BleepingComputer.com: Infected with Google redirect virus

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 6 Pages +
  • 1
  • 2
  • 3
  • Last »
  • You cannot start a new topic
  • This topic is locked

Infected with Google redirect virus Unable to run TDSSKiller BSOD

#1 User is offline   DenaliAK 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 62
  • Joined: 31-July 11

Posted 31 July 2011 - 11:37 AM

Thank You for help. Two disk system one Std disk, one a Raid0 disk array, both infected. Starting with logs from the the Std disk first. Tried several online help solutions. I have not gotten around the BSOD ntoskrnl.exe exit message when running TDSSKiller. I may not be appyling the solutions in the correct order or not following the instructions properly.
Backed up disk ready to go.


.
DDS (Ver_2011-06-23.01) - FAT32x86
Internet Explorer: 6.0.2800.1106
Run by Administrator at 10:35:59 on 2011-07-31
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.2047.1145 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Adaptec\Adaptec Storage Manager\StorServ.exe
C:\WINNT\system32\bgsvcgen.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\IoctlSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\MegaRAID Storage Manager\Framework\VivaldiFramework.exe
C:\Program Files\MegaRAID Storage Manager\JRE\bin\javaw.exe
C:\Program Files\MegaRAID Storage Manager\MegaMonitor\mrmonitor.exe
C:\WINNT\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Joystick 2 Mouse 3\Joystick 2 Mouse.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\UMonit2k.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
C:\Program Files\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINNT\system32\VNICMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\MegaRAID Storage Manager\MegaPopup\Popup.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Ralink\Common\RaUI.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6261\SiteAdv.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6261\SiteAdv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe"
uRun: [SUPERAntiSpyware] "c:\program files\superantispyware\SUPERAntiSpyware.exe"
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
mRun: [Synchronization Manager] "mobsync.exe" /logon
mRun: [nwiz] "nwiz.exe" /install
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [Joystick 2 Mouse] "c:\program files\joystick 2 mouse 3\Joystick 2 Mouse.exe" /NoConfigure
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Gene USB Monitor] c:\winnt\system32\UMonit2k.exe
mRun: [SiteAdvisor] "c:\program files\siteadvisor\6261\SiteAdv.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Ai Nap] "c:\program files\asus\ai suite\ainap\AiNap.exe"
mRun: [CPU Power Monitor] "c:\program files\asus\ai suite\aigear3\CpuPowerMonitor.exe"
mRun: [Cpu Level Up help] "c:\program files\asus\ai suite\CpuLevelUpHelp.exe"
mRun: [McENUI] "c:\progra~1\mcafee\mhn\McENUI.exe" /hide
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\winnt\system32\NvCpl.dll,NvStartup
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\winnt\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMAXPnP] "c:\program files\analog devices\core\smax4pnp.exe"
mRun: [NIC Monitor] VNICMon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Popup] "c:\program files\megaraid storage manager\megapopup\Popup.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SpySweeper] c:\program files\webroot\spy sweeper\SpySweeperUI.exe /startintray
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\hotsyn~1.lnk - c:\palm\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package applications\Residence.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.0.1 68.94.156.1
TCP: Interfaces\{3BC38F2A-AE7E-44B6-9B9F-4E4C11CE54DF} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{5BE9F13F-2890-4AFD-8B1F-634972A3B468} : DhcpNameServer = 192.168.0.1 68.94.156.1
TCP: Interfaces\{7369500E-9F18-4D0D-A201-4E8A827D8D61} : DhcpNameServer = 192.168.0.1 68.94.156.1
TCP: Interfaces\{B3F953B8-7302-4D0A-97D8-D742FD7AC7AD} : DhcpNameServer = 192.168.0.1
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: WRNotifier - WRLogonNTF.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\tozlwhf0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aacsas;Adaptec SAS/SATA-II RAID Miniport Driver;c:\winnt\system32\drivers\aacsas.sys [2008-4-3 83839]
R0 hotcore2;hotcore2;c:\winnt\system32\drivers\hotcore2.sys [2008-8-5 30808]
R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [2009-9-4 64160]
R0 megasas;megasas;c:\winnt\system32\drivers\megasas.sys [2010-2-23 19968]
R0 Pnp680;SiI 680 ATA Controller;c:\winnt\system32\drivers\pnp680.sys [2009-4-20 37031]
R1 mfehidk;McAfee Inc. mfehidk;c:\winnt\system32\drivers\mfehidk.sys [2006-12-21 214664]
R1 NmPar;MosChip PCI Parallel Port;c:\winnt\system32\drivers\NmPar.sys [2006-10-11 76416]
