Solved Rootkit on Acer laptop

Status
Not open for further replies.

Ksyrium

Posts: 10   +0
I have this wonderful rootkit on my wife's laptop, an old Acer Travelmate 4220. Unfortunately, ESET missed the insertion. I can pull up the homepage but as soon as I search or nav off it to another page I get ESET blocking 213.163.68.106:80 or 78.47.248.117:80. And, I do see other people here with similar symptoms. After a fresh boot, laptop hops along but in about 3-4 minutes it's lagging behind as to be unusable.

Before I came here, I tried MBAM and SAS. Both found infections but were ineffective in removing this one (or it could be more). I've attached a HJT log and a GMER log so as to maybe get a head start. Now the GMER log is a couple of days old. I had diffculty running all the way through until I disabled ESET's real-time security module.

I'll have to use a thumb drive to bring files/logs back and forth. I promise to stay fully engaged while we work through this.
 

Attachments

  • hijackthis_Jul20-8am.log
    6.8 KB · Views: 1
  • gmerlog.log
    3.8 KB · Views: 5
  • DDSlogJul18.txt
    8.3 KB · Views: 1
  • AttachJlu18.txt
    15.2 KB · Views: 1
  • mbam-log-2010-07-18 (16-32-33).txt
    2.8 KB · Views: 3
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
ComboFix Log #1

Hello - ComboFix ran through. It went like so:
Disabled ESET.
Placed CF on the Desktop.
Launched it.
Created Recovery Console.
Processing....Declared root kit activity present: Rebooted
Came back up with only wallpaper showing - DOS box...
Stepped through multi-step process.
Rebooted.
Came back up with full desktop and ESET enabled (I worried about that but I guess as it's just producing a log file...)
Produced log file below.

Should I have tested the computer/browser? I held off because I wasn't sure. I'm ready for the next step.

ComboFix 10-07-20.03 - TanteC 07/21/2010 6:28.1.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.180 [GMT -4:00]
Running from: c:\documents and settings\TanteC\Desktop\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\Winlogon
c:\windows\system32\winlogon.exe.exe
c:\windows\system32\wpcap.dll

Infected copy of c:\windows\system32\drivers\adpu160m.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\drivers\adpu160m.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\drivers\adpu160m.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\drivers\adpu160m.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2010-06-21 to 2010-07-21 )))))))))))))))))))))))))))))))
.

2010-07-18 20:33 . 2010-07-18 20:33 54016 ----a-w- c:\windows\system32\drivers\kscitar.sys
2010-07-18 19:30 . 2010-07-18 19:30 -------- d-----w- C:\FOUND.004
2010-07-18 17:42 . 2010-07-18 17:42 -------- d-----w- C:\The Fix
2010-07-17 23:56 . 2005-10-18 17:33 581632 --sha-r- c:\documents and settings\TanteC\plugin.dat
2010-07-17 23:05 . 2010-07-17 23:05 -------- d-----w- c:\documents and settings\TanteC\Application Data\SUPERAntiSpyware.com
2010-07-17 23:05 . 2010-07-17 23:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-17 23:05 . 2010-07-17 23:05 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-16 12:41 . 2010-07-16 12:41 -------- d-----w- C:\FOUND.003
2010-07-16 12:35 . 2010-07-16 12:35 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2010-07-16 12:04 . 2010-07-16 12:04 -------- d-----w- C:\FOUND.002
2010-07-16 07:52 . 2010-07-16 07:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-15 01:13 . 2010-07-15 01:13 101888 ----a-w- c:\windows\system32\drivers\mtstjzvw.sys
2010-07-15 01:13 . 2010-07-15 01:13 -------- d-----w- c:\documents and settings\TanteC\Local Settings\Application Data\ESET
2010-07-15 00:02 . 2010-07-15 00:02 -------- d-----w- c:\windows\system32\MpEngineStore
2010-07-14 23:34 . 2010-07-20 11:47 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-14 13:07 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-23 12:06 . 2010-06-23 12:06 -------- d-----w- c:\documents and settings\TanteC\Local Settings\Application Data\PCHealth
2010-06-23 11:42 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-17 23:06 . 2010-07-17 23:06 63488 ----a-w- c:\documents and settings\TanteC\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-17 23:06 . 2010-07-17 23:06 52224 ----a-w- c:\documents and settings\TanteC\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-17 23:06 . 2010-07-17 23:06 117760 ----a-w- c:\documents and settings\TanteC\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-16 12:45 . 2010-07-17 21:11 170932 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-06-14 14:31 . 2004-08-04 09:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
2010-06-02 21:08 . 2010-06-02 21:08 503808 ----a-w- c:\documents and settings\TanteC\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-262f432a-n\msvcp71.dll
2010-06-02 21:08 . 2010-06-02 21:08 499712 ----a-w- c:\documents and settings\TanteC\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-262f432a-n\jmc.dll
2010-06-02 21:08 . 2010-06-02 21:08 348160 ----a-w- c:\documents and settings\TanteC\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-262f432a-n\msvcr71.dll
2010-06-02 21:08 . 2010-06-02 21:08 61440 ----a-w- c:\documents and settings\TanteC\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-23b67878-n\decora-sse.dll
2010-06-02 21:08 . 2010-06-02 21:08 12800 ----a-w- c:\documents and settings\TanteC\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-23b67878-n\decora-d3d.dll
2010-05-06 10:41 . 2006-01-09 15:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-04 09:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:39 . 2010-01-18 12:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-01-18 12:44 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-16 88204]
"RTHDCPL"="RTHDCPL.EXE" [2006-02-27 16005120]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-25 53248]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-08 102491]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-08 692315]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-04-04 421888]
"Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-16 579584]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-04-28 401408]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-04-27 2029640]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetStats.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NetStats.lnk
backup=c:\windows\pss\NetStats.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer ePresentation HPD]
2006-03-31 20:39 204800 ----a-w- c:\acer\Empowering Technology\ePresentation\ePresentation.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-04-16 01:47 136176 ----a-w- c:\documents and settings\TanteC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ImageItEncrypt]
2005-12-30 18:02 40960 ----a-w- c:\windows\system32\ImageItEncrypt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2010-04-29 19:39 437584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2009-07-17 15:12 288080 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Toolbar]
2009-12-09 01:29 240992 ----a-w- c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 09:00 455168 ------w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 09:00 455168 ------w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-03 00:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-07-17 23:08 2403568 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-12-21 04:45 39424 ----a-w- c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [4/27/2009 1:22 AM 107256]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [4/27/2009 1:22 AM 731840]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/18/2010 8:45 AM 38224]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [4/6/2010 11:14 PM 27064]
.
Contents of the 'Scheduled Tasks' folder

2010-07-21 c:\windows\Tasks\User_Feed_Synchronization-{B3204F40-EC3C-42EF-8F5D-694C6701E687}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]

2010-07-15 c:\windows\Tasks\Malwarebytes' Scheduled Update for Administrator.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-01-18 19:39]

2010-07-21 c:\windows\Tasks\User_Feed_Synchronization-{EBA9C105-6592-4C4E-964F-4CC442A667D6}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]

2010-07-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4213325216-2343158164-1464277813-1007Core1cb0cda97c5a08a.job
- c:\documents and settings\TanteC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-16 01:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Cerberus - c:\windows\system32\winlogon.exe.exe
MSConfigStartUp-HKLM - c:\windows\system32\winlogon\winlogon.exe
ActiveSetup-{36K3DTB1-2174-737D-68CD-NY6P1SU1JT60} - c:\windows\system32\winlogon\winlogon.exe
ActiveSetup-{AV0EQ4R6-Y588-N4Q6-SC63-Y6P21MLT75B6} - Restart



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-21 06:37
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1084)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\documents and settings\TanteC\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\TanteC\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\documents and settings\TanteC\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(148)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\acer\Empowering Technology\ePower\SysHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\AGRSMMSG.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\DllHost.exe
.
**************************************************************************
.
Completion time: 2010-07-21 06:43:12 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-21 10:43

Pre-Run: 29,175,054,336 bytes free
Post-Run: 29,148,741,632 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 157671BBC8FE688054DE78E51AC772E0


Thank you very much for this help!
 
You're welcome :)

Please, delete your GMER file, download fresh one and post new log.

Next...

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\drivers\kscitar.sys
c:\windows\system32\drivers\mtstjzvw.sys


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
Hi Broni - I'm in a bit of a pickle now.
GMER ran. Log gen'd.
But I then launched ComboFix by dragging/dropping the script. CF loaded and wanted to update. I said OK. Update went to 100% then stalled. I left it showing 100% for a good 20-30 minutes. Pulled up Task Mgr. CSRSS.exe was gobbling up 97-99% of CPU time. You can't kill CSRSS.exe - it's a critical Windows process. Tried rebooting gracefully - system unresponsive. I'd already dismissed Task Mgr - it would not relaunch. My only option was a hardware reset. Powered up - Chkdsk ran clean. Desktop shows up after log in but it's unresponsive. It's on the hour-glass down on the task bar.

