web redirect - fake antivirus pop ups - super slow



#121 RKinner (Malware Expert, 23,367 posts, MVP)

Wonderful! It's nice not being blind. Combofix removed the Pragma references from the registry and a few other files which most people claim are evil, so we are making progress.

Copy the text in the code box below by highlighting it and then pressing Ctrl + C:

KILLALL::

SecCenter:: 
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

Driver::
yqeuqldq

File::
c:\windows\system32\exitwx.exe


Now open Notepad (Start, Run, notepad, OK) and press Ctrl + V to paste the text into Notepad. Make sure you got it all, then File, SAVE AS, (to your Desktop), CFScript, OK. Close Notepad. You should see a file CFScript.txt on your desktop.

Drag it over to george and let it start as before.

Post the new log.

Copy and paste the log it creates into a Reply.

What we are doing here is removing the AVG entry that was bothering us, then trying to get rid of yqeuqldq, and finally removing a file called exitwx.exe, which may or may not be bad. Online Armor thinks it belongs to Trend Micro, but other people say it is evil, and we haven't run Trend.

Also I see something in msconfig that is turned off but looks ugly:

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yqeuqldq

I've asked Combofix to remove it as if it were a driver but it may not be. If you don't see it listed in the deletions section of Combofix's next log:

Get regseeker from:

http://fileforum.bet...er/1035382760/1

Download it and save it to your desktop. Right-click on it and Extract ALL. Double-click on the Regseeker folder that it creates, then on Regseeker.exe. Click on Find in Registry. Check all of the boxes except Match Whole Word, then in the box put in

yqeuqldq

then hit Search. This will take a few minutes. When it completes, select all of the found items and then right click and Export Selected Items. Accept the default name.

In the Regseeker folder should be a folder called Backup. Double click on Backup and you will see a file with a name like:
yqeuqldq-1-10-2011-8.30.06 AM.reg

Right-click on it and EDIT. That should open it in Notepad. Copy the text and paste it into a reply.

The probable reason that the rescue disk did not work is that you have to copy only the file that has a .iso extension, and you have to do it as if you were doing a disk copy, not just a regular burn. They used to make that clear in the PDF, but I guess they are concentrating on the USB option these days.

Ron

#122 Big O (Topic Starter, Member, 104 posts)

I got this when I pasted it into OTL ... I'll wait before going any further with the instructions in case it makes a difference.

Error: Unable to interpret <KILLALL:: > in the current context!
Error: Unable to interpret < > in the current context!
Error: Unable to interpret <SecCenter:: > in the current context!
Error: Unable to interpret <AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF} > in the current context!
Error: Unable to interpret < > in the current context!
Error: Unable to interpret <Driver:: > in the current context!
Error: Unable to interpret <yqeuqldq > in the current context!
Error: Unable to interpret < > in the current context!
Error: Unable to interpret <File:: > in the current context!
Error: Unable to interpret <c:\windows\system32\exitwx.exe> in the current context!

OTL by OldTimer - Version 3.2.18.0 log created on 01102011_092431

#123 RKinner (Malware Expert, 23,367 posts, MVP)

Sorry, the script I used was wrong. I have changed the previous post to what it should have said so go back to my last post and try again.

#124 Big O (Topic Starter, Member, 104 posts)

Came home to a blue screen on the system. "Bad Pool Header". Rebooted just fine. Upon rebooting I was greeted by an Online Armor message window asking to submit (or delete or cancel) a dump report.

On a side note, possibly not so side... each time I come down to my system, instead of being at the screen saver, it seems like my system shut down or at least hibernated. It has never done that before. But I did uninstall my normal screen saver and went back to a standard Windows screen saver.

#125 Big O (Topic Starter, Member, 104 posts)

Well, another monkey wrench. I had Online Armor and Avira both off when I ran Combofix, but when it rebooted Online Armor kicked itself on and blocked something. The cmd window was getting ready to do the log but then posted 'access denied'. Do I run it again or something else?

#126 Big O (Topic Starter, Member, 104 posts)

REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run-]
"yqeuqldq"="C:\\Documents and Settings\\NetworkService\\Local Settings\\Application Data\\ktwcxyhfl\\xxfsydpshdw.exe"
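
The export above is a REGEDIT4 file, the same format RegSeeker writes when you Export Selected Items. What follows is an added example, not from this thread or from any tool mentioned in it, showing how a responder can parse such an export and triage each autorun value against the signals being acted on here: a Run key under HKEY_USERS\.DEFAULT (the profile in use before anyone logs on), a binary stored under a service-account profile such as NetworkService or LocalService, a user-writable Local Settings\Application Data or Temp location, and vowel-less, random-looking folder and file names. The heuristics and their wording are my own assumptions, not a detection rule from any product. The embedded sample is constructed: it contains the key and value Big O posted in #126 plus one benign Avira autorun entry for contrast.

```python
"""Triage autorun values from a REGEDIT4 export (added example, not from the thread).

The heuristics below are assumptions chosen to match the signals discussed in the
thread; they are starting points for a human look, not a verdict.
"""
import re
from typing import Dict, List

# Constructed sample: the key/value posted in #126, plus one benign entry
# (an Avira autorun) added here purely for contrast.
SAMPLE_REG = r'''REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run-]
"yqeuqldq"="C:\\Documents and Settings\\NetworkService\\Local Settings\\Application Data\\ktwcxyhfl\\xxfsydpshdw.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe"
'''

KEY_LINE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

# Lower-cased path fragments that should raise an eyebrow for an autostart binary.
SERVICE_PROFILES = ('\\networkservice\\', '\\localservice\\')
USER_WRITABLE = ('\\local settings\\application data\\', '\\temp\\')


def _unescape(s: str) -> str:
    """REGEDIT4 string data escapes backslash and double quote with a backslash."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str) -> List[Dict[str, str]]:
    """Return [{'key', 'name', 'data'}] for every value line in the export."""
    entries: List[Dict[str, str]] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith('REGEDIT') or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_LINE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            data = m.group('data')
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])   # quoted string (REG_SZ); other types kept raw
            entries.append({'key': key, 'name': _unescape(m.group('name')), 'data': data})
    return entries


def looks_random(token: str) -> bool:
    """Six or more letters with no vowel at all: 'ktwcxyhfl' yes, 'avgnt' no."""
    letters = [c for c in token.lower() if c.isalpha()]
    return len(letters) >= 6 and not any(c in 'aeiou' for c in letters)


def triage(entry: Dict[str, str]) -> List[str]:
    """Reasons this autorun value deserves a closer look (empty list = nothing noted)."""
    key, data = entry['key'].lower(), entry['data'].lower()
    reasons = []
    if '\\currentversion\\run' in key and key.startswith('hkey_users\\.default\\'):
        reasons.append('Run key in HKEY_USERS\\.DEFAULT, the profile used before anyone logs on')
    if any(p in data for p in SERVICE_PROFILES):
        reasons.append('binary stored under a service-account profile')
    if any(p in data for p in USER_WRITABLE):
        reasons.append('binary in a user-writable local data or temp directory')
    parts = [p for p in entry['data'].split('\\') if p]
    if len(parts) >= 2:
        folder, stem = parts[-2], parts[-1].rsplit('.', 1)[0]
        if looks_random(folder) and looks_random(stem):
            reasons.append('random-looking folder and file names')
    return reasons


def triage_export(text: str) -> List[Dict[str, object]]:
    """Parse an export and attach the triage reasons to each value."""
    return [{'name': e['name'], 'data': e['data'], 'reasons': triage(e)} for e in parse_reg(text)]


if __name__ == '__main__':
    for r in triage_export(SAMPLE_REG):
        flag = 'SUSPECT' if r['reasons'] else 'ok'
        print(f"{flag:8} {r['name']:12} {r['data']}")
        for why in r['reasons']:
            print(f"         - {why}")
```

Run it as-is to see the #126 entry collect all four reasons while the Avira entry collects none; to triage a real export, read the .reg file (RegSeeker writes it in the system's ANSI code page, so open it with the matching encoding) and pass the text to `triage_export`.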

#127 RKinner (Malware Expert, 23,367 posts, MVP)

Copy the text in the code box below by highlighting it and then pressing Ctrl + C:

:FILES
C:\Documents and Settings\NetworkService\Local Settings\Application Data\ktwcxyhfl

Run OTL by right-clicking and choosing Run As Administrator, then paste (Ctrl + V) the above in the box where it says Custom Scans/Fixes. Verify that you got it all, then hit RUN FIX.

Copy and paste the log it creates into a Reply.

Now run Combofix over again without the script. If Online Armor pops up this time we may need to uninstall it or use msconfig to keep it from running.

Your shutdown/hibernate when idle is controlled by the Power Options settings in Control Panel.
Probably more than you want to know about it here:
http://tips.oncomput...2003-mar-09.htm

Ron

#128 Big O (Topic Starter, Member, 104 posts)

Online Armor popped up with "handle.cfxxe" with a product name of Sysinternals Handle

creating file c:\windows\system32\drivers\procexp113.sys

do i want to allow this or block it?

It is originating from Combofix, I believe. c:\george21868\handle.cfxxe is creating the change.

Edited by Big O, 10 January 2011 - 06:47 PM.


#129 Big O (Topic Starter, Member, 104 posts)

This is with the script again (sorry I should have waited). Good news is that the AVG warning is gonezo.



ComboFix 11-01-10.04 - Tim Oakley 01/10/2011 17:17:21.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.577 [GMT -7:00]
Running from: c:\documents and settings\Tim Oakley\Desktop\george.exe
Command switches used :: c:\documents and settings\Tim Oakley\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

FILE ::
"c:\windows\system32\exitwx.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\exitwx.exe

.
((((((((((((((((((((((((( Files Created from 2010-12-11 to 2011-01-11 )))))))))))))))))))))))))))))))
.

2011-01-10 05:04 . 2011-01-10 05:19 -------- d-----w- C:\george
2011-01-09 16:50 . 2011-01-09 16:50 -------- d-----w- c:\documents and settings\Tim Oakley\Application Data\QuickScan
2011-01-08 16:47 . 2011-01-08 17:23 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
2011-01-08 16:47 . 2011-01-08 16:47 -------- d-----w- c:\documents and settings\Tim Oakley\Application Data\OnlineArmor
2011-01-08 16:47 . 2010-10-27 02:52 38856 ----a-w- c:\windows\system32\drivers\oahlp32.sys
2011-01-08 16:47 . 2010-10-27 02:52 25000 ----a-w- c:\windows\system32\drivers\OAmon.sys
2011-01-08 16:47 . 2010-10-27 02:52 29272 ----a-w- c:\windows\system32\drivers\OAnet.sys
2011-01-08 16:47 . 2010-10-27 02:52 202064 ----a-w- c:\windows\system32\drivers\OADriver.sys
2011-01-08 16:46 . 2011-01-10 23:53 -------- d-----w- c:\program files\Online Armor
2011-01-06 05:39 . 2011-01-11 00:16 -------- d-----w- c:\windows\system32\CatRoot2
2011-01-06 05:35 . 2011-01-06 05:35 -------- d-----w- c:\program files\UPHClean
2011-01-06 02:12 . 2008-04-14 01:12 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-01-06 02:12 . 2001-08-18 05:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-01-06 02:12 . 2008-04-14 01:12 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-01-06 02:12 . 2001-08-18 05:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2011-01-06 02:12 . 2001-08-18 05:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2011-01-06 02:12 . 2001-08-18 05:37 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2011-01-06 02:12 . 2001-08-17 19:11 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2011-01-06 02:12 . 2004-08-04 05:29 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys
2011-01-06 02:12 . 2004-08-04 05:29 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys
2011-01-06 02:10 . 2001-08-17 19:13 16925 ----a-w- c:\windows\system32\dllcache\w940nd.sys
2011-01-06 02:09 . 2004-08-04 05:31 32384 ----a-w- c:\windows\system32\dllcache\usb101et.sys
2011-01-06 02:08 . 2001-08-17 19:12 34375 ----a-w- c:\windows\system32\dllcache\tpro4.sys
2011-01-06 02:07 . 2001-08-18 05:36 94293 ----a-w- c:\windows\system32\dllcache\sxports.dll
2011-01-06 02:06 . 2001-08-17 19:51 20752 ----a-w- c:\windows\system32\dllcache\sonync.sys
2011-01-06 02:05 . 2001-08-17 21:56 157696 ----a-w- c:\windows\system32\dllcache\sisv256.dll
2011-01-06 02:04 . 2001-08-17 20:51 16640 ----a-w- c:\windows\system32\dllcache\scmstcs.sys
2011-01-06 02:03 . 2001-08-17 19:19 30720 ----a-w- c:\windows\system32\dllcache\rthwcls.sys
2011-01-06 02:02 . 2001-08-17 20:51 16128 ----a-w- c:\windows\system32\dllcache\pscr.sys
2011-01-06 02:01 . 2001-08-18 05:36 44544 ----a-w- c:\windows\system32\dllcache\ovui2.dll
2011-01-06 01:50 . 2001-08-17 19:20 87040 ----a-w- c:\windows\system32\dllcache\nm6wdm.sys
2011-01-06 01:50 . 2001-08-17 19:20 126080 ----a-w- c:\windows\system32\dllcache\nm5a2wdm.sys
2011-01-06 01:50 . 2001-08-17 19:12 32840 ----a-w- c:\windows\system32\dllcache\ngrpci.sys
2011-01-06 01:50 . 2004-08-04 05:31 132695 ----a-w- c:\windows\system32\dllcache\netwlan5.sys
2011-01-06 01:50 . 2001-08-17 19:11 65278 ----a-w- c:\windows\system32\dllcache\netflx3.sys
2011-01-06 01:50 . 2001-08-17 19:50 39264 ----a-w- c:\windows\system32\dllcache\neo20xx.sys
2011-01-06 01:50 . 2001-08-18 05:36 60480 ----a-w- c:\windows\system32\dllcache\neo20xx.dll
2011-01-06 01:50 . 2001-08-17 20:49 15872 ----a-w- c:\windows\system32\dllcache\ne2000.sys
2011-01-06 01:50 . 2001-08-17 21:56 91488 ----a-w- c:\windows\system32\dllcache\n9i3disp.dll
2011-01-06 01:50 . 2001-08-17 19:50 27936 ----a-w- c:\windows\system32\dllcache\n9i3d.sys
2011-01-06 01:48 . 2008-04-13 19:46 15232 ----a-w- c:\windows\system32\dllcache\mpe.sys
2011-01-06 01:47 . 2001-08-17 19:12 20573 ----a-w- c:\windows\system32\dllcache\lne100.sys
2011-01-06 01:46 . 2001-08-18 05:36 90200 ----a-w- c:\windows\system32\dllcache\io8ports.dll
2011-01-06 01:45 . 2006-03-15 10:00 10096640 ----a-w- c:\windows\system32\dllcache\hwxcht.dll
2011-01-06 01:44 . 2001-08-18 05:36 83968 ----a-w- c:\windows\system32\dllcache\hpgt21.dll
2011-01-06 01:43 . 2001-08-17 19:12 16074 ----a-w- c:\windows\system32\dllcache\fa312nd5.sys
2011-01-06 01:42 . 2001-08-17 19:11 69194 ----a-w- c:\windows\system32\dllcache\el656cd5.sys
2011-01-06 01:41 . 2001-08-18 05:36 110592 ----a-w- c:\windows\system32\dllcache\dc260usd.dll
2011-01-06 01:40 . 2001-08-18 05:36 32256 ----a-w- c:\windows\system32\dllcache\diapi2NT.dll
2011-01-06 01:39 . 2001-08-17 19:49 17152 ----a-w- c:\windows\system32\dllcache\atitvsnd.sys
2011-01-06 01:37 . 2001-08-17 21:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-01-04 01:56 . 2011-01-04 01:56 -------- d-----w- c:\documents and settings\Tim Oakley\Application Data\Avira
2011-01-02 21:14 . 2010-12-13 15:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-02 21:14 . 2010-12-13 15:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-01-02 21:14 . 2010-06-17 21:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-01-02 21:14 . 2010-06-17 21:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-01-02 21:14 . 2011-01-02 21:14 -------- d-----w- c:\program files\Avira
2011-01-02 21:14 . 2011-01-02 21:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-12-30 03:51 . 2010-12-30 03:51 1409 ----a-w- c:\windows\QTFont.for
2010-12-30 03:51 . 2010-12-30 03:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-12-30 03:46 . 2010-12-31 01:51 -------- d-----w- c:\documents and settings\Tim Oakley\Local Settings\Application Data\Temp
2010-12-30 03:46 . 2010-12-30 03:46 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-12-30 00:09 . 2010-12-30 00:09 -------- d-----w- c:\program files\ESET
2010-12-29 17:04 . 2010-12-29 17:04 -------- d-----w- C:\_OTL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-30 01:27 . 2001-08-17 18:52 125056 ----a-w- c:\windows\system32\drivers\ftdisk.sys
2010-11-18 18:12 . 2006-09-28 13:27 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2006-09-28 01:01 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2006-09-28 01:01 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2006-09-28 01:01 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2006-09-28 01:01 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2006-09-28 01:01 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2006-09-28 01:01 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2006-09-28 01:01 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]
"Power2GoExpress"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-10 984352]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\ICQ7.2\\ICQ.exe"=
"c:\\Program Files\\ICQ7.2\\aolload.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11674:TCP"= 11674:TCP:*:Disabled:BitComet 11674 TCP
"11674:UDP"= 11674:UDP:*:Disabled:BitComet 11674 UDP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 DCDisk;DCDisk;c:\windows\system32\drivers\DCDisk.sys [1/29/2007 6:21 AM 42240]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [1/8/2011 9:47 AM 202064]
R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [1/8/2011 9:47 AM 38856]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [1/8/2011 9:47 AM 25000]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [1/8/2011 9:47 AM 29272]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/2/2011 2:14 PM 135336]
R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [1/8/2011 9:46 AM 380784]
R2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [1/8/2011 9:46 AM 3652696]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [12/29/2007 6:44 PM 450400]
S3 PhnxVcd;PhnxVcd;c:\windows\system32\drivers\phnxvcd.sys [3/21/2006 12:37 PM 47488]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/29/2010 8:46 PM 136176]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2011-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2011-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-30 03:46]

2011-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-30 03:46]

2011-01-11 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: turbotax.com
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3504)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\UPHClean\uphclean.exe
c:\program files\Online Armor\oaui.exe
c:\program files\Microsoft ActiveSync\Wcescomm.exe
c:\program files\Online Armor\OAhlp.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2011-01-10 17:36:31 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-11 00:36
ComboFix2.txt 2011-01-10 05:19

Pre-Run: 38,821,187,584 bytes free
Post-Run: 38,804,516,864 bytes free

- - End Of File - - 94ABA98726575BA50273534D03718186

#130 Big O (Topic Starter, Member, 104 posts)

========== FILES ==========
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Application Data\ktwcxyhfl not found.

OTL by OldTimer - Version 3.2.18.0 log created on 01102011_174531

#131 RKinner (Malware Expert, 23,367 posts, MVP)

procexp113.sys is a good guy, so let him connect. And yes, it is something Combofix is doing.

Can you create a file named "ktwcxyhfl" like we did before and save it to
C:\Documents and Settings\NetworkService\Local Settings\Application Data\

Just want to make sure the folder is really gone and not hiding from us.

Can you now run MBR.exe?

Ron
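
The "create a file with the same name" check above works because something that filters a directory listing usually still has to tell the filesystem the name is taken: creating an object by that name fails even though nothing is listed. The following is an added example, not from the thread, that automates that cross-check for any path: it compares the parent's directory listing with the outcome of trying to create a folder of that name, and removes the folder again when the name turned out to be free. The `listdir` parameter is a hypothetical hook of mine so the hidden case can be exercised without a rootkit on the box; the scratch directory and folder names in `demo` are constructed.

```python
"""Cross-view check for a path that might be hidden (added example, not from the thread)."""
import os
import tempfile
from typing import Callable, Dict, List


def probe_path(path: str, listdir: Callable[[str], List[str]] = os.listdir) -> str:
    """Compare what the directory listing says with what create-by-name says.

    Returns one of:
      'absent'   - not listed and the name was free (a folder was created, then removed)
      'visible'  - listed, and creating it failed because it already exists
      'hidden'   - NOT listed, yet creating it failed because it already exists
      'denied'   - creation refused outright (locked or protected; treat as present)
    """
    path = path.rstrip('\\/')
    parent, name = os.path.split(path)
    listed = name.lower() in (n.lower() for n in listdir(parent or '.'))
    try:
        os.mkdir(path)
    except FileExistsError:
        exists = True
    except PermissionError:
        return 'denied'
    else:
        os.rmdir(path)          # the name was free; leave no trace of the probe
        exists = False
    if not exists:
        return 'absent'
    return 'visible' if listed else 'hidden'


def demo() -> Dict[str, object]:
    """Run the probe against a scratch directory and return every outcome."""
    with tempfile.TemporaryDirectory() as scratch:
        real = os.path.join(scratch, 'ktwcxyhfl')       # constructed: a folder that really exists
        missing = os.path.join(scratch, 'nosuchfolder')  # constructed: a name that is free
        os.mkdir(real)
        results: Dict[str, object] = {
            'existing': probe_path(real),
            'missing': probe_path(missing),
            # Hypothetical hook: a listing that omits the name, as a filtering rootkit would.
            'filtered': probe_path(real, listdir=lambda p: []),
            'left_behind': None,
        }
        results['left_behind'] = os.path.exists(missing)
    return results


if __name__ == '__main__':
    for k, v in demo().items():
        print(f'{k:12} {v}')
```

On a machine you suspect, call `probe_path` on the exact path the log names; a 'hidden' or 'denied' result means the object is still there regardless of what Explorer or `dir` shows, and the box needs an offline or rootkit-aware scan rather than another pass of the same tool.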

#132 Big O (Topic Starter, Member, 104 posts)

This time with no script ... and it didn't need to reboot.

ComboFix 11-01-10.04 - Tim Oakley 01/10/2011 17:56:07.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.511 [GMT -7:00]
Running from: c:\documents and settings\Tim Oakley\Desktop\george.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.

((((((((((((((((((((((((( Files Created from 2010-12-11 to 2011-01-11 )))))))))))))))))))))))))))))))
.

2011-01-10 05:04 . 2011-01-10 05:19 -------- d-----w- C:\george
2011-01-09 16:50 . 2011-01-09 16:50 -------- d-----w- c:\documents and settings\Tim Oakley\Application Data\QuickScan
2011-01-08 16:47 . 2011-01-08 17:23 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
2011-01-08 16:47 . 2011-01-08 16:47 -------- d-----w- c:\documents and settings\Tim Oakley\Application Data\OnlineArmor
2011-01-08 16:47 . 2010-10-27 02:52 38856 ----a-w- c:\windows\system32\drivers\oahlp32.sys
2011-01-08 16:47 . 2010-10-27 02:52 25000 ----a-w- c:\windows\system32\drivers\OAmon.sys
2011-01-08 16:47 . 2010-10-27 02:52 29272 ----a-w- c:\windows\system32\drivers\OAnet.sys
2011-01-08 16:47 . 2010-10-27 02:52 202064 ----a-w- c:\windows\system32\drivers\OADriver.sys
2011-01-08 16:46 . 2011-01-11 00:26 -------- d-----w- c:\program files\Online Armor
2011-01-06 05:39 . 2011-01-11 00:25 -------- d-----w- c:\windows\system32\CatRoot2
2011-01-06 05:35 . 2011-01-06 05:35 -------- d-----w- c:\program files\UPHClean
2011-01-06 02:12 . 2008-04-14 01:12 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-01-06 02:12 . 2001-08-18 05:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-01-06 02:12 . 2008-04-14 01:12 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-01-06 02:12 . 2001-08-18 05:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2011-01-06 02:12 . 2001-08-18 05:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2011-01-06 02:12 . 2001-08-18 05:37 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2011-01-06 02:12 . 2001-08-17 19:11 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2011-01-06 02:12 . 2004-08-04 05:29 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys
2011-01-06 02:12 . 2004-08-04 05:29 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys
2011-01-06 02:10 . 2001-08-17 19:13 16925 ----a-w- c:\windows\system32\dllcache\w940nd.sys
2011-01-06 02:09 . 2004-08-04 05:31 32384 ----a-w- c:\windows\system32\dllcache\usb101et.sys
2011-01-06 02:08 . 2001-08-17 19:12 34375 ----a-w- c:\windows\system32\dllcache\tpro4.sys
2011-01-06 02:07 . 2001-08-18 05:36 94293 ----a-w- c:\windows\system32\dllcache\sxports.dll
2011-01-06 02:06 . 2001-08-17 19:51 20752 ----a-w- c:\windows\system32\dllcache\sonync.sys
2011-01-06 02:05 . 2001-08-17 21:56 157696 ----a-w- c:\windows\system32\dllcache\sisv256.dll
2011-01-06 02:04 . 2001-08-17 20:51 16640 ----a-w- c:\windows\system32\dllcache\scmstcs.sys
2011-01-06 02:03 . 2001-08-17 19:19 30720 ----a-w- c:\windows\system32\dllcache\rthwcls.sys
2011-01-06 02:02 . 2001-08-17 20:51 16128 ----a-w- c:\windows\system32\dllcache\pscr.sys
2011-01-06 02:01 . 2001-08-18 05:36 44544 ----a-w- c:\windows\system32\dllcache\ovui2.dll
2011-01-06 01:50 . 2001-08-17 19:20 87040 ----a-w- c:\windows\system32\dllcache\nm6wdm.sys
2011-01-06 01:50 . 2001-08-17 19:20 126080 ----a-w- c:\windows\system32\dllcache\nm5a2wdm.sys
2011-01-06 01:50 . 2001-08-17 19:12 32840 ----a-w- c:\windows\system32\dllcache\ngrpci.sys
2011-01-06 01:50 . 2004-08-04 05:31 132695 ----a-w- c:\windows\system32\dllcache\netwlan5.sys
2011-01-06 01:50 . 2001-08-17 19:11 65278 ----a-w- c:\windows\system32\dllcache\netflx3.sys
2011-01-06 01:50 . 2001-08-17 19:50 39264 ----a-w- c:\windows\system32\dllcache\neo20xx.sys
2011-01-06 01:50 . 2001-08-18 05:36 60480 ----a-w- c:\windows\system32\dllcache\neo20xx.dll
2011-01-06 01:50 . 2001-08-17 20:49 15872 ----a-w- c:\windows\system32\dllcache\ne2000.sys
2011-01-06 01:50 . 2001-08-17 21:56 91488 ----a-w- c:\windows\system32\dllcache\n9i3disp.dll
2011-01-06 01:50 . 2001-08-17 19:50 27936 ----a-w- c:\windows\system32\dllcache\n9i3d.sys
2011-01-06 01:48 . 2008-04-13 19:46 15232 ----a-w- c:\windows\system32\dllcache\mpe.sys
2011-01-06 01:47 . 2001-08-17 19:12 20573 ----a-w- c:\windows\system32\dllcache\lne100.sys
2011-01-06 01:46 . 2001-08-18 05:36 90200 ----a-w- c:\windows\system32\dllcache\io8ports.dll
2011-01-06 01:45 . 2006-03-15 10:00 10096640 ----a-w- c:\windows\system32\dllcache\hwxcht.dll
2011-01-06 01:44 . 2001-08-18 05:36 83968 ----a-w- c:\windows\system32\dllcache\hpgt21.dll
2011-01-06 01:43 . 2001-08-17 19:12 16074 ----a-w- c:\windows\system32\dllcache\fa312nd5.sys
2011-01-06 01:42 . 2001-08-17 19:11 69194 ----a-w- c:\windows\system32\dllcache\el656cd5.sys
2011-01-06 01:41 . 2001-08-18 05:36 110592 ----a-w- c:\windows\system32\dllcache\dc260usd.dll
2011-01-06 01:40 . 2001-08-18 05:36 32256 ----a-w- c:\windows\system32\dllcache\diapi2NT.dll
2011-01-06 01:39 . 2001-08-17 19:49 17152 ----a-w- c:\windows\system32\dllcache\atitvsnd.sys
2011-01-06 01:37 . 2001-08-17 21:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-01-04 01:56 . 2011-01-04 01:56 -------- d-----w- c:\documents and settings\Tim Oakley\Application Data\Avira
2011-01-02 21:14 . 2010-12-13 15:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-02 21:14 . 2010-12-13 15:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-01-02 21:14 . 2010-06-17 21:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-01-02 21:14 . 2010-06-17 21:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-01-02 21:14 . 2011-01-02 21:14 -------- d-----w- c:\program files\Avira
2011-01-02 21:14 . 2011-01-02 21:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-12-30 03:51 . 2010-12-30 03:51 1409 ----a-w- c:\windows\QTFont.for
2010-12-30 03:51 . 2010-12-30 03:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-12-30 03:46 . 2010-12-31 01:51 -------- d-----w- c:\documents and settings\Tim Oakley\Local Settings\Application Data\Temp
2010-12-30 03:46 . 2010-12-30 03:46 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-12-30 00:09 . 2010-12-30 00:09 -------- d-----w- c:\program files\ESET
2010-12-29 17:04 . 2010-12-29 17:04 -------- d-----w- C:\_OTL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-30 01:27 . 2001-08-17 18:52 125056 ----a-w- c:\windows\system32\drivers\ftdisk.sys
2010-11-18 18:12 . 2006-09-28 13:27 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2006-09-28 01:01 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2006-09-28 01:01 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2006-09-28 01:01 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2006-09-28 01:01 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2006-09-28 01:01 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2006-09-28 01:01 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2006-09-28 01:01 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]
"Power2GoExpress"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
"@OnlineArmor GUI"="c:\program files\Online Armor\oaui.exe" [2010-10-27 2345000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-10 984352]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2010-10-27 353992]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\ICQ7.2\\ICQ.exe"=
"c:\\Program Files\\ICQ7.2\\aolload.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11674:TCP"= 11674:TCP:*:Disabled:BitComet 11674 TCP
"11674:UDP"= 11674:UDP:*:Disabled:BitComet 11674 UDP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 DCDisk;DCDisk;c:\windows\system32\drivers\DCDisk.sys [1/29/2007 6:21 AM 42240]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [1/8/2011 9:47 AM 202064]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [1/8/2011 9:47 AM 25000]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [1/8/2011 9:47 AM 29272]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/2/2011 2:14 PM 135336]
R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [1/8/2011 9:46 AM 380784]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [12/29/2007 6:44 PM 450400]
S1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [1/8/2011 9:47 AM 38856]
S2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [1/8/2011 9:46 AM 3652696]
S3 PhnxVcd;PhnxVcd;c:\windows\system32\drivers\phnxvcd.sys [3/21/2006 12:37 PM 47488]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/29/2010 8:46 PM 136176]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2011-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2011-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-30 03:46]

2011-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-30 03:46]

2011-01-11 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: turbotax.com
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-10 18:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1308)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-01-10 18:04:47
ComboFix-quarantined-files.txt 2011-01-11 01:04
ComboFix2.txt 2011-01-11 00:36
ComboFix3.txt 2011-01-10 05:19

Pre-Run: 38,817,480,704 bytes free
Post-Run: 38,793,445,376 bytes free

- - End Of File - - 162FBC2E90D86ED0EAE2FF210B52F5C1

#133
Big O

    Member

  • Topic Starter
  • Member
  • 104 posts

Can you create a file named "ktwcxyhfl" like we did before and save it to
C:\Documents and Settings\NetworkService\Local Settings\Application Data\


It let me create that folder just fine, so it must be gone.

#134
Big O

    Member

  • Topic Starter
  • Member
  • 104 posts
MBR

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JS-00NCB1 rev.10.02E02 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 10 !

#135
RKinner

    Malware Expert

  • Expert
  • 23,367 posts
  • MVP
I bet DDS will work now too.

Ron