R1 nmserial;MosChip PCI Serial Port;c:\winnt\system32\drivers\NmSerial.sys [2006-10-12 60032]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-9-15 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 67656]
R2 DriverX;DriverX;c:\winnt\system32\drivers\Driverx.sys [2001-6-11 52512]
R2 io.sys;IO.DLL Driver;c:\winnt\system32\drivers\io.sys [2008-7-30 5152]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2010-2-5 712048]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2010-2-5 712048]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-10-20 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-10-22 144704]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\winnt\system32\drivers\Scutum50.sys [2011-4-18 19072]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-7 24652]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2008-4-15 3572592]
R3 AmbFilt;AmbFilt;c:\winnt\system32\drivers\Ambfilt.sys [2009-4-21 1683712]
R3 DLKRTS;D-Link DFE-530TX+ PCI Adapter;c:\winnt\system32\drivers\DLKRTS.SYS [2009-4-21 25434]
R3 FIXUSTOR;FIXUSTOR;c:\winnt\system32\drivers\fixustor.sys [2007-11-30 12672]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-10-22 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\winnt\system32\drivers\mfeavfk.sys [2006-12-21 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\winnt\system32\drivers\mfebopk.sys [2006-12-21 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\winnt\system32\drivers\mfesmfk.sys [2006-12-21 40552]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2009-4-20 49776]
R3 yukonw2k;NDIS5 Miniport Driver for Marvell Yukon Ethernet Controller;c:\winnt\system32\drivers\yk50x86.sys [2008-12-9 296320]
S1 CypressUsbDev;Cypress USB Devices;c:\winnt\system32\drivers\CyUsbGen.sys [2006-2-16 14356]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-23 135664]
S2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\ralink\common\RaRegistry.exe [2011-4-18 185632]
S3 Asushwio;Asushwio;\??\d:\bin\asushwio.sys --> d:\bin\Asushwio.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\winnt\system32\drivers\mferkdk.sys [2006-12-21 34248]
S3 PhilCam8116_2K;Logitech QuickCam Pro 3000(PID_08B1);c:\winnt\system32\drivers\CamDrL20.sys [2005-3-21 236121]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\winnt\system32\drivers\rt2870.sys [2011-4-18 917760]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 12872]
S3 USA19H;USA19H;c:\winnt\system32\drivers\USA19H2k.sys [2008-9-18 704000]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\winnt\system32\drivers\USA19H2kp.sys [2008-9-18 24192]
S3 UStor;Lexar RW018;c:\winnt\system32\drivers\UStor.sys [2006-11-26 25246]
S3 USTOR2K;Genesys USB Mass Storage Windows Driver;c:\winnt\system32\drivers\ustor2k.sys [2006-12-24 21248]
S3 VNICPKT5;VNICPKT5 Protocol Driver;c:\winnt\system32\VNICPKT5.sys [2009-4-28 16066]
S3 XilinxFirmwareLoader;XilinxFirmwareLoader;c:\winnt\system32\drivers\xusbdfwu.sys [2009-4-21 17280]
S3 XilinxFirmwarePusb2Loader;XilinxFirmwarePusb2Loader;c:\winnt\system32\drivers\xusb_xp2.sys [2009-4-21 17920]
S4 viafilter;VIA USB Filter;c:\winnt\system32\drivers\viausb.sys [2005-3-23 9038]
S4 viasraid;viasraid;c:\winnt\system32\drivers\viasraid.sys [2004-11-5 78988]
.
=============== Created Last 30 ================
.
2011-07-30 16:40:54 -------- d-----w- C:\FOUND.015
2011-07-29 20:24:49 98816 ----a-w- c:\winnt\sed.exe
2011-07-29 20:24:49 518144 ----a-w- c:\winnt\SWREG.exe
2011-07-29 20:24:49 256000 ----a-w- c:\winnt\PEV.exe
2011-07-29 20:24:49 208896 ----a-w- c:\winnt\MBR.exe
2011-07-29 17:23:10 1407280 ----a-w- C:\TADA.com
2011-07-29 00:15:42 -------- d-----w- C:\FOUND.014
2011-07-01 20:33:41 21872 ----a-w- c:\winnt\system32\drivers\usbprint.sys
2011-07-01 20:33:41 21872 ----a-w- c:\winnt\system32\dllcache\usbprint.sys
2011-07-01 19:59:10 -------- d-----w- c:\winnt\system32\appmgmt
.
==================== Find3M ====================
.
2011-07-31 15:28:40 256 ----a-w- c:\winnt\system32\pool.bin
2011-05-29 14:11:30 39984 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2011-05-29 14:11:18 21048 ----a-w- c:\winnt\system32\drivers\mbam.sys
2003-05-08 21:22:06 36963 ----a-w- c:\program files\common files\CYDrvIns.dll
2006-05-03 10:06:54 163328 --sh--r- c:\winnt\system32\flvDX.dll
2007-02-21 11:47:16 31232 --sh--r- c:\winnt\system32\msfDX.dll
2008-03-16 13:30:52 216064 --sh--r- c:\winnt\system32\nbDX.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.0.2195
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
1 nt!IofCallDriver[0x8041EECC] -> \Device\Harddisk0\DR0[0x88F93730]
3 CLASSPNP[0xF6470C60] -> nt!IofCallDriver[0x8041EECC] -> \Device\0000002e[0x88FE47D0]
5 ACPI[0xBFFDE46B] -> nt!IofCallDriver[0x8041EECC] -> \Device\Ide\IdeDeviceP3T0L0-10[0x88FE3030]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV SI, 0x7be; MOV CL, 0x4; CMP [SI], CH; JL 0x2d; JNZ 0x3b; }
user != kernel MBR !!!
.
============= FINISH: 10:36:40.79 ===============

