Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

USB Mass Storage In Device Manager But Not Disk Manager - Rootkit Susp


  • Please log in to reply

#31
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,799 posts
  • MVP
I've talked to an expert on Combofix and he is unhappy with it taking so long. Thinks something might be fighting it. He would like you to boot into Safe Mode (Reboot and when you hear the beep, see the maker's logo, or it mentions F8, start slowly tapping the F8 key. Keep tapping until you see the Safe Mode menu. Choose the safe mode with networking entry and log in with your usual login.) Then run george again.

Ron
  • 0

Advertisements


#32
SGProd

SGProd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Ron, I think I may have screwed up running the unhide script. Or the unhide brought out something that is causing this new issue,
as follows:

The first Unhide run came up with an "unable to find vbs script message". I deduced that Avast! was blocking the "write' process to c:\temp so I shut down network access by disabling the adapter in Network connections) and paused Avast! to rerun.
The rerun of Unhide completed successfully as evidenced by the the message stating that the files have been un-hidden. I then un-paused Avast! and re-enabled the wireless adapter in Network Connections.
The machine isnow unable to connect to the internet as it's stuck at Acquiring Address.

I will now boot to Safe mode with networking to run George.

I can't believe how botched up this machine is. Good thing for my laptop that NO ONE touches but me.

Stay tuned...
  • 0

#33
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,799 posts
  • MVP
If the wireless link uses encryption you may have to redo it.

Ron
  • 0

#34
SGProd

SGProd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
George ran - sans CFScript. I have a new log. Now thinking -
Did you want that with or without the script?
As soon as I can figure out how to get Fang back onto the net I will post it. If I can't get anywhere in 15min I'll sneaker-net it over with a thumb drive here on my laptop.
  • 0

#35
SGProd

SGProd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
I had to reboot to full mode to regain net connectivity.
However after seeing the 1115 hidden files in the George log again, I just went back to your past few posts and realized you meant I should redo the Unhide prior to running George in Safe mode.
Going back to Safe mode to run Unhide, then George.

I guess some good news is that the reboot only took ~ 3 1/5 minutes.

Edited by SGProd, 03 July 2011 - 11:36 AM.

  • 0

#36
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,799 posts
  • MVP
Don't really need the script this time. Just a plain Combofix run.

Ron
  • 0

#37
SGProd

SGProd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
I'm back in Safe mode with networking - however my Dlink still still can't connect in safe mode (I do have it set to remember network key parameters. But I still need to start up the D-Link Adapter wizard to "activate" the connection. Unfortunately I can't see the dialog window or the icon on the Taskbar even though Process Explorer says its running).

Just ran Unhide.exe. it completed with no issue.

Am now rerunning George. A dialog came up saying Avast! was still running. Looking through Process Explorer I found it was not. However I did find and stop a process called NirCmd.cxxe from NirSoft.com. I'm pretty sure I've read about Nirsoft.com connected to virus/trojan badness in the past.

George just finished. Duration ~ 8 min. No more 1115 hidden files. I was able to see a USB thumbdrive so Fang is still in safe mode (in case I need to work further in Safe mode from this point) while I'm posting the latest Safe Mode ComboFix log from my laptop:
==============================================================================

ComboFix 11-07-01.01 - SilvioG 07/03/2011 14:08:54.5.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2475 [GMT -4:00]
Running from: c:\documents and settings\SilvioG\Desktop\george.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Online Armor Firewall *Enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-03 to 2011-07-03 )))))))))))))))))))))))))))))))
.
.
2011-07-02 17:48 . 2011-07-02 18:21 -------- d-----w- C:\george
2011-07-02 13:17 . 2008-04-14 00:12 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-07-02 13:17 . 2001-08-18 02:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-07-02 13:17 . 2008-04-14 00:12 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-07-02 13:17 . 2001-08-18 02:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2011-07-02 13:17 . 2001-08-18 02:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2011-07-02 13:16 . 2001-08-18 02:37 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2011-07-02 13:16 . 2001-08-17 16:11 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2011-07-02 13:16 . 2004-08-04 02:29 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys
2011-07-02 13:16 . 2008-04-13 18:46 19200 ----a-w- c:\windows\system32\dllcache\wstcodec.sys
2011-07-02 13:16 . 2004-08-04 02:29 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys
2011-07-02 13:16 . 2008-04-14 00:12 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll
2011-07-02 13:14 . 2001-08-17 16:13 16925 ----a-w- c:\windows\system32\dllcache\w940nd.sys
2011-07-02 13:13 . 2008-04-13 18:45 26112 ----a-w- c:\windows\system32\dllcache\usbser.sys
2011-07-02 13:12 . 2001-08-17 18:56 440576 ----a-w- c:\windows\system32\dllcache\tridkb.dll
2011-07-02 13:11 . 2001-08-17 16:50 36640 ----a-w- c:\windows\system32\dllcache\t2r4mini.sys
2011-07-02 13:10 . 2001-08-17 17:51 61824 ----a-w- c:\windows\system32\dllcache\speed.sys
2011-07-02 13:09 . 2004-08-10 11:00 38912 ----a-w- c:\windows\system32\dllcache\sm9aw.dll
2011-07-02 13:08 . 2001-08-17 17:53 6784 ----a-w- c:\windows\system32\dllcache\serscan.sys
2011-07-02 13:07 . 2001-08-17 18:56 182272 ----a-w- c:\windows\system32\dllcache\s3mt3d.dll
2011-07-02 13:06 . 2004-08-10 11:00 9728 ----a-w- c:\windows\system32\dllcache\query.exe
2011-07-02 13:05 . 2008-04-14 00:10 211584 ----a-w- c:\windows\system32\dllcache\perm2dll.dll
2011-07-02 13:04 . 2001-08-17 16:12 43689 ----a-w- c:\windows\system32\dllcache\otceth5.sys
2011-07-02 13:04 . 2001-08-17 16:12 27209 ----a-w- c:\windows\system32\dllcache\otc06x5.sys
2011-07-02 13:04 . 2001-08-17 16:20 54528 ----a-w- c:\windows\system32\dllcache\opl3sax.sys
2011-07-02 13:04 . 2001-08-17 16:50 198144 ----a-w- c:\windows\system32\dllcache\nv3.sys
2011-07-02 13:04 . 2001-08-18 02:36 123776 ----a-w- c:\windows\system32\dllcache\nv3.dll
2011-07-02 13:04 . 2001-08-18 02:36 38912 ----a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2011-07-02 13:04 . 2001-08-17 16:49 51552 ----a-w- c:\windows\system32\dllcache\ntgrip.sys
2011-07-02 13:04 . 2001-08-17 17:47 9344 ----a-w- c:\windows\system32\dllcache\ntapm.sys
2011-07-02 13:04 . 2001-08-17 17:53 7552 ----a-w- c:\windows\system32\dllcache\nsmmc.sys
2011-07-02 13:04 . 2008-04-13 18:54 28672 ----a-w- c:\windows\system32\dllcache\nscirda.sys
2011-07-02 12:55 . 2001-08-17 17:50 75520 ----a-w- c:\windows\system32\dllcache\mxport.sys
2011-07-02 12:54 . 2008-04-13 18:46 15232 ----a-w- c:\windows\system32\dllcache\mpe.sys
2011-07-02 12:53 . 2001-08-17 16:12 70730 ----a-w- c:\windows\system32\dllcache\lne100tx.sys
2011-07-02 12:52 . 2008-04-14 00:12 151552 ----a-w- c:\windows\system32\dllcache\irftp.exe
2011-07-02 12:51 . 2001-08-17 16:11 28700 ----a-w- c:\windows\system32\dllcache\ibmexmp.sys
2011-07-02 12:50 . 2001-08-18 02:36 31232 ----a-w- c:\windows\system32\dllcache\hpgt42tk.dll
2011-07-02 12:49 . 2001-08-17 16:14 444416 ----a-w- c:\windows\system32\dllcache\fpcibase.sys
2011-07-02 12:48 . 2001-08-17 17:50 144896 ----a-w- c:\windows\system32\dllcache\epcfw2k.sys
2011-07-02 12:47 . 2001-08-17 16:14 21606 ----a-w- c:\windows\system32\dllcache\digiisdn.sys
2011-07-02 12:46 . 2001-08-18 02:36 44032 ----a-w- c:\windows\system32\dllcache\cnusd.dll
2011-07-02 12:45 . 2008-04-13 18:46 11776 ----a-w- c:\windows\system32\dllcache\bdasup.sys
2011-07-02 12:35 . 2004-08-10 11:00 7168 ----a-w- c:\windows\system32\dllcache\wamregps.dll
2011-07-02 12:35 . 2001-08-17 18:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-07-02 12:35 . 2004-08-10 11:00 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2011-07-02 12:35 . 2004-08-10 11:00 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2011-07-02 12:35 . 2004-08-10 11:00 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2011-07-02 12:35 . 2004-08-10 11:00 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
2011-07-02 12:35 . 2004-08-10 11:00 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2011-07-02 12:35 . 2004-08-10 11:00 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
2011-07-02 12:32 . 2011-07-02 12:32 -------- d-----w- c:\program files\Common Files\Java
2011-07-02 02:26 . 2011-07-02 02:26 -------- d-----w- C:\found.000
2011-07-02 01:30 . 2011-05-04 06:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-01 21:32 . 2011-07-02 17:48 -------- d-----w- C:\ComboFix
2011-07-01 21:10 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-01 21:10 . 2011-07-01 21:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-01 21:10 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-01 20:25 . 2011-07-01 20:25 -------- d-----w- C:\_OTL
2011-07-01 18:50 . 2011-07-01 19:42 -------- d-----w- C:\ppart
2011-07-01 18:50 . 2005-04-04 03:02 69714 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
2011-07-01 18:50 . 2005-04-04 03:01 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
2011-07-01 18:50 . 2005-04-04 03:00 184320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
2011-07-01 18:50 . 2005-04-04 02:59 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe
2011-07-01 18:50 . 2005-04-04 03:02 753664 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
2011-07-01 18:50 . 2011-07-01 18:50 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
2011-07-01 18:50 . 2011-07-01 18:50 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
2011-06-30 20:57 . 2011-06-30 20:57 -------- d-----w- c:\program files\Bonjour
2011-06-30 10:07 . 2010-12-09 15:15 718336 ----a-w- c:\windows\system32\d85F.tmp
2011-06-29 11:22 . 2011-06-07 16:35 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-06-29 03:48 . 2011-06-29 03:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-29 03:12 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-06-29 02:43 . 2011-06-29 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\D-Link
2011-06-29 02:43 . 2011-06-29 02:43 -------- d-----w- c:\windows\pcidevice
2011-06-29 02:43 . 2009-07-30 19:26 1581792 ----a-w- c:\windows\system32\drivers\athw.sys
2011-06-29 02:43 . 2008-09-26 23:01 405582 ----a-w- c:\windows\system32\jswscsup.dll
2011-06-29 02:43 . 2008-09-25 23:07 57440 ----a-w- c:\windows\system32\jswscimd.sys
2011-06-29 02:43 . 2008-09-25 23:07 57440 ----a-w- c:\windows\system32\drivers\jswscimd.sys
2011-06-29 02:43 . 2011-06-29 02:43 -------- d-----w- c:\program files\D-Link
2011-06-29 02:43 . 2008-02-27 14:54 20480 ----a-w- c:\windows\system32\wlndis50.sys
2011-06-29 02:43 . 2008-02-27 14:54 20480 ----a-w- c:\windows\system32\drivers\WLNdis50.sys
2011-06-29 02:42 . 2011-06-29 02:42 -------- d-----w- c:\documents and settings\SilvioG\Application Data\InstallShield
2011-06-07 16:35 . 2011-06-07 16:35 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-10 12:10 . 2010-08-29 00:12 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:10 . 2010-08-29 00:12 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-10 12:03 . 2010-08-29 00:13 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-10 12:02 . 2010-08-29 00:13 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-10 12:02 . 2010-08-29 00:13 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-05-10 12:02 . 2010-08-29 00:13 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-05-10 11:59 . 2010-08-29 00:13 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-10 11:59 . 2010-08-29 00:13 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-05-10 11:59 . 2010-08-29 00:13 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-04 08:52 . 2010-08-28 19:47 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-02 15:31 . 2005-08-16 10:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2005-08-16 10:18 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2006-03-15 04:51 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 15:51 . 2005-08-16 10:18 832512 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 15:51 . 2010-08-28 19:55 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-04-25 15:51 . 2005-08-16 10:18 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 15:51 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2011-04-25 12:01 . 2005-08-16 10:18 389120 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2005-08-16 10:18 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" [2009-11-15 33120]
"MCW Startup"="c:\program files\Monitor Calibration Wizard\MCW.exe" [2002-12-20 321024]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2009-05-08 174424]
"@OnlineArmor GUI"="c:\program files\Online Armor\oaui.exe" [2010-08-27 2356848]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-06-08 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Ashampoo Magic Defrag.lnk - c:\program files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragCtrl.exe [2009-11-3 4149361]
Wireless Connection Manager.lnk - c:\program files\D-Link\DWA-552 revA\wirelesscm.exe [2011-6-28 505152]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoFileAssociate"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFileAssociate"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2010-08-27 353992]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^SilvioG^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^SilvioG^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=c:\windows\pss\MagicDisc.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^SilvioG^Start Menu^Programs^Startup^SpywareGuard.lnk]
path=c:\documents and settings\SilvioG\Start Menu\Programs\Startup\SpywareGuard.lnk
backup=c:\windows\pss\SpywareGuard.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 07:05 127035 ----a-w- c:\windows\system32\dla\tfswctrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 22:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-10-15 02:50 114688 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-10-15 02:49 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2006-04-05 16:38 518144 ----a-w- c:\program files\Nero\Nero 7\InCD\InCD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 19:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-27 02:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-03-15 05:19 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
.
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [8/30/2010 7:08 PM 25000]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [8/30/2010 7:08 PM 29272]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [6/28/2011 10:43 PM 57440]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [6/28/2011 11:12 PM 441176]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/28/2010 8:13 PM 307928]
S1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [8/30/2010 7:08 PM 201168]
S1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [8/30/2010 7:08 PM 38856]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/28/2010 8:13 PM 19544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/4/2010 6:21 AM 136176]
S2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [8/30/2010 7:08 PM 380272]
S2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [8/30/2010 7:08 PM 3638240]
S2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [6/28/2011 10:43 PM 20480]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S3 jswpsapi;JumpStart Wi-Fi Protected Setup;c:\program files\D-Link\DWA-552 revA\jswpsapi.exe [6/28/2011 10:43 PM 356433]
S3 PMSI Application Server;PMSI Application Server;c:\ppart\PMSI.Networking.Services.ApplicationService.exe [7/1/2011 2:53 PM 32768]
S3 PMSI Data Server;PMSI Data Server;c:\ppart\PMSI.Networking.Services.DataService.exe [7/1/2011 2:53 PM 20480]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - PXHELP20
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-04 10:21]
.
2011-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-04 10:21]
.
2011-07-03 c:\windows\Tasks\User_Feed_Synchronization-{FACC7370-DC14-40F5-AB69-7B182EECE70A}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 23:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\SilvioG\Application Data\Mozilla\Firefox\Profiles\vjnkxmky.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-03 14:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(412)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
- - - - - - - > 'explorer.exe'(1128)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2011-07-03 14:16:57
ComboFix-quarantined-files.txt 2011-07-03 18:16
ComboFix2.txt 2011-07-03 16:36
ComboFix3.txt 2011-07-03 05:30
ComboFix4.txt 2011-07-02 18:21
ComboFix5.txt 2011-07-03 18:08
.
Pre-Run: 55,755,333,632 bytes free
Post-Run: 55,727,648,768 bytes free
.
- - End Of File - - ED8F5076E44A7D1B3046A94171A3997D
======================================================================================
  • 0

#38
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,799 posts
  • MVP
NirCmd.cxxe is part of Combofix so best not to mess with it.

The log looks like it should so not sure why it took so long before.

Can you run aswMBR and TDSSKiller?

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
Posted Image

On completion of the scan (Note if the Fix button is enabled and tell me) click save log, save it to your desktop and post in your next reply
Posted Image

Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double click on TDSSKiller.exe
If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

If they won't run in regular mode try them in safe mode.

I had combofix remove something that might have been interfering with your USB drives so they may work in regular mode now.

Ron
  • 0

#39
SGProd

SGProd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
OK - To be clear, I am now booting to normal mode to download and deploy these steps.
  • 0

#40
SGProd

SGProd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Windows Explorer not happy upon warm reboot. Need to hard interrupt/cold boot.
  • 0

Advertisements


#41
SGProd

SGProd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Cold Reboot Duration: 4:47. Sweet. :)
  • 0

#42
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,799 posts
  • MVP
Sounds like we are making progress.
  • 0

#43
SGProd

SGProd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
RE: aswMBR
"(Note if the Fix button is enabled and tell me) "

Did you mean go ahead and hit <fix>, but let you know? I'm seeing a bunch of files in c:\windows\system32\drivers\w****.sys coming up in RED as **HIDDEN**.

Edited by SGProd, 03 July 2011 - 01:22 PM.

  • 0

#44
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,799 posts
  • MVP
If the Fix button (not the FixMBR button) is enabled, post your aswMBR log then run it again and hit the Fix button.

Ron
  • 0

#45
SGProd

SGProd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
OK will do.

At +/- 186k objects (from last Avast scan 4-5 days ago), I suspect this is going to be a good hour's ride at least - potentially X 2 for a "Fix" run if/when it comes to that. I'll continue monitoring it and hope for the best against any other red flags.
Thanks,
Silvio
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP