30 replies to this topic

[jpshortstuff]

At what point does it crash, does the window say anything like "Stage 31" (for example), or is it nearer the start when it is setting up?

Open a Run box as before and try putting this in:
"%userprofile%\Desktop\ComboFix.exe" /killall /stepdel

[Laertes]

It doesn't say any stages just says "this scan can take approximately 10 minutes to complete"

[jpshortstuff]

I take it the above failed as well? Please also try running it in Safe Mode (restart computer and tap F8 before Windows loads). I will talk to the developer of ComboFix briefly as well.

[jpshortstuff]

If that still fails, we can do things the manual way, may take a teensy bit longer. First, I would be grateful if you could upload the ComboFix folder for analysis, so we can see what went wrong.

To do this, open another Run box, and use the following command:
@Zip -Sq "%userprofile%\Desktop\CF-Win7Crash" C:\ComboFix\*
This should create a zipped folder on your Desktop entitled CF-Win7Crash. Please upload that file here:
http://www.bleepingc...e.php?channel=4


Now, we can proceed with the manual fix.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  

  :filefind
  atapi.sy*

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

[Laertes]

i left CF for two hours, no luck. I'll try safe-mode now. @Zip -Sq "%userprofile%\Desktop\CF-Win7Crash" C:\ComboFix\* doesn't work it says it's can't find @Zip

Edited by Laertes, 18 November 2009 - 02:04 PM.

[Laertes]

okay i ran Combofix in safe mode, it detected Rootkit activity restarted and completed the scan. Here is the log

ComboFix 09-11-18.06 - John 18/11/2009 20:14.1.1 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.2431.1468 [GMT 0:00]
Running from: c:\users\John\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\John\Documents\BackupRegistry(20091108).reg
c:\users\John\Documents\VTMB Camarilla Edition 1.1.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it
.
((((((((((((((((((((((((( Files Created from 2009-10-18 to 2009-11-18 )))))))))))))))))))))))))))))))
.