Attached File(s)

  • Attached File  ark.txt (108.01K)
    Number of downloads: 2
  • Attached File  attach.txt (12.35K)
    Number of downloads: 0

#2 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,518
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 07 August 2011 - 10:52 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK

    Do not re-enable these drivers until otherwise instructed.


Download DDS:

    Please download DDS by sUBs from one of the links below and save it to your desktop:

    Posted Image
    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt

    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply


Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

"just click on Cancel, then Accept".

information and logs:

    In your next post I need the following

    • .logs from DDS
    • log from RKUnHooker
    • let me know of any problems you may have had


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#3 User is offline   DenaliAK 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 62
  • Joined: 31-July 11

Posted 08 August 2011 - 01:38 PM

Hello thank you for your Reply. My system problem, that prompted me to submit for help, was the google redirect virus. When I click on a google entry the page goes to the last item on the list on that page. I had tried some things several weeks ago. I tried somethings like running TDSSkiller and that BSODed so I realized I had a much bigger problem. I have posted the recent DDS log. Rkunhooker will not run the error message is "the procedure InterlockedFlushSlist could not be located in the Dll Kernel32.dll" Before submitting a topic I had run Gmer and I saw something called Volsnap.sys problem. Thank you.

Attached File(s)

  • Attached File  Attach.txt (12.35K)
    Number of downloads: 0
  • Attached File  DDS.txt (16.87K)
    Number of downloads: 1

#4 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,518
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 08 August 2011 - 07:48 PM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

    In your next post I need the following

  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#5 User is offline   DenaliAK 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 62
  • Joined: 31-July 11

Posted 08 August 2011 - 11:45 PM

I saw the message when I ran ComboFix "system file infected !! Attempting to restore ....Volsnap.sys"

Still redirecting. Here is the log.

ComboFix 11-08-08.03 - Administrator 08/08/2011 23:13:52.4.2 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.2047.1448 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix3.exe
.
/wow section - STAGE 10
.
.
((((((((((((((((((((((((( Files Created from 2011-07-09 to 2011-08-09 )))))))))))))))))))))))))))))))
.
.
2011-08-09 04:00 . 2011-08-09 04:00 -------- d-s---w- c:\winnt\Cookies
2011-08-04 04:14 . 2011-08-04 04:14 14792 ----a-w- c:\winnt\system32\drivers\hitmanpro35.sys
2011-08-04 04:14 . 2011-08-04 04:14 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-08-04 04:08 . 2011-08-04 04:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-07-30 16:40 . 2011-07-30 16:40 -------- d-----w- C:\FOUND.015
2011-07-29 17:23 . 2011-05-13 18:21 1407280 ----a-w- C:\TADA.com
2011-07-29 00:15 . 2011-07-29 00:15 -------- d-----w- C:\FOUND.014
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 14:11 . 2009-08-29 01:51 39984 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2011-05-29 14:11 . 2009-08-29 01:51 21048 ----a-w- c:\winnt\system32\drivers\mbam.sys
2003-05-08 21:22 . 2006-02-17 04:13 36963 ----a-w- c:\program files\Common Files\CYDrvIns.dll
2011-03-18 17:53 . 2011-04-18 20:33 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 10:06 163328 --sh--r- c:\winnt\system32\flvDX.dll
2007-02-21 11:47 31232 --sh--r- c:\winnt\system32\msfDX.dll
2008-03-16 13:30 216064 --sh--r- c:\winnt\system32\nbDX.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2005-09-23 10:03 . EB0EA3EF05D648455D691348C819E479 . 17680 . . [ERROR: 0x0] . . c:\winnt\system32\linkinfo.dll
[-] 2005-09-23 10:03 . EB0EA3EF05D648455D691348C819E479 . 17680 . . [ERROR: 0x0] . . c:\winnt\system32\dllcache\linkinfo.dll
[7] 2004-09-02 20:03 . 814222ED1C5C31B135B6F97585FE6B41 . 17168 . . [ERROR: 0x0] . . c:\winnt\$NtUpdateRollupPackUninstall$\linkinfo.dll
.
[-] 2005-01-12 18:39 . 6FCCE1622E75C7DC46509F7EC4B314A3 . 114448 . . [ERROR: 0x0] . . c:\winnt\system32\scecli.dll
[-] 2005-01-12 18:39 . 6FCCE1622E75C7DC46509F7EC4B314A3 . 114448 . . [ERROR: 0x0] . . c:\winnt\system32\dllcache\scecli.dll
[7] 2004-03-24 02:17 . 0B476C9305098B37BE70F0AC29E671E5 . 111376 . . [ERROR: 0x0] . . c:\winnt\$NtUpdateRollupPackUninstall$\scecli.dll
.
[-] 2002-11-27 00:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [ERROR: 0x0] . . c:\winnt\system32\mspmsnsv.dll
.
[-] 2004-07-09 09:27 . 0E51BD586D186F61A9E4453DB8AEC774 . 1703936 . . [ERROR: 0x0] . . c:\winnt\system32\d3d9.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-07-30 2424192]
"Steam"="c:\program files\Steam\Steam.exe" [2011-04-18 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2003-07-14 111376]
"nwiz"="nwiz.exe" [2007-10-28 1626112]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"Joystick 2 Mouse"="c:\program files\Joystick 2 Mouse 3\Joystick 2 Mouse.exe" [2005-07-28 176128]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-12-21 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-18 155648]
"Gene USB Monitor"="c:\winnt\system32\UMonit2k.exe" [2003-12-16 49152]
"SiteAdvisor"="c:\program files\SiteAdvisor\6261\SiteAdv.exe" [2006-07-24 35992]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Ai Nap"="c:\program files\ASUS\AI Suite\AiNap\AiNap.exe" [2007-09-06 1426432]
"CPU Power Monitor"="c:\program files\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe" [2007-10-05 626176]
"Cpu Level Up help"="c:\program files\ASUS\AI Suite\CpuLevelUpHelp.exe" [2007-09-11 880640]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-12-02 2221352]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2007-10-28 8531968]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 488984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 774168]
"NvMediaCenter"="c:\winnt\system32\NvMcTray.dll" [2007-10-28 81920]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-03-16 1040384]
"NIC Monitor"="VNICMon.exe" [2005-01-10 40960]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Popup"="c:\program files\MegaRAID Storage Manager\MegaPopup\Popup.exe" [2007-12-18 81096]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-05 5367664]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-07-14 186640]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2002-7-18 299008]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-8-26 51984]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-8-26 111376]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-6-1 113664]
Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2007-6-22 106496]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2007-6-22 151552]
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-11-12 1447184]
Ralink Wireless Utility.lnk - c:\program files\Ralink\Common\RaUI.exe [2011-4-18 1643808]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
.
R0 aacsas;Adaptec SAS/SATA-II RAID Miniport Driver;c:\winnt\system32\drivers\aacsas.sys [4/3/2008 12:12 PM 83839]
R0 hotcore2;hotcore2;c:\winnt\system32\drivers\hotcore2.sys [8/5/2008 6:42 PM 30808]
R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [9/4/2009 9:09 AM 64160]
R0 megasas;megasas;c:\winnt\system32\drivers\megasas.sys [2/23/2010 4:19 PM 19968]
R0 Pnp680;SiI 680 ATA Controller;c:\winnt\system32\drivers\pnp680.sys [4/20/2009 9:59 PM 37031]
R1 NmPar;MosChip PCI Parallel Port;c:\winnt\system32\drivers\NmPar.sys [10/11/2006 11:12 AM 76416]
R1 nmserial;MosChip PCI Serial Port;c:\winnt\system32\drivers\NmSerial.sys [10/12/2006 8:23 PM 60032]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/15/2009 11:42 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 AM 67656]
R2 DriverX;DriverX;c:\winnt\system32\drivers\Driverx.sys [6/11/2001 10:01 PM 52512]
R2 io.sys;IO.DLL Driver;c:\winnt\system32\drivers\io.sys [7/30/2008 12:23 PM 5152]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2/5/2010 10:06 PM 712048]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2/5/2010 10:06 PM 712048]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\winnt\system32\drivers\Scutum50.sys [4/18/2011 9:41 AM 19072]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/7/2009 4:26 PM 24652]
R3 AmbFilt;AmbFilt;c:\winnt\system32\drivers\Ambfilt.sys [4/21/2009 6:36 AM 1683712]
R3 DLKRTS;D-Link DFE-530TX+ PCI Adapter;c:\winnt\system32\drivers\DLKRTS.SYS [4/21/2009 12:54 AM 25434]
R3 FIXUSTOR;FIXUSTOR;c:\winnt\system32\drivers\fixustor.sys [11/30/2007 8:50 PM 12672]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [4/20/2009 11:38 PM 49776]
R3 yukonw2k;NDIS5 Miniport Driver for Marvell Yukon Ethernet Controller;c:\winnt\system32\drivers\yk50x86.sys [12/9/2008 4:06 AM 296320]
S1 CypressUsbDev;Cypress USB Devices;c:\winnt\system32\drivers\CyUsbGen.sys [2/16/2006 11:10 PM 14356]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/23/2009 2:48 PM 135664]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
S3 Asushwio;Asushwio;\??\d:\bin\Asushwio.sys --> d:\bin\Asushwio.sys [?]
S3 PhilCam8116_2K;Logitech QuickCam Pro 3000(PID_08B1);c:\winnt\system32\drivers\CamDrL20.sys [3/21/2005 1:44 PM 236121]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 AM 12872]
S3 USA19H;USA19H;c:\winnt\system32\drivers\USA19H2k.sys [9/18/2008 9:26 PM 704000]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\winnt\system32\drivers\USA19H2kp.sys [9/18/2008 9:26 PM 24192]
S3 UStor;Lexar RW018;c:\winnt\system32\drivers\UStor.sys [11/26/2006 12:32 PM 25246]
S3 USTOR2K;Genesys USB Mass Storage Windows Driver;c:\winnt\system32\drivers\ustor2k.sys [12/24/2006 10:17 PM 21248]
S3 VNICPKT5;VNICPKT5 Protocol Driver;c:\winnt\system32\VNICPKT5.sys [4/28/2009 4:24 PM 16066]
S3 XilinxFirmwareLoader;XilinxFirmwareLoader;c:\winnt\system32\drivers\xusbdfwu.sys [4/21/2009 3:33 AM 17280]
S3 XilinxFirmwarePusb2Loader;XilinxFirmwarePusb2Loader;c:\winnt\system32\drivers\xusb_xp2.sys [4/21/2009 3:33 AM 17920]
S4 viafilter;VIA USB Filter;c:\winnt\system32\drivers\viausb.sys [3/23/2005 4:52 AM 9038]
S4 viasraid;viasraid;c:\winnt\system32\drivers\viasraid.sys [11/5/2004 2:52 PM 78988]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
.
2010-01-01 c:\winnt\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-10-22 17:22]
.
2009-10-27 c:\winnt\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 18:46]
.
2010-08-25 c:\winnt\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 18:46]
.
2010-08-30 c:\winnt\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:13]
.
2009-10-27 c:\winnt\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 18:46]
.
2011-08-09 c:\winnt\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-23 19:48]
.
2011-08-08 c:\winnt\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-23 19:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.0.1 68.94.156.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tozlwhf0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 4
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-08 23:19
Windows 5.0.2195 Service Pack 4 FAT NTAPI
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.0.2195
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(252)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\winnt\system32\WRLogonNTF.dll
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
- - - - - - - > 'explorer.exe'(3660)
c:\program files\SiteAdvisor\6261\saHook.dll
c:\winnt\system32\nview.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\winnt\system32\SHDOCVW.DLL
c:\program files\Joystick 2 Mouse 3\Hook.dll
c:\winnt\system32\nvwddi.dll
.
Completion time: 2011-08-08 23:20:36
ComboFix-quarantined-files.txt 2011-08-09 04:20
ComboFix2.txt 2011-08-09 03:59
ComboFix3.txt 2011-07-30 15:23
ComboFix4.txt 2011-07-29 20:31
.
Pre-Run: 68,850,941,952 bytes free
Post-Run: 68,828,479,488 bytes free
.
- - End Of File - - 09AB2EE406DAA16B945CB7C299D7EB50

Attached File(s)

  • Attached File  log.txt (17.12K)
    Number of downloads: 2

This post has been edited by gringo_pr: 09 August 2011 - 07:54 AM

#6 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,518
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 09 August 2011 - 07:55 AM

Hello

It looks like the rootkit is still active. I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#7 User is offline   DenaliAK 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 62
  • Joined: 31-July 11

Posted 09 August 2011 - 09:09 AM

I ran TDSSkiller fro the desktop and I get BSOD file ntoskrnl.exe. Once rebooted I don't see a report in c:\

Thank You.

#8 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,518
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 09 August 2011 - 09:32 AM

Hello

I would like you to run this tool for me - fixTDSS

download it to your desktop and start the program

Follow the prompts and Ok any security prompts

when it is complete it will say the infection was cleared or no infection was found - let me know what it says

after it is complete I want you to restart the computer and try to rerun TDSSKiller for me and send me the report

Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#9 User is offline   DenaliAK 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 62
  • Joined: 31-July 11

Posted 09 August 2011 - 09:55 AM

After running FixTDSS I get this message: No Infections found, Tool failure, Error 0x2.
Rerun for TDSSKiller, Same BSOD.

Thank you Gringo.

#10 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,518
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 09 August 2011 - 11:13 AM

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#11 User is offline   DenaliAK 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 62
  • Joined: 31-July 11

Posted 09 August 2011 - 12:02 PM

new log. I said no to downloading the latest Avast virus scan. Thank you.

Attached File(s)


#12 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,518
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 09 August 2011 - 12:07 PM

Re-Run aswMBR

  • Click Scan
  • On completion of the scan, click the FIXMBR button
  • There is a slight pause after clicking the 'Fix' button.
  • Wait for the tool to report 'Infection fixed successfully', now reboot the machine.
  • Rebooting the machine prematurely, before seeing this line will result in an incomplete fix.

    Note:After the 'Infection fixed successfully' message appears, the machine may became unresponsive. You may have to do a hard boot of your machine. That may be a side effect from the fix. All will be well after the reboot.

  • Save the log as before and post in your next reply.

I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#13 User is offline   DenaliAK 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 62
  • Joined: 31-July 11

Posted 09 August 2011 - 12:21 PM

tried the fixmbr looks like error. log attached

Attached File(s)


#14 User is offline   DenaliAK 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 62
  • Joined: 31-July 11

Posted 12 August 2011 - 08:13 AM

Hi Gringo, I haven't heard from you in 48Hr are we at an impass?

#15 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,518
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 12 August 2011 - 08:23 AM

I want you to rerun combofix for me again and if it asks to update then let it..


I will be away for a couple of hours so don't worry if I don't respond right away



Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Share this topic:


  • 6 Pages +
  • 1
  • 2
  • 3
  • Last »
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users