Google search redirects (Rootkit?)

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

2 Pages
1
2
→

You cannot start a new topic
This topic is locked

Google search redirects (Rootkit?) Need help!

#1 cloudydays

New Member

Group: Members
Posts: 13
Joined: 07-June 11

Posted 17 December 2011 - 05:56 PM

I have a problem that a lot of people are having too.

Recently I was infected with XP Security 2012. I followed some instructions found online and I think I got rid of it?

But when I google things sometimes I get redirected to random sites.
Also sometimes random tabs pop up to random sites.
It happens in all my browsers (internet explorer, firefox, google chrome)

I have Malwarebytes running and lots of times it says that it "successfully blocked access to a potentially malicious website" then a IP address follows (there have been a couple different ones
- This happens pretty frequently even when I'm not google searching anything.
* When I have Malwarebytes actively running (and it blocks the access to the website) I don't seem to get the redirects anymore.

After I ran the GMER log it said something about "rootkit activity" on my computer...

So yes there is something clearly still on my computer.

Please help!

This post has been edited by cloudydays: 17 December 2011 - 07:53 PM

#2 cloudydays

New Member

Group: Members
Posts: 13
Joined: 07-June 11

Posted 17 December 2011 - 05:57 PM

- DDS LOG*

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Melody at 16:39:01 on 2011-12-17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.133 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\System32\ping.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\melody\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\melody\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 64.233.217.5 64.233.217.2
TCP: Interfaces\{68CD4A9C-5D9C-49E2-AF7E-27A895E479A4} : DhcpNameServer = 64.233.217.5 64.233.217.2
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = :\windows\syste
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\melody\application data\mozilla\firefox\profiles\12sktl3q.default\
FF - plugin: c:\documents and settings\melody\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
R1 MpKsl04a8f7e7;MpKsl04a8f7e7;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eddccbab-03a9-4aa3-868c-98320e3ab94c}\MpKsl04a8f7e7.sys [2011-12-17 29904]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-17 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-17 22216]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
=============== Created Last 30 ================
.
2011-12-17 21:26:56 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-17 21:26:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-17 21:10:50 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eddccbab-03a9-4aa3-868c-98320e3ab94c}\MpKsl04a8f7e7.sys
2011-12-17 21:10:48 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eddccbab-03a9-4aa3-868c-98320e3ab94c}\offreg.dll
2011-12-17 18:01:04 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eddccbab-03a9-4aa3-868c-98320e3ab94c}\mpengine.dll
2011-12-15 00:49:35 -------- d-----w- c:\documents and settings\melody\local settings\application data\Google
2011-12-14 22:31:49 -------- d-----w- c:\documents and settings\melody\application data\Malwarebytes
2011-12-14 22:23:21 -------- d-----w- c:\windows\pss
2011-12-14 22:02:39 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-14 02:25:59 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-12-14 02:25:59 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33:08 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:03 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 16:39:47.71 ===============

----------------------------

GMER LOG*

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-17 17:45:28
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 WDC_WD2500JS-60NCB1 rev.10.02E02
Running: gmer.exe; Driver: C:\DOCUME~1\Melody\LOCALS~1\Temp\kwecqaod.sys

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6F0E360, 0x20574D, 0xE8000020]
? C:\DOCUME~1\Melody\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[988] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02C2000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[988] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 02C3000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[988] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 02C1000C
.text C:\WINDOWS\System32\svchost.exe[1132] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0172000A
.text C:\WINDOWS\System32\svchost.exe[1132] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0173000A
.text C:\WINDOWS\System32\svchost.exe[1132] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0171000C
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1304] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2924] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 106AC350 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2924] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 106AC2E2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2924] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 1045E363 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2924] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 1045E91C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\Melody\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3044] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\WINDOWS\System32\ping.exe[3828] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B4000A
.text C:\WINDOWS\System32\ping.exe[3828] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00B5000A
.text C:\WINDOWS\System32\ping.exe[3828] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009F000A
.text C:\WINDOWS\System32\ping.exe[3828] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A0000A
.text C:\WINDOWS\System32\ping.exe[3828] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009E000C
.text C:\WINDOWS\System32\ping.exe[3828] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00B8000A
.text C:\WINDOWS\System32\ping.exe[3828] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 00B9000A
.text C:\WINDOWS\System32\ping.exe[3828] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 00BA000A
.text C:\WINDOWS\System32\ping.exe[3828] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 00B7000A

