Unable to remove rootkit hooks


#1 lavenderchef45 (Member, 37 posts)
Just reformatted & reinstalled Vista Home Premium. Rootkit is in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Recording\Restricted. Before the reformat and wiping the drive I knew I had a problem. Every time I attempted to install & run any anti-rootkit program, the program would stall and close. Tonight I was able to download & install Trend Micro Rootkit Buster. The program revealed the info in my attached log. I clicked on delete selected items, logged out of Windows and restarted. Re-ran the program and the same problems were displayed.
I went on the Trend Micro Malware forum and wrote approximately what I have said here. Someone responded by telling me to delete my Windows Mail sent & other messages! Clear the cache, etc.
The problem is in the system. Everything displays as shares. I did not set anything up as shared. I reformatted 7 days ago. I do not open strange mail. I delete it. When I attempted to delete "Restricted" in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Recording\Restricted I was informed that I was not authorized to view the file.
Please assist.

Thank you


#2 RKinner (Malware Expert, MVP, 24,748 posts)
Barking up the wrong tree I think. That Hidden key is pretty common and I think it's normal. We can fix it with Combofix if you want. Need to run it once for a baseline:

ComboFix

IF you have AVG, you must first uninstall AVG before running Combofix, then download and run the AVG removal tool.
http://download.avg....6_2011_1322.exe

:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Right-click on ComboFix and select Run As Administrator to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.



If it survived a wipe and reinstall then it is probably in the MBR. Can you run aswMBR?
Download aswMBR.exe ( 511KB ) to your desktop.

Double-click the aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan (note if the Fix button is enabled and tell me), click save log, save it to your desktop and post it in your next reply.


Ron

#3 lavenderchef45 (Topic Starter, Member, 37 posts)
Thanks Ron,
I will do as you have asked and send the results in attached form.

#4 RKinner (Malware Expert, MVP, 24,748 posts)
Please copy and paste your logs. Do not attach them. Makes them too hard to work with.

Ron

#5 lavenderchef45 (Topic Starter, Member, 37 posts)
ComboFix 11-06-22.02 - Athena_6 06/22/2011 19:20:00.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2045.1103 [GMT -4:00]
Running from: c:\users\Athena_6\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-05-22 to 2011-06-22 )))))))))))))))))))))))))))))))
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2011-06-17 1232896]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-14 13687328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-14 92704]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\users\Athena_6\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-05-29 366640]
S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2011-04-24 225856]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-05-29 22712]
S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 251904]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - TMCOMM
*Deregistered* - avipbb
*Deregistered* - ssmdrv
*Deregistered* - tmcomm
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Athena_6\AppData\Roaming\Mozilla\Firefox\Profiles\xgrdxh0j.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-22 19:24
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-06-22 19:26:05
ComboFix-quarantined-files.txt 2011-06-22 23:26
.
Pre-Run: 188,401,422,336 bytes free
Post-Run: 186,772,643,840 bytes free
.
- - End Of File - - 160BBC6677139E026BD5058C12937C8C

aswMBR version 0.9.7.675 Copyright© 2011 AVAST Software
Run date: 2011-06-22 20:13:06
-----------------------------
20:13:06.639 OS Version: Windows 6.0.6000
20:13:06.639 Number of processors: 2 586 0xF02
20:13:06.639 ComputerName: ATHENA_6-PC UserName: Athena_6
20:13:07.466 Initialize success
20:13:14.610 AVAST engine defs: 11062201
20:13:18.822 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
20:13:18.822 Disk 0 Vendor: WDC_WD25 10.0 Size: 238418MB BusType: 3
20:13:18.854 Disk 0 MBR read successfully
20:13:18.854 Disk 0 MBR scan
20:13:18.854 Disk 0 unknown MBR code
20:13:18.854 Disk 0 scanning sectors +488278016
20:13:18.916 Disk 0 scanning C:\Windows\system32\drivers
20:13:38.541 Service scanning
20:13:39.524 Disk 0 trace - called modules:
20:13:39.539 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastorv.sys hal.dll
20:13:39.555 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x843d9030]
20:13:39.555 3 ntkrnlpa.exe[81cb07e2] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x843da030]
20:13:40.382 AVAST engine scan C:\Windows
22:28:56.625 AVAST engine scan C:\Users\Athena_6
22:43:22.596 AVAST engine scan C:\ProgramData
22:43:56.230 Scan finished successfully
22:44:54.434 Disk 0 MBR has been saved successfully to "C:\Users\Athena_6\Desktop\MBR.dat"
22:44:54.434 The log file has been saved successfully to "C:\Users\Athena_6\Desktop\aswMBR.txt

PS: Only Fix MBR displayed at end of scan.

#6 RKinner (Malware Expert, MVP, 24,748 posts)
I'm not seeing any problems.

You can take ownership of the key:

Find [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Recording\Restricted] and right click on it and select Permissions.

If you click on Administrators (YourComputerName\Administrators) you should see that Full Control is checked under Allow but greyed out. If not then

Click on Advanced then Owner.

What does it say under Current Owner of this Item?

It should say Administrators (YourComputerName\Administrators)

YourComputerName just stands for your computer name so it will be different.

If it says anything else go to the next box and click on Administrators (YourComputerName\Administrators) check the box then OK.

Then it should give you the opportunity to check the Full Control box under Allow. OK



We can use Combofix to remove the key if you want to, though Combofix doesn't see it as a problem:

Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::

RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Recording\Restricted]

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Recording\Restricted]

******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript , OK. Close notepad. You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag CFScript.txt over to Combofix and let go. Combofix should start on its own.

Post the new log.

We can try GMER and see if it sees anything:
Download GMER from http://www.gmer.net/download.php Note the file's name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on http://www.bleepingcomputer.com/forums/topic114351.html to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Ron
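An added example (not from the thread, and not code from ComboFix, aswMBR or GMER): a PowerShell function that reports the same facts Ron's Permissions > Advanced > Owner walkthrough above exposes by hand, namely who owns the key and whether Administrators are allowed Full Control, and it flags explicit Deny entries for broad groups like the ones ComboFix lists under LOCKED REGISTRY KEYS. It assumes an elevated PowerShell session (5.1 or later) on Windows; the function name and the report fields are hypothetical names chosen here.

```powershell
# Added example, not part of the thread. Reports owner, Administrators' Full Control,
# and explicit Deny ACEs for a registry key. Assumes an elevated PowerShell session.
# Get-RegistryKeyAccessReport and its report fields are hypothetical names.
using namespace System.Security.AccessControl

function Get-RegistryKeyAccessReport {
    [CmdletBinding()]
    param(
        # Default is the key discussed in the thread.
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Recording\Restricted'
    )

    try {
        # Get-Acl needs READ_CONTROL on the key. When the DACL denies even that
        # (the "cannot be opened ... Access is denied" case in the thread) this throws,
        # and that failure is itself the finding worth reporting.
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    }
    catch [System.Management.Automation.ItemNotFoundException] {
        return [pscustomobject]@{ Path = $Path; Status = 'NotFound'; Owner = $null; AdminsFullControl = $null; BroadDenies = @(); Rules = @() }
    }
    catch [System.UnauthorizedAccessException], [System.Security.SecurityException] {
        return [pscustomobject]@{ Path = $Path; Status = 'AccessDenied'; Owner = $null; AdminsFullControl = $null; BroadDenies = @(); Rules = @() }
    }
    catch {
        return [pscustomobject]@{ Path = $Path; Status = "Error: $($_.Exception.GetType().Name)"; Owner = $null; AdminsFullControl = $null; BroadDenies = @(); Rules = @() }
    }

    # Flatten each ACE to the fields regedit shows in the Permissions dialog.
    $rules = foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType.ToString()   # Allow / Deny
            Rights    = $ace.RegistryRights.ToString()
            Inherited = $ace.IsInherited
        }
    }

    # "Full Control checked under Allow" for Administrators, as the walkthrough expects.
    $adminsFull = [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
        $_.AccessControlType -eq [AccessControlType]::Allow -and
        $_.RegistryRights.HasFlag([RegistryRights]::FullControl)
    })

    # Explicit Deny entries for Users / Everyone are what make a key unreadable
    # to a normal account; surface them separately from the full rule list.
    $broadDenies = @($acl.Access | Where-Object {
        $_.AccessControlType -eq [AccessControlType]::Deny -and
        $_.IdentityReference.Value -in @('BUILTIN\Users', 'Everyone')
    } | ForEach-Object { $_.IdentityReference.Value })

    [pscustomobject]@{
        Path              = $Path
        Status            = 'Readable'
        Owner             = $acl.Owner          # the walkthrough expects BUILTIN\Administrators
        AdminsFullControl = $adminsFull
        BroadDenies       = $broadDenies
        Rules             = $rules
    }
}

# Usage: check the key from the thread and print a short verdict.
$report = Get-RegistryKeyAccessReport
switch ($report.Status) {
    'NotFound'     { "Key not present: $($report.Path)" }
    'AccessDenied' { "Cannot read the DACL of $($report.Path); take ownership via Advanced > Owner first" }
    default {
        "Owner: $($report.Owner)"
        "Administrators Full Control: $($report.AdminsFullControl)"
        if ($report.BroadDenies.Count -gt 0) { "Explicit Deny for: $($report.BroadDenies -join ', ')" }
        $report.Rules | Format-Table -AutoSize
    }
}
```

Run it before and after changing the owner to confirm the change took effect; an AccessDenied result on the key is the same condition the Permissions dialog reports as "you do not have permission to view the current permission settings".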

#7 lavenderchef45 (Topic Starter, Member, 37 posts)
It may be nothing but... I "do not have permission to view the current permission settings for Restricted but I can make permission changes." Under Permissions for Restricted, Group or user name is blank and Allow or Deny is blank. When I click on Advanced I am again directed to a box that states, "You do not have permission to view the current permission settings for Restricted, but you can make permission changes." When I first right-click on "Restricted" a box with a red X appears stating, "Restricted cannot be opened. An error is preventing this key from being opened. Details: Access is denied."

Please resend info regarding ComboFix delete instructions. You lost me at putting something between ****************. I tried to understand but I don't want yet another reformat.
Thanks for your good info.

#8 RKinner (Malware Expert, MVP, 24,748 posts)
Just copy the lines in the code box:
Killall::

RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Recording\Restricted]

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Recording\Restricted]


Then open Notepad and paste them in. File, Save As (to your desktop), CFScript, OK.

Close notepad. That should create a file CFScript.txt on your desktop.

Drag CFScript over to the Combofix Icon and let go. Combofix will run without you doing anything.

#9 lavenderchef45 (Topic Starter, Member, 37 posts)
It WORKED! I was so frustrated that I tried using my technical head instead of my brain mush, et voilà! Ran Combofix, let it do its thing, read the log, saved the log to the desktop, rebooted, checked regedit as admin and the Restricted key was gone. Now I have a new question!
What is this and is it normal?
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

By the way, YOU ARE AWESOME!!
Here is the newest combofix log:
ComboFix 11-06-22.02 - Athena_6 06/23/2011 11:03:41.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2045.1291 [GMT -4:00]
Running from: c:\users\Athena_6\Desktop\ComboFix.exe
Command switches used :: c:\users\Athena_6\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-05-23 to 2011-06-23 )))))))))))))))))))))))))))))))
.
.
2011-06-17 04:22 . 2011-06-17 04:22 3502480 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-06-17 04:22 . 2011-06-17 04:22 3468168 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-06-17 04:20 . 2011-06-17 04:20 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-06-17 04:19 . 2011-06-17 04:19 71680 ----a-w- c:\windows\system32\atl.dll
2011-06-17 04:18 . 2011-06-17 04:18 297472 ----a-w- c:\windows\system32\gdi32.dll
2011-06-17 04:18 . 2011-06-17 04:18 41984 ----a-w- c:\windows\system32\drivers\monitor.sys
2011-06-17 04:18 . 2011-06-17 04:18 1060920 ----a-w- c:\windows\system32\drivers\ntfs.sys
2011-06-17 04:17 . 2011-06-17 04:17 374456 ----a-w- c:\windows\system32\mcupdate_GenuineIntel.dll
2011-06-17 04:16 . 2011-06-17 04:16 500736 ----a-w- c:\windows\system32\msdtcprx.dll
2011-06-17 04:16 . 2011-06-17 04:16 30208 ----a-w- c:\windows\system32\xolehlp.dll
2011-06-17 04:16 . 2011-06-17 04:16 156160 ----a-w- c:\windows\system32\wkssvc.dll
2011-06-17 04:16 . 2011-06-17 04:16 36352 ----a-w- c:\windows\system32\tsgqec.dll
2011-06-17 04:16 . 2011-06-17 04:16 116736 ----a-w- c:\windows\system32\aaclient.dll
2011-06-17 04:16 . 2011-06-17 04:16 1871872 ----a-w- c:\windows\system32\mstscax.dll
2011-06-17 04:15 . 2011-06-17 04:15 303616 ----a-w- c:\windows\system32\wmpeffects.dll
2011-06-17 04:14 . 2011-06-17 04:14 414208 ----a-w- c:\windows\system32\msscp.dll
2011-06-17 04:14 . 2011-06-17 04:14 713728 ----a-w- c:\windows\system32\timedate.cpl
2011-06-17 04:13 . 2011-06-17 04:13 356864 ----a-w- c:\windows\system32\MediaMetadataHandler.dll
2011-06-17 04:13 . 2011-06-17 04:13 86016 ----a-w- c:\windows\system32\icfupgd.dll
2011-06-17 04:13 . 2011-06-17 04:13 63488 ----a-w- c:\windows\system32\drivers\mpsdrv.sys
2011-06-17 04:13 . 2011-06-17 04:13 396800 ----a-w- c:\windows\system32\MPSSVC.dll
2011-06-17 04:13 . 2011-06-17 04:13 392192 ----a-w- c:\windows\system32\FirewallAPI.dll
2011-06-17 04:13 . 2011-06-17 04:13 61952 ----a-w- c:\windows\system32\cmifw.dll
2011-06-17 04:13 . 2011-06-17 04:13 16896 ----a-w- c:\windows\system32\wfapigp.dll
2011-06-17 04:12 . 2011-06-17 04:12 150016 ----a-w- c:\program files\Movie Maker\MOVIEMK.exe
2011-06-17 04:12 . 2011-06-17 04:12 10922496 ----a-w- c:\program files\Movie Maker\MOVIEMK.dll
2011-06-17 04:12 . 2011-06-17 04:12 23040 ----a-w- c:\program files\Movie Maker\WMM2EXT.dll
2011-06-17 04:12 . 2011-06-17 04:12 195072 ----a-w- c:\program files\Movie Maker\WMM2AE.dll
2011-06-17 04:11 . 2011-06-17 04:11 80896 ----a-w- c:\windows\system32\MSNP.ax
2011-06-17 04:11 . 2011-06-17 04:11 68608 ----a-w- c:\windows\system32\Mpeg2Data.ax
2011-06-17 04:11 . 2011-06-17 04:11 428032 ----a-w- c:\windows\system32\EncDec.dll
2011-06-17 04:11 . 2011-06-17 04:11 217088 ----a-w- c:\windows\system32\psisrndr.ax
2011-06-17 04:11 . 2011-06-17 04:11 177152 ----a-w- c:\windows\system32\mpg2splt.ax
2011-06-17 04:11 . 2011-06-17 04:11 1244672 ----a-w- c:\windows\system32\mcmde.dll
2011-06-17 04:11 . 2011-06-17 04:11 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-06-17 04:11 . 2011-06-17 04:11 292352 ----a-w- c:\windows\system32\psisdecd.dll
2011-06-17 04:09 . 2011-06-17 04:09 2048 ----a-w- c:\windows\system32\tzres.dll
2011-06-17 04:09 . 2011-06-17 04:09 696832 ----a-w- c:\windows\system32\localspl.dll
2011-06-17 04:09 . 2011-06-17 04:09 211000 ----a-w- c:\windows\system32\drivers\volsnap.sys
2011-06-17 04:09 . 2011-06-17 04:09 154624 ----a-w- c:\windows\system32\drivers\nwifi.sys
2011-06-17 04:08 . 2011-06-17 04:08 104448 ----a-w- c:\windows\system32\DWWIN.EXE
2011-06-17 04:08 . 2011-06-17 04:08 2923520 ----a-w- c:\windows\explorer.exe
2011-06-17 04:07 . 2011-06-17 04:07 7680 ----a-w- c:\windows\system32\lsass.exe
2011-06-17 04:07 . 2011-06-17 04:07 72704 ----a-w- c:\windows\system32\secur32.dll
2011-06-17 04:07 . 2011-06-17 04:07 494592 ----a-w- c:\windows\system32\kerberos.dll
2011-06-17 04:07 . 2011-06-17 04:07 408136 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2011-06-17 04:07 . 2011-06-17 04:07 175104 ----a-w- c:\windows\system32\wdigest.dll
2011-06-17 04:07 . 2011-06-17 04:07 1233920 ----a-w- c:\windows\system32\lsasrv.dll
2011-06-17 04:07 . 2011-06-17 04:07 272384 ----a-w- c:\windows\system32\schannel.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-17 13:08 . 2011-06-17 13:08 36864 ----a-w- c:\windows\system32\drivers\en-US\http.sys.mui
2011-06-17 04:30 . 2011-06-17 04:30 52736 ----a-w- c:\windows\apppatch\iebrshim.dll
2011-06-17 04:06 . 2011-06-17 04:06 5632 ----a-w- c:\windows\system32\drivers\en-US\sermouse.sys.mui
2011-06-17 04:06 . 2011-06-17 04:06 4608 ----a-w- c:\windows\system32\drivers\en-US\mouclass.sys.mui
2011-06-17 04:06 . 2011-06-17 04:06 4608 ----a-w- c:\windows\system32\drivers\en-US\kbdclass.sys.mui
2011-06-17 04:06 . 2011-06-17 04:06 3072 ----a-w- c:\windows\system32\drivers\en-US\mouhid.sys.mui
2011-06-17 04:06 . 2011-06-17 04:06 3072 ----a-w- c:\windows\system32\drivers\en-US\kbdhid.sys.mui
2011-06-17 04:06 . 2011-06-17 04:06 10752 ----a-w- c:\windows\system32\drivers\en-US\i8042prt.sys.mui
2011-06-17 04:04 . 2011-06-17 04:04 40960 ----a-w- c:\windows\apppatch\apihex86.dll
2011-06-17 04:00 . 2011-06-17 04:00 2560 ----a-w- c:\windows\apppatch\AcRes.dll
2011-06-17 04:00 . 2011-06-17 04:00 2143744 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-06-17 04:00 . 2011-06-17 04:00 537600 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-06-17 04:00 . 2011-06-17 04:00 449024 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-06-17 04:00 . 2011-06-17 04:00 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-04-14 16:26 . 2011-06-15 14:03 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2011-06-17 1232896]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-07 1866864]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-14 13687328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-14 92704]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\users\Athena_6\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-05-29 366640]
S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2011-04-24 225856]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-05-29 22712]
S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 251904]
.
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Athena_6\AppData\Roaming\Mozilla\Firefox\Profiles\xgrdxh0j.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-23 11:11
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2011-06-23 11:14:53 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-23 15:14
ComboFix2.txt 2011-06-22 23:26
.
Pre-Run: 184,604,725,248 bytes free
Post-Run: 184,516,976,640 bytes free
.
- - End Of File - - 24698600DBDEE1ECE0C18FDF8A8166A1

#10
RKinner (Malware Expert; Expert, MVP, 24,748 posts)
"What is this and is it normal?
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000"

It is normal. Not sure exactly what it does but it has something to do with modems. It's pretty much in every log I see.
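As an added example (not part of RKinner's post and not code from ComboFix), here is how to pull the same Deny/Allow entries for that key with stock Windows tooling, so the LOCKED REGISTRY KEYS block in a ComboFix log can be compared against what the system itself reports. The key path is the one from the log; the class GUID {4D36E96D-E325-11CE-BFC1-08002BE10318} is the Modem device setup class, and S-1-5-20 is NT AUTHORITY\NETWORK SERVICE. The function name Get-RegistryKeyAces is mine.

```powershell
# Added example, not from the original post or from ComboFix: list who is
# allowed or denied on the registry key ComboFix reported as locked.
# Run from an elevated PowerShell (Vista or later).

$KeyPath = 'HKLM:\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings'

function Get-RegistryKeyAces {
    param([Parameter(Mandatory = $true)][string]$Path)

    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        # Reading a security descriptor needs READ_CONTROL. A Deny entry for
        # Everyone (as in the log) can block even an elevated administrator,
        # which is the same condition ComboFix prints as "locked".
        Write-Warning ("Cannot read ACL of {0}: {1}" -f $Path, $_.Exception.Message)
        return
    }

    Write-Host ("Owner: {0}" -f $acl.Owner)
    foreach ($ace in $acl.Access) {
        # Resolve the account to its SID so entries such as S-1-5-20
        # (NT AUTHORITY\NETWORK SERVICE) line up with the log.
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value
        }
        New-Object PSObject -Property @{
            Type      = $ace.AccessControlType   # Allow or Deny
            Principal = $ace.IdentityReference.Value
            Sid       = $sid
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        } | Select-Object Type, Principal, Sid, Rights, Inherited
    }
}

Get-RegistryKeyAces -Path $KeyPath | Format-Table -AutoSize
```

If the function only produces the warning, the key's ACL is unreadable even when elevated; that is the behaviour ComboFix is describing, not a separate finding. Because Administrators hold SeTakeOwnershipPrivilege, ownership can still be taken through regedit (Permissions, Advanced, Owner) if you ever need to inspect or change such a key, but a locked key that RKinner says appears in nearly every log is not on its own evidence of a rootkit.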

#11
lavenderchef45 (Topic Starter; Member, 37 posts)
Thanks for your quick response. You won't believe what happened to me between the time I wrote you today, left for the day & just got home! Tried to access my gmail (3 times!) a few minutes ago & was locked out of my account! I did the change password by having a link sent to my alternate mail address. I have had the same password for 4 months. This means my passwords have been compromised. Obviously.

Thank you for all you have helped me accomplish. You are really good at what you do. And, your instructions are easy to follow!

AP

#12
RKinner (Malware Expert; Expert, MVP, 24,748 posts)
Combofix is not seeing an anti-virus.

Try the free Avast.

http://www.avast.com...ivirus-download

Download, Save, and right click and Run As Administrator.

Once you have it installed and it has updated:

Click on the Avast ball. Then click on Scan Computer, then on
Boot-Time Scan then on Settings. Change the Ask at the bottom to Move to Chest. OK then Schedule Now. Reboot and let it run a scan. It may take hours.
Once it finishes it should load windows.
Click on the Avast ball and then on Scan Logs, select the Boot-time scan report then View Results. How many did it find?


You might also want to install the free firewall: Online Armor.
http://www.online-ar...-armor-free.php

Clear the Java Cache by following the instructions on
http://www.java.com/...lugin_cache.xml

You may not have the latest Java. 6.26
First go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)


Get the latest at:

http://javadl.sun.co...?BundleId=41723

Save it to your PC then close all browsers and install it. Do not let it install the yahoo toolbar or other foistware.

To help keep your programs up-to-date you can download and run the UpdateChecker:
http://www.filehippo.../updatechecker/


If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox. It seems to work best if you reboot right after running it. You can run it any time that Firefox seems slow.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.


If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.
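As an added example, not part of RKinner's post, these two checks back the first two pieces of advice above: whether any antivirus is registered with Windows Security Center (the root\SecurityCenter2 WMI namespace, which exists on Vista and later; how ComboFix itself decides it "is not seeing an anti-virus" is not stated on the page and is not assumed here), and which Java runtimes are listed under the Uninstall keys, matched against the names RKinner lists. The function names Get-RegisteredAntivirus and Get-InstalledJava are mine.

```powershell
# Added example, not from the original post: two checks behind the advice
# above, run from an elevated PowerShell on Vista or later.

function Get-RegisteredAntivirus {
    # Security Center records registered AV products in root\SecurityCenter2
    # (Vista and later; XP used root\SecurityCenter). An empty result means
    # no product has registered itself.
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue |
        Select-Object displayName, pathToSignedProductExe, productState
}

function Get-InstalledJava {
    # Installed programs live under the Uninstall keys; the Wow6432Node view
    # only exists on 64-bit Windows and is skipped silently on 32-bit.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    # Names a JRE has registered under over the years, per the post above;
    # the Publisher filter keeps other vendors' "Runtime Environment" out.
    $javaNames = 'Java|J2SE|J2RE|JRE|Java Runtime|Runtime Environment|Java VM|JVM'
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $javaNames -and $_.Publisher -match 'Sun|Oracle' } |
        Select-Object DisplayName, DisplayVersion, Publisher, UninstallString
}

$av = @(Get-RegisteredAntivirus)
if ($av.Count -eq 0) {
    Write-Warning 'No antivirus product is registered with Security Center.'
} else {
    $av | Format-Table -AutoSize
}

$java = @(Get-InstalledJava)
if ($java.Count -eq 0) {
    Write-Host 'No Java runtime found in the Uninstall keys.'
} else {
    # Every entry except the newest is a candidate for removal; the
    # UninstallString column is what Programs and Features runs.
    $java | Sort-Object DisplayVersion | Format-Table -AutoSize
}
```

The productState value is a vendor-encoded bitfield and is shown raw rather than decoded here; the point of the first check is simply whether any product shows up at all. After removing old Java entries, run the script again to confirm only the current version remains before installing the update.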
