Cloud AV 2012 Malware Infection

This is a discussion on Cloud AV 2012 Malware Infection within the Virus/Trojan/Spyware Help forums, part of the Tech Support Forum category.


Old 01-31-2012, 05:12 AM   #1
Registered Member
 
Join Date: Jan 2012
Posts: 17
OS: windows xp



Hello,

About a month ago, my PC became infected with the Cloud AV 2012 virus. I use Mozilla Firefox as my browser. I started receiving alert pop-ups, and noticed a new icon in my tray. I also found that searching through Google only resulted in re-directs.

Eventually, I could not use Firefox, as I get an error screen 'The proxy server is refusing connections'. I then opened Google Chrome (which was already installed). This worked for a short time, while I tried to find answers, but soon I was receiving 'ATTACK' alerts from MS Internet Security 2012. Basically the same messages and screens.

Needless to say, my PC has been rendered useless on the internet. Even offline, it seems very sluggish, even for an older PC.

Technically, it has a legal copy of XP installed. Hardware is about ten years old. You will find BitTorrent installed, but I haven't used P2P in quite some time, so I don't believe that the problem came from an infected file.

I believe my AV software was expired. My bad... any recommendations on GOOD AV software would be appreciated.

Glad I found your site. It took a long time to wade through all of the Spyware software, only to find that there are a lot of companies that will be happy to sell you software that is basically the same malware that you already have.

Thanks in advance.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_23
Run by Administrator at 20:14:30 on 2012-01-30
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.195 [GMT -5:00]
.
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {806ED0B3-FFA4-010C-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {806ED0B3-FFA4-010E-0D24-347CA8A3377C}
AV: avast! antivirus 4.8.1368 [VPS 091213-0] *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {806ED0B3-FFA4-00EB-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {806ED0B3-FFA4-00DA-0D24-347CA8A3377C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0357.1\mswinext.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0357.1\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Ask Toolbar BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0357.1\npwinext.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /install
mRun: [HP Lamp] "c:\program files\hewlett-packard\hp precisionscan\precisionscan\HPLamp.exe"
mRun: [QBCD Autorun] "E:\autorun.exe" restart QB_SEQUENCE first
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [EPSON Stylus C82 Series] "c:\windows\system32\spool\drivers\w32x86\3\E_S0HIC1.EXE" /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
mRun: [AppleSyncNotifier] "c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0357.1\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
dRun: [Smad] "c:\windows\system32\config\systemprofile\local settings\application data\sanctionedmedia\smad\Smad.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9e.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wg111v~1.lnk - c:\program files\netgear\wg111v2 configuration utility\RtlWake.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: mswsock.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130879458448
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130881033786
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://fcl.digitaleventpics.com/EcEngine/ImageUploader4.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37895.5046180556
DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} - hxxp://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\jyzryl53.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 63859
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\msn toolbar\platform\4.0.0357.1\npwinext.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-10-15 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-10-15 20560]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-6-15 66048]
R2 KodakDigitalDisplayService;KodakDigitalDisplayService;c:\program files\kodak\digital display\orbkodaklauncher\DllStartupService.exe [2008-3-6 81920]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-12-13 24652]
S0 epstwnt;epstwnt;c:\windows\system32\drivers\epstwnt.mpd [2003-10-3 84480]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-10-15 138680]
S2 SHARSHTL;Shuttle Sharer;c:\windows\system32\drivers\Sharshtl.sys [2003-10-3 18432]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-10-15 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-10-15 352920]
S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]
S3 KLIF;KLIF;\??\c:\progra~1\pctool~1\klif.sys --> c:\progra~1\pctool~1\KLIF.SYS [?]
S3 PLTurbh;Prolific turbo filter driver for hdd;c:\windows\system32\drivers\plturbh.sys --> c:\windows\system32\drivers\plturbh.sys [?]
S3 PLTurbo;Prolific turbo filter driver for odd;c:\windows\system32\drivers\plturbo.sys --> c:\windows\system32\drivers\plturbo.sys [?]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2007-6-20 167808]
.
=============== Created Last 30 ================
.
2012-01-27 05:04:01 577 ----a-w- c:\documents and settings\all users\application data\gbamaaa.tmp
2012-01-10 11:54:04 852 ----a-w- c:\documents and settings\all users\application data\mqjkaaa.tmp
2012-01-10 11:53:09 814 ----a-w- c:\documents and settings\all users\application data\nqjkaaa.tmp
2012-01-10 11:43:45 820 ----a-w- c:\documents and settings\all users\application data\plplaaa.tmp
2012-01-10 11:42:51 -------- d-----w- c:\documents and settings\administrator\local settings\application data\PCHealth
2012-01-10 11:37:17 827 ----a-w- c:\documents and settings\all users\application data\olplaaa.tmp
2012-01-10 05:30:11 839 ----a-w- c:\documents and settings\all users\application data\lpemaaa.tmp
2012-01-10 05:26:41 890 ----a-w- c:\documents and settings\all users\application data\kpemaaa.tmp
2012-01-06 07:07:15 872 ----a-w- c:\documents and settings\all users\application data\ucgmaaa.tmp
2012-01-06 07:01:42 787 ----a-w- c:\documents and settings\all users\application data\vcgmaaa.tmp
2012-01-03 14:00:57 863 ----a-w- c:\documents and settings\all users\application data\akjlaaa.tmp
2012-01-03 12:21:14 848 ----a-w- c:\documents and settings\all users\application data\qobmaaa.tmp
2012-01-03 06:32:52 834 ----a-w- c:\documents and settings\all users\application data\yyqlaaa.tmp
2012-01-03 04:55:44 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-01-03 04:55:44 -------- d-----w- c:\windows\system32\wbem\Repository
2012-01-03 02:08:05 843 ----a-w- c:\documents and settings\all users\application data\imslaaa.tmp
2012-01-03 01:27:40 -------- d-----w- C:\sh4ldr
2012-01-03 01:27:40 -------- d-----w- c:\program files\Enigma Software Group
2012-01-03 01:23:51 -------- d-----w- c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP
2012-01-03 01:22:55 -------- d-----w- c:\program files\common files\Wise Installation Wizard
.
==================== Find3M ====================
.
2011-12-29 11:03:44 823 ----a-w- c:\documents and settings\all users\application data\cnvlaaa.tmp
2011-12-27 07:29:58 839 ----a-w- c:\documents and settings\all users\application data\sztlaaa.tmp
2011-12-23 13:42:27 838 ----a-w- c:\documents and settings\all users\application data\ukmlaaa.tmp
2011-12-20 16:57:42 813 ----a-w- c:\documents and settings\all users\application data\kxklaaa.tmp
2011-12-16 05:12:44 872 ----a-w- c:\documents and settings\all users\application data\maxlaaa.tmp
2011-12-09 11:25:38 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 20:17:17.26 ===============
Attached Files
File Type: zip attach.zip (3.8 KB, 22 views)
jmccull1 is offline  
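A small triage script, added here as an example and not part of the thread or of any of the tools it names, that parses DDS-style lines like the ones in the log above and flags the two entries that line up with the symptoms described: the extra executable appended to the Winlogon Userinit value (run at every logon, which is how such persistence survives a reboot) and the Firefox proxy prefs pointing at a local port (consistent with the 'The proxy server is refusing connections' error). The sample lines are taken from the DDS log in the post; the Userinit baseline (userinit.exe only) and the loopback-address set are the script's own assumptions.

```python
import re

# Sample lines taken from the DDS log in the first post (Pseudo HJT Report and
# FIREFOX sections); only the entry types this script inspects are included.
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 63859
FF - prefs.js: network.proxy.type - 1
"""

# Assumption: on a clean XP box the Userinit value contains only userinit.exe.
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}
# Assumption: a proxy on any of these hosts means traffic is being routed
# through something running on the machine itself.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

USERINIT_RE = re.compile(r"^mWinlogon:\s*Userinit=(?P<value>.*)$", re.IGNORECASE)
FF_PREF_RE = re.compile(r"^FF - prefs\.js:\s*(?P<key>\S+)\s+-\s+(?P<value>.*)$")


def parse_userinit(line):
    """Return the executables listed in a DDS 'mWinlogon: Userinit=' line, or None.

    The registry value is comma separated and normally ends with a trailing
    comma, so empty items are dropped and paths are lower-cased for comparison.
    """
    m = USERINIT_RE.match(line)
    if not m:
        return None
    return [p.strip().lower() for p in m.group("value").split(",") if p.strip()]


def parse_ff_pref(line):
    """Return (key, value) for a DDS 'FF - prefs.js:' line, or None."""
    m = FF_PREF_RE.match(line)
    if not m:
        return None
    return m.group("key"), m.group("value").strip()


def triage(log_text):
    """Scan DDS-style log text and return a list of findings.

    Each finding is a dict with 'kind' ('userinit_extra' or 'local_proxy')
    and 'detail' (the offending path or host:port).
    """
    findings = []
    prefs = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        exes = parse_userinit(line)
        if exes is not None:
            for exe in exes:
                if exe not in EXPECTED_USERINIT:
                    findings.append({"kind": "userinit_extra", "detail": exe})
            continue
        pref = parse_ff_pref(line)
        if pref is not None:
            prefs[pref[0]] = pref[1]

    # network.proxy.type 1 means "manual proxy configuration" in Firefox; a
    # manual proxy on a loopback address and a high port is what the log shows.
    if prefs.get("network.proxy.type") == "1":
        host = prefs.get("network.proxy.http", "")
        port = prefs.get("network.proxy.http_port", "")
        if host in LOOPBACK:
            findings.append({"kind": "local_proxy", "detail": f"{host}:{port}"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding['kind']}: {finding['detail']}")
```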
 
Old 02-02-2012, 04:53 AM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Quote:
Technically, it has a legal copy of XP installed
What do you mean technically?

------------------------------------------------------

One or more of the identified infections is a backdoor trojan/rootkit.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please refer to Microsoft's Online Safety article for tips on creating a strong password.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

------------------------------------------------------

I need to see a gmer log in order to help you.

Download GMER Rootkit Scanner from here and Save it to your Desktop.
  • Double-click gmer.exe to run it. If asked to allow gmer.sys driver to load, please consent.
  • First, gmer will run a short, initial scan.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.




  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it to your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


------------------------------------------------------

Check for additional security risks:
  • Please download CKScanner© by askey127 and save to your desktop.
  • Double-click on CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File. You will be prompted, click OK.
  • Post the contents of ckfiles.txt in your next reply, it is located on your desktop.
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 02-04-2012, 09:37 AM   #3



Hello, Chemist.

Thank you for your response to my issue. The infected PC is effectively out of commission on the internet, so I am bouncing between another computer, zipping files and running them on the infected one, and uploading through the second computer. It's taking longer than it should, but I'm on it.

I ran the GMER software overnight, but it would not let me save the log (says scan was interrupted), so I am running it again today while at work. Hopefully it will work, and I will be uploading results tonight or tomorrow morning.

Thanks again.
jmccull1 is offline  
 
Old 02-08-2012, 11:04 AM   #4



Still with us, jmccull1?
chemist is offline  
Old 02-09-2012, 08:56 AM   #5



Chemist,

I have tried two further attempts to run the GMER application...with no success. Each time, I end up getting the message "application failed to install properly (0XC0000017). Click OK to terminate application". There is no opportunity to save the results. I was hoping that, perhaps, it was a time out issue after the application stopped. The last time I ran it, I babysat the application while it ran for nearly 3 hours, but still had not finished, and same results.

Would it be beneficial to be present when the app fails? I thought that it would be complete in the 3 hour window, and could not wait any longer.

Thanks again for your help. Any further instruction would be appreciated.
jmccull1 is offline  
Old 02-09-2012, 08:59 AM   #6



Hello jmccull1. You're welcome. Let's try RKU:
  • Please download Rootkit Unhooker and save it to your desktop.
  • Double-click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it. Click Close then Yes
  • Copy the entire contents of the report and paste it in your next reply.
Note: If you get a message 'Rootkit Unhooker has detected parasite inside itself!
It is recommended to remove parasite, okay?', click Okay

------------------------------------------------------
chemist is offline  
Old 02-13-2012, 04:20 PM   #7



Still with us, jmccull1?
chemist is offline  
Old 02-14-2012, 04:57 AM   #8



Hello, Chemist.

Thanks for hanging in there while I download/transfer/run apps, etc. between two computers via thumb drive.

I ran Rootkit Unhooker per your instruction. When I ran the scan, I first received a dialog box stating that RKU was assembling a list of files.

There was no indication whether it was progressing, or if it was not working. I let it run for 8 hours (overnight) and finally 'cancelled' it (only option). However, it did let me save it, so perhaps it did its job. Regardless, I am posting the log here.

I will also attach the results of the GMER log (incomplete also?) that I was able to save from last week. If you recall, it seemed to stop working (multiple times) three hours into the scan.

Thirdly, I will post the results of the CKFILES scan, per your instruction.

Hopefully, you can make sense from some of these reports.

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 3903488 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 45.23 )
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2192768 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2192768 bytes
0x804D7000 RAW 2192768 bytes
0x804D7000 WMIxWDM 2192768 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF8404000 C:\WINDOWS\System32\DRIVERS\nv4_mini.sys 1277952 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 45.23 )
0xF85CB000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xEEDB7000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF81FD000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xEEEB6000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xEE7A6000 C:\WINDOWS\System32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBF3CB000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xEDA57000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xEEF79000 C:\WINDOWS\System32\Drivers\cdudf_xp.SYS 241664 bytes (Roxio, CD-UDF NT Filesystem Driver)
0xF8379000 C:\WINDOWS\System32\DRIVERS\USR1807A.sys 225280 bytes (U.S. Robotics Corporation, 1807 hardware driver)
0xEEF34000 C:\WINDOWS\System32\Drivers\Udfreadr_xp.SYS 208896 bytes (Roxio, CD-UDF NT Filesystem Reader Driver)
0xF8273000 C:\WINDOWS\System32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF8767000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xEE979000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF859E000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xEEE27000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xEEE8E000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF8711000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xEDC00000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF8329000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF83CC000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF8306000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xEEE52000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xEED96000 C:\WINDOWS\System32\Drivers\aswSP.SYS 135168 bytes (ALWIL Software, avast! self protection module)
0xF8694000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xEEFD4000 C:\WINDOWS\System32\Drivers\pwd_2K.SYS 131072 bytes (Roxio, Win2000 Framework for Packet Write Driver)
0xF8737000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF83B0000 C:\WINDOWS\System32\DRIVERS\USRpdA.sys 114688 bytes (U.S. Robotics Corporation, U.S. Robotics port driver)
!!!!!!!!!!!Hidden driver: 0xEEE74000 00004804 106496 bytes
0xF8584000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF834D000 C:\WINDOWS\system32\drivers\ac97intc.sys 98304 bytes (Intel Corporation, Intel(r) Integrated Controller Hub Audio Driver)
0xF86F9000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xEED7E000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF86E1000 IdeChnDr.sys 98304 bytes (Intel Corporation, Intel Application Accelerator Driver)
0xF86B4000 C:\WINDOWS\System32\Drivers\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xF866B000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF82EF000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xEEA96000 C:\WINDOWS\System32\Drivers\aswMon2.SYS 90112 bytes (ALWIL Software, avast! File System Filter Driver for Windows XP)
0xF86CC000 epstwnt.mpd 86016 bytes (Shuttle Technology. , Epst Miniport Driver(Version 2.19.01))
0xEE964000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF8365000 C:\WINDOWS\System32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF83F0000 C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0x806EF000 ACPI_HAL 81152 bytes
==============================================
>Stealth
==============================================
WARNING: Virus alike driver modification [afd.sys]
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
ntoskrnl.exe+0x0000B75C, Type: Inline - RelativeJump 0x804E275C-->804E2747 [ntoskrnl.exe]
ntoskrnl.exe+0x0000B7BC, Type: Inline - RelativeJump 0x804E27BC-->95B9EED9 [unknown_code_page]
ntoskrnl.exe+0x0000BA94, Type: Inline - RelativeCall 0x804E2A94-->FE1E1973 [unknown_code_page]
ntoskrnl.exe-->KeFindConfigurationNextEntry, Type: Inline - RelativeJump 0x806AB2E5-->806AB297 [ntoskrnl.exe]
[1500]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]
[1500]explorer.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A81188-->5CB77774 [shimeng.dll]
[1500]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->5CB77774 [shimeng.dll]
[1500]explorer.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C8197B0-->00B3483C [unknown_code_page]
[1500]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->5CB77774 [shimeng.dll]
[1500]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->5CB77774 [shimeng.dll]
[1500]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->5CB77774 [shimeng.dll]
[1500]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D931480-->5CB77774 [shimeng.dll]
[1500]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->5CB77774 [shimeng.dll]
[644]services.exe-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification 0x01001094-->00380002 [unknown_code_page]
[644]services.exe-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x01001114-->00380000 [unknown_code_page]
[812]svchost.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C8197B0-->0063483C [unknown_code_page]
[932]svchost.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00F0000C [unknown_code_page]
[932]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00F1000A [unknown_code_page]
[932]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00F2000A [unknown_code_page]
____________________________________________________

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11.RCAPTB
----- EOF -----

____________________________________________________
Attached Files
File Type: txt Gmer.txt (15.5 KB, 23 views)
jmccull1 is offline  
Old 02-14-2012, 07:33 AM   #9
chemist
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Hello again, jmccull1. You never answered my question:

Quote:
Technically, it has a legal copy of XP installed
What do you mean technically?

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 02-14-2012, 01:25 PM   #10
Registered Member
 
Join Date: Jan 2012
Posts: 17
OS: windows xp



'Technically' meaning from a technical standpoint regarding my computer.

In other words, I have a purchased, licensed copy of Microsoft Windows XP installed.

Thanks.
jmccull1 is offline  
Old 02-14-2012, 01:56 PM   #11
chemist
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Hello again, jmccull1.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

Disable all antivirus and antispyware programs. Get help here

Double-click ComboFix.exe and follow the prompts to run it.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  • With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
  • It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:


  • Please click Yes to continue scanning for malware.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done.
  • ComboFix may reboot your machine. This is normal.
  • When the tool is finished, it will produce a log for you.

Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
chemist is offline  
Old 02-18-2012, 02:12 PM   #12
chemist
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Still with us, jmccull1? Any trouble with those last instructions?
chemist is offline  
Old 02-19-2012, 08:48 PM   #13
chemist
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

IMPORTANT - Read This Before Posting For Malware Removal Help

------------------------------------------------------
chemist is offline  
Old 02-21-2012, 07:30 AM   #14
Registered Member
 
Join Date: Jan 2012
Posts: 17
OS: windows xp



This is a continuation of a previous CLOSED thread with Chemist:

https://www.techsupportforum.com/foru...on-627743.html

Chemist:
I have tried multiple attempts at running the last app from your instruction. I keep getting to a point with ComboFix where it says that it is preparing a log, and advises not to run programs until it is finished. Hours go by, with no change. It does not indicate anything further, with no apparent log produced.

I have carefully backed up about 100 GB of data onto a separate external drive.

Any other instruction would be helpful, but the effort is wearing me down. And due to having to work between two computers, it takes a lot of time between posts, with no resolution.

Does it sound like this is a fixable problem?

I am running ComboFix again, but don't expect success this time again. If it produces a log, I will post it.

Thanks.
jmccull1 is offline  
Old 02-22-2012, 05:56 PM   #15
chemist
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Hello again, jmccull1. Sorry you are having trouble. Unfortunately ComboFix is the only tool to effectively cure the infection you have, which is a really nasty one.

When ComboFix gets to the end and appears to hang, launch Task Manager by pressing CTRL + ALT + DEL

Do NOT 'End Process' on CF####.3XE

Do 'End Process' on filenames like

- findstr
- peV
- sed
- grep
- or any file that has the extension *.3XE except the one noted above.

End each once only. ComboFix should complete and produce a log.

If not...

Go to Start > Run and copy/paste the following into the Run box and click OK:

C:\ComboFix\ComboFix.txt

A text file should open. Please post the contents of that file in your next reply.

------------------------------------------------------
chemist is offline  
Old 02-23-2012, 10:31 AM   #16
Registered Member
 
Join Date: Jan 2012
Posts: 17
OS: windows xp



Chemist,

I ran ComboFix a few times in the last week. I was not able to get it to produce a log previously, however, last night it did produce one.

ComboFix insists that I have Antivira AV scanners running (was not running, as far as I could tell). I went as far as uninstalling Antivira, and still am prompted to de-activate. ComboFix allows the program to run, but it says with 'limited functionality'. I allowed it to run, regardless.

I will be to a clean PC this evening, and will post the available log that ComboFix produced.

Thanks for hanging in there with me.
jmccull1 is offline  
Old 02-24-2012, 06:10 AM   #17
Registered Member
 
Join Date: Jan 2012
Posts: 17
OS: windows xp



Chemist,

Here is the ComboFix log.

Thanks.
Attached Files
File Type: txt ComboFix log.txt (22.1 KB, 22 views)
jmccull1 is offline  
Old 02-24-2012, 07:55 AM   #18
chemist
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Hello again, jmccull1. No need to attach logs going forward. Just copy/paste them directly into the Reply to Thread window. Thanks.

Your machine is still badly infected. This will require several more rounds to completely eradicate.

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
rem Start from a fresh peek.txt so old results are not mixed in
if exist peek.txt del /q peek.txt
rem Refresh the Windows File Protection cache with the Service Pack copies
copy /y c:\windows\ServicePackFiles\i386\winlogon.exe c:\windows\system32\dllcache
copy /y c:\windows\ServicePackFiles\i386\svchost.exe c:\windows\system32\dllcache
copy /y c:\windows\ServicePackFiles\i386\explorer.exe c:\windows\system32\dllcache
rem Short pause (assumes nircmd.exe is on the PATH)
Nircmd wait 2000
rem List every copy of each file; >> appends so one listing does not overwrite the previous one
dir /s c:\winlogon.exe >> peek.txt
dir /s c:\svchost.exe >> peek.txt
dir /s c:\explorer.exe >> peek.txt
dir /s c:\cmldr >> peek.txt
dir /s c:\afd.sys >> peek.txt
notepad peek.txt
rem Delete this batch file once it has run
del %0
Save this Notepad file as copy.bat, choosing Save as type: All Files, then close the Notepad file.
It should look like this:

Double-click on copy.bat to run it. A Notepad file will open. Copy that information into your next reply, please.

------------------------------------------------------
chemist is offline  
Old 02-26-2012, 04:24 PM   #19
Registered Member
 
Join Date: Jan 2012
Posts: 17
OS: windows xp



Volume in drive C is Primary
Volume Serial Number is 14E8-0A76

Directory of c:\WINDOWS

04/13/2008 07:12 PM 1,058,304 explorer.exe
1 File(s) 1,058,304 bytes

Directory of c:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 1,033,728 explorer.exe
1 File(s) 1,033,728 bytes

Directory of c:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989

08/04/2004 02:56 AM 1,032,192 explorer.exe
1 File(s) 1,032,192 bytes

Directory of c:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\c95bd83d2a268baf2b92cca324c3120b

08/04/2004 02:56 AM 1,032,192 explorer.exe
1 File(s) 1,032,192 bytes

Directory of c:\WINDOWS\system32\dllcache

04/13/2008 07:12 PM 1,058,304 explorer.exe
1 File(s) 1,058,304 bytes

Total Files Listed:
5 File(s) 5,214,720 bytes
0 Dir(s) 102,323,048,448 bytes free
Volume in drive C is Primary
Volume Serial Number is 14E8-0A76
Volume in drive C is Primary
Volume Serial Number is 14E8-0A76

Directory of c:\WINDOWS\$hf_mig$\KB2509553\SP3QFE

10/16/2008 10:07 AM 138,496 afd.sys
1 File(s) 138,496 bytes

Directory of c:\WINDOWS\$hf_mig$\KB2592799\SP3QFE

08/17/2011 08:41 AM 138,496 afd.sys
1 File(s) 138,496 bytes

Directory of c:\WINDOWS\$NtUninstallKB2509553$

08/14/2008 05:04 AM 138,496 afd.sys
1 File(s) 138,496 bytes

Directory of c:\WINDOWS\$NtUninstallKB2592799$

10/16/2008 09:43 AM 138,496 afd.sys
1 File(s) 138,496 bytes

Directory of c:\WINDOWS\ServicePackFiles\i386

04/13/2008 02:19 PM 138,112 afd.sys
1 File(s) 138,112 bytes

Directory of c:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989

08/04/2004 01:14 AM 138,496 afd.sys
1 File(s) 138,496 bytes

Directory of c:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\c95bd83d2a268baf2b92cca324c3120b

08/04/2004 01:14 AM 138,496 afd.sys
1 File(s) 138,496 bytes

Directory of c:\WINDOWS\system32\dllcache

08/17/2011 08:49 AM 138,496 afd.sys
1 File(s) 138,496 bytes

Directory of c:\WINDOWS\system32\drivers

08/17/2011 08:49 AM 138,496 afd.sys
1 File(s) 138,496 bytes

Total Files Listed:
9 File(s) 1,246,080 bytes
0 Dir(s) 102,323,048,448 bytes free
jmccull1 is offline  
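To read a peek.txt listing like the one above, here is an added Python example (not from the thread, ComboFix or any of the tools it names) that parses the dir /s output, treats the copies under ServicePackFiles\i386 and $hf_mig$/$NtUninstall* as the reference set, and reports for each live copy whether its size and date match one of them. The sample data is constructed from the values posted above; the directory classification and the size/date rule are triage heuristics of my own, not a verdict on these files.

```python
"""Triage helper: parse the dir /s listing (peek.txt) and compare each live copy of a
system file with the Service Pack and hotfix copies Windows keeps on disk."""
import re
from collections import defaultdict

# Constructed sample: the explorer.exe and afd.sys blocks of the listing posted above.
PEEK_TXT = r"""
 Volume in drive C is Primary
 Volume Serial Number is 14E8-0A76
 Directory of c:\WINDOWS
04/13/2008  07:12 PM         1,058,304 explorer.exe
               1 File(s)      1,058,304 bytes
 Directory of c:\WINDOWS\ServicePackFiles\i386
04/13/2008  07:12 PM         1,033,728 explorer.exe
 Directory of c:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989
08/04/2004  02:56 AM         1,032,192 explorer.exe
 Directory of c:\WINDOWS\system32\dllcache
04/13/2008  07:12 PM         1,058,304 explorer.exe
 Directory of c:\WINDOWS\$hf_mig$\KB2592799\SP3QFE
08/17/2011  08:41 AM           138,496 afd.sys
 Directory of c:\WINDOWS\ServicePackFiles\i386
04/13/2008  02:19 PM           138,112 afd.sys
 Directory of c:\WINDOWS\system32\dllcache
08/17/2011  08:49 AM           138,496 afd.sys
 Directory of c:\WINDOWS\system32\drivers
08/17/2011  08:49 AM           138,496 afd.sys
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
FILE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S.*?)\s*$")


def parse_dir_listing(text):
    """One dict per file line of dir /s output: dir, name (lower-cased), size, date."""
    entries, current_dir = [], None
    for line in text.splitlines():
        d, f = DIR_RE.match(line), FILE_RE.match(line)
        if d:
            current_dir = d.group(1)
        elif f and current_dir is not None:      # summary/volume lines never match
            date, _time, size, name = f.groups()
            entries.append({"dir": current_dir, "name": name.lower(),
                            "size": int(size.replace(",", "")), "date": date})
    return entries


def source_kind(directory):
    """Where a copy lives (heuristic); only 'live' copies get a verdict."""
    d = directory.lower()
    if d.endswith("\\servicepackfiles\\i386"):
        return "servicepack"      # pristine Service Pack copy
    if "\\$hf_mig$\\" in d or "\\$ntuninstall" in d:
        return "hotfix"           # copies left behind by hotfix installs
    if "\\softwaredistribution\\download" in d:
        return "wu-cache"         # Windows Update download cache, not judged
    return "live"


def classify_copies(entries):
    """Map each live path to the trusted copy it matches on size and date, or to a
    REVIEW verdict. A match only says which copy to hash-check next; it is not proof
    of integrity, and in-memory patching (the RKU 'Stealth' warning on afd.sys)
    never shows in a directory listing at all."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    verdicts = {}
    for name, copies in by_name.items():
        trusted = [c for c in copies if source_kind(c["dir"]) in ("servicepack", "hotfix")]
        for c in copies:
            if source_kind(c["dir"]) != "live":
                continue
            match = next((t for t in trusted
                          if t["size"] == c["size"] and t["date"] == c["date"]), None)
            verdicts[c["dir"] + "\\" + name] = (
                "matches " + match["dir"] if match
                else "REVIEW: no size/date match with a service pack or hotfix copy")
    return verdicts


if __name__ == "__main__":
    for path, verdict in classify_copies(parse_dir_listing(PEEK_TXT)).items():
        print(path, "->", verdict)
```

On the posted values, the explorer.exe copies in c:\WINDOWS and dllcache get REVIEW because neither matches the ServicePackFiles copy, while both afd.sys copies match the KB2592799 hotfix copy. A matching size and date still does not rule out the kernel-level modification RKU reported, so the next step is hashing and signature checks rather than a clean bill.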
Old 02-26-2012, 05:38 PM   #20
chemist
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Hello again, jmccull1. ComboFix is updated regularly. Delete ComboFix from your desktop.

------------------------------------------------------

Download ComboFix and the Microsoft file to a USB drive on another computer and transfer the files to your desktop.

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

First, we need to install the Windows Recovery Console.

The Windows Recovery Console will allow you to boot up into a special recovery(repair) mode, if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. Also, ComboFix will not address certain types of malware unless the RC is installed. It is a simple procedure that will only take a few moments of your time.

Download the file from this Microsoft page:

Download: Windows XP Professional with Service Pack 2 Utility: Setup Disks for Floppy Boot Install - Microsoft Download Center - Download Details

Do not be concerned that this file is for SP2 if you have SP3. It will work just fine on your system.

Save it as it is originally named to your Desktop.

Now close all open windows and programs, including all antivirus and antispyware programs. Get help here



Then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Recovery Console.

As part of installing the Recovery Console, ComboFix will begin to run. Your desktop may disappear. This is normal. It will return.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:



Please continue as follows:
  • Close/disable all antivirus and antispyware programs so they do not interfere with the running of ComboFix. Get help here
  • Please click Yes to continue scanning for malware.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done.
  • ComboFix may reboot your machine. This is normal.
When the tool is finished, it will produce a log for you.

Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
chemist is offline  