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) F6EBC000-F6ED6000 (106496 bytes)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB35182$\3341945065 0 bytes
File C:\WINDOWS\$NtUninstallKB35182$\587901540 0 bytes
File C:\WINDOWS\$NtUninstallKB35182$\587901540\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB35182$\587901540\bckfg.tmp 852 bytes
File C:\WINDOWS\$NtUninstallKB35182$\587901540\cfg.ini 201 bytes
File C:\WINDOWS\$NtUninstallKB35182$\587901540\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB35182$\587901540\keywords 240 bytes
File C:\WINDOWS\$NtUninstallKB35182$\587901540\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB35182$\587901540\L 0 bytes
File C:\WINDOWS\$NtUninstallKB35182$\587901540\L\xaykhsay 57600 bytes
File C:\WINDOWS\$NtUninstallKB35182$\587901540\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB35182$\587901540\U 0 bytes
File C:\WINDOWS\$NtUninstallKB35182$\587901540\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB35182$\587901540\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB35182$\587901540\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB35182$\587901540\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB35182$\587901540\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB35182$\587901540\U\80000032.@ 98304 bytes

---- EOF - GMER 1.0.15 ----

Attached File(s)

attach.txt (23.46K)
Number of downloads: 1

This post has been edited by cloudydays: 17 December 2011 - 05:59 PM

#3 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,524
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 18 December 2011 - 06:21 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

Do not run any other tool untill instructed to do so!
please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool untill instructed to do so!

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.

Link 1

Link 2

Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->

<-- Don't worry every little bit helps.

#4 cloudydays

New Member

Group: Members
Posts: 13
Joined: 07-June 11

Posted 19 December 2011 - 04:10 PM

Ran combofix successfully. Said it found Zeroaccess rootkit in the tcp/ip stack.

Things seem to be running well. I don't get the ip address notice from malwarebytes anymore.
I don't see redirects in google searches...

The Log:

ComboFix 11-12-19.01 - Melody 12/19/2011 15:40:43.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.628 [GMT -5:00]
Running from: c:\documents and settings\Melody\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB35182$\3341945065
c:\windows\$NtUninstallKB35182$\587901540\@
c:\windows\$NtUninstallKB35182$\587901540\bckfg.tmp
c:\windows\$NtUninstallKB35182$\587901540\cfg.ini
c:\windows\$NtUninstallKB35182$\587901540\Desktop.ini
c:\windows\$NtUninstallKB35182$\587901540\keywords
c:\windows\$NtUninstallKB35182$\587901540\kwrd.dll
c:\windows\$NtUninstallKB35182$\587901540\L\xaykhsay
c:\windows\$NtUninstallKB35182$\587901540\lsflt7.ver
c:\windows\$NtUninstallKB35182$\587901540\U\00000001.@
c:\windows\$NtUninstallKB35182$\587901540\U\00000002.@
c:\windows\$NtUninstallKB35182$\587901540\U\00000004.@
c:\windows\$NtUninstallKB35182$\587901540\U\80000000.@
c:\windows\$NtUninstallKB35182$\587901540\U\80000004.@
c:\windows\$NtUninstallKB35182$\587901540\U\80000032.@
c:\windows\system32\AutoRun.inf
c:\windows\$NtUninstallKB35182$ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-11-19 to 2011-12-19 )))))))))))))))))))))))))))))))
.
.
2011-12-19 20:53 . 2011-12-19 20:53 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{57F0C585-3ECF-4786-B237-DAA6F4AC7678}\offreg.dll
2011-12-19 20:23 . 2011-11-21 07:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{57F0C585-3ECF-4786-B237-DAA6F4AC7678}\mpengine.dll
2011-12-18 21:03 . 2011-12-18 21:03 -------- d-----w- c:\program files\Common Files\Java
2011-12-18 21:02 . 2011-11-10 10:54 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-12-17 21:26 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-17 21:26 . 2011-12-17 21:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-15 00:49 . 2011-12-17 17:51 -------- d-----w- c:\documents and settings\Melody\Local Settings\Application Data\Google
2011-12-14 22:31 . 2011-12-14 22:31 -------- d-----w- c:\documents and settings\Melody\Application Data\Malwarebytes
2011-12-14 22:02 . 2011-12-14 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-14 21:43 . 2011-12-14 21:43 -------- d-----w- c:\documents and settings\Administrator
2011-12-14 02:25 . 2011-12-14 02:25 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-14 02:05 . 2011-12-14 02:05 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:25 . 2011-06-15 19:45 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-21 07:47 . 2011-06-16 00:02 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-10 10:54 . 2011-06-16 00:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 08:27 . 2011-06-16 00:06 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-04 19:20 . 2004-08-04 04:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 19:20 . 2004-08-04 04:56 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-04 04:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 11:23 . 2004-08-04 02:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-04 04:56 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2011-06-15 19:45 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2011-06-15 19:45 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2011-06-15 19:45 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-04 04:56 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2011-06-15 17:30 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2004-08-04 04:56 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2001-08-23 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2001-08-23 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-11-10 22:27 . 2011-06-16 00:08 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-10 7311360]
"nwiz"="nwiz.exe" [2006-05-10 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-05-10 86016]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 16010240]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-12 275800]
"VX3000"="c:\windows\vVX3000.exe" [2006-12-05 707360]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\Melody\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/17/2011 4:27 PM 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/17/2011 4:26 PM 22216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-1220945662-1801674531-1003Core.job
- c:\documents and settings\Melody\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-17 17:49]
.
2011-12-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-1220945662-1801674531-1003UA.job
- c:\documents and settings\Melody\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-17 17:49]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 64.233.217.5 64.233.217.2
FF - ProfilePath - c:\documents and settings\Melody\Application Data\Mozilla\Firefox\Profiles\12sktl3q.default\
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-19 15:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3592)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2011-12-19 15:57:38 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-19 20:57
.
Pre-Run: 101,154,197,504 bytes free
Post-Run: 103,195,164,672 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 5A13FA80F80EE5B80CB444C3116F06AD