Shall I try CF in safe mode? I know that's not ideal but that's the only way I know to try to move off the two offending files.

Suggestions?

H
 
Good News!!!

Hi again, Broni. Good news! I hope...

I woke up this morning and decided to re-try CF. Well, for whatever reason, it went through as expected! Now, I have to admit, I failed to disable ESET and CF put up its warning against having the real time scanner in op. I went to the systray to disable ESET and its customary icon was missing/gone. I opened Task Mgr and the only thing running there was EKERN.exe which is ESET's core process. So not finding it evident, I went ahead.

Two logs below are a new GMER from last night and the recent (as of a few minutes ago) CF logs. I wondered if I should try to re-boot and use? But I won't until told to do so because I don't have the ability to analyze the logs in depth (though I can sort of see what they did...)




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-21 22:57:55
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\TanteC\LOCALS~1\Temp\ugtdipow.sys


---- System - GMER 1.0.15 ----

SSDT 8202F580 ZwAssignProcessToJobObject
SSDT 82030100 ZwDebugActiveProcess
SSDT 8202FB30 ZwDuplicateObject
SSDT 8202ECC0 ZwOpenProcess
SSDT 8202EFC0 ZwOpenThread
SSDT 8202F9C0 ZwProtectVirtualMemory
SSDT 8202F860 ZwSetContextThread
SSDT 8202F6E0 ZwSetInformationThread
SSDT 8202C700 ZwSetSecurityObject
SSDT 8202F420 ZwSuspendProcess
SSDT 8202F2C0 ZwSuspendThread
SSDT 8202EE50 ZwTerminateProcess
SSDT 8202F150 ZwTerminateThread
SSDT 8202FF50 ZwWriteVirtualMemory

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1940] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- EOF - GMER 1.0.15 ----



ComboFix 10-07-20.03 - TanteC 07/22/2010 7:06.2.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.207 [GMT -4:00]
Running from: c:\documents and settings\TanteC\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\TanteC\Desktop\CFScript.txt
AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active


FILE ::
"c:\windows\system32\drivers\kscitar.sys"
"c:\windows\system32\drivers\mtstjzvw.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\kscitar.sys
c:\windows\system32\drivers\mtstjzvw.sys

.
((((((((((((((((((((((((( Files Created from 2010-06-22 to 2010-07-22 )))))))))))))))))))))))))))))))
.

2010-07-18 19:30 . 2010-07-18 19:30 -------- d-----w- C:\FOUND.004
2010-07-18 17:42 . 2010-07-18 17:42 -------- d-----w- C:\The Fix
2010-07-17 23:56 . 2005-10-18 17:33 581632 --sha-r- c:\documents and settings\TanteC\plugin.dat
2010-07-17 23:06 . 2010-07-17 23:06 63488 ----a-w- c:\documents and settings\TanteC\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-17 23:06 . 2010-07-17 23:06 52224 ----a-w- c:\documents and settings\TanteC\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-17 23:06 . 2010-07-17 23:06 117760 ----a-w- c:\documents and settings\TanteC\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-17 23:05 . 2010-07-17 23:05 -------- d-----w- c:\documents and settings\TanteC\Application Data\SUPERAntiSpyware.com
2010-07-17 23:05 . 2010-07-17 23:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-17 23:05 . 2010-07-17 23:05 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-16 12:41 . 2010-07-16 12:41 -------- d-----w- C:\FOUND.003
2010-07-16 12:35 . 2010-07-16 12:35 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2010-07-16 12:04 . 2010-07-16 12:04 -------- d-----w- C:\FOUND.002
2010-07-16 07:52 . 2010-07-16 07:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-15 01:13 . 2010-07-15 01:13 -------- d-----w- c:\documents and settings\TanteC\Local Settings\Application Data\ESET
2010-07-15 00:02 . 2010-07-15 00:02 -------- d-----w- c:\windows\system32\MpEngineStore
2010-07-14 23:34 . 2010-07-20 11:47 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-14 13:07 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-23 12:06 . 2010-06-23 12:06 -------- d-----w- c:\documents and settings\TanteC\Local Settings\Application Data\PCHealth
2010-06-23 11:42 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-16 12:45 . 2010-07-17 21:11 170932 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-06-14 14:31 . 2004-08-04 09:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
2010-06-02 21:08 . 2010-06-02 21:08 503808 ----a-w- c:\documents and settings\TanteC\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-262f432a-n\msvcp71.dll
2010-06-02 21:08 . 2010-06-02 21:08 499712 ----a-w- c:\documents and settings\TanteC\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-262f432a-n\jmc.dll
2010-06-02 21:08 . 2010-06-02 21:08 348160 ----a-w- c:\documents and settings\TanteC\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-262f432a-n\msvcr71.dll
2010-06-02 21:08 . 2010-06-02 21:08 61440 ----a-w- c:\documents and settings\TanteC\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-23b67878-n\decora-sse.dll
2010-06-02 21:08 . 2010-06-02 21:08 12800 ----a-w- c:\documents and settings\TanteC\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-23b67878-n\decora-d3d.dll
2010-05-06 10:41 . 2006-01-09 15:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-04 09:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:39 . 2010-01-18 12:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-01-18 12:44 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-16 88204]
"RTHDCPL"="RTHDCPL.EXE" [2006-02-27 16005120]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-25 53248]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-08 102491]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-08 692315]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-04-04 421888]
"Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-16 579584]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-04-28 401408]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-04-27 2029640]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetStats.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NetStats.lnk
backup=c:\windows\pss\NetStats.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer ePresentation HPD]
2006-03-31 20:39 204800 ----a-w- c:\acer\Empowering Technology\ePresentation\ePresentation.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-04-16 01:47 136176 ----a-w- c:\documents and settings\TanteC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ImageItEncrypt]
2005-12-30 18:02 40960 ----a-w- c:\windows\system32\ImageItEncrypt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2010-04-29 19:39 437584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2009-07-17 15:12 288080 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Toolbar]
2009-12-09 01:29 240992 ----a-w- c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 09:00 455168 ------w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 09:00 455168 ------w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-03 00:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-07-17 23:08 2403568 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-12-21 04:45 39424 ----a-w- c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [4/27/2009 1:22 AM 107256]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [4/27/2009 1:22 AM 731840]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/18/2010 8:45 AM 38224]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [4/6/2010 11:14 PM 27064]
.
Contents of the 'Scheduled Tasks' folder

2010-07-22 c:\windows\Tasks\User_Feed_Synchronization-{B3204F40-EC3C-42EF-8F5D-694C6701E687}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]

2010-07-21 c:\windows\Tasks\Malwarebytes' Scheduled Update for Administrator.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-01-18 19:39]

2010-07-22 c:\windows\Tasks\User_Feed_Synchronization-{EBA9C105-6592-4C4E-964F-4CC442A667D6}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]

2010-07-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4213325216-2343158164-1464277813-1007Core1cb0cda97c5a08a.job
- c:\documents and settings\TanteC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-16 01:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-22 07:12
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1084)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\documents and settings\TanteC\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\TanteC\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\documents and settings\TanteC\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-07-22 07:14:11
ComboFix-quarantined-files.txt 2010-07-22 11:14
ComboFix2.txt 2010-07-21 10:43

Pre-Run: 29,045,063,680 bytes free
Post-Run: 29,029,269,504 bytes free

- - End Of File - - 1EE0DFC42E57A0A8D7E2A319EF137B98


I'm standing by...

H
 
Excellent :)
It looks like Combofix needed good night sleep...LOL

How is your computer doing at the moment?

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

======================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Answer and logs

Good evening Broni.

Conbofix - uninstalled with no hits, no runs, no errors....

How's the computer working? Real good now. Launch Google, search and I don't get a redirect. Tried several different websites and clicked on a few links each to see the reaction. Just as expected. Works. Grabbed off some of wife's email in OE. Worked fine.

Before we declare victory, here are the OTL logs as file attachments.
Note: I've exceeded the per-post character threshold on this forum.

Incidentally, I reviewed the Event Viewer finding that my recent latest reboot only presents the error related to Remote Access Connection Manager even though the Extras.txt shows many more errors at 7PM. The only one showing up now in Event Viewer is RACM. The several others have resolved probably because CF was interferring with them as part of it's curing process. I went ahead and disabled RACM since I don't use any RC and wanted to clean up the error. And, I went back through several weeks of logs noting RACM was erroring out even before this event. I checked the dependencies - no problem killing RACM.

Tell me what's next. And I'm standing by.
 

Attachments

  • OTL.Txt
    71.4 KB · Views: 1
  • Extras.Txt
    37.3 KB · Views: 1
Getting another 512MB of RAM would be a nice addition.

=======================================================================

Update your Java version here: http://www.java.com/en/download/installed.jsp
During installation, make sure to UN-check any pre-checked extra "garbage" installation, like Yahoo toolbar, or others (if offered).
Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista/7).

=======================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    DRV - File not found [Kernel | On_Demand | Running] -- C:\DOCUME~1\TanteC\LOCALS~1\Temp\catchme.sys -- (catchme)
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
    [2010/07/22 22:48:32 | 000,000,000 | --SD | C] -- C:\ComboFix
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
Stepping through...

OK Broni -

I've accomplished the latest and posted the logs. Java has the latest V6_Update21. FYI, I found system restore disabled and a reboot reinstituted it. I'mcurious about the registry keys you last addressed. Were they remnants of the infection or were they just for general clean up purposes?

Two logs attached. Again I've exceeded the forum's character threshold.

Laptop is now running fine. I'd stick some more RAM in it but look at how ancient this one is? Wife just uses it to browse and do a small amount of email. She's not complained about performance.

Awaiting final clearance....

H
 

Attachments

  • 07232010_071029.log
    7.3 KB · Views: 0
  • OTLpostfix.Txt
    72.9 KB · Views: 0
I'mcurious about the registry keys you last addressed.
Are you talking about O3 entries from OTL fix?

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
    [*] Archives
    [*] Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 
Kaspersky not available

Broni --
I've run TFE. Results OK.

However, the Kaspersky Online Scanner seems to be offline at this moment. It was updating the signatures for quite a while and at about 80%, it halted and the web page announced that the update had failed and with another message that the "key had expired". I reloaded and got the same message 4 different times. On their main page, it seems to say the the Online Virus Scanner is now being updated. I can go no further at this juncture. I've tried this on my second computer and get the exact same message. So, they must be in the midst of an overhaul.

Should we try something else?

H
 
Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • IMOPRTANT! UN-check Remove found threats
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Push Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
 
Hi Broni -

Note: I did have problems with the ESET online scan too! It kept asking if I was behind a proxy. So, I went in to the onboard ESET setup and manually entered ESET.com as an allowed address. Came back and retried - Bingo!

No threats or infections found! Log is clean.

Next?

H
 
OTL Clean-Up
Clean up with OTL:

* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

=====================================================================

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure, Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please, let me know, how is your computer doing.
 
All done! But two questions more, please!

Laptop is running "aces". No redirects, nice and peppy. Email now flowing. Wife is very happy and appreciative. Did this infection have any sort of name, like Trojan Vundo or Hackdoor as examples?

(1) Back to a previous question: We removed the 03 entries (CLSID) several posts ago. Were those bad guys or just a part of a general tidy-up?

You've recommended Spyware Blaster (SWB) and I see it's primarily targetted at locking down the browser. We're on IE8, the article is dated 2004 and I'm guessing the staff realizes the apparent age of the informaion. And, I already have what I consider to be pretty heavy duty AV/AntiMalware suite in ESET SS. But I know what you're going say: something got by it (you're right, it did) and I'm more than curious about that. I also know and have read that running two AV/AntiMalware suites is a no-no. But...

(2) With all of the above in consideration: Does Spyware Blaster play nice with the rest of the AV/AntiMalware programs out there? More specifically, is it advisable to run both ESET and SWB concurrent. If so, then I've got 3 other computers to get squared away on. Again, I understand - an ounce of prevention is worth a pound of cure. Agree? And I guess the real question is: Does SWB constitute an "anti-virus/anti-malware" program in the context that others have written about.

Actually, that's three questions, isn't it?

OK? We're set I think exept for the above "loose ends".

Did I say "thank you"? If I didn't, I should and will!!!

H
 
I'm glad to hear good news :)

1. Those O3 entries were just dead garbage.
Did this infection have any sort of name, like Trojan Vundo or Hackdoor as examples?
Yes.
Personally, I don't use any real time antimalware program. I occasionally scan with MBAM.
SpywareBlaster is still a very good program. It's downside is, that the free version doesn't update itself automatically. If I had to pay for something, I'd buy MBAM.
There is another good free program, which actually provides real time protection, SpywareGuard: http://www.javacoolsoftware.com/spywareguard.html

2. In general, antimalware tools don't interfere with AV programs.

Good luck and stay safe :)
 
Status
Not open for further replies.
Back