Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Combofix RootKit.ZeroAccess Removal Problem (Won't Go Away!) [


  • This topic is locked This topic is locked

#1
tech_addict

tech_addict

    New Member

  • Member
  • Pip
  • 9 posts
First of all, thank you so much for what you do here. I already got tremendous help just browsing the forum and following instructions in other posts, and as an occasional victim of spyware/malware, I appreciate the availability of this kind of resource tremendously.

My computer in trouble is Dell Inspiron 700m with 1.2Gbyte of RAM, Windows XP SP3. (yes, it's an old machine past expiration date, but I must use it for lots of writing work.)

I've always had McAfee on this computer, and I'll use something else next time, as McAfee has failed more often that I would like it to.

I've been visiting wild and exotic and questionable websites via Google on this machine, and so far in the past 6 years or so McAfee failed about 3 to 4 times in blocking webbrowsing-contracted spyware/malware (on both FireFox and Internet Explorer).

Now, to the problem I have had, and still having.

------------------------
2012-01-04, late evening
------------------------

While Googling and visiting websites, after visiting a suspicious-looking particular website, I notice something's not quite right. My laptop feels sluggish, CPU usage shoots up 100%, my McAfee Total Protection suddenly goes out of subscription although it should last until August-2012.

This has happened before a few times, as McAfee Total Protection is less than stellar in preventing spyware/malware caught from merely visiting a sick website.
(Now, I'll no longer subscribe to McAfee. Too many troubles with that security software, as it's ineffective enough of times.)

So, I download and run Malware Byte's Spyware Remover on Full Scan, it catches 30+ spyware/malware that all passed through McAfee's 'protection', and I tell it to remove them all. mbam-log-2012-01-04 (13-47-55).txt

I run Malware Byte's Spyware Remover one more time on Quick Scan to see everything is clean. mbam-log-2012-01-04 (19-28-06).txt

I contact the McAfee technical support, and they reinstall my McAfee Total Protection via remote desktop access.

Problem with my laptop still persists.

1. CPU usage is still at 100%. It's not one process that's garbling up the CPU. McAfee is using high amount of CPU, a couple system processes are using unusually high amount of CPU. McAfee keeps blocking the following two processes trying to access the Internet, calling them 'suspicious':

TCP/IP Ping (ping.exe)
Generic Host Process for Win32 Services (svchost.exe)

Now, I'm not running any programs that I know of that should make those two to access the Internet, so I know something fishy is going on.

2. I notice that Internet Explorer icon from the Start Menu panel (on the top, above the Email client) does not work. When I click it, a messagebox pops up saying "access denied".

3. I can't access the Windows Update website, as it shows "can't connect" screen. Other websites, I can access.

4. On my Windows XP system tray, the Wireless Network Connection icon stays at "Acquiring Network Address" animated icon, with a yellow ball going left and right, although there already is a network connection and I can browse the Internet fine, except the Windows Update website.


------------------------
2012-01-05, before noon
------------------------



First Combofix Run
-------------------


I do some Googling, and come across www.geekstogo.com. I download Combofix, turn off McAfee until next boot, and run Combofix. Combofix, after installing Windows Recovery Console, says it detected RootKit.ZeroAccess and it's a particularly nasty infection, and couple more messages after, it reboots the system, because of Rootkit activity.

I realize that I have turned off McAfee real-time protection and firewall until the next reboot, so, in the next boot Combofix runs against McAfee still running.

Combofix removes bunch of files and directories still, and reboots my laptop once again.

After the 2nd reboot, it generates the log file. ComboFix (2012-01-05).txt

McAfee is running, all the four problems above are gone. My laptop feels healthy and fully functional at an optimal level.


Second Combofix Run
-------------------

Since I had McAfee on after the 1st reboot by Combofix, I figure it'd be better to run Combofix one more time. I uninstall it using "Combofix /Unistall" via Windows Run window, and reinstall and re-run.

Alas, although the above four problems are gone, Combofix still says my computer has RootKit.ZeroAccess and reboots my laptop once agian after a couple more, the same, messages.

After the reboot, it detects no problem, and produces a log file. ComboFix (2012-01-05 2).txt

No network connection is avaiable, no McAfee in the system tray, so I reboot, and everything is back to normal.

I get an info on FSS in a posting on www.geekstogo.com, and run it to see what it does. It produced a log. FSS (2012-01-05).txt


Third Combofix Run
-------------------

Third time's the charm, since Combofix still reported me as having RootKit.ZeroAccess, I uninstall and run Combofix again just to see. The behavior is exactly the same as the 2nd run. ComboFix (2012-01-05 3).txt

I download, install, and run Malware Byte's Spyware Remover, on Quick Scan, and it catches nothing. mbam-log-2012-01-05 (14-32-26).txt


------------------------
2012-01-05, afternoon
------------------------


The problems I'm still having:

1. on the last, and 3rd run of Combofix, it still says my computer has RootKit.ZeroAccess.

2. On my Windows XP system tray, the Wireless Network Connection icon still shows a periodic, very brief network activity indication (by flashing), as if my computer is checking something on the Internet, although I'm using no software that should have a periodic check-up on the Internet (like every few minutes.)


Help to resolve the above two remaining issues would be greatly appreciated.


Attached File  mbam-log-2012-01-04 (13-47-55).txt   11.37KB   50 downloads
Attached File  mbam-log-2012-01-04 (19-28-06).txt   1.82KB   33 downloads
Attached File  ComboFix (2012-01-05).txt   25.29KB   40 downloads
Attached File  FSS (2012-01-05).txt   1.67KB   42 downloads
Attached File  ComboFix (2012-01-05 2).txt   19.46KB   57 downloads
Attached File  ComboFix (2012-01-05 3).txt   19.05KB   59 downloads
Attached File  mbam-log-2012-01-05 (14-32-26).txt   1.82KB   36 downloads

Edited by tech_addict, 05 January 2012 - 03:27 PM.

  • 0

Advertisements


#2
Gammo

Gammo

    Trusted Helper

  • Malware Removal
  • 2,299 posts
Hello and welcome to Geekstogo!

We apologize for the delay in responding to your request for help.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below.



Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert". It is NOT for unsupervised use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
Posted Image

On completion of the scan click save log, save it to your desktop and post in your next reply
Posted Image
  • 0

#3
Gammo

Gammo

    Trusted Helper

  • Malware Removal
  • 2,299 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.


Topic reopened at the user's request.

Edited by Gammo, 19 January 2012 - 08:10 AM.

  • 0

#4
tech_addict

tech_addict

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
@Gammo

Hey, thanks for the reply and instruction.

1. [RUN 1] I ran "aswMBR.exe" last night, around 9:30pm EST 2012-01-18, on full scan. I see in the next morning that for some reason, "aswMBR.exe"crashed, so I didn't get to save log. There's an automated backup program on (infected) Windows laptop that runs at 3:00am EST, which does shadow copy. That might have been a reason.

2. [RUN 2] I ran "aswMBR.exe"again on quick scan early today morning, on 2012-01-19 EST.

06:44:37.998 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Aluroot-B [Rtk]

aswMBR.exe quarantines the file, then McAfee says it detected a trojan on the quarantined file, "C:\DOCUME~1\Allen\LOCALS~1\Temp\~Quarantine.aswMBR\redbook.sys" and removes the file. Perhaps I should've turned off my McAfee before scan.

I hit the fix button on aswMBR.exe window and reboot the system.

Attached File  aswMBR 2012-01-19 Quickscan Before Fix (Run 2).txt   2.23KB   46 downloads
Attached File  aswMBR 2012-01-19 Quickscan After Fix (Run 2).txt   2.81KB   68 downloads

2. [RUN 3] I ran "aswMBR.exe"again on quick scan, after the reboot, on 2012-01-19 EST.

