• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1009

xp infection

I ran Malwarebytes and SUPERAntiSpyware, which cleaned a couple of things.
I had to run ComboFix in safe mode.  In normal mode it starts and disappears,
but now, after having run it in safe mode, it seems to run in normal mode fine.
I ran HijackThis and deleted anything I could not recognize.
Hitman Pro wanted me to replace a driver but wanted me to pay for it;
maybe I should do that?

sfc /scannow is broken...  some certificate is missing that I need to fix according to the MS KB.  I think I may have killed it (the certificate) when I cleaned up with HijackThis.

The browsers are still compromised: if you google for HijackThis and click a link, you go to other places.

ComboFix log attached.

thanks,
gsgi


ComboFix 11-04-20.04 - default 04/21/2011  11:27:28.1.2 - x86 MINIMAL
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1911.1539 [GMT -4:00]
Running from: E:\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
C:\test.txt
c:\windows\system32\AutoRun.inf
c:\windows\system32\install.exe
.
.
(((((((((((((((((((((((((   Files Created from 2011-03-21 to 2011-04-21  )))))))))))))))))))))))))))))))
.
.
2011-04-21 14:39 . 2011-04-21 14:39      16968      ----a-w-      c:\windows\system32\drivers\hitmanpro35.sys
2011-04-21 14:38 . 2011-04-21 14:38      --------      d-----w-      c:\documents and settings\All Users\Application Data\Hitman Pro
2011-04-21 14:12 . 2011-04-21 14:12      --------      d-----w-      c:\documents and settings\default\Application Data\SUPERAntiSpyware.com
2011-04-21 14:12 . 2011-04-21 14:12      --------      d-----w-      c:\program files\SUPERAntiSpyware
2011-04-21 14:00 . 2011-04-21 14:00      --------      d-----w-      c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-04-21 13:47 . 2011-04-21 13:47      --------      d-----w-      c:\documents and settings\default\Application Data\Malwarebytes
2011-04-21 13:47 . 2010-04-29 19:39      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-21 13:47 . 2011-04-21 13:47      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
2011-04-21 13:47 . 2011-04-21 13:47      --------      d-----w-      c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-20 20:51 . 2011-04-20 20:51      --------      d-----w-      c:\program files\Setup Support for Weatherbug
2011-04-20 20:51 . 2011-04-21 14:30      --------      d-----w-      c:\documents and settings\default\Local Settings\Application Data\WeatherBug
2011-04-20 20:51 . 2011-04-20 20:51      18944      ----a-r-      c:\documents and settings\default\Application Data\Microsoft\Installer\{8F018A9E-56DE-4A79-A5EF-25F413F1D538}\IconBB6A16301.exe
2011-04-20 20:51 . 2011-04-20 20:51      11264      ----a-r-      c:\documents and settings\default\Application Data\Microsoft\Installer\{8F018A9E-56DE-4A79-A5EF-25F413F1D538}\IconBB6A1630.exe
2011-04-20 20:51 . 2011-04-20 20:51      --------      d-----w-      c:\program files\AWS
2011-04-20 20:51 . 2011-04-20 20:51      --------      d-----w-      c:\documents and settings\default\Application Data\WeatherBug
2011-04-20 20:51 . 2011-04-20 20:51      --------      d-----w-      c:\program files\Setup Support for ShopToWin
2011-04-20 20:51 . 2011-04-20 20:51      --------      d-----w-      c:\documents and settings\default\Application Data\FCSB000063127
2011-04-20 20:51 . 2011-04-20 20:51      --------      d-----w-      c:\program files\Shop to Win 11
2011-04-20 20:51 . 2011-04-20 20:50      723294      ----a-w-      c:\windows\unins000.exe
2011-04-20 20:50 . 2011-04-20 20:51      --------      d-----w-      c:\program files\Quick Web Player
2011-04-20 20:27 . 2011-04-20 20:27      --------      d-----w-      c:\windows\system32\wbem\Repository
2011-04-04 13:06 . 2011-04-04 13:06      --------      d-----w-      c:\documents and settings\default\Local Settings\Application Data\Identities
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2008-04-14 08:00      692736      ----a-w-      c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2008-04-14 08:00      420864      ----a-w-      c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2008-04-14 08:00      1857920      ----a-w-      c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2008-04-14 08:00      916480      ----a-w-      c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2008-04-14 08:00      43520      ------w-      c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2008-04-14 08:00      1469440      ------w-      c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2008-04-14 08:00      385024      ---ha-w-      c:\windows\system32\html.iec
2011-02-17 13:18 . 2008-04-14 08:00      455936      ----a-w-      c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2008-04-14 08:00      357888      ----a-w-      c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-11-02 16:20      5120      ----a-w-      c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2008-04-14 08:00      290432      ----a-w-      c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2008-04-14 08:00      270848      ----a-w-      c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-14 08:00      186880      ----a-w-      c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2008-04-14 08:00      978944      ----a-w-      c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2008-04-14 08:00      974848      ----a-w-      c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2008-04-14 08:00      2067456      ----a-w-      c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-04-14 08:00      677888      ----a-w-      c:\windows\system32\mstsc.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-05-19 2363392]
"ccleaner"="c:\program files\CCleaner\ccleaner.exe" [2010-10-27 1861944]
"IDriveE Startup"="c:\program files\IDrive\IDrvieEStartup.exe" [2010-10-28 180224]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2010-04-29 1652736]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-03-16 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-02-01 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-01 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-02-01 144920]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2009-10-23 563736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"MPNNET2"="c:\mpn\ECLIPSENet32.exe" [2007-08-15 409600]
"PC Meter Connect"="c:\program files\Pitney Bowes\PC Meter Connect\mailstationAssistant.exe" [2010-10-20 3514368]
.
c:\documents and settings\default\Start Menu\Programs\Startup\
IDrive Tray.lnk - c:\program files\IDrive\IDriveEReg2ini.exe [2010-11-3 292296]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21      548352      ----a-w-      c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2009-05-19 00:56      2363392      ----a-w-      c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP SkyRoom\\HP.SkyRoom.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP SkyRoom\\remote graphics receiver\\rgreceiver.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP SkyRoom\\remote graphics sender\\rgsender.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP SkyRoom\\remote graphics sender\\rgsender_gui.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
R3 DM150Drv;DM150Drv;c:\windows\system32\drivers\DM150Drv.sys [11/10/2010 12:43 PM 20600]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
S2 Hp.Skyroom.Windows.Service;HP SkyRoom;c:\program files\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe [3/3/2010 3:52 PM 124472]
S2 IDriveE Service;IDriveE Service;c:\program files\IDrive\IDriveE Service.exe [11/3/2010 4:32 PM 143360]
S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [7/24/2010 9:29 PM 635416]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 11:09 PM 11032]
S2 rgsender;Remote Graphics Sender Service;c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe [7/24/2010 9:38 PM 379904]
S2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [4/27/2007 1:00 AM 316992]
S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [7/24/2010 9:39 PM 2320920]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [7/24/2010 9:29 PM 1684736]
S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [7/24/2010 9:29 PM 167080]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [7/24/2010 9:29 PM 215040]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [6/13/2009 1:13 PM 1120752]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-05-19 00:54      451872      ----a-w-      c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {681B10C1-4FBF-4255-A2A9-F8876509CA2D} = 4.2.2.2,4.2.2.5
FF - ProfilePath - c:\documents and settings\default\Application Data\Mozilla\Firefox\Profiles\ypyw08hv.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
FF - Ext: Shop to Win: {ebcfd043-312f-448d-96f4-25ba0f1ea646} - %profile%\extensions\{ebcfd043-312f-448d-96f4-25ba0f1ea646}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-21 11:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(284)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-04-21  11:29:36
ComboFix-quarantined-files.txt  2011-04-21 15:29
.
Pre-Run: 135,044,329,472 bytes free
Post-Run: 135,245,352,960 bytes free
.
- - End Of File - - A45DB251C860A8160E66743CD1B3EB68
0
Asked: gsgi
3 Solutions
 
bigg_oil commented:
Download the ISO and run the Kaspersky Rescue Disk:

http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/
0
 
Hutch_77 commented:
I believe he already used ComboFix..

Here is what I would try and do first.  Log in with a different profile and see if you get the same issues.
If you are golden, run Malwarebytes and, for good measure, ComboFix again.  Reboot, log in as the other user and see what happens.

You may also want to check the settings in IE to not use a proxy and set it to auto detect.  You may also want to check the hosts file for anything abnormal in it.
0
 
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
Personally, I would do the following:

1. Remove all personal data to a flash drive or removable hard drive.
2. Format and recover/re-install the operating system.
3. This will be much better than trying to limp on, recovering and trying to fix stuff!
0
 
raoool commented:
I'd reset your TCP/IP stack (from command prompt, type netsh int ip reset c:\logname.log) and run a safe mode VipreRescue scan. (http://live.sunbeltsoftware.com). Will likely need a Windows Repair (boot from XP disk, repair existing installation) to restore sfc.

hanccocka's suggestion is also valid - I always cap time spent fighting this stuff at 2 hours before punting to a clean install.
0
 
phototropic commented:
@dmf415,

If you actually run Combofix, you will find that the second window you see says the following:

"...The following websites are not in any way affiliated to Combofix:

www.combofixdownload.org
www.combofix.org
www.combofixdownload.biz

If you have purchased anything from them, I suggest you instruct your financier to cancel the transaction..."

Combofix should be downloaded from here:

http://www.bleepingcomputer.com/download/anti-virus/combofix

or from here:

http://www.infospyware.net/antimalware/combofix/

There is a discussion about these rogue sites here:

http://www.bleepingcomputer.com/forums/topic214023.html

Do not recommend these sites here on EE.  The developer of ComboFix has said as much.

 
@gsgi,

Your ComboFix log contains a lot of adware:  Shop to Win, WeatherBug, etc. You should remove this via HJT or through Add/Remove Programs.
If your browser is still redirecting, I would:
1) Run TDSSKiller - no sign of this in the log, but it often helps with redirects:

http://support.kaspersky.com/viruses/solutions?qid=208280684

2) Reset your hosts file using Hostsxpert:

http://www.funkytoad.com/index.php?option=com_content&id=13

3) Run the Winsockxpfix:

http://www.snapfiles.com/get/winsockxpfix.html

Good luck!!!
0
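A check for the hosts-file tampering that Hutch_77 and phototropic both point to, written as an added example (not code from any poster): it parses a hosts file and flags entries that redirect search engines or sinkhole security vendors' sites, which is one way a "search gets redirected" symptom is produced. The watchlist, the sample file and the find_suspicious/check_hosts_file names are assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed sample hosts file, not one taken from this thread. It mixes the
# XP default entry, a benign ad-blocking line, and hijack-style entries of the
# kind that produce search redirects or block security vendors' sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net
0.0.0.0         www.malwarebytes.org
203.0.113.9     www.google.com  google.com   # same bogus address for both
203.0.113.9     www.bleepingcomputer.com
192.0.2.7       intranet.example
"""

# Domains an infection typically hijacks (search engines) or blocks (security
# vendors, Windows Update). Assumed list; extend it for your environment.
WATCHLIST = (
    "google.com", "bing.com", "yahoo.com",
    "bleepingcomputer.com", "kaspersky.com", "malwarebytes.org",
    "microsoft.com", "windowsupdate.com",
)


def parse_hosts(text: str) -> List[tuple]:
    """Return (line_no, ip, hostname) triples; comments and junk are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop whole-line and trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # malformed line, not a mapping
        for host in parts[1:]:                 # one address may map several names
            entries.append((line_no, ip, host.lower()))
    return entries


def on_watchlist(host: str) -> bool:
    """True for a watchlisted domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def find_suspicious(text: str) -> List[Dict]:
    """Flag entries that redirect or sinkhole names a user expects to resolve
    normally. Loopback/0.0.0.0 entries for names outside the watchlist are
    treated as ordinary ad-blocking and not reported."""
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if host == "localhost":
            continue
        sinkholed = ip.is_loopback or ip.is_unspecified
        if on_watchlist(host):
            kind = "blocked" if sinkholed else "redirect"
            severity = "high"
        elif not sinkholed:
            kind, severity = "redirect", "medium"   # unknown name, real address
        else:
            continue
        findings.append({"line": line_no, "host": host, "ip": str(ip),
                         "kind": kind, "severity": severity})
    return findings


def check_hosts_file(path: str = r"C:\WINDOWS\system32\drivers\etc\hosts") -> List[Dict]:
    """Run the check against a real file (the XP default path is shown)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_suspicious(fh.read())


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_HOSTS):
        print("line {line}: {host} -> {ip} [{kind}, {severity}]".format(**f))
```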
 
rpggamergirl commented:
Try running TDSSKiller as already suggested and post the log.
http://support.kaspersky.com/viruses/solutions?qid=208280684


There's also an article about google redirect here.
“Google Hijack” — Google Search Gets Redirected
http://www.experts-exchange.com/Virus_and_Spyware/Latest_Threats/A_3299-Google-Hijack-Google-Search-Gets-Redirected.html


The ComboFix log that you posted is from a safe mode scan.... can you post the ComboFix log from normal mode?
0
 
gsgi (Author) commented:
Well it is the c:\windows\system32\drivers\volsnap.sys "catch me if you can" TDSS exploit.  When you guys recommend using TDSSKiller please also mention to rename it to [random].com and to run it from the desktop.  I tried to run it but it (TDSSKiller) will not run and I have not tried renaming it yet.

My plan is to run the Dr.Web live CD since it is known to fix this exploit, I think.

thanks,
gsgi
0
 
gsgi (Author) commented:
@hanccocka
The machine is set up with chiropractic software that I do not know much about, and of course the software support contract was let to lapse, so we cannot call them without a lot of hassle.  Otherwise I would just reinstall.
-gsgi
0
 
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
I think that might be your best course of action, if it's that important, bite the bullet, swallow your pride, throw in the towel, reformat, re-install, call and pay them!

and Promise that you WILL, Renew the Support Contract. (it's doubtful that anyone on EE, will know anything about the chiropractic software!)
0
 
phototropic commented:
"... When you guys recommend using TDSSKiller please also mention to rename it to [random].com and to run it from the desktop.  I tried to run it but it (TDSSKiller) will not run and I have not tried renaming it yet..."

If it won't run, you should try running Rkill or Rogue Killer first to kill the rogue process(es).

Download Rkill:

http://www.bleepingcomputer.com/forums/topic308364.html

Download all seven names/extensions and keep trying them until one works. Or try RogueKiller. Great article here:

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_4922-Rogue-Killer-What-a-great-name.html

Kill the rogue process, then run TDSSKiller without rebooting.
0
 
gsgi (Author) commented:
OK, that is a good idea.  Not sure where I read to rename it to a random file name with a .com extension, but you are correct, better to kill the rogue process first.  Good thing I am so smart to check on EE before doing anything :-)

-gsgi
0
 
rpggamergirl commented:
So how is it going?

"When you guys recommend using tdsskiller please also mention to rename it to [random].com and"

There are cases when we asked users to rename a filename and/or rename extensions.... but in this case:

We know security scanners are not being blocked and we know executables are not being blocked (you're able to run ComboFix, MBAM and HijackThis), unless of course a new infection got in after running those tools.

I don't think you even need to kill malware processes first because of the reason I've already mentioned above.

IF TDSSKiller is unable to run, it is because the rootkit is blocking it, not because of its filename or extension but because of what it does (which is different than normal scanners).
That's why I asked for a ComboFix log from normal mode: the one you posted is from safe mode and ComboFix is not seeing the patched file. If it's an old copy of CF then that could be why it's not seeing it; a fresh copy would be better.

Since the rootkit seems to be patching volsnap.sys then you need to replace that file with a clean copy... there might be a clean one in the system so you need to run a tool to find it or replace it with a clean one from another PC.

Since you seem skeptical about following advice, why not go ahead with what you think is best; it is, after all, your decision.
Chiropractic software support, even if still available, I doubt will help remove viruses from the system.

If TDSSKiller is unsuccessful, there are other tools to use.... or use DrWebCureIt since you're already planning to use it anyway. With virut DrWebCureIt wasn't that good but hopefully will be good on this one. Just make sure the patched file is replaced and not just deleted.

Good luck!

0
 
gsgi (Author) commented:
Oh interesting.  I had an old version of ComboFix that did not run at all.  So I downloaded the latest version.  That is the one I ran in both safe mode and in normal mode.  I've never had ComboFix fail to restore a rootkit.  I saw a video of a tech using the Dr.Web live CD and he seemed very into it, and the screen showed exactly my problem, c:\windows\system32\volsnap.sys ...  The reading I did on the net about TDSSKiller not running says to rename it and to run it from the desktop.

I gave the client the choice of reinstalling and calling the chiropractic software company for help reinstalling it or continuing to clean.  She wants me to clean it.  She does not want to pay the $800 annual support contract.

thanks,
gsgi
0
 
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
and did you tell her you may not be able to clean it! (and it's wasting time, and risky) when it all comes back! Clearly she's happy wasting time and money now! $800 nothing! She'd recoup that in a week!
0
 
gsgi (Author) commented:
She does not care.  As a matter of fact I told her that running in admin mode, which conflicts with the Sentinel key software that allows her software to be networked, is a security risk, and we should put the Sentinel key and the chiropractic DB on a computer that is not used - like a server - but she does not want to pay for a computer no one in the office is using, and she does not want me to call the software company and find out if I can run the Sentinel USB software in non-admin mode (I tried but it failed) ...  so I am stuck just doing what my client has asked me to do.    If I cannot clean it, my plan is actually to leave it, because the chiropractic software runs OK with the infection, until she changes her mind or hires someone else.

thanks,
gsgi
0
 
rpggamergirl commented:
"That is the one I ran in both safe mode and in normal mode.  I've never had ComboFix fail to restore a rootkit."


Sometimes CF doesn't see TDL3/4 either.... so if the user knows what file is patched he/she needs to replace it.... My question is, where is the ComboFix log from normal mode? Not the one you posted, that's not it.

ComboFix can replace/restore files (using a script) if you have a clean one available.
0
 
gsgi (Author) commented:
Oh, I have a clean XP install.  I was going to replace volsnap.sys with BartPE or Knoppix. ComboFix in normal mode said it saved the log to c:\ but I did not see it on Thursday when I made this post.  I haven't even had her computer hooked up to a monitor / mouse / keyboard here since; I am planning to work on it later tonight or tomorrow.  I am a little concerned that whatever is running on the machine will reinfect it ... usually I look around for rogue processes and kill them with the HijackThis delete-on-boot feature. -- well actually ComboFix usually deletes them all for me...

So you think my first step should be to:
a)  boot it up with the bad volsnap.sys and run ComboFix in normal mode and post the log
b)  use BartPE or Knoppix to replace volsnap.sys, then run ComboFix in normal mode and post the log
c)  some other sequence

thanks,

 -gsgi
0
 
gsgi (Author) commented:
OK, here are the logs:

These are NOT having replaced volsnap.sys yet.

thanks,
gsgi




log2.txt
hijackthis2
0
 
rpggamergirl commented:
Thanks for the logs.

ComboFix didn't see any patched files there...
Are you sure volsnap.sys is patched?



ComboFix would've detected it..... the below is taken from a ComboFix log 2 months ago.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack  





I'm surprised it didn't detect it; anyhow, for what it's worth, you can also use ComboFix to replace that file using its script function. Or replace it outside of Windows (using BartPE etc.) since CF doesn't even detect it.

If using ComboFix, here's the script.
 
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------

FCopy::
c:\windows\system32\dllcache\volsnap.sys | c:\windows\system32\drivers\volsnap.sys


 ------------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as ComboFix.exe.
4. Then drag CFScript.txt onto ComboFix.exe. This will start ComboFix again.


0
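A triage helper for the "Files Created" and snapshot lines of a ComboFix log, added here as an example (not a ComboFix feature or any poster's code): it parses each line and lists executable code written under the Windows directory, noting files whose modified time is far older than their creation time, which is how the replaced volsnap.sys shows up in the log and how other copied-in drivers worth checking against dllcache stand out. The sample lines, the parse_entries/triage names and the one-day threshold are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample in the ComboFix "Files Created" / snapshot layout used by
# the logs in this thread (a few lines, not a real log). The volsnap.sys line
# mirrors the post-replacement entry: created today, modified in 2008.
SAMPLE_LOG = r"""
2011-04-23 04:35 . 2008-04-13 14:41      52352      ----a-w-      c:\windows\system32\drivers\volsnap.sys
2011-04-21 14:39 . 2011-04-21 14:39      16968      ----a-w-      c:\windows\system32\drivers\hitmanpro35.sys
2011-04-20 20:51 . 2011-04-20 20:51      --------      d-----w-      c:\program files\AWS
2011-04-20 20:51 . 2011-04-20 20:50      723294      ----a-w-      c:\windows\unins000.exe
2011-04-20 20:27 . 2011-04-20 20:27      --------      d-----w-      c:\windows\system32\wbem\Repository
+ 2011-04-23 06:56 . 2011-04-23 06:56      16384              c:\windows\temp\Perflib_Perfdata_660.dat
"""

# created . modified   size|--------   [attrs]   path ; snapshot lines start with "+"
LINE_RE = re.compile(
    r"^\+?\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(\d+|-{8})(?:\s+([-a-z]{8}))?\s+(\S.*?)\s*$"
)
CODE_EXT = (".sys", ".exe", ".dll", ".cpl", ".ocx", ".drv")
TIME_FMT = "%Y-%m-%d %H:%M"


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]      # None for directories ("--------")
    attrs: str               # e.g. "----a-w-", "d-----w-", "" on snapshot lines
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_entries(text: str) -> List[Entry]:
    """Parse every file/directory line; section headers and '.' lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append(Entry(
            created=datetime.strptime(created, TIME_FMT),
            modified=datetime.strptime(modified, TIME_FMT),
            size=int(size) if size.isdigit() else None,
            attrs=attrs or "",
            path=path,
        ))
    return entries


def triage(entries: List[Entry],
           backdate_threshold: timedelta = timedelta(days=1)) -> List[Dict]:
    """Pick out executable code under \\windows and note when its modified time
    is much older than its creation time: the file was copied in with its
    timestamp preserved, which is what both a restored driver and a planted
    one look like, so each such file should be compared with a known-good copy."""
    findings = []
    for e in entries:
        low = e.path.lower()
        if e.is_dir or not low.endswith(CODE_EXT):
            continue
        reasons = []
        if "\\windows\\" in low:
            reasons.append("code written under the Windows directory")
        backdate = e.created - e.modified
        if backdate > backdate_threshold:
            reasons.append("modified time %d days older than creation; "
                           "verify against dllcache/known-good" % backdate.days)
        if reasons:
            findings.append({"path": e.path, "size": e.size,
                             "backdated_days": max(backdate.days, 0),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_entries(SAMPLE_LOG)):
        print(f["path"], f["size"], "; ".join(f["reasons"]))
```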
 
gsgi (Author) commented:
Ran the Kaspersky CD and it found and claims to have repaired one driver.  CureIt only found one thing in a System Restore folder.

TDSSKiller now runs and finds nothing.

volsnap.sys was manually replaced.

ComboFix log now:

ComboFix 11-04-20.04 - default 04/23/2011   3:00.5.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1911.1486 [GMT -4:00]
Running from: C:\ComboFix.exe
.
.
(((((((((((((((((((((((((   Files Created from 2011-03-23 to 2011-04-23  )))))))))))))))))))))))))))))))
.
.
2011-04-23 04:35 . 2008-04-13 14:41      52352      ----a-w-      c:\windows\system32\drivers\volsnap.sys
2011-04-23 02:01 . 2008-04-14 04:09      14592      ----a-w-      c:\windows\system32\drivers\kbdhid.sys
2011-04-23 02:01 . 2008-04-14 04:09      14592      ----a-w-      c:\windows\system32\dllcache\kbdhid.sys
2011-04-23 00:39 . 2011-04-23 01:29      --------      d---a-w-      C:\Kaspersky Rescue Disk 10.0
2011-04-21 21:18 . 2001-08-17 16:13      19016      ----a-w-      c:\windows\system32\dllcache\w926nd.sys
2011-04-21 21:17 . 2001-08-18 02:36      211968      ----a-w-      c:\windows\system32\dllcache\um54scan.dll
2011-04-21 21:16 . 2001-08-17 18:56      172768      ----a-w-      c:\windows\system32\dllcache\t2r4disp.dll
2011-04-21 21:15 . 2001-08-17 16:12      25034      ----a-w-      c:\windows\system32\dllcache\smcpwr2n.sys
2011-04-21 21:14 . 2001-08-17 17:53      6912      ----a-w-      c:\windows\system32\dllcache\seaddsmc.sys
2011-04-21 21:13 . 2008-04-14 14:00      14848      ----a-w-      c:\windows\system32\dllcache\register.exe
2011-04-21 21:12 . 2001-08-17 18:07      5504      ----a-w-      c:\windows\system32\dllcache\perc2hib.sys
2011-04-21 21:11 . 2001-08-17 16:20      87040      ----a-w-      c:\windows\system32\dllcache\nm6wdm.sys
2011-04-21 21:10 . 2001-08-17 17:52      17280      ----a-w-      c:\windows\system32\dllcache\mraid35x.sys
2011-04-21 21:09 . 2008-04-14 14:00      6144      ----a-w-      c:\windows\system32\dllcache\kbdax2.dll
2011-04-21 21:08 . 2001-08-17 17:28      488383      ----a-w-      c:\windows\system32\dllcache\hsf_v124.sys
2011-04-21 21:07 . 2001-08-17 16:15      454912      ----a-w-      c:\windows\system32\dllcache\fxusbase.sys
2011-04-21 21:06 . 2001-08-17 16:11      69194      ----a-w-      c:\windows\system32\dllcache\el656cd5.sys
2011-04-21 21:05 . 2001-08-18 02:36      44032      ----a-w-      c:\windows\system32\dllcache\cnusd.dll
2011-04-21 21:04 . 2008-04-14 02:06      84480      ----a-w-      c:\windows\system32\dllcache\ac97via.sys
2011-04-21 21:03 . 2004-05-13 04:39      184435      ----a-w-      c:\windows\system32\dllcache\fp4amsft.dll
2011-04-21 15:43 . 2011-04-23 02:46      --------      d-----w-      c:\documents and settings\All Users\Application Data\Avira
2011-04-21 14:00 . 2011-04-21 14:00      --------      d-----w-      c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-04-21 13:47 . 2011-04-21 13:47      --------      d-----w-      c:\documents and settings\default\Application Data\Malwarebytes
2011-04-21 13:47 . 2010-04-29 19:39      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-21 13:47 . 2011-04-21 13:47      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
2011-04-21 13:47 . 2011-04-21 13:47      --------      d-----w-      c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-20 20:51 . 2011-04-20 20:51      --------      d-----w-      c:\program files\Setup Support for Weatherbug
2011-04-20 20:51 . 2011-04-21 14:30      --------      d-----w-      c:\documents and settings\default\Local Settings\Application Data\WeatherBug
2011-04-20 20:51 . 2011-04-20 20:51      18944      ----a-r-      c:\documents and settings\default\Application Data\Microsoft\Installer\{8F018A9E-56DE-4A79-A5EF-25F413F1D538}\IconBB6A16301.exe
2011-04-20 20:51 . 2011-04-20 20:51      --------      d-----w-      c:\program files\AWS
2011-04-20 20:51 . 2011-04-20 20:51      --------      d-----w-      c:\documents and settings\default\Application Data\WeatherBug
2011-04-20 20:51 . 2011-04-20 20:51      --------      d-----w-      c:\program files\Setup Support for ShopToWin
2011-04-20 20:51 . 2011-04-20 20:51      --------      d-----w-      c:\documents and settings\default\Application Data\FCSB000063127
2011-04-20 20:51 . 2011-04-20 20:50      723294      ----a-w-      c:\windows\unins000.exe
2011-04-20 20:50 . 2011-04-20 20:51      --------      d-----w-      c:\program files\Quick Web Player
2011-04-20 20:27 . 2011-04-20 20:27      --------      d-----w-      c:\windows\system32\wbem\Repository
2011-04-04 13:06 . 2011-04-04 13:06      --------      d-----w-      c:\documents and settings\default\Local Settings\Application Data\Identities
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-23 01:00 . 2008-04-14 08:00      52352      ----a-w-      c:\windows\system32\drivers\volxxxx.xxx
2011-03-07 05:33 . 2008-04-14 08:00      692736      ----a-w-      c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2008-04-14 08:00      420864      ----a-w-      c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2008-04-14 08:00      1857920      ----a-w-      c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2008-04-14 08:00      916480      ----a-w-      c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2008-04-14 08:00      43520      ------w-      c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2008-04-14 08:00      1469440      ------w-      c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2008-04-14 08:00      385024      ---ha-w-      c:\windows\system32\html.iec
2011-02-17 13:18 . 2008-04-14 08:00      455936      ----a-w-      c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2008-04-14 08:00      357888      ----a-w-      c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-11-02 16:20      5120      ----a-w-      c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2008-04-14 08:00      290432      ----a-w-      c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2008-04-14 08:00      270848      ----a-w-      c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-14 08:00      186880      ----a-w-      c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2008-04-14 08:00      978944      ----a-w-      c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2008-04-14 08:00      974848      ----a-w-      c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2008-04-14 08:00      2067456      ----a-w-      c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-04-14 08:00      677888      ----a-w-      c:\windows\system32\mstsc.exe
.
.
(((((((((((((((((((((((((((((   SnapShot_2011-04-23_03.00.39   )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-23 06:56 . 2011-04-23 06:56      16384              c:\windows\temp\Perflib_Perfdata_660.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-05-19 2363392]
"ccleaner"="c:\program files\CCleaner\ccleaner.exe" [2010-10-27 1861944]
"IDriveE Startup"="c:\program files\IDrive\IDrvieEStartup.exe" [2010-10-28 180224]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-02-01 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-01 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-02-01 144920]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2009-10-23 563736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"MPNNET2"="c:\mpn\ECLIPSENet32.exe" [2007-08-15 409600]
"PC Meter Connect"="c:\program files\Pitney Bowes\PC Meter Connect\mailstationAssistant.exe" [2010-10-20 3514368]
.
c:\documents and settings\default\Start Menu\Programs\Startup\
IDrive Tray.lnk - c:\program files\IDrive\IDriveEReg2ini.exe [2010-11-3 292296]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2009-05-19 00:56      2363392      ----a-w-      c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP SkyRoom\\HP.SkyRoom.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP SkyRoom\\remote graphics receiver\\rgreceiver.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP SkyRoom\\remote graphics sender\\rgsender.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP SkyRoom\\remote graphics sender\\rgsender_gui.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
R2 Hp.Skyroom.Windows.Service;HP SkyRoom;c:\program files\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe [3/3/2010 3:52 PM 124472]
R2 IDriveE Service;IDriveE Service;c:\program files\IDrive\IDriveE Service.exe [11/3/2010 4:32 PM 143360]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [7/24/2010 9:29 PM 635416]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 11:09 PM 11032]
R2 rgsender;Remote Graphics Sender Service;c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe [7/24/2010 9:38 PM 379904]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [4/27/2007 1:00 AM 316992]
R2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [7/24/2010 9:39 PM 2320920]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [7/24/2010 9:29 PM 167080]
R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [7/24/2010 9:29 PM 215040]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [7/24/2010 9:29 PM 1684736]
S3 DM150Drv;DM150Drv;c:\windows\system32\drivers\DM150Drv.sys [11/10/2010 12:43 PM 20600]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [4/21/2011 10:39 AM 16968]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [6/13/2009 1:13 PM 1120752]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - KLMD25
*Deregistered* - klmd25
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-05-19 00:54      451872      ----a-w-      c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {681B10C1-4FBF-4255-A2A9-F8876509CA2D} = 4.2.2.2,4.2.2.5
FF - ProfilePath - c:\documents and settings\default\Application Data\Mozilla\Firefox\Profiles\ypyw08hv.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
FF - Ext: Shop to Win: {ebcfd043-312f-448d-96f4-25ba0f1ea646} - %profile%\extensions\{ebcfd043-312f-448d-96f4-25ba0f1ea646}
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-HitmanPro35 - e:\antispyvirmal\HitmanPro35.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-23 03:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(360)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-04-23  03:04:02
ComboFix-quarantined-files.txt  2011-04-23 07:04
ComboFix2.txt  2011-04-23 03:01
ComboFix3.txt  2011-04-21 15:29
.
Pre-Run: 131,867,045,888 bytes free
Post-Run: 131,854,569,472 bytes free
.
- - End Of File - - 195E5455422E9E6BB0D0EE66D8D692B6
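The lines in the log above that actually explain the redirect are the Firefox prefs.js entries (homepage and keyword.URL both pointed at bing.com with a pc=ZUGO partner parameter), the two extensions living under %profile%\extensions (one of them searchtoolbar@zugo.com), the Run keys, and the static DNS line. The script below is an added example, not part of the original post and not ComboFix's own logic: it parses a log of this shape and correlates those lines into findings. SAMPLE_LOG is constructed from the posted log; the partner-parameter names in PARTNER_PARAMS, the directory allowlist in STANDARD_DIRS and the trusted-resolver list are this example's assumptions.

```python
"""Triage browser-hijack indicators in a ComboFix log (added example).

SAMPLE_LOG is constructed from the shape of the log posted above; PARTNER_PARAMS,
STANDARD_DIRS and the heuristics below are this example's own assumptions.
"""
import re
import sys
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-02-01 141848]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2009-10-23 563736]
"MPNNET2"="c:\mpn\ECLIPSENet32.exe" [2007-08-15 409600]
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
"LocalizedString"="@c:\WINDOWS\system32\Macromed\Flash\FlashUtil10k_ActiveX.exe,-101"
.
TCP: {681B10C1-4FBF-4255-A2A9-F8876509CA2D} = 4.2.2.2,4.2.2.5
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
FF - Ext: Shop to Win: {ebcfd043-312f-448d-96f4-25ba0f1ea646} - %profile%\extensions\{ebcfd043-312f-448d-96f4-25ba0f1ea646}
"""

RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"')
PREF_RE = re.compile(r'^FF - prefs\.js: (\S+) - (.*)$')
EXT_RE = re.compile(r'^FF - Ext: (.+?): (\S+) - (.*)$')
DNS_RE = re.compile(r'^TCP: \{[0-9A-Fa-f-]+\} = (.*)$')

PARTNER_PARAMS = {"pc", "form", "affid", "ptag"}          # assumed search-partner query keys
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\")  # assumed: where Run targets are expected


@dataclass
class Finding:
    kind: str
    detail: str


def parse_combofix(text: str) -> dict:
    """Pull Run entries, Firefox prefs, Firefox extensions and static DNS servers out of a log."""
    out = {"run": [], "prefs": {}, "extensions": [], "dns": []}
    in_run = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):                 # registry key header; only ...\Run keys matter here
            in_run = line.lower().endswith("\\run]")
        elif line == ".":                        # ComboFix section separator
            in_run = False
        elif in_run and (m := RUN_RE.match(line)):
            out["run"].append((m[1], m[2].lower()))
        elif m := PREF_RE.match(line):
            out["prefs"][m[1]] = m[2].strip()
        elif m := EXT_RE.match(line):
            out["extensions"].append((m[1], m[2], m[3].strip()))
        elif m := DNS_RE.match(line):
            out["dns"].extend(s.strip() for s in m[1].split(","))
    return out


def triage(text: str, trusted_dns: tuple = ()) -> list:
    """Correlate the parsed lines into findings a responder would act on."""
    p = parse_combofix(text)
    findings, partner_codes = [], set()
    for key in ("browser.startup.homepage", "keyword.URL"):
        url = p["prefs"].get(key, "")
        hits = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items() if k.lower() in PARTNER_PARAMS}
        if hits:
            partner_codes.update(v.lower() for v in hits.values() if len(v) >= 3)
            findings.append(Finding("search-hijack", f"{key} carries partner parameters {hits}: {url}"))
    proxy = p["prefs"].get("network.proxy.type")
    if proxy not in (None, "0", "5"):            # 0 = none, 1 = manual, 2 = PAC, 4 = WPAD, 5 = system
        findings.append(Finding("proxy", f"network.proxy.type={proxy}: browser traffic goes through a configured proxy"))
    for name, ext_id, path in p["extensions"]:
        if any(code in ext_id.lower() for code in partner_codes):
            findings.append(Finding("extension", f"{name} ({ext_id}) matches the partner code set in prefs.js"))
        elif path.lower().startswith("%profile%"):
            findings.append(Finding("extension", f"{name} ({ext_id}) is installed per-profile, not from the Firefox install directory"))
    for name, path in p["run"]:
        if not path.startswith(STANDARD_DIRS):
            findings.append(Finding("autorun", f"Run entry {name} starts {path}, outside the Windows and Program Files trees"))
    for server in p["dns"]:
        if trusted_dns and server not in trusted_dns:
            findings.append(Finding("dns", f"static resolver {server} is not on the trusted list"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text, trusted_dns=("4.2.2.2", "4.2.2.5")):
        print(f"[{f.kind}] {f.detail}")
```

Pass the saved ComboFix log as the first argument to run it against a real machine. A per-profile extension is a review item, not a verdict: the Microsoft .NET Framework Assistant in the posted log shows up under %profile%\extensions in exactly the same way, so the stronger signal is the correlation between the partner code in prefs.js and an extension id that carries the same vendor name.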
gsgi (Author) commented:
I ran the rogue killers, RKill and RogueKiller, and they see nothing.

I ran ComboFix again anyway; here is the log:

(I have not hooked it up to the internet to see if it is still redirecting...)

ComboFix 11-04-20.04 - default 04/23/2011   3:08.6.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1911.1432 [GMT -4:00]
Running from: C:\ComboFix.exe
.
.
(((((((((((((((((((((((((   Files Created from 2011-03-23 to 2011-04-23  )))))))))))))))))))))))))))))))
.
.
2011-04-23 04:35 . 2008-04-13 14:41      52352      ----a-w-      c:\windows\system32\drivers\volsnap.sys
2011-04-23 02:01 . 2008-04-14 04:09      14592      ----a-w-      c:\windows\system32\drivers\kbdhid.sys
2011-04-23 02:01 . 2008-04-14 04:09      14592      ----a-w-      c:\windows\system32\dllcache\kbdhid.sys
2011-04-23 00:39 . 2011-04-23 01:29      --------      d---a-w-      C:\Kaspersky Rescue Disk 10.0
2011-04-21 21:18 . 2001-08-17 16:13      19016      ----a-w-      c:\windows\system32\dllcache\w926nd.sys
2011-04-21 21:17 . 2001-08-18 02:36      211968      ----a-w-      c:\windows\system32\dllcache\um54scan.dll
2011-04-21 21:16 . 2001-08-17 18:56      172768      ----a-w-      c:\windows\system32\dllcache\t2r4disp.dll
2011-04-21 21:15 . 2001-08-17 16:12      25034      ----a-w-      c:\windows\system32\dllcache\smcpwr2n.sys
2011-04-21 21:14 . 2001-08-17 17:53      6912      ----a-w-      c:\windows\system32\dllcache\seaddsmc.sys
2011-04-21 21:13 . 2008-04-14 14:00      14848      ----a-w-      c:\windows\system32\dllcache\register.exe
2011-04-21 21:12 . 2001-08-17 18:07      5504      ----a-w-      c:\windows\system32\dllcache\perc2hib.sys
2011-04-21 21:11 . 2001-08-17 16:20      87040      ----a-w-      c:\windows\system32\dllcache\nm6wdm.sys
2011-04-21 21:10 . 2001-08-17 17:52      17280      ----a-w-      c:\windows\system32\dllcache\mraid35x.sys
2011-04-21 21:09 . 2008-04-14 14:00      6144      ----a-w-      c:\windows\system32\dllcache\kbdax2.dll
2011-04-21 21:08 . 2001-08-17 17:28      488383      ----a-w-      c:\windows\system32\dllcache\hsf_v124.sys
2011-04-21 21:07 . 2001-08-17 16:15      454912      ----a-w-      c:\windows\system32\dllcache\fxusbase.sys
2011-04-21 21:06 . 2001-08-17 16:11      69194      ----a-w-      c:\windows\system32\dllcache\el656cd5.sys
2011-04-21 21:05 . 2001-08-18 02:36      44032      ----a-w-      c:\windows\system32\dllcache\cnusd.dll
2011-04-21 21:04 . 2008-04-14 02:06      84480      ----a-w-      c:\windows\system32\dllcache\ac97via.sys
2011-04-21 21:03 . 2004-05-13 04:39      184435      ----a-w-      c:\windows\system32\dllcache\fp4amsft.dll
2011-04-21 15:43 . 2011-04-23 02:46      --------      d-----w-      c:\documents and settings\All Users\Application Data\Avira
2011-04-21 14:00 . 2011-04-21 14:00      --------      d-----w-      c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-04-21 13:47 . 2011-04-21 13:47      --------      d-----w-      c:\documents and settings\default\Application Data\Malwarebytes
2011-04-21 13:47 . 2010-04-29 19:39      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-21 13:47 . 2011-04-21 13:47      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
2011-04-21 13:47 . 2011-04-21 13:47      --------      d-----w-      c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-20 20:51 . 2011-04-20 20:51      --------      d-----w-      c:\program files\Setup Support for Weatherbug
2011-04-20 20:51 . 2011-04-21 14:30      --------      d-----w-      c:\documents and settings\default\Local Settings\Application Data\WeatherBug
2011-04-20 20:51 . 2011-04-20 20:51      18944      ----a-r-      c:\documents and settings\default\Application Data\Microsoft\Installer\{8F018A9E-56DE-4A79-A5EF-25F413F1D538}\IconBB6A16301.exe
2011-04-20 20:51 . 2011-04-20 20:51      --------      d-----w-      c:\program files\AWS
2011-04-20 20:51 . 2011-04-20 20:51      --------      d-----w-      c:\documents and settings\default\Application Data\WeatherBug
2011-04-20 20:51 . 2011-04-20 20:51      --------      d-----w-      c:\program files\Setup Support for ShopToWin
2011-04-20 20:51 . 2011-04-20 20:51      --------      d-----w-      c:\documents and settings\default\Application Data\FCSB000063127
2011-04-20 20:51 . 2011-04-20 20:50      723294      ----a-w-      c:\windows\unins000.exe
2011-04-20 20:50 . 2011-04-20 20:51      --------      d-----w-      c:\program files\Quick Web Player
2011-04-20 20:27 . 2011-04-20 20:27      --------      d-----w-      c:\windows\system32\wbem\Repository
2011-04-04 13:06 . 2011-04-04 13:06      --------      d-----w-      c:\documents and settings\default\Local Settings\Application Data\Identities
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-23 01:00 . 2008-04-14 08:00      52352      ----a-w-      c:\windows\system32\drivers\volxxxx.xxx
2011-03-07 05:33 . 2008-04-14 08:00      692736      ----a-w-      c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2008-04-14 08:00      420864      ----a-w-      c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2008-04-14 08:00      1857920      ----a-w-      c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2008-04-14 08:00      916480      ----a-w-      c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2008-04-14 08:00      43520      ------w-      c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2008-04-14 08:00      1469440      ------w-      c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2008-04-14 08:00      385024      ---ha-w-      c:\windows\system32\html.iec
2011-02-17 13:18 . 2008-04-14 08:00      455936      ----a-w-      c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2008-04-14 08:00      357888      ----a-w-      c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-11-02 16:20      5120      ----a-w-      c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2008-04-14 08:00      290432      ----a-w-      c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2008-04-14 08:00      270848      ----a-w-      c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-14 08:00      186880      ----a-w-      c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2008-04-14 08:00      978944      ----a-w-      c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2008-04-14 08:00      974848      ----a-w-      c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2008-04-14 08:00      2067456      ----a-w-      c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-04-14 08:00      677888      ----a-w-      c:\windows\system32\mstsc.exe
.
.
(((((((((((((((((((((((((((((   SnapShot_2011-04-23_03.00.39   )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-23 06:56 . 2011-04-23 06:56      16384              c:\windows\temp\Perflib_Perfdata_660.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-05-19 2363392]
"ccleaner"="c:\program files\CCleaner\ccleaner.exe" [2010-10-27 1861944]
"IDriveE Startup"="c:\program files\IDrive\IDrvieEStartup.exe" [2010-10-28 180224]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-02-01 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-01 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-02-01 144920]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2009-10-23 563736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"MPNNET2"="c:\mpn\ECLIPSENet32.exe" [2007-08-15 409600]
"PC Meter Connect"="c:\program files\Pitney Bowes\PC Meter Connect\mailstationAssistant.exe" [2010-10-20 3514368]
.
c:\documents and settings\default\Start Menu\Programs\Startup\
IDrive Tray.lnk - c:\program files\IDrive\IDriveEReg2ini.exe [2010-11-3 292296]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2009-05-19 00:56      2363392      ----a-w-      c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP SkyRoom\\HP.SkyRoom.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP SkyRoom\\remote graphics receiver\\rgreceiver.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP SkyRoom\\remote graphics sender\\rgsender.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP SkyRoom\\remote graphics sender\\rgsender_gui.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
R2 Hp.Skyroom.Windows.Service;HP SkyRoom;c:\program files\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe [3/3/2010 3:52 PM 124472]
R2 IDriveE Service;IDriveE Service;c:\program files\IDrive\IDriveE Service.exe [11/3/2010 4:32 PM 143360]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [7/24/2010 9:29 PM 635416]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 11:09 PM 11032]
R2 rgsender;Remote Graphics Sender Service;c:\program files\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe [7/24/2010 9:38 PM 379904]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [4/27/2007 1:00 AM 316992]
R2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [7/24/2010 9:39 PM 2320920]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [7/24/2010 9:29 PM 167080]
R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [7/24/2010 9:29 PM 215040]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [7/24/2010 9:29 PM 1684736]
S3 DM150Drv;DM150Drv;c:\windows\system32\drivers\DM150Drv.sys [11/10/2010 12:43 PM 20600]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [4/21/2011 10:39 AM 16968]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [6/13/2009 1:13 PM 1120752]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - KLMD25
*Deregistered* - klmd25
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-05-19 00:54      451872      ----a-w-      c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {681B10C1-4FBF-4255-A2A9-F8876509CA2D} = 4.2.2.2,4.2.2.5
FF - ProfilePath - c:\documents and settings\default\Application Data\Mozilla\Firefox\Profiles\ypyw08hv.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
FF - Ext: Shop to Win: {ebcfd043-312f-448d-96f4-25ba0f1ea646} - %profile%\extensions\{ebcfd043-312f-448d-96f4-25ba0f1ea646}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-23 03:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4080)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-04-23  03:09:46
ComboFix-quarantined-files.txt  2011-04-23 07:09
ComboFix2.txt  2011-04-23 07:04
ComboFix3.txt  2011-04-23 03:01
ComboFix4.txt  2011-04-21 15:29
.
Pre-Run: 131,861,991,424 bytes free
Post-Run: 131,849,216,000 bytes free
.
- - End Of File - - F0C399B5854B42F514E5739C39474B20
gsgi (Author) commented:
I think the Kaspersky disk solved this, but I am unsure. I ran ComboFix a lot; it may have helped too. I replaced volsnap.sys manually; that may have helped. I downloaded [Reference to a well-known Boot CD Removed] and ran a bunch of those tools; they may have helped. tdss is on that CD, and so are ComboFix and GMER. At any rate, the Google redirects have stopped for now; we'll see if they come back. Thanks, gsgi
gsgi (Author) commented:
@hanccocka You are right, I think. The system is probably still somewhat broken and needs to be reinstalled, but the client does not want to do that. Your opinion is still much appreciated. -gsgi
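The second log shows volsnap.sys under system32\drivers being replaced on 2011-04-23 (the author says manually) and kbdhid.sys landing in both system32\drivers and system32\dllcache, the directory where Windows File Protection keeps the copies that sfc /scannow restores from. When sfc itself will not run, the comparison below reports which protected drivers no longer match their cached copy. It is an added example, not code from the original post or from any tool named in it; build_sample_tree() constructs a throwaway stand-in for %SystemRoot%\system32 (file names from the log, contents invented) so it runs stand-alone, and compare_drivers() can be pointed at a real system32 directory instead.

```python
"""Compare drivers in system32\\drivers with the Windows File Protection cache.

Added example: the sample tree is constructed by build_sample_tree(); nothing
here is read from a real machine unless a path is passed to compare_drivers().
"""
import hashlib
import sys
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large drivers are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_drivers(system32: Path, pattern: str = "*.sys") -> dict:
    """Return {"mismatch": [...], "missing_cache": [...], "ok": [...]} for drivers vs dllcache.

    A mismatch is what sfc would have repaired from the cache. A missing cache copy
    means WFP never protected that file (normal for non-Microsoft drivers) or the
    cache was pruned; it says nothing about whether the live file is good.
    """
    drivers, cache = system32 / "drivers", system32 / "dllcache"
    report = {"mismatch": [], "missing_cache": [], "ok": []}
    for drv in sorted(drivers.glob(pattern)):
        cached = cache / drv.name
        if not cached.is_file():
            report["missing_cache"].append(drv.name)
        elif drv.stat().st_size != cached.stat().st_size or sha256_of(drv) != sha256_of(cached):
            report["mismatch"].append(drv.name)
        else:
            report["ok"].append(drv.name)
    return report


def build_sample_tree() -> Path:
    """Constructed stand-in for %SystemRoot%\\system32: names from the log above, contents invented."""
    root = Path(tempfile.mkdtemp(prefix="system32_"))
    (root / "drivers").mkdir()
    (root / "dllcache").mkdir()
    (root / "drivers" / "volsnap.sys").write_bytes(b"MZ patched driver body")   # live copy differs
    (root / "dllcache" / "volsnap.sys").write_bytes(b"MZ original driver body")
    (root / "drivers" / "kbdhid.sys").write_bytes(b"MZ identical")              # live == cache
    (root / "dllcache" / "kbdhid.sys").write_bytes(b"MZ identical")
    (root / "drivers" / "regi.sys").write_bytes(b"MZ no cached copy")           # never cached
    return root


def demo() -> dict:
    """Run the comparison over the constructed tree."""
    return compare_drivers(build_sample_tree())


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_tree()
    for kind, names in compare_drivers(target).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

A driver that matches its dllcache copy is not thereby proven clean: anything with write access to system32\drivers can overwrite the dllcache copy as well, so the cache only tells you what sfc would have done. For a verdict on a suspect file such as volsnap.sys, compare its hash with a copy taken from the installation media or from another machine at the same service pack and patch level, and treat a live/cache mismatch on a Microsoft driver as a reason to rebuild rather than just to copy the cached file back.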
Question has a verified solution.