2009-11-18 20:28 . 2009-11-18 20:28 -------- d-----w- c:\users\John\AppData\Local\temp
2009-11-18 20:28 . 2009-11-18 20:28 -------- d-----w- c:\users\Eran\AppData\Local\temp
2009-11-18 20:28 . 2009-11-18 20:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-18 20:12 . 2009-06-22 22:35 212000 ----a-w- c:\windows\system32\drivers\nvstor32.sys
2009-11-18 20:12 . 2009-07-14 01:20 142416 ----a-w- c:\windows\system32\drivers\nvstor.sys
2009-11-18 20:12 . 2009-07-14 01:26 23616 ----a-w- c:\windows\system32\drivers\amdxata.sys
2009-11-18 20:10 . 2009-11-18 20:11 24576 d-----w- C:\32788R22FWJFW
2009-11-17 19:51 . 2009-11-17 19:54 -------- d-----w- C:\OTL
2009-11-17 09:31 . 2009-11-17 09:31 -------- d-----w- c:\users\John\AppData\Roaming\Atari
2009-11-16 16:07 . 2009-11-16 16:07 -------- d-----w- c:\users\John\AppData\Roaming\Malwarebytes
2009-11-16 16:07 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-16 16:07 . 2009-11-16 16:07 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-16 16:07 . 2009-11-16 16:07 -------- d-----w- c:\programdata\Malwarebytes
2009-11-16 16:07 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-16 11:58 . 2009-11-16 11:58 -------- d-----w- c:\users\John\AppData\Roaming\Leadertech
2009-11-16 11:58 . 2009-11-16 11:58 -------- d-----w- c:\program files\Common Files\PocketSoft
2009-11-16 11:58 . 2002-02-27 18:50 197120 ----a-w- c:\windows\patchw32.dll
2009-11-16 11:53 . 2009-11-16 11:53 -------- d-----w- c:\program files\Atari
2009-11-15 21:29 . 2009-11-15 21:32 -------- d-----w- c:\users\John\AppData\Roaming\CreeperWorld
2009-11-15 21:29 . 2009-11-15 21:29 -------- d-----w- c:\users\John\AppData\Roaming\CreeperWorld.BA6B793AB2C9FDD744493F22666C1F8DFA806A5E.1
2009-11-15 21:29 . 2009-07-21 12:21 38208 ----a-w- c:\users\John\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-15 21:29 . 2009-07-21 12:21 38208 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-15 21:29 . 2009-11-15 21:29 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-15 21:29 . 2009-11-15 21:29 -------- d-----w- c:\program files\KnuckleCracker
2009-11-13 11:58 . 2006-11-29 13:06 440080 ----a-w- c:\windows\system32\d3dx10.dll
2009-11-13 11:37 . 2009-07-22 14:07 77824 ----a-w- c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\uheoruki.default\extensions\lazarus@interclue.com\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
2009-11-12 15:38 . 2009-11-12 15:39 4096 d-----w- c:\program files\ANNO 1602 - Gold Edition
2009-11-12 15:37 . 2009-11-12 15:37 4096 d-----w- c:\program files\Anno 1602
2009-11-12 15:32 . 1998-10-29 16:45 306688 ----a-w- c:\windows\IsUninst.exe
2009-11-12 10:04 . 2009-11-12 10:04 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-11-12 09:53 . 2009-11-12 10:04 -------- d-----w- c:\users\John\AppData\Roaming\ImgBurn
2009-11-12 09:48 . 2009-11-12 09:48 4096 d-----w- c:\program files\ImgBurn
2009-11-12 09:27 . 2009-11-12 09:27 -------- d-----w- c:\program files\Ubisoft
2009-11-12 09:15 . 2009-11-12 09:15 -------- d-----w- c:\program files\Bullfrog
2009-11-12 09:15 . 1996-11-05 16:13 299008 ----a-w- c:\windows\uninst.exe
2009-11-11 18:25 . 2009-11-11 18:26 -------- d-----w- c:\users\John\AppData\Roaming\Command & Conquer 3 Kane's Wrath
2009-11-11 14:03 . 2007-10-22 03:39 267272 ----a-w- c:\windows\system32\xactengine2_10.dll
2009-11-11 14:03 . 2007-10-22 03:37 17928 ----a-w- c:\windows\system32\X3DAudio1_2.dll
2009-11-11 14:03 . 2007-10-12 15:14 1374232 ----a-w- c:\windows\system32\D3DCompiler_36.dll
2009-11-11 14:03 . 2007-10-02 09:56 444776 ----a-w- c:\windows\system32\d3dx10_36.dll
2009-11-11 14:03 . 2007-10-12 15:14 3734536 ----a-w- c:\windows\system32\d3dx9_36.dll
2009-11-11 14:03 . 2006-11-29 13:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-11-10 18:52 . 2009-11-10 18:52 -------- d-----w- c:\windows\Sun
2009-11-10 10:18 . 2009-11-10 10:26 4096 d-----w- c:\program files\MagicISO
2009-11-08 20:05 . 2009-11-08 20:05 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-11-08 20:02 . 2009-11-08 20:02 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2009-11-08 19:40 . 2009-11-08 19:40 -------- d-----w- c:\program files\VUGames
2009-11-08 17:55 . 2006-10-26 19:58 30512 ----a-w- c:\windows\system32\mdimon.dll
2009-11-08 17:55 . 2006-10-26 19:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2009-11-08 17:50 . 2009-11-08 17:50 -------- d-----w- c:\program files\Microsoft.NET
2009-11-08 17:48 . 2009-11-08 17:48 4096 d-----w- c:\program files\Microsoft Visual Studio 8
2009-11-08 17:47 . 2009-11-08 17:47 -------- d-----w- c:\users\John\AppData\Local\Microsoft Help
2009-11-08 17:46 . 2009-11-11 18:10 12288 d-----w- c:\programdata\Microsoft Help
2009-11-07 15:46 . 2009-11-07 15:46 4096 d-----w- c:\program files\Microsoft Works
2009-11-07 15:43 . 2009-11-07 17:10 4096 d-----w- c:\users\John\AppData\Roaming\Hamachi
2009-11-07 15:43 . 2009-11-07 15:43 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys
2009-11-07 15:43 . 2009-11-07 15:43 4096 d-----w- c:\program files\Hamachi
2009-11-07 15:39 . 1999-09-04 21:23 91136 ----a-r- c:\windows\system32\msls2.dll
2009-11-07 15:25 . 2009-11-07 15:26 12288 d-----w- c:\program files\Microsoft LifeCam
2009-11-07 15:24 . 2007-07-19 18:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2009-11-07 14:16 . 2009-11-07 14:16 -------- d-----w- c:\program files\EA Games
2009-11-07 14:16 . 2009-11-16 12:07 4096 d--h--w- c:\program files\InstallShield Installation Information
2009-11-07 14:13 . 2009-11-07 14:13 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-06 18:45 . 2009-11-06 18:45 722736 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-11-06 18:37 . 2009-11-06 18:37 -------- d-----w- c:\users\John\AppData\Local\ElevatedDiagnostics
2009-11-06 18:32 . 2009-11-06 18:32 -------- d-----w- c:\programdata\FLEXnet
2009-11-06 18:26 . 2009-11-06 18:26 4096 d-----w- c:\program files\Adobe Media Player
2009-11-06 18:21 . 2009-11-06 18:21 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-11-06 18:19 . 2009-11-10 13:39 -------- d-----w- c:\users\John\AppData\Local\Adobe
2009-11-06 16:53 . 2009-11-06 16:53 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-06 16:19 . 2009-11-06 16:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-06 16:19 . 2009-11-06 16:19 -------- d-----w- c:\program files\Java
2009-11-06 16:15 . 2009-11-06 18:27 8192 d-----w- c:\program files\Common Files\Adobe
2009-11-06 16:14 . 2009-11-06 16:14 686080 ----a-w- c:\users\John\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\FBDC.tmp_\sun-pdfimport.oxt\pdfimport.uno.dll
2009-11-06 16:14 . 2009-11-06 16:14 568832 ----a-w- c:\users\John\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\FBDC.tmp_\sun-pdfimport.oxt\msvcp90.dll
2009-11-06 16:14 . 2009-11-06 16:14 655872 ----a-w- c:\users\John\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\FBDC.tmp_\sun-pdfimport.oxt\msvcr90.dll
2009-11-06 16:14 . 2009-11-06 16:14 583168 ----a-w- c:\users\John\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\FBDC.tmp_\sun-pdfimport.oxt\xpdfimport.exe
2009-11-06 16:14 . 2009-11-08 11:56 1 ----a-w- c:\users\John\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-06 16:14 . 2009-11-06 16:14 224768 ----a-w- c:\users\John\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\FBDC.tmp_\sun-pdfimport.oxt\msvcm90.dll
2009-11-06 16:13 . 2009-11-06 16:13 -------- d-----w- c:\users\John\AppData\Roaming\OpenOffice.org
2009-11-06 16:10 . 2009-11-08 17:45 4096 d-----w- c:\program files\OpenOffice.org 3
2009-11-05 18:49 . 2009-11-05 11:12 4096 d-----w- c:\windows\Panther
2009-11-05 17:29 . 2009-11-05 17:29 -------- d-----w- c:\users\John\AppData\Local\Totalidea_Software
2009-11-05 17:21 . 2009-11-05 17:21 -------- d-----w- c:\users\John\AppData\Local\Bart_Ubing
2009-11-05 16:58 . 2009-11-16 15:57 4096 d-----w- c:\program files\DAEMON Tools Toolbar
2009-11-05 16:56 . 2009-11-05 21:10 -------- d-----w- c:\users\John\AppData\Roaming\DAEMON Tools Lite
2009-11-05 16:53 . 2009-11-05 16:56 -------- d-----w- c:\programdata\DAEMON Tools Lite
2009-11-05 16:51 . 2009-11-05 16:51 -------- d-----w- c:\users\John\AppData\Local\Diagnostics
2009-11-05 16:46 . 2009-11-05 16:46 -------- d-----w- c:\programdata\Messenger Plus!
2009-11-05 16:44 . 2009-11-05 16:57 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-11-05 15:51 . 2009-11-16 14:25 -------- d-----w- c:\users\John\AppData\Roaming\skypePM
2009-11-05 15:50 . 2009-11-16 15:40 4096 d-----w- c:\users\John\AppData\Roaming\Skype
2009-11-05 15:50 . 2009-11-05 15:50 -------- d-----w- c:\program files\Common Files\Skype
2009-11-05 15:50 . 2009-11-05 15:50 -------- d-----r- c:\program files\Skype
2009-11-05 15:50 . 2009-11-05 15:50 4096 d-----w- c:\program files\Messenger Plus! Live
2009-11-05 15:29 . 2009-11-05 15:50 -------- d-----w- c:\programdata\Skype
2009-11-05 14:04 . 2009-11-05 14:04 -------- d-----w- c:\program files\uTorrent
2009-11-05 14:04 . 2009-11-16 11:45 12288 d-----w- c:\users\John\AppData\Roaming\uTorrent
2009-11-05 13:44 . 2009-11-18 17:38 -------- d-----w- c:\users\John\Tracing
2009-11-05 13:43 . 2009-11-06 14:50 4096 d-----w- c:\program files\Microsoft Silverlight
2009-11-05 13:42 . 2009-11-05 13:42 -------- d-----w- c:\program files\Microsoft
2009-11-05 13:42 . 2009-11-05 13:42 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-05 13:41 . 2009-11-05 13:43 4096 d-----w- c:\program files\Windows Live
2009-11-05 13:41 . 2009-11-05 13:41 -------- d-----w- c:\windows\PCHEALTH
2009-11-05 13:41 . 2009-11-15 21:29 40960 d-sh--w- c:\windows\Installer
2009-11-05 12:59 . 2009-11-05 12:59 -------- d-----w- c:\program files\Common Files\Windows Live
2009-11-05 12:49 . 2009-07-30 23:48 705536 ----a-w- c:\windows\system32\cohelper.dll
2009-11-05 12:49 . 2009-07-30 23:39 6136 ----a-w- c:\windows\system32\drivers\nvphy.bin
2009-11-05 12:49 . 2009-07-30 07:28 485920 ----a-w- c:\windows\system32\nvuninst.exe
2009-11-05 12:49 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2009-11-05 12:49 . 2009-11-05 12:49 -------- d-----w- c:\windows\system32\RTCOM
2009-11-05 12:49 . 2009-11-05 12:49 -------- d-----w- c:\program files\Realtek
2009-11-05 12:43 . 2009-11-05 12:43 -------- d-----w- c:\windows\system32\Macromed
2009-11-05 12:25 . 2009-11-14 23:41 4096 d-----w- c:\users\John\AppData\Local\Microsoft Games
2009-11-05 12:16 . 2009-09-15 11:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-05 12:16 . 2009-09-15 11:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-05 12:16 . 2009-09-15 11:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-05 12:16 . 2009-09-15 11:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-05 12:16 . 2009-09-15 11:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-05 12:16 . 2009-09-15 11:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-05 12:16 . 2009-09-15 11:55 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-11-05 12:16 . 2003-03-18 21:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-11-05 12:16 . 2003-03-18 20:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-11-05 12:16 . 2003-02-21 04:42 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-11-05 12:16 . 2009-11-05 12:16 -------- d-----w- c:\program files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-08 21:39 . 2009-11-08 21:38 4096 d-----w- c:\program files\K-Lite Codec Pack
2009-11-08 17:51 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
2009-11-05 11:32 . 2007-06-14 14:24 871936 ----a-w- c:\windows\system32\drivers\WlanUZG.sys
2009-11-05 10:53 . 2009-11-05 10:53 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-11-04 18:00 . 2009-11-08 21:38 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-09-15 81000]
"VX1000"="c:\windows\vVX1000.exe" [2009-06-30 762208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-06 149280]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-07-24 118640]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [05/11/2009 12:16 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [05/11/2009 12:16 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [05/11/2009 12:16 53328]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [16/11/2009 16:07 269648]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE [18/08/2009 11:29 1529728]
R3 MBAMProtector;MBAMProtector;c:\windows\System32\drivers\mbam.sys [16/11/2009 16:07 19160]
R3 XG762_VS;ZyXEL 802.11g XG762 1211 Vista Driver;c:\windows\System32\drivers\WlanGZG.sys [20/08/2007 02:00 873472]
S3 NVNET;NVIDIA nForce 10/100 Mbps Ethernet ;c:\windows\System32\drivers\nvmf6232.sys [31/07/2009 00:12 287392]
S3 ZY202_VS;ZyXEL 802.11g XG202 1211 Vista Driver;c:\windows\System32\drivers\WlanUZG.sys [14/06/2007 14:24 871936]

--- Other Services/Drivers In Memory ---

*Deregistered* - PROCEXP113

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AeLookupSvc
CertPropSvc
SCPolicySvc
lanmanserver
gpsvc
IKEEXT
AudioSrv
FastUserSwitchingCompatibility
Irmon
Nla
Ntmssvc
Nwsapagent
Rasauto
Rasman
Remoteaccess
SENS
Sharedaccess
SRService
Tapisrv
Wmi
WmdmPmSp
TermService
wuauserv
BITS
ShellHWDetection
LogonHours
PCAudit
helpsvc
uploadmgr
iphlpsvc
seclogon
AppInfo
msiscsi
MMCSS
wercplsupport
EapHost
ProfSvc
schedule
hkmsvc
SessionEnv
winmgmt
browser
Themes
AppMgmt
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\uheoruki.default\
FF - component: c:\program files\Mozilla Firefox 3.6 Beta 1\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\uheoruki.default\extensions\lazarus@interclue.com\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", true);
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2009-11-18 20:31
ComboFix-quarantined-files.txt 2009-11-18 20:31

Pre-Run: 158,398,656,512 bytes free
Post-Run: 158,562,988,032 bytes free

- - End Of File - - 9193B98FBA622B640785FFA9CDC1D2CB

[jpshortstuff]

Aha, looks like we are making progress now. How is the computer running, are you still having Firefox problems? Please run GMER again and post its log, so we can see whether the Rootkit is completely gone. Thanks.

[Laertes]

Nope, no problems now, however GMER doesn't like me and crashes halfway through the scan. I get one of those "This program has stopped working close now"

Attached Thumbnails

• 

Edited by Laertes, 19 November 2009 - 03:44 AM.

[jpshortstuff]

What happens if you uncheck all the boxes apart from "Devices", does it still crash? If so, please try the scan below.

Please download Sysprot Antirootkit from >>>HERE<<<

Unzip it into a folder on your desktop.

• Double click Sysprot.exe to start the program.
  
• Click on the Log tab.
• In the Write to log box select ALL ITEMS
• Look near the bottom left, and Check Hidden Objects Only (if it doesn't work first time, try again with this unchecked)
• Click on the Create Log button on the bottom right.
• After a few seconds a new window should appear.
• Select Scan Root Drive. Click on the Start button.
• When it is complete a new window will appear to indicate that the scan is finished.
• The log will be saved automatically in the same folder Sysprot.exe was extracted to.
  
• Open the text file and copy/paste the log here.

[jpshortstuff]

Whoops, hit post early by accident. For a second, general opinion, please also run the online AV scan below. We just need to make sure the Rootkit you had didn't bring any firends.

(To run this scan, please open Internet Explorer in Administrator mode by right-clicking it and selecting "Run As Administrator". It is important to close the Window once the scan is complete to avoid browsing with full Admin access).

Run the following scan: Eset Online Scanner
(you will need Internet Explorer to run this scan)

• Place a check mark in the box YES, I accept the Terms Of Use
• Click the Start button.
• Now click the Install button.
• Click Start. The scanner engine will initialize and update.
• Do Not place a check mark in the box beside Remove found threats.
• Click the Scan button. The scan will now run, please be patient.
• When the scan finishes click the Details tab.
• Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.

[Laertes]

Here ya go.

SysProt AntiRootkit v1.0.1.0
by swatkat

********************************************************************************
**********
********************************************************************************
**********

No Hidden Processes found

********************************************************************************
**********
********************************************************************************
**********
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\spgv.sys
Service Name: ---
Module Base: 8983A000
Module End: 8992D000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
Service Name: ---
Module Base: 968F8000
Module End: 96903000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: 96903000
Module End: 9690C000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_dumpfve.sys
Service Name: ---
Module Base: 9690C000
Module End: 9691D000
Hidden: Yes

Module Name: C:\Windows\system32\drivers\spsys.sys
Service Name: ---
Module Base: 9C180000
Module End: 9C1EA000
Hidden: Yes

Module Name: C:\Windows\system32\DRIVERS\WUDFRd.sys
Service Name: WUDFRd
Module Base: 9A17F000
Module End: 9A1A0000
Hidden: Yes

Module Name: \??\C:\Users\John\AppData\Local\Temp\kxldypog.sys
Service Name: kxldypog
Module Base: 9A1A0000
Module End: 9A1B7000
Hidden: Yes

********************************************************************************
**********
********************************************************************************
**********
No SSDT Hooks found

********************************************************************************
**********
********************************************************************************
**********
No Kernel Hooks found

********************************************************************************
**********
********************************************************************************
**********
No IRP Hooks found

********************************************************************************
**********
********************************************************************************
**********
Ports:
Local Address: JOHN-PC.LAN:49434
Remote Address: O2WIRELESSBOX.LAN:HTTP
Type: TCP
Process: 0 (PID)
State: TIME_WAIT

Local Address: JOHN-PC.LAN:49430
Remote Address: O2WIRELESSBOX.LAN:HTTP
Type: TCP
Process: 0 (PID)
State: TIME_WAIT

Local Address: JOHN-PC.LAN:49401
Remote Address: O2WIRELESSBOX.LAN:HTTP
Type: TCP
Process: 0 (PID)
State: TIME_WAIT

Local Address: JOHN-PC.LAN:49399
Remote Address: A92-122-126-242.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: 1888 (PID)
State: ESTABLISHED

Local Address: JOHN-PC.LAN:49397
Remote Address: O2WIRELESSBOX.LAN:HTTP
Type: TCP
Process: 0 (PID)
State: TIME_WAIT

Local Address: JOHN-PC.LAN:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: 4 (PID)
State: LISTENING

Local Address: JOHN-PC:12143
Remote Address: 0.0.0.0:0
Type: TCP
Process: 2824 (PID)
State: LISTENING

Local Address: JOHN-PC:12119
Remote Address: 0.0.0.0:0
Type: TCP
Process: 2824 (PID)
State: LISTENING

Local Address: JOHN-PC:12110
Remote Address: 0.0.0.0:0
Type: TCP
Process: 2824 (PID)
State: LISTENING

Local Address: JOHN-PC:12080
Remote Address: 0.0.0.0:0
Type: TCP
Process: 2768 (PID)
State: LISTENING

Local Address: JOHN-PC:12025
Remote Address: 0.0.0.0:0
Type: TCP
Process: 2824 (PID)
State: LISTENING

Local Address: JOHN-PC:49156
Remote Address: 0.0.0.0:0
Type: TCP
Process: 528 (PID)
State: LISTENING

Local Address: JOHN-PC:49155
Remote Address: 0.0.0.0:0
Type: TCP
Process: 536 (PID)
State: LISTENING

Local Address: JOHN-PC:49154
Remote Address: 0.0.0.0:0
Type: TCP
Process: 988 (PID)
State: LISTENING

Local Address: JOHN-PC:49153
Remote Address: 0.0.0.0:0
Type: TCP
Process: 816 (PID)
State: LISTENING

Local Address: JOHN-PC:49152
Remote Address: 0.0.0.0:0
Type: TCP
Process: 468 (PID)
State: LISTENING

Local Address: JOHN-PC:10243
Remote Address: 0.0.0.0:0
Type: TCP
Process: 4 (PID)
State: LISTENING

Local Address: JOHN-PC:WSD
Remote Address: 0.0.0.0:0
Type: TCP
Process: 4 (PID)
State: LISTENING

Local Address: JOHN-PC:ICSLAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: 4 (PID)
State: LISTENING

Local Address: JOHN-PC:RTSP
Remote Address: 0.0.0.0:0
Type: TCP
Process: 3852 (PID)
State: LISTENING

Local Address: JOHN-PC:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: 4 (PID)
State: LISTENING

Local Address: JOHN-PC:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: 768 (PID)
State: LISTENING

Local Address: JOHN-PC.LAN:65379
Remote Address: NA
Type: UDP
Process: 988 (PID)
State: NA

Local Address: JOHN-PC.LAN:50056
Remote Address: NA
Type: UDP
Process: 3384 (PID)
State: NA

Local Address: JOHN-PC.LAN:SSDP
Remote Address: NA
Type: UDP
Process: 3384 (PID)
State: NA

Local Address: JOHN-PC.LAN:138
Remote Address: NA
Type: UDP
Process: 4 (PID)
State: NA

Local Address: JOHN-PC.LAN:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: 4 (PID)
State: NA

Local Address: JOHN-PC:50057
Remote Address: NA
Type: UDP
Process: 3384 (PID)
State: NA

Local Address: JOHN-PC:SSDP
Remote Address: NA
Type: UDP
Process: 3384 (PID)
State: NA

Local Address: JOHN-PC:52142
Remote Address: NA
Type: UDP
Process: 1136 (PID)
State: NA

Local Address: JOHN-PC:52140
Remote Address: NA
Type: UDP
Process: 3384 (PID)
State: NA

Local Address: JOHN-PC:50058
Remote Address: NA
Type: UDP
Process: 1136 (PID)
State: NA

Local Address: JOHN-PC:LLMNR
Remote Address: NA
Type: UDP
Process: 1304 (PID)
State: NA

Local Address: JOHN-PC:5005
Remote Address: NA
Type: UDP
Process: 3852 (PID)
State: NA

Local Address: JOHN-PC:5004
Remote Address: NA
Type: UDP
Process: 3852 (PID)
State: NA

Local Address: JOHN-PC:WS-DISCOVERY
Remote Address: NA
Type: UDP
Process: 1136 (PID)
State: NA

Local Address: JOHN-PC:WS-DISCOVERY
Remote Address: NA
Type: UDP
Process: 3384 (PID)
State: NA

Local Address: JOHN-PC:WS-DISCOVERY
Remote Address: NA
Type: UDP
Process: 3384 (PID)
State: NA

Local Address: JOHN-PC:WS-DISCOVERY
Remote Address: NA
Type: UDP
Process: 1136 (PID)
State: NA

Local Address: JOHN-PC:TEREDO
Remote Address: NA
Type: UDP
Process: 988 (PID)
State: NA

********************************************************************************
**********
********************************************************************************
**********
Hidden files/folders:
Object: C:\$WINDOWS.~Q\DATA\Users\John\AppData\Roaming\SecuROM\UserData\???????????p?????????
Status: Hidden

Object: C:\$WINDOWS.~Q\DATA\Users\John\AppData\Roaming\SecuROM\UserData\???????????p?????????
Status: Hidden

Object: C:\Windows\CSC\v2.0.6\namespace
Status: Access denied

Object: C:\Windows\CSC\v2.0.6\pq
Status: Access denied

Object: C:\Windows\CSC\v2.0.6\sm
Status: Access denied

Object: C:\Windows\CSC\v2.0.6\temp
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession7.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl
Status: Access denied

[jpshortstuff]

That scan looks good. How about ESET?

[Laertes]

ESET Log File

C:\Qoobox\Quarantine\C\Windows\System32\drivers\atapi.sys.vir Win32/Olmarik.PV trojan
C:\System Volume Information\_restore{66093D36-8F93-4B8E-836C-7747BB0F5697}\RP9\A0006044.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{66093D36-8F93-4B8E-836C-7747BB0F5697}\RP9\A0006129.exe probably unknown NewHeur_PE virus
C:\System Volume Information\_restore{66093D36-8F93-4B8E-836C-7747BB0F5697}\RP9\A0006248.exe Win32/Toolbar.AskSBar application
C:\System Volume Information\_restore{66093D36-8F93-4B8E-836C-7747BB0F5697}\RP9\A0006337.exe probably a variant of Win32/TrojanDownloader.Agent trojan

[jpshortstuff]

Hi,

That all looks fine, the items will be cleared now when we uninstall ComboFix

Click Start >> Run, and then type ComboFix /u and hit enter.
You can now delete any other tools I had you download and use, unless you wish to keep them.


Now that your system appears to be clean, there's just a few steps I'd like you to take to prevent any future infections.

• Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis.
  
  
• Make sure you update your Anti-Virus software regularly, new viruses are being developed all the time.
  
  
• Consider installing a third-party firewall like Comodo, Outpost or Kerio.

Also, please read this great article by Tony Klein: So How Did I Get Infected In First Place

Glad we could be of assistance.

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

Stay Clean!

jpshortstuff

[Laertes]

Thanks for all your help ! System is and clean, once more thanks for all the support and advice ! Carry on the good work ! -John