09:32:55.304 Module: C:\WINDOWS\system32\dla\tfsndres.sys **SUSPICIOUS**

There's no fix button, so no action I can take on the SUSPICIOUS file.

Attached File  aswMBR 2012-01-19 Quickscan (Run 3) No Fix.txt   2.22KB   39 downloads

--------------------------------------------------------------------------------------------------------------------------------------------

What should I do now? Run ComboFix again? Any other options?

Edited by tech_addict, 19 January 2012 - 09:49 AM.

  • 0

#5
Gammo

Gammo

    Trusted Helper

  • Malware Removal
  • 2,299 posts
Please don't fix items unless I tell you to. It was OK that you deleted redbook.sys, but tfsndres.sys is legitimate.

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    Posted Image
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    Posted Image
  • Click the Start Scan button.

    Posted Image
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    Posted Image
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

    Posted Image
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.



Delete your copy of Combofix.exe from the Desktop. Then:

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

    Posted Image

    Posted Image
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now
  • 0

#6
tech_addict

tech_addict

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
1. TDSSKiller.exe

24 threats. None with Cure option available, so I skipped all.

Attached File  TDSSKiller.2.7.6.0_19.01.2012_12.54.31_log.txt   81.17KB   51 downloads

2. Combofix.exe

It popped up a message box saying Rootkit is detected. There were only OK buttons on the message boxes, so I clicked the OKs. (Screenshot 1, Screenshot 2)

Then it said in a message box it must reboot the system due to Rootkit. I clicked OK.

After the reboot, Combofix.exe did some things in dozens of stages, produced the log.

My laptop didn't have a WiFi connection after the Combofix was done, so I rebooted my laptop. After the reboot, I got my WiFi connection back.