This post has been edited by cloudydays: 19 December 2011 - 04:11 PM

#5 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,524
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 19 December 2011 - 09:36 PM

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

 ClearJavaCache::

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

In your next post I need the following

report from Combofix
let me know of any problems you may have had
How is the computer doing now after running the script?

Gringo

<-- Don't worry every little bit helps.

#6 cloudydays

New Member

Group: Members
Posts: 13
Joined: 07-June 11

Posted 20 December 2011 - 11:17 AM

Ran combofix with no problem. Asked me to update it and I did.

Things seem to be the same. It's running well.

Edit: I actually did it get 2 notices from Malwarebytes about trying to access a malicious website & IP address that follows. I'm not sure if it is that important or not because before it was doing it constantly.

The log:

ComboFix 11-12-20.04 - Melody 12/20/2011 11:06:42.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.515 [GMT -5:00]
Running from: c:\documents and settings\Melody\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Melody\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2011-11-20 to 2011-12-20 )))))))))))))))))))))))))))))))
.
.
2011-12-20 15:56 . 2011-12-20 15:56 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D18EAD47-56EB-449E-ABCE-96B2E92F55E6}\MpKsl645a122b.sys
2011-12-20 15:56 . 2011-12-20 15:56 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D18EAD47-56EB-449E-ABCE-96B2E92F55E6}\offreg.dll
2011-12-19 20:59 . 2011-11-21 07:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D18EAD47-56EB-449E-ABCE-96B2E92F55E6}\mpengine.dll
2011-12-18 21:03 . 2011-12-18 21:03 -------- d-----w- c:\program files\Common Files\Java
2011-12-18 21:02 . 2011-11-10 10:54 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-12-17 21:26 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-17 21:26 . 2011-12-17 21:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-15 00:49 . 2011-12-17 17:51 -------- d-----w- c:\documents and settings\Melody\Local Settings\Application Data\Google
2011-12-14 22:31 . 2011-12-14 22:31 -------- d-----w- c:\documents and settings\Melody\Application Data\Malwarebytes
2011-12-14 22:02 . 2011-12-14 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-14 21:43 . 2011-12-14 21:43 -------- d-----w- c:\documents and settings\Administrator
2011-12-14 02:25 . 2011-12-14 02:25 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-14 02:05 . 2011-12-14 02:05 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:25 . 2011-06-15 19:45 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-21 07:47 . 2011-06-16 00:02 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-10 10:54 . 2011-06-16 00:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 08:27 . 2011-06-16 00:06 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-04 19:20 . 2004-08-04 04:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 19:20 . 2004-08-04 04:56 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-04 04:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 11:23 . 2004-08-04 02:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-04 04:56 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2011-06-15 19:45 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2011-06-15 19:45 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2011-06-15 19:45 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-04 04:56 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2011-06-15 17:30 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2004-08-04 04:56 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2001-08-23 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2001-08-23 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-11-10 22:27 . 2011-06-16 00:08 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-19_20.54.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-20 15:56 . 2011-12-20 15:56 16384 c:\windows\Temp\Perