to restore:
    >>> beep.sys
    >>> taskmgr.exe
    >>> msgsvc.dll
    >>> agp440.sys
    >>> asyncmac.sys
    >>> comres.dll

    This is where it's at now...

    Boy...!!! I'm sure glad I found this site.
    I wouldn't have been able to do this by myself...

    :)
  5. Broni Malware Annihilator Posts: 39,324   +175

    :)
    Be patient...
  6. CadDog Newcomer, in training Posts: 51

    The laptop just blue screened with this message:
    ==========================
    Technical information:

    *** STOP: 0x0000008E (0xC0000005, 0xA7DDD5A0, 0xB9444A2C, 0x00000000)
    *** aswSnx.SYS - Address A7DDD5A0 base at A7DBD000, DateStamp 4f56a5e5

    I needed to press the off button to continue...

    I Restarted the laptop at 3:14pm

    Stopped avast to let ComboFix continue...

    Here is the ComboFix Report:
    =====================

    ComboFix 12-05-05.06 - CadDog 05/05/2012 11:15:26.3.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3062.2657 [GMT -7:00]
    Running from: f:\! 01 a problem\5 steps\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    Overlay aborted ... Please run ComboFix once more
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\a016mdfl.dll
    c:\windows\system32\ARSVC.dll
    c:\windows\system32\Atmuni.dll
    c:\windows\system32\ghoststartservice.dll
    c:\windows\system32\kbdhid.dll
    c:\windows\system32\logonsvcid.dll
    c:\windows\system32\pivotmou.dll
    c:\windows\system32\s616mdfl.dll
    c:\windows\system32\tifsfilter.dll
    c:\windows\system32\tnidriver.dll
    .
    c:\windows\system32\drivers\beep.sys . . . is infected!!
    .
    c:\windows\system32\taskmgr.exe . . . is infected!!
    .
    c:\windows\system32\msgsvc.dll . . . is infected!!
    .
    c:\windows\system32\vssvc.exe . . . is infected!!
    .
    c:\windows\system32\drivers\AGP440.sys . . . is infected!!
    .
    c:\windows\system32\drivers\asyncmac.sys . . . is infected!!
    .
    c:\windows\system32\comres.dll . . . is infected!!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_AMDK7
    -------\Legacy_MPFIREWL
    -------\Legacy_MSSQL$MSSMLBIZ
    -------\Legacy_OLCAMSRV
    -------\Legacy_OMNIDRV
    -------\Legacy_PRISMXL
    -------\Legacy_SRESCAN
    -------\Legacy_SYMPROXYSVC
    -------\Legacy_TCSD_WIN32.EXE
    -------\Legacy_Z800MGMT
    -------\Service_amdk7
    -------\Service_mpfirewl
    -------\Service_MSSQL$MSSMLBIZ
    -------\Service_olcamsrv
    -------\Service_omnidrv
    -------\Service_prismxl
    -------\Service_srescan
    -------\Service_symproxysvc
    -------\Service_tcsd_win32.exe
    -------\Service_z800mgmt
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-04-05 to 2012-05-05 )))))))))))))))))))))))))))))))
    .
    .
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-05 22:15 . 2011-04-15 03:16 4766 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2012-04-04 22:56 . 2011-09-06 02:10 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-04 20:03 . 2002-09-03 16:27 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-04-01 17:57 . 2012-04-01 17:57 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-04-01 17:57 . 2011-05-16 00:32 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-02-25 22:55 . 2012-02-25 22:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-02-25 22:55 . 2010-04-29 01:27 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-19 22:13 . 2011-02-19 22:13 8768200 ----a-w- c:\program files\Common Files\lpuninstall.exe
    2012-03-27 05:46 . 2011-04-17 15:40 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-17 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
    "Persistence"="c:\windows\System32\igfxpers.exe" [2007-01-14 135168]
    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2007-01-14 131072]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2007-01-14 163840]
    "dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
    "DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
    .
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Install LastPass FF RunOnce.lnk - c:\program files\Common Files\lpuninstall.exe [2011-2-19 8768200]
    Install LastPass IE RunOnce.lnk - c:\program files\Common Files\lpuninstall.exe [2011-2-19 8768200]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2006-5-24 49152]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ultra Hal Text-to-Speech Reader Startup.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Ultra Hal Text-to-Speech Reader Startup.lnk
    backup=c:\windows\pss\Ultra Hal Text-to-Speech Reader Startup.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^CadDog^Start Menu^Programs^Startup^NeoPlanet.lnk]
    path=c:\documents and settings\CadDog\Start Menu\Programs\Startup\NeoPlanet.lnk
    backup=c:\windows\pss\NeoPlanet.lnkStartup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^CadDog^Start Menu^Programs^Startup^Seagate 2GE6D6WE Product Registration.lnk]
    path=c:\documents and settings\CadDog\Start Menu\Programs\Startup\Seagate 2GE6D6WE Product Registration.lnk
    backup=c:\windows\pss\Seagate 2GE6D6WE Product Registration.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
    2010-10-27 09:00 1015808 ----a-w- c:\progra~1\Ares\Ares.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-01-25 23:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
    2012-04-04 22:56 462408 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
    2009-12-18 18:24 197928 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Themes"=2 (0x2)
    "wuauserv"=2 (0x2)
    "SamSs"=2 (0x2)
    "wscsvc"=2 (0x2)
    "Bonjour Service"=2 (0x2)
    "FreeAgentGoNext Service"=2 (0x2)
    "mnmsrvc"=3 (0x3)
    "QuestBrowser Service"=2 (0x2)
    "AresChatServer"=3 (0x3)
    "McShield"=2 (0x2)
    "McNaiAnn"=2 (0x2)
    "mfevtp"=2 (0x2)
    "McAfee SiteAdvisor Service"=2 (0x2)
    "mcmscsvc"=2 (0x2)
    "McODS"=3 (0x3)
    "McProxy"=2 (0x2)
    "McMPFSvc"=2 (0x2)
    "McNASvc"=2 (0x2)
    "mfefire"=2 (0x2)
    "McAWFwk"=3 (0x3)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/4/2012 6:32 PM 612184]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/4/2012 6:32 PM 337880]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/4/2012 6:32 PM 20696]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/26/2010 5:51 PM 654408]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/5/2011 7:10 PM 22344]
    S0 27754183;27754183;c:\windows\system32\drivers\61567167.sys --> c:\windows\system32\drivers\61567167.sys [?]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/1/2012 10:57 AM 253600]
    S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 11:25 AM 189736]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    deventagent
    cusrvc
    BrPar
    amdk8
    btwhid
    dphost
    qbposdbextservices
    avupdsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-05-05 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 17:57]
    .
    2012-05-03 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-04-17 02:26]
    .
    2012-05-05 c:\windows\Tasks\User_Feed_Synchronization-{94AE8699-29C6-4632-8C9D-74C2EAB4B4EE}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 18:58]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.msn.com
    IE: Free YouTube to MP3 Converter - c:\documents and settings\CadDog\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\CadDog\Application Data\Mozilla\Firefox\Profiles\4uvg2s5g.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    .
    .
    **************************************************************************
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files:
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-448539723-1958367476-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1112)
    c:\windows\System32\BCMLogon.dll
    .
    - - - - - - - > 'explorer.exe'(4052)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\savedump.exe
    c:\windows\System32\WLTRYSVC.EXE
    c:\windows\System32\bcmwltry.exe
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\System32\locator.exe
    c:\windows\stsystra.exe
    c:\windows\System32\igfxsrvc.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    c:\windows\system32\dlcccoms.exe
    .
    **************************************************************************
    .
    Completion time: 2012-05-05 15:18:38 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-05-05 22:18
    ComboFix2.txt 2012-05-03 01:23
    ComboFix3.txt 2012-05-03 00:11
    .
    Pre-Run: 46,052,585,472 bytes free
    Post-Run: 46,292,201,472 bytes free
    .
    - - End Of File - - 26A975AA65A986796AE13D1377B9DB4A
     
  7. Broni Malware Annihilator Posts: 39,324   +175

    Combofix reported:
    but let's see if we can use what we have....

    Download OTL to your Desktop.

    Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

    Use the following settings:

    • Click the NONE button
    • Under Custom Scans/Fixes paste:
    Code:
    /md5start
    comres.dll
    asyncmac.sys
    AGP440.sys
    vssvc.exe
    msgsvc.dll
    taskmgr.exe
    beep.sys
    /md5stop
    • Finally hit Run Scan and wait for the log to open.
    • Please post the content of the log into your next reply.

    NOTE.
    Be aware that from what I can see we may be facing Windows reinstallation due to rather serious infection of system files.
  8. CadDog Newcomer, in training Posts: 51

    Sorry...
    Do you want me to run combofix again or OTL...???

    I just want to be sure.

    "NOTE.
    Be aware that from what I can see we may be facing Windows reinstallation due to rather serious infection of system files."

    That may be a problem because I'm not sure where or if I still have my Windows install CD... :(
  9. Broni Malware Annihilator Posts: 39,324   +175

  10. CadDog Newcomer, in training Posts: 51

    OK


    Here is the OTL report:
    ================
    OTL logfile created on: 5/5/2012 3:44:59 PM - Run 1
    OTL by OldTimer - Version 3.2.42.2 Folder = F:\! 01 A Problem\5 steps
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.11)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.99 Gb Total Physical Memory | 2.48 Gb Available Physical Memory | 83.01% Memory free
    4.32 Gb Paging File | 4.00 Gb Available in Paging File | 92.46% Paging File free
    Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 74.53 Gb Total Space | 43.14 Gb Free Space | 57.88% Space Free | Partition Type: NTFS
    Drive F: | 7.63 Gb Total Space | 5.06 Gb Free Space | 66.31% Space Free | Partition Type: FAT32

    Computer Name: DJSYSTEM02 | User Name: CadDog | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

    < End of report >
  11. Broni Malware Annihilator Posts: 39,324   +175

    You didn't paste my script.
  12. CadDog Newcomer, in training Posts: 51

    Oops....
    Sorry... Trying again...

    Here is the new report:
    =================

    OTL logfile created on: 5/5/2012 3:54:18 PM - Run 1
    OTL by OldTimer - Version 3.2.42.2 Folder = F:\! 01 A Problem\5 steps
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.11)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.99 Gb Total Physical Memory | 2.48 Gb Available Physical Memory | 82.97% Memory free
    4.32 Gb Paging File | 3.99 Gb Available in Paging File | 92.36% Paging File free
    Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 74.53 Gb Total Space | 43.14 Gb Free Space | 57.88% Space Free | Partition Type: NTFS
    Drive F: | 7.63 Gb Total Space | 5.06 Gb Free Space | 66.31% Space Free | Partition Type: FAT32

    Computer Name: DJSYSTEM02 | User Name: CadDog | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

    ========== Custom Scans ==========

    < MD5 for: AGP440.SYS >
    [2007/04/11 18:24:54 | 022,245,337 | -H-- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
    [2010/08/01 10:30:19 | 023,852,652 | -H-- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
    [2007/04/11 18:24:54 | 022,245,337 | -H-- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
    [2010/08/01 10:30:19 | 023,852,652 | -H-- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
    [2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
    [2008/04/13 11:36:38 | 000,042,368 | -H-- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
    [2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
    [2004/08/03 23:07:41 | 000,042,368 | -H-- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

    < MD5 for: ASYNCMAC.SYS >
    [2004/08/03 23:05:03 | 000,014,336 | -H-- | M] (Microsoft Corporation) MD5=02000ABF34AF4C218C35D257024807D6 -- C:\WINDOWS\$NtServicePackUninstall$\asyncmac.sys
    [2008/04/13 11:57:27 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=B153AFFAC761E7F5FCFA822B9C4E97BC -- C:\WINDOWS\ERDNT\cache\asyncmac.sys
    [2008/04/13 11:57:27 | 000,014,336 | -H-- | M] (Microsoft Corporation) MD5=B153AFFAC761E7F5FCFA822B9C4E97BC -- C:\WINDOWS\ServicePackFiles\i386\asyncmac.sys
    [2008/04/13 11:57:27 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=B153AFFAC761E7F5FCFA822B9C4E97BC -- C:\WINDOWS\system32\drivers\asyncmac.sys

    < MD5 for: BEEP.SYS >
    [2002/09/03 09:27:56 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\ERDNT\cache\beep.sys
    [2002/09/03 09:27:56 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\system32\dllcache\beep.sys
    [2002/09/03 09:27:56 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\system32\drivers\beep.sys

    < MD5 for: COMRES.DLL >
    [2008/04/13 17:11:51 | 000,792,064 | ---- | M] (Microsoft Corporation) MD5=1280A158C722FA95A80FB7AEBE78FA7D -- C:\WINDOWS\ERDNT\cache\comres.dll
    [2008/04/13 17:11:51 | 000,792,064 | -H-- | M] (Microsoft Corporation) MD5=1280A158C722FA95A80FB7AEBE78FA7D -- C:\WINDOWS\ServicePackFiles\i386\comres.dll
    [2008/04/13 17:11:51 | 000,792,064 | ---- | M] (Microsoft Corporation) MD5=1280A158C722FA95A80FB7AEBE78FA7D -- C:\WINDOWS\system32\comres.dll
    [2004/08/04 00:56:41 | 000,792,064 | -H-- | M] (Microsoft Corporation) MD5=6728270CB7DBB776ED086F5AC4C82310 -- C:\WINDOWS\$NtServicePackUninstall$\comres.dll

    < MD5 for: MSGSVC.DLL >
    [2004/08/04 00:56:43 | 000,033,792 | -H-- | M] (Microsoft Corporation) MD5=95FD808E4AC22ABA025A7B3EAC0375D2 -- C:\WINDOWS\$NtServicePackUninstall$\msgsvc.dll
    [2008/04/13 17:11:59 | 000,033,792 | ---- | M] (Microsoft Corporation) MD5=986B1FF5814366D71E0AC5755C88F2D3 -- C:\WINDOWS\ERDNT\cache\msgsvc.dll
    [2008/04/13 17:11:59 | 000,033,792 | -H-- | M] (Microsoft Corporation) MD5=986B1FF5814366D71E0AC5755C88F2D3 -- C:\WINDOWS\ServicePackFiles\i386\msgsvc.dll
    [2008/04/13 17:11:59 | 000,033,792 | ---- | M] (Microsoft Corporation) MD5=986B1FF5814366D71E0AC5755C88F2D3 -- C:\WINDOWS\system32\msgsvc.dll

    < MD5 for: TASKMGR.EXE >
    [2008/04/13 17:12:37 | 000,135,680 | -H-- | M] (Microsoft Corporation) MD5=2CD1C3506A85B38E2D17E61ADED175C4 -- C:\WINDOWS\ServicePackFiles\i386\taskmgr.exe
    [2008/04/13 17:12:37 | 000,135,680 | -H-- | M] (Microsoft Corporation) MD5=2CD1C3506A85B38E2D17E61ADED175C4 -- C:\WINDOWS\system32\taskmgr.exe
    [2004/08/04 00:56:57 | 000,135,680 | -H-- | M] (Microsoft Corporation) MD5=FC160ACE21C81837692B339D230DD4BE -- C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe

    < MD5 for: VSSVC.EXE >
    [2004/08/04 00:56:57 | 000,289,792 | -H-- | M] (Microsoft Corporation) MD5=3EE00364AE0FD8D604F46CBAF512838A -- C:\WINDOWS\$NtServicePackUninstall$\vssvc.exe
    [2008/04/13 17:12:38 | 000,289,792 | -H-- | M] (Microsoft Corporation) MD5=7A9DB3A67C333BF0BD42E42B8596854B -- C:\WINDOWS\ServicePackFiles\i386\vssvc.exe
    [2008/04/13 17:12:38 | 000,289,792 | -H-- | M] (Microsoft Corporation) MD5=7A9DB3A67C333BF0BD42E42B8596854B -- C:\WINDOWS\system32\vssvc.exe

    < End of report >
  13. Broni Malware Annihilator Posts: 39,324   +175

    All those files indicated by Combofix as infected appear to be legit but they may be infected anyway.

    Re-run Combofix one more time.
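    The script below is an added example, not part of this thread and not OTL's or ComboFix's own code. It parses the "< MD5 for: NAME >" blocks that the /md5start script from post 7 produces and applies the reading Broni gave in post 13: the copy under system32 (or system32\drivers) is the live file; ServicePackFiles\i386, system32\dllcache, ERDNT\cache and Driver Cache are the reference copies Windows keeps; $NtServicePackUninstall$ holds the pre-service-pack version, so its different hash is expected rather than a sign of tampering. The AGP440.SYS and BEEP.SYS input lines are copied from the log in post 12; the SAMPLE.DLL block is constructed to exercise the mismatch path and its hashes are placeholders. The location rules and the "empty company name" signal are my assumptions about how to read the log, not OTL's own logic.

```python
"""Check OTL /md5start output: does the live system file hash match the cached copies?"""
import re
from collections import defaultdict

# Sample input. AGP440.SYS and BEEP.SYS lines are copied from the OTL log posted in
# this thread; the SAMPLE.DLL block is constructed (placeholder hashes) to show a mismatch.
SAMPLE_LOG = r"""
< MD5 for: AGP440.SYS >
[2007/04/11 18:24:54 | 022,245,337 | -H-- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | -H-- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 23:07:41 | 000,042,368 | -H-- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: BEEP.SYS >
[2002/09/03 09:27:56 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\ERDNT\cache\beep.sys
[2002/09/03 09:27:56 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\system32\dllcache\beep.sys
[2002/09/03 09:27:56 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\system32\drivers\beep.sys

< MD5 for: SAMPLE.DLL >
[2008/04/13 17:11:51 | 000,010,240 | -H-- | M] (Microsoft Corporation) MD5=00000000000000000000000000000000 -- C:\WINDOWS\ServicePackFiles\i386\sample.dll
[2008/04/13 17:11:51 | 000,010,240 | ---- | M] () MD5=11111111111111111111111111111111 -- C:\WINDOWS\system32\sample.dll
"""

HEADER_RE = re.compile(r"^<\s*MD5 for:\s*(?P<name>\S+)\s*>$")
# One hashed entry: [mtime | size | attrs | M] (company) MD5=... -- path
# Lines for .cab members carry no MD5 and therefore do not match.
ENTRY_RE = re.compile(
    r"^\[(?P<mtime>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+)$"
)


def classify(path):
    """Map a path from the log to the role that copy plays (assumed location rules)."""
    p = path.lower()
    if "\\$ntservicepackuninstall$\\" in p:
        return "pre_sp"      # pre-service-pack version kept for rollback; expected to differ
    if any(k in p for k in ("\\servicepackfiles\\", "\\dllcache\\", "\\erdnt\\", "\\driver cache\\")):
        return "reference"   # copies Windows keeps for file protection and restore
    if "\\system32\\" in p:
        return "live"        # the copy actually loaded
    return "other"


def parse_md5_section(text):
    """Return {NAME: [(role, md5, size, company, path), ...]} for every '< MD5 for: >' block."""
    entries = defaultdict(list)
    name = None
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            name = h.group("name").upper()
            entries.setdefault(name, [])
            continue
        e = ENTRY_RE.match(line)
        if e and name:
            entries[name].append((classify(e.group("path")), e.group("md5").upper(),
                                  int(e.group("size").replace(",", "")),
                                  e.group("company"), e.group("path")))
    return dict(entries)


def assess(entries):
    """Compare the live copy of each file with its reference copies."""
    report = {}
    for name, rows in entries.items():
        live = {md5 for role, md5, *_ in rows if role == "live"}
        ref = {md5 for role, md5, *_ in rows if role == "reference"}
        pre = {md5 for role, md5, *_ in rows if role == "pre_sp"}
        # A live copy with no company name in its version info is worth a second look.
        no_company = [p for role, _, _, company, p in rows if role == "live" and not company]
        if not live:
            verdict = "no-live-copy"
        elif not ref:
            verdict = "no-reference"
        elif live <= ref and len(ref) == 1:
            verdict = "consistent"   # live copy equals the single reference hash
        else:
            verdict = "MISMATCH"     # live copy differs from, or references disagree with, each other
        report[name] = {"verdict": verdict, "live": live, "reference": ref,
                        "pre_sp": pre, "no_company": no_company}
    return report


def assess_log(text):
    return assess(parse_md5_section(text))


if __name__ == "__main__":
    for name, r in sorted(assess_log(SAMPLE_LOG).items()):
        print(f"{name:12} {r['verdict']:12} live={sorted(r['live'])} "
              f"ref={sorted(r['reference'])} pre_sp={sorted(r['pre_sp'])}")
```

    A "consistent" verdict means the bytes the file system returned for the live copy equal the service-pack copies, which is all that the OTL check can establish. It does not by itself settle ComboFix's "is infected" verdict: a kernel-mode driver that hooks file reads can hand clean bytes to a user-mode scanner, and the reference copies are ordinary files that can be replaced too, which is why the next step in the thread is still another ComboFix run.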
  14. CadDog Newcomer, in training Posts: 51

    OK...
    Here it goes again...

    @#@$@#$ McAfee is still around...

    OK --- OK --- OK
    Rootkit detected
    OK. ---
    Need to reboot because of Rootkit activities.
    OK---
    ComboFix Running Now....

    This may be a few hours again...
    I will post as soon as I get the final report...

    Thanks for all your help so far... :)
  15. Broni Malware Annihilator Posts: 39,324   +175

    You're welcome :)
  16. CadDog Newcomer, in training Posts: 51

    OK this time the blue screen notes this:

    *** STOP 0x000000c2 (0x000000007,0x00000cd4,0x04050202,0ce1af4120)

    Power OFF and Power back ON after a minute...

    Avast came back on after the reboot and stopped ComboFix...

    Should I re-start ComboFix...?
  17. Broni Malware Annihilator Posts: 39,324   +175

    Run Combofix from safe mode.
  18. CadDog Newcomer, in training Posts: 51

    I disabled Avast totally for now...

    and I will go to safe mode...
  19. CadDog Newcomer, in training Posts: 51

    OK here is what happened when I used Safe Mode...

    Again the laptop needed to reboot because of the rootkit and
    when it came back it went right into normal mode...

    ComboFix continued to work its magic and finally I have a report to post:

    Here it is
    =========

    ComboFix 12-05-05.06 - CadDog 05/05/2012 18:51:20.5.2 - x86
    Running from: f:\! 01 a problem\5 steps\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\TEMP
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-04-06 to 2012-05-06 )))))))))))))))))))))))))))))))
    .
    .
    2012-05-05 01:32 . 2012-03-06 23:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-05-05 01:32 . 2012-03-06 23:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-05-05 01:32 . 2012-03-06 23:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-05-05 01:32 . 2012-03-06 23:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-05-05 01:32 . 2012-03-06 23:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-05-05 01:32 . 2012-03-06 23:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2012-05-05 01:32 . 2012-03-06 23:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2012-05-05 01:32 . 2012-03-06 22:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2012-05-05 01:32 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
    2012-05-05 01:32 . 2012-03-06 23:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
    2012-05-05 01:31 . 2012-05-05 01:31 -------- d-----w- c:\program files\AVAST Software
    2012-05-05 01:31 . 2012-05-05 01:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2012-05-04 00:00 . 2012-05-05 17:20 -------- d-----w- c:\windows\system32\NtmsData
    2012-05-03 23:48 . 2012-05-06 01:50 -------- d-----w- c:\windows\system32\CatRoot2
    2012-05-02 01:15 . 2012-05-02 01:15 -------- d-----w- c:\program files\My Company Name
    2012-05-02 00:49 . 2012-05-02 00:49 -------- d-----w- c:\documents and settings\CadDog\Local Settings\Application Data\Toshiba
    2012-05-02 00:47 . 2012-05-02 00:47 -------- d-----w- c:\documents and settings\CadDog\Application Data\TOSHIBA
    2012-05-02 00:46 . 2007-04-23 23:39 113920 ----a-w- c:\windows\system32\drivers\tosrfbd.sys
    2012-05-02 00:46 . 2007-04-11 03:29 41856 ----a-w- c:\windows\system32\drivers\tosrfusb.sys
    2012-05-02 00:46 . 2006-10-05 23:07 73600 ----a-w- c:\windows\system32\drivers\Tosrfhid.sys
    2012-05-02 00:46 . 2006-11-21 00:55 36480 ----a-w- c:\windows\system32\drivers\tosrfbnp.sys
    2012-05-02 00:46 . 2005-01-06 20:42 18612 ----a-w- c:\windows\system32\drivers\tosrfnds.sys
    2012-05-02 00:46 . 2006-10-11 02:33 41600 ----a-w- c:\windows\system32\drivers\tosporte.sys
    2012-05-02 00:46 . 2005-08-01 23:45 64896 ----a-w- c:\windows\system32\drivers\tosrfcom.sys
    2012-05-02 00:46 . 2012-05-02 00:46 -------- d-----w- c:\program files\Toshiba
    2012-05-02 00:44 . 2007-01-16 17:22 31744 ----a-w- c:\windows\system32\drivers\csrbcxp.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-06 01:55 . 2011-04-15 03:16 4766 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2012-04-04 22:56 . 2011-09-06 02:10 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-04 20:03 . 2002-09-03 16:27 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-04-01 17:57 . 2012-04-01 17:57 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-04-01 17:57 . 2011-05-16 00:32 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-02-25 22:55 . 2012-02-25 22:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-02-25 22:55 . 2010-04-29 01:27 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-19 22:13 . 2011-02-19 22:13 8768200 ----a-w- c:\program files\Common Files\lpuninstall.exe
    2012-03-27 05:46 . 2011-04-17 15:40 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-05-03_00.07.29 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-07-12 07:02 . 2009-07-12 07:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
    + 2009-07-12 07:02 . 2009-07-12 07:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
    + 2009-07-12 07:02 . 2009-07-12 07:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
    + 2009-07-12 07:02 . 2009-07-12 07:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
    + 2009-07-12 07:02 . 2009-07-12 07:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
    + 2009-07-12 07:02 . 2009-07-12 07:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
    + 2009-07-12 07:02 . 2009-07-12 07:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
    + 2009-07-12 07:02 . 2009-07-12 07:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
    + 2009-07-12 07:02 . 2009-07-12 07:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
    + 2009-07-12 07:02 . 2009-07-12 07:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
    + 2009-07-12 07:02 . 2009-07-12 07:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
    + 2009-07-12 07:02 . 2009-07-12 07:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
    + 2009-07-12 07:05 . 2009-07-12 07:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
    + 2009-07-12 07:05 . 2009-07-12 07:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
    + 2012-05-06 01:50 . 2012-05-06 01:50 16384 c:\windows\Temp\Perflib_Perfdata_758.dat
    + 2007-04-12 00:29 . 2008-04-14 00:12 18944 c:\windows\system32\dllcache\qmgrprxy.dll
    + 2010-08-01 17:14 . 2008-04-14 00:11 7168 c:\windows\system32\dllcache\bitsprx4.dll
    + 2007-04-12 00:29 . 2008-04-14 00:11 7168 c:\windows\system32\dllcache\bitsprx3.dll
    + 2007-04-12 00:29 . 2008-04-14 00:11 8192 c:\windows\system32\dllcache\bitsprx2.dll
    + 2009-07-12 07:02 . 2009-07-12 07:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
    + 2009-07-12 07:02 . 2009-07-12 07:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
    + 2009-07-12 07:05 . 2009-07-12 07:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
    + 2007-04-09 22:19 . 2012-05-03 23:59 224024 c:\windows\system32\FNTCACHE.DAT
    - 2007-04-09 22:19 . 2012-03-23 20:18 224024 c:\windows\system32\FNTCACHE.DAT
    + 2012-05-05 01:32 . 2012-05-05 01:32 219648 c:\windows\Installer\477eb1.msi
    + 2009-07-12 07:02 . 2009-07-12 07:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
    + 2009-07-12 07:02 . 2009-07-12 07:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-03-06 23:15123536----a-w-c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-17 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
    "Persistence"="c:\windows\System32\igfxpers.exe" [2007-01-14 135168]
    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2007-01-14 131072]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2007-01-14 163840]
    "dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
    "DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
    .
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Install LastPass FF RunOnce.lnk - c:\program files\Common Files\lpuninstall.exe [2011-2-19 8768200]
    Install LastPass IE RunOnce.lnk - c:\program files\Common Files\lpuninstall.exe [2011-2-19 8768200]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2006-5-24 49152]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ultra Hal Text-to-Speech Reader Startup.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Ultra Hal Text-to-Speech Reader Startup.lnk
    backup=c:\windows\pss\Ultra Hal Text-to-Speech Reader Startup.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^CadDog^Start Menu^Programs^Startup^NeoPlanet.lnk]
    path=c:\documents and settings\CadDog\Start Menu\Programs\Startup\NeoPlanet.lnk
    backup=c:\windows\pss\NeoPlanet.lnkStartup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^CadDog^Start Menu^Programs^Startup^Seagate 2GE6D6WE Product Registration.lnk]
    path=c:\documents and settings\CadDog\Start Menu\Programs\Startup\Seagate 2GE6D6WE Product Registration.lnk
    backup=c:\windows\pss\Seagate 2GE6D6WE Product Registration.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
    2010-10-27 09:001015808----a-w-c:\progra~1\Ares\Ares.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-01-25 23:08421160----a-w-c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
    2012-04-04 22:56462408----a-w-c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
    2009-12-18 18:24197928----a-w-c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Themes"=2 (0x2)
    "wuauserv"=2 (0x2)
    "SamSs"=2 (0x2)
    "wscsvc"=2 (0x2)
    "Bonjour Service"=2 (0x2)
    "FreeAgentGoNext Service"=2 (0x2)
    "mnmsrvc"=3 (0x3)
    "QuestBrowser Service"=2 (0x2)
    "AresChatServer"=3 (0x3)
    "McShield"=2 (0x2)
    "McNaiAnn"=2 (0x2)
    "mfevtp"=2 (0x2)
    "McAfee SiteAdvisor Service"=2 (0x2)
    "mcmscsvc"=2 (0x2)
    "McODS"=3 (0x3)
    "McProxy"=2 (0x2)
    "McMPFSvc"=2 (0x2)
    "McNASvc"=2 (0x2)
    "mfefire"=2 (0x2)
    "McAWFwk"=3 (0x3)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/4/2012 6:32 PM 612184]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/4/2012 6:32 PM 337880]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/4/2012 6:32 PM 20696]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/26/2010 5:51 PM 654408]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/5/2011 7:10 PM 22344]
    S0 27754183;27754183;c:\windows\system32\drivers\61567167.sys --> c:\windows\system32\drivers\61567167.sys [?]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/1/2012 10:57 AM 253600]
    S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 11:25 AM 189736]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    deventagent
    cusrvc
    BrPar
    amdk8
    btwhid
    dphost
    qbposdbextservices
    avupdsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-05-05 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 17:57]
    .
    2012-05-03 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-04-17 02:26]
    .
    2012-05-06 c:\windows\Tasks\User_Feed_Synchronization-{94AE8699-29C6-4632-8C9D-74C2EAB4B4EE}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 18:58]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.msn.com
    IE: Free YouTube to MP3 Converter - c:\documents and settings\CadDog\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7dpr75s8.default\
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-05-05 18:57
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-448539723-1958367476-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1104)
    c:\windows\System32\BCMLogon.dll
    .
    Completion time: 2012-05-05 18:59:15
    ComboFix-quarantined-files.txt 2012-05-06 01:59
    ComboFix2.txt 2012-05-05 22:18
    ComboFix3.txt 2012-05-03 01:23
    ComboFix4.txt 2012-05-03 00:11
    .
    Pre-Run: 46,308,421,632 bytes free
    Post-Run: 46,243,753,984 bytes free
    .
    - - End Of File - - 53FD38939B6D0CA423C87E79ABA9882D

    I hope this tells you all you need to know...

    ;)
  20. Broni Malware Annihilator Posts: 39,324   +175

    Combofix log looks good.

    Still no connection?

    If so, post a new FSS log.