ComboFix 12-01-19.01 - Allen 01/19/2012 13:14:27.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1262.782 [GMT -5:00]
Running from: c:\documents and settings\Allen\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
.
.
((((((((((((((((((((((((( Files Created from 2011-12-19 to 2012-01-19 )))))))))))))))))))))))))))))))
.
.
2012-01-19 01:17 . 2012-01-19 01:17 -------- d-----w- c:\documents and settings\Allen\Application Data\Blender Foundation
2012-01-19 01:08 . 2012-01-19 01:08 -------- d-----w- c:\program files\Blender Foundation
2012-01-15 17:54 . 2012-01-19 00:30 -------- d-----w- c:\program files\freecol
2012-01-15 17:25 . 2012-01-15 17:39 -------- d-----w- c:\documents and settings\Allen\Application Data\.freeciv
2012-01-15 17:22 . 2012-01-19 00:30 -------- d-----w- c:\program files\Freeciv-2.3.0-gtk2
2012-01-05 17:04 . 2011-12-21 07:24 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-05 17:04 . 2011-12-21 04:30 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-05 17:04 . 2011-12-21 04:30 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-05 17:04 . 2011-12-21 04:30 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-05 05:43 . 2012-01-05 05:43 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-01-05 05:15 . 2012-01-05 05:15 -------- d-----w- c:\windows\MATS
2012-01-05 05:15 . 2012-01-05 05:15 -------- d-----w- c:\program files\Microsoft Fix it Center
2012-01-05 05:08 . 2012-01-05 05:08 -------- d-----w- c:\documents and settings\Allen\Application Data\ElevatedDiagnostics
2012-01-05 03:19 . 2010-04-14 01:10 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2012-01-05 03:19 . 2012-01-05 03:19 -------- d-----w- c:\program files\McAfee Online Backup
2012-01-05 03:18 . 2011-04-11 19:29 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
2012-01-05 03:17 . 2012-01-05 03:17 -------- d-----w- c:\documents and settings\Allen\Local Settings\Application Data\McAfee Anti-Theft
2012-01-05 03:16 . 2011-12-06 22:22 28760 ----a-w- c:\program files\Mozilla Firefox\ScriptFF.dll
2012-01-05 03:16 . 2011-10-15 17:16 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-01-05 03:16 . 2011-10-15 17:16 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2012-01-05 03:16 . 2011-10-15 17:16 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-01-05 03:16 . 2011-10-15 17:16 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2012-01-05 03:16 . 2011-10-15 17:16 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-01-05 03:16 . 2011-10-15 17:16 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-01-05 03:16 . 2011-10-15 17:16 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-01-05 03:16 . 2011-10-15 17:16 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-01-05 03:15 . 2012-01-05 03:17 -------- d-----w- c:\program files\Common Files\Mcafee
2012-01-05 03:15 . 2012-01-05 04:10 -------- d-----w- c:\program files\McAfee
2012-01-05 03:02 . 2011-11-18 21:36 150856 ----a-w- c:\windows\system32\mfevtps.exe
2012-01-04 20:06 . 2012-01-04 20:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Sun
2011-12-27 16:10 . 2011-12-27 16:11 -------- d-----w- C:\WLMP
2011-12-27 14:22 . 2011-12-27 14:22 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2011-12-27 14:22 . 2011-12-27 14:22 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-25 21:57 . 2004-08-10 17:51 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-10 17:51 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-22 23:07 . 2011-06-02 23:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-18 12:35 . 2004-08-10 17:51 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2004-08-10 17:51 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2004-08-10 17:51 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-10 06:07 . 2011-11-10 06:07 151312 ----a-w- c:\windows\system32\winwb86.IME
2011-11-04 19:20 . 2004-08-10 17:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-10 17:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2004-08-10 17:51 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2004-08-10 17:51 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2004-08-10 17:51 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-10 17:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2004-08-10 17:51 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-04 03:59 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2008-12-31 05:30 . 2008-12-31 05:30 336 ----a-w- c:\program files\temp995.bat
2011-12-21 07:24 . 2011-08-06 21:26 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-14 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-16 141608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1318816]
"McPvTray_exe"="c:\program files\McAfee\MAT\McPvTray.exe" [2011-04-08 419904]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\Allen\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2010-5-31 575488]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
VirtuaWin.lnk - c:\program files\VirtuaWin\VirtuaWin.exe [2008-5-25 124928]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 setuid
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]
Ime File REG_SZ WINWB86.IME
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Allen^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\Allen\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 15:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2008-08-13 22:32 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 21:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-04-27 14:09 133104 ----atw- c:\documents and settings\Allen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-16 11:41 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2006-01-17 17:03 53248 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [1/4/2012 10:18 PM 64048]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [1/4/2012 10:16 PM 89792]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [1/4/2012 10:19 PM 54776]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [1/19/2006 11:59 PM 8576]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [1/4/2012 10:15 PM 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [1/4/2012 10:15 PM 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [1/4/2012 10:15 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [1/4/2012 10:16 PM 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [1/4/2012 10:02 PM 150856]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [4/13/2010 8:11 PM 229688]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [1/4/2012 10:16 PM 57600]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [1/4/2012 10:16 PM 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [1/4/2012 10:16 PM 83856]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/14/2010 8:49 PM 136176]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\DRIVERS\CSVirtA.sys --> c:\windows\system32\DRIVERS\CSVirtA.sys [?]
S3 fidcam;Unibrain MS 1394 based IIDC Digital Camera Driver;c:\windows\system32\drivers\fidcam.sys [11/17/2006 11:27 AM 48128]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/14/2010 8:49 PM 136176]
S3 JRSKD24;JRSKD24;\??\c:\windows\system32\JRSKD24.SYS --> c:\windows\system32\JRSKD24.SYS [?]
S3 MatSvc;@%ProgramFiles%\Microsoft Fix it Center\MatsRes.dll,-9000;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 10:09 PM 267568]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [1/4/2012 10:16 PM 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [1/4/2012 10:16 PM 87656]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 3:22 PM 34064]
S3 NPFWFLT;NPFWFLT;c:\windows\system32\npfwflt.sys [6/18/2009 2:13 AM 41600]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\DRIVERS\PTDMBus.sys --> c:\windows\system32\DRIVERS\PTDMBus.sys [?]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\DRIVERS\PTDMMdm.sys --> c:\windows\system32\DRIVERS\PTDMMdm.sys [?]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\DRIVERS\PTDMVsp.sys --> c:\windows\system32\DRIVERS\PTDMVsp.sys [?]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\DRIVERS\PTDMWWAN.sys --> c:\windows\system32\DRIVERS\PTDMWWAN.sys [?]
S3 SCPMPR5;SCPMPR5 NDIS Protocol Driver;\??\d:\scpmpr5.sys --> d:\SCPMPR5.SYS [?]
S3 sonydcam;Generic 1394 Desktop Camera;c:\windows\system32\drivers\sonydcam.sys [8/3/2004 11:09 PM 25344]
S3 USRSp50;USRSp50 NDIS Protocol Driver;c:\windows\system32\drivers\USRSp50.sys [7/10/2006 4:18 PM 17664]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 5:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 5:28 PM 369688]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-19 c:\windows\Tasks\fba_Daily Backup.job
- c:\program files\Softland\FBackup 4\fbaSchedStarter.exe [2011-06-03 20:47]
.
2012-01-19 c:\windows\Tasks\User_Feed_Synchronization-{DC0CEE94-D4A1-43E1-AC70-E0E93192A266}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
Trusted Zone: aol.com\free
Trusted Zone: imlive.com
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {1B5EE264-CCAB-48A4-B8DA-04D4BB004CC3} - hxxp://online.keb.co.kr/cab/miplatform/MiUpdater310-20061109_1035.cab
DPF: {4F29DE54-5EB7-4D76-B610-A86B5CD2A234} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebPlayer.cab
DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - hxxp://download.softforum.co.kr/Published/XecureWeb/v7.2.2.7/xw_install.cab
DPF: {8FD68F8A-641E-4204-AE47-DD835C1AE756} - hxxp://ck.softforum.co.kr/CKKeyPro/keb/CKAppPro.cab
DPF: {A2A4336A-E49E-44E8-B152-E98E841CFA24} - hxxp://gisweb4.chzero.com/zeromap/ZeroMapUpdate.cab
DPF: {CDD6E613-CBEF-40C3-A140-4F5EEE0C4E00} - hxxp://ck.softforum.co.kr/phishingpro/current/CKPhishingPro.cab
FF - ProfilePath - c:\documents and settings\Allen\Application Data\Mozilla\Firefox\Profiles\g5i37zh8.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - user.js: yahoo.homepage.dontask - true);user_pref(dom.disable_open_during_load, true // Popupblocker control handled by McAfee Privacy Service
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-19 13:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\INTEL\Wireless\Folders\x*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
[HKEY_LOCAL_MACHINE\software\INTEL\Wireless\Folders\¬ *ª*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1448)
c:\windows\system32\setuid.dll
.
Completion time: 2012-01-19 13:42:29
ComboFix-quarantined-files.txt 2012-01-19 18:42
.
Pre-Run: 3,306,172,416 bytes free
Post-Run: 3,417,821,184 bytes free
.
- - End Of File - - 461EA63D9F7668FE41E4DC555791580F

Attached Files


  • 0

#7
Gammo

Gammo

    Trusted Helper

  • Malware Removal
  • 2,299 posts
Are you still experiencing any problems?
  • 0

#8
tech_addict

tech_addict

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
No.

After cleaning up redbook.sys with aswMBR.exe, even the intermittent, periodic automatic Internet transmission is gone (mentioned in the first post).

Other than Combofix.exe saying Rootkit problem, my laptop seems and feels super fine.
  • 0

#9
Gammo

Gammo

    Trusted Helper

  • Malware Removal
  • 2,299 posts
Your logs appear to be clean now. There is only a bit of cleanup that we will deal with in this post, as well as prevention from future infections. ^_^

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
    Posted Image
  • Please follow the prompts to uninstall Combofix.
  • You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Download OTC to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Keep a backup of your important files
Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Make proper use of your anti-virus and firewall
You should keep your anti-virus and firewall guard enabled at all times, don't shut them off unless there's a specific reason to do so.

Also, regularly performing a full system scan with your anti-virus program is a good idea to make sure nothing has slipped through your protection. Once every two weeks works well for many people. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

Keep in mind that anti-virus programs are far from perfect. They don't protect you against every piece of malware that's out there, so don't trust them blindly. If an anti-virus reports a file as 'clean' then it's doesn't necessarily has to mean it is.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Keep all your software updated
It is important to keep up on system updates from Microsoft by regularly checking their website at: http://windowsupdate.microsoft.com/, as these patch critical security vulnerabilities and help to keep you safe.

It's also important to keep programs up to date so that malware doesn't exploit any old security flaws. FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. Java and Adobe Reader are two of the main security vulnerabilities. You can find the latest version of Java here, you will want the Java SE Runtime Environment (JRE) one. You can find the latest version of Adobe Reader here.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Use a safer web browser
Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a couple good free alternatives: Firefox and Opera. Both are excellent faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial here which will help you to make IE much safer.

If you decide to use the Firefox browser, the McAfee SiteAdvisor add-on will nicely help to enhance your security. This add-on tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Some other security programs

It is wise these days to have a few security programs installed and running on your machine except from just an anti-virus and a firewall. I will list some of them.
  • A good anti-spyware program installed on your pc is very important to help remove any spyware that may have gotten on your computer. I highly recommend Malwarebytes' Anti-Malware.
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites in the future.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Be careful
Having security programs installed is very helpful to you, but none of them have the gift of human thought. The best way to make sure you don't get infected is to exercise common sense. Be careful of what websites you visit - if a site looks suspicious, trust your instincts and get out of there. Be careful of what attachments you open in emails and files you download from websites - check them over carefully to make sure that you know what you're getting.

Using peer-to-peer programs (eg: LimeWire, BitTorrent, uTorrent, Kazaa) or downloading cracks and keygens is something else to avoid. These are the most common way to get infected. Malware writers use these programs to spread infections as it is the easiest way for them. The majority of infections we see in the Malware Removal forum are due to people using p2p programs to download cracks/keygens/warez. These are not only illegal, but will always contain some form of malware. You have no way of verifying that the things you download are legitimate or that they don't contain malware. Even with an up to date anti-virus and firewall, some of these things will still infect you. It is highly recommend that you uninstall all peer-to-peer programs. It just isn't worth it.

Other common ways of getting infected are dis-reputable sites forcing you to download and install a codec. Or viruses using Instant Messaging programs (Windows Live Messenger, MSN Messenger, AIM) to send a file claiming it to be "photos" from a friend, only for it to turn out to be a virus.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Slow computer?
If your computer begins to slow down in the future for no particular reason, your first step should not be to come to the malware forum. As your computer ages and is used, it's parts wear, files and programs accumulate, and its performance can decrease. To restore your computer's performance to its best possible level, follow the steps in this page written by malware expert Miekiemoes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM. It's been a pleasure working with you, now best of luck!

Cheers,
Gammo :cool:
  • 0

#10
tech_addict

tech_addict

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
The cleanup went smoothly. (expected).

Thanks for all the help, and best of luck to you too!
  • 0

#11
Gammo

Gammo

    Trusted Helper

  • Malware Removal
  • 2,299 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP