
New Malware - Rootkit.TnCore- Please Help [RESOLVED]



#1 beachmalware (New Member, 3 posts)
I have new malware on my daughter's XP SP2 machine. It appeared last Friday after my wife surfed a celebrity sleaze site (www.finalpixxceleb.com).

I am very technical and have removed dozens of viruses/malware in the past, but this one is a bugger!

Whenever I start IE or Mozilla I get a continuous stream of pop-ups. I can get rid of it temporarily, but every time I re-boot or re-start IE it comes back. Also, on re-boot I now get a DOS program executing before XP (?)

I have McAfee installed and have done numerous scans (waste of $$).
I have run the following: Kaspersky, SuperAntiSpyware, ComboFix, Virtumundo, HiJackThis, CCleaner, and a handful of smaller apps.

Below are the SuperAntiSpyware, HiJackThis, and ComboFix logs. Any help is appreciated.

==============================================================================
SUPER ANTI-SPYWARE LOG
==============================================================================

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/27/2008 at 06:28 PM

Application Version : 3.9.1008

Core Rules Database Version : 3389
Trace Rules Database Version: 1383

Scan type : Quick Scan
Total Scan Time : 00:25:44

Memory items scanned : 425
Memory threats detected : 0
Registry items scanned : 779
Registry threats detected : 0
File items scanned : 18106
File threats detected : 1

RootKit.TnCore/Trace
C:\WINDOWS\system32\drivers\core.cache.dsk

==============================================================================
HIJACKTHIS LOG
==============================================================================

Logfile of HijackThis v1.97.7
Scan saved at 6:58:31 PM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\WINDOWS\System32\GEARSec.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\notepad.exe
C:\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...216/mcfscan.cab


==============================================================================
COMBOFIX LOG
==============================================================================

ComboFix 08-01-23.1C - <PRIVATE NAME> 2008-01-27 19:02:31.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.266 [GMT -8:00]
Running from: C:\Documents and Settings\<PRIVATE NAME>\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-28 )))))))))))))))))))))))))))))))
.

2008-01-27 19:07 . 2008-01-27 19:07 <DIR> d-------- C:\temp\tn3
2008-01-27 19:07 . 2008-01-27 19:07 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-27 12:41 . 2008-01-27 12:41 290 --a------ C:\WINDOWS\EReg077.dat
2008-01-27 12:39 . 2008-01-27 12:39 <DIR> d-------- C:\WINDOWS\BBSTORE
2008-01-27 11:56 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-27 11:13 . 2008-01-27 19:07 <DIR> d-------- C:\temp
2008-01-27 08:32 . 2008-01-27 08:32 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-01-26 22:44 . 2008-01-27 19:07 1,252,640 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-26 22:44 . 2008-01-27 19:06 18,872 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-26 22:44 . 2008-01-27 19:07 17,952 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-26 22:44 . 2008-01-27 19:06 2,732 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-26 22:40 . 2008-01-26 22:40 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-26 22:39 . 2008-01-26 22:39 <DIR> d-------- C:\KAV
2008-01-26 18:48 . 2008-01-27 18:55 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-26 18:47 . 2008-01-26 18:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-26 16:48 . 2007-10-10 15:55 6,065,664 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-26 16:48 . 2007-06-30 19:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-26 16:48 . 2007-06-30 19:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-26 16:48 . 2007-10-10 15:55 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-26 16:48 . 2007-10-10 15:55 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-26 16:48 . 2007-10-10 15:55 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-26 16:48 . 2007-10-10 15:55 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-26 16:48 . 2007-10-10 15:55 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-26 16:48 . 2007-10-10 02:59 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-26 09:08 . 2008-01-26 23:52 <DIR> d-------- C:\VundoFix Backups
2008-01-26 08:40 . 2008-01-26 08:40 <DIR> d-------- C:\Program Files\CCleaner
2008-01-26 01:29 . 2008-01-26 01:29 147,520 --a------ C:\WINDOWS\system32\iexwlyfl.dll
2008-01-26 01:29 . 2008-01-26 01:29 294 --ahs---- C:\WINDOWS\system32\lfylwxei.ini
2008-01-26 01:26 . 2008-01-26 01:26 294 --ahs---- C:\WINDOWS\system32\faxoogqy.ini
2008-01-25 21:43 . 2008-01-27 19:08 13,267 --a------ C:\WINDOWS\system32\Config.MPF
2008-01-25 21:42 . 2008-01-26 22:36 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-01-25 21:40 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-01-25 21:37 . 2007-07-24 12:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-01-25 21:36 . 2007-07-21 09:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-25 21:36 . 2007-07-13 09:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-01-25 21:36 . 2007-07-24 07:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-01-25 21:36 . 2007-07-21 09:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-01-25 21:36 . 2007-07-21 09:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-01-25 21:34 . 2008-01-25 21:35 <DIR> d-------- C:\Program Files\McAfee.com
2008-01-25 21:33 . 2008-01-25 21:36 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-01-25 18:45 . 2008-01-27 18:58 <DIR> d-------- C:\hijackthis
2008-01-25 18:40 . 2008-01-25 18:40 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-01-25 18:26 . 2008-01-25 18:26 107,132 --a------ C:\WINDOWS\UninstallFirefox.exe
2008-01-25 18:25 . 2008-01-25 18:26 2,293 --a------ C:\WINDOWS\mozver.dat
2008-01-25 13:07 . 2008-01-26 19:45 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-25 13:03 . 2008-01-26 08:26 <DIR> d--hs---- C:\WINDOWS\U3lkbmV5IEJyaW5rZXI
2008-01-25 13:03 . 2008-01-25 23:00 <DIR> d-------- C:\WINDOWS\system32\wnis6
2008-01-25 13:03 . 2008-01-25 22:59 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-01-25 13:03 . 2008-01-25 13:03 <DIR> d-------- C:\WINDOWS\system32\ets1
2008-01-25 13:03 . 2008-01-26 23:53 <DIR> d-------- C:\WINDOWS\system32\deb3
2008-01-25 13:03 . 2008-01-25 13:14 <DIR> d-------- C:\WINDOWS\system32\comg9
2008-01-25 13:03 . 2008-01-25 13:03 86,016 --a------ C:\WINDOWS\system32\drivers\aic78xxx.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 20:40 --------- d-----w C:\Program Files\The Learning Company
2008-01-27 18:02 --------- d-----w C:\Program Files\McAfee
2008-01-26 18:08 --------- d-----w C:\Program Files\BAE
2007-02-18 23:30 8 --sh--r C:\WINDOWS\system32\80DDF4244B.sys
2007-05-14 21:32 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-27_12.15.44.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-27 16:17:58 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-28 01:42:36 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-27 16:17:58 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-28 01:42:36 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 13:57 36640]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-07-22 20:29 1160480]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [2007-11-19 14:40 231952]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

R1 aic78xxx;aic78xxx;C:\WINDOWS\system32\drivers\aic78xxx.sys [2008-01-25 13:03]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 05:35:30 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-26 05:35:28 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 19:08:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 19:12:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-28 03:11:52
ComboFix2.txt 2008-01-27 20:17:06
.
2008-01-13 02:18:41 --- E O F ---


#2 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hi,

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

Not sure where you have read the instructions to use Combofix, but from the official Combofix page, a first step is to install the Recovery Console. So please do this first: http://www.bleepingc...to-use-combofix
You'll find the instructions there on how to do this with Combofix.

Then, after you installed the Recovery Console,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\drivers\aic78xxx.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\iexwlyfl.dll
C:\WINDOWS\system32\lfylwxei.ini
C:\WINDOWS\system32\faxoogqy.ini

Folder::
C:\temp\tn3
C:\VundoFix Backups
C:\Program Files\Dot1XCfg
C:\WINDOWS\U3lkbmV5IEJyaW5rZXI
C:\WINDOWS\system32\wnis6
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\ets1
C:\WINDOWS\system32\deb3
C:\WINDOWS\system32\comg9

Driver::
aic78xxx


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

By the way... I notice from the log that there is more than one Anti-Virus installed and running: Kaspersky and McAfee.
Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will seriously decrease their reliability!
The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.
Also, because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.

So you have to make a decision here and keep the Antivirus you prefer and uninstall the other one.
Then reboot after uninstalling.
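Post #2 reads the ComboFix log by eye and turns the suspicious entries into a CFScript. As an added example (not code from the thread, from ComboFix or from its author), the Python below parses a "Files Created" excerpt copied from the first post, applies the same sort of triage the expert did (scanner hit, hidden+system attributes, a base64-looking folder name, the dll/ini reversed-name pair, then same-minute creation clusters) and renders the File::/Folder::/Driver:: layout shown above. The regexes, the KNOWN_GOOD allowlist and the triage heuristics are this example's own assumptions, so the generated script is a starting point for human review, not something to feed to ComboFix unread.

```python
import base64
import ntpath
import re
from collections import defaultdict

# Constructed test input: "Files Created" lines and the driver loading-point line
# copied from the ComboFix log in the first post (an excerpt, not the full log).
COMBOFIX_EXCERPT = r"""
2008-01-27 19:07 . 2008-01-27 19:07 <DIR> d-------- C:\temp\tn3
2008-01-27 19:07 . 2008-01-27 19:07 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-26 22:44 . 2008-01-27 19:07 1,252,640 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-26 01:29 . 2008-01-26 01:29 147,520 --a------ C:\WINDOWS\system32\iexwlyfl.dll
2008-01-26 01:29 . 2008-01-26 01:29 294 --ahs---- C:\WINDOWS\system32\lfylwxei.ini
2008-01-26 01:26 . 2008-01-26 01:26 294 --ahs---- C:\WINDOWS\system32\faxoogqy.ini
2008-01-25 21:36 . 2007-07-21 09:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-25 13:03 . 2008-01-26 08:26 <DIR> d--hs---- C:\WINDOWS\U3lkbmV5IEJyaW5rZXI
2008-01-25 13:03 . 2008-01-25 23:00 <DIR> d-------- C:\WINDOWS\system32\wnis6
2008-01-25 13:03 . 2008-01-25 13:03 86,016 --a------ C:\WINDOWS\system32\drivers\aic78xxx.sys
R1 aic78xxx;aic78xxx;C:\WINDOWS\system32\drivers\aic78xxx.sys [2008-01-25 13:03]
"""

# Path a scanner already named: the RootKit.TnCore/Trace hit in the SUPERAntiSpyware log.
SCANNER_HITS = {r"C:\WINDOWS\system32\drivers\core.cache.dsk"}
# Assumption for this example: hidden+system files of an installed product (Kaspersky's
# fidbox cache) that must never be scripted for deletion.
KNOWN_GOOD = {"fidbox.dat", "fidbox.idx", "fidbox2.dat", "fidbox2.idx"}

# Field layout inferred from the log lines above: created . modified size attrs path
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+ "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<path>.+?) \[")


def parse_log(text):
    """Split the log into file/dir records and an image-path -> service-name map."""
    entries, services = [], {}
    for line in text.splitlines():
        if m := ENTRY_RE.match(line):
            entries.append({**m.groupdict(), "is_dir": m["size"] == "<DIR>"})
        elif m := SERVICE_RE.match(line):
            services[m["path"].lower()] = m["name"]
    return entries, services


def looks_base64_name(name):
    """True when a bare name is valid base64 that decodes to printable ASCII."""
    if len(name) < 12 or not re.fullmatch(r"[A-Za-z0-9+/]+", name):
        return False
    try:
        raw = base64.b64decode(name + "=" * (-len(name) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    return bool(raw) and all(32 <= b < 127 for b in raw)


def triage(entries, scanner_hits=SCANNER_HITS):
    """Return {path: reason}. Seeds: scanner hits, base64-looking names, hidden+system
    files, a .dll/.ini pair whose stems are each other's reverse; then same-minute cluster."""
    stems_by_dir = defaultdict(set)
    for e in entries:
        base, ext = ntpath.splitext(ntpath.basename(e["path"]))
        if ext.lower() in (".dll", ".ini"):
            stems_by_dir[ntpath.dirname(e["path"]).lower()].add(base.lower())
    flagged = {}
    for e in entries:
        path = e["path"]
        name = ntpath.basename(path)
        stem = ntpath.splitext(name)[0].lower()
        if name.lower() in KNOWN_GOOD:
            continue
        if path in scanner_hits:
            flagged[path] = "named by scanner"
        elif looks_base64_name(name):
            flagged[path] = "base64-encoded name"
        elif "h" in e["attrs"] and "s" in e["attrs"]:
            flagged[path] = "hidden+system attributes"
        elif stem[::-1] != stem and stem[::-1] in stems_by_dir[ntpath.dirname(path).lower()]:
            flagged[path] = "dll/ini reversed-name pair"
    # The 13:03 cluster in the log: unflagged items created in the same minute as a seed.
    seed_minutes = {e["created"] for e in entries if e["path"] in flagged}
    for e in entries:
        if (e["path"] not in flagged and e["created"] in seed_minutes
                and ntpath.basename(e["path"]).lower() not in KNOWN_GOOD):
            flagged[e["path"]] = "created in same minute as a flagged item"
    return flagged


def build_cfscript(text):
    """Parse, triage and render the File:: / Folder:: / Driver:: layout ComboFix reads."""
    entries, services = parse_log(text)
    flagged = triage(entries)
    by_path = {e["path"]: e for e in entries}
    files = sorted(p for p in flagged if not by_path[p]["is_dir"])
    folders = sorted(p for p in flagged if by_path[p]["is_dir"])
    drivers = sorted({services[p.lower()] for p in files if p.lower() in services})
    sections = [("File::", files), ("Folder::", folders), ("Driver::", drivers)]
    return "\n\n".join(h + "\n" + "\n".join(items) for h, items in sections if items) + "\n"


if __name__ == "__main__":
    print(build_cfscript(COMBOFIX_EXCERPT))
```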

#3 beachmalware (Topic Starter, New Member, 3 posts)
Thank you so much for your prompt reply. I have 3 anti-virus products installed only to attempt to eradicate this Malware. I will uninstall two of them once it is all clean.

I created the ComboFix restore point and executed the CFScript file. At this point the pop-ups have stopped and SuperAntiSpyware no longer sees a rootkit virus (a first in a long time).

Below is the ComboFix Log and the HiJackThis log. Let me know if it looks all clean.


==============================================================================
COMBOFIX LOG
==============================================================================


ComboFix 08-01-23.1C - Sydney Brinker 2008-01-28 19:24:43.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.210 [GMT -8:00]
Running from: C:\Documents and Settings\Sydney Brinker\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sydney Brinker\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\drivers\aic78xxx.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\faxoogqy.ini
C:\WINDOWS\system32\iexwlyfl.dll
C:\WINDOWS\system32\lfylwxei.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Dot1XCfg
C:\temp\tn3
C:\VundoFix Backups
C:\VundoFix Backups\abeeg.ini.bad
C:\VundoFix Backups\abeeg.ini2.bad
C:\VundoFix Backups\dropclll.dllbox.bad
C:\VundoFix Backups\geeba.dll.bad
C:\VundoFix Backups\jurmwrmp.dll.bad
C:\VundoFix Backups\uvupefmu.dll.bad
C:\WINDOWS\system32\comg9
C:\WINDOWS\system32\deb3
C:\WINDOWS\system32\drivers\aic78xxx.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\ets1
C:\WINDOWS\system32\ets1\ovstadcom2.exe
C:\WINDOWS\system32\faxoogqy.ini
C:\WINDOWS\system32\iexwlyfl.dll
C:\WINDOWS\system32\lfylwxei.ini
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\wnis6
C:\WINDOWS\U3lkbmV5IEJyaW5rZXI

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_AIC78XXX
-------\aic78xxx


((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-28 19:19 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-28 19:19 . 2006-06-17 09:14 211 --a------ C:\Boot.bak
2008-01-27 12:41 . 2008-01-27 12:41 290 --a------ C:\WINDOWS\EReg077.dat
2008-01-27 12:39 . 2008-01-27 12:39 <DIR> d-------- C:\WINDOWS\BBSTORE
2008-01-27 11:56 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-27 11:13 . 2008-01-28 19:27 <DIR> d-------- C:\temp
2008-01-27 08:32 . 2008-01-27 08:33 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-01-26 22:44 . 2008-01-28 19:30 1,344,032 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-26 22:44 . 2008-01-28 19:30 25,376 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-26 22:44 . 2008-01-28 19:29 20,072 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-26 22:44 . 2008-01-28 19:29 3,428 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-26 22:40 . 2008-01-26 22:40 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-26 22:39 . 2008-01-26 22:39 <DIR> d-------- C:\KAV
2008-01-26 18:48 . 2008-01-27 20:33 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-26 18:47 . 2008-01-26 18:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-26 16:48 . 2007-10-10 15:55 6,065,664 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-26 16:48 . 2007-06-30 19:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-26 16:48 . 2007-06-30 19:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-26 16:48 . 2007-10-10 15:55 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-26 16:48 . 2007-10-10 15:55 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-26 16:48 . 2007-10-10 15:55 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-26 16:48 . 2007-10-10 15:55 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-26 16:48 . 2007-10-10 15:55 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-26 16:48 . 2007-10-10 02:59 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-26 08:40 . 2008-01-26 08:40 <DIR> d-------- C:\Program Files\CCleaner
2008-01-25 21:43 . 2008-01-28 19:31 13,267 --a------ C:\WINDOWS\system32\Config.MPF
2008-01-25 21:42 . 2008-01-26 22:36 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-01-25 21:40 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-01-25 21:37 . 2007-07-24 12:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-01-25 21:36 . 2007-07-21 09:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-25 21:36 . 2007-07-13 09:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-01-25 21:36 . 2007-07-24 07:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-01-25 21:36 . 2007-07-21 09:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-01-25 21:36 . 2007-07-21 09:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-01-25 21:34 . 2008-01-25 21:35 <DIR> d-------- C:\Program Files\McAfee.com
2008-01-25 21:33 . 2008-01-25 21:36 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-01-25 18:45 . 2008-01-27 18:58 <DIR> d-------- C:\hijackthis
2008-01-25 18:40 . 2008-01-25 18:40 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-01-25 18:26 . 2008-01-25 18:26 107,132 --a------ C:\WINDOWS\UninstallFirefox.exe
2008-01-25 18:25 . 2008-01-25 18:26 2,293 --a------ C:\WINDOWS\mozver.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 03:11 --------- d-----w C:\Program Files\McAfee
2008-01-27 20:40 --------- d-----w C:\Program Files\The Learning Company
2008-01-26 18:08 --------- d-----w C:\Program Files\BAE
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-31 13:12 3,590,656 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-02-18 23:30 8 --sh--r C:\WINDOWS\system32\80DDF4244B.sys
2007-05-14 21:32 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-27_12.15.44.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-27 19:57:22 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-29 03:24:26 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-27 19:57:22 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-29 03:24:26 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-27 19:57:22 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-29 03:24:26 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-27 19:57:22 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-29 03:24:26 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-27 19:57:22 1,994,752 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-29 03:24:26 1,994,752 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-27 19:57:22 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-29 03:24:26 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\updspapi.dll
+ 2007-08-14 02:54:10 765,952 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\vgx.dll
- 2008-01-27 16:17:58 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-28 05:56:16 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-27 16:17:58 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-28 05:56:16 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-08-14 02:54:10 765,952 ----a-w C:\WINDOWS\system32\dllcache\VGX.dll
+ 2007-07-12 23:31:54 765,952 ----a-w C:\WINDOWS\system32\dllcache\vgx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 13:57 36640]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-07-22 20:29 1160480]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [2007-11-19 14:40 231952]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

S2 0057111201576300mcinstcleanup;McAfee Application Installer Cleanup (0057111201576300);C:\WINDOWS\TEMP\005711~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog []

*Newly Created Service* - 0057111201576300MCINSTCLEANUP
.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 05:35:30 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-26 05:35:28 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-28 19:30:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-28 19:33:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-29 03:33:15
ComboFix2.txt 2008-01-28 03:12:07
ComboFix3.txt 2008-01-27 20:17:06
.
2008-01-28 04:34:01 --- E O F ---

==============================================================================
HIJACKTHIS LOG
==============================================================================

Logfile of HijackThis v1.97.7
Scan saved at 7:40:17 PM, on 1/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...216/mcfscan.cab

#4 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.

#5 beachmalware (Topic Starter, New Member, 3 posts)
Everything is all clear. Thank you VERY much! I dropped 20Eur in your cup.

-Mike

#6 miekiemoes (Malware Expert, MVP, 5,503 posts)
Glad I could help and thank you very much for the donation. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#7 miekiemoes (Malware Expert, MVP, 5,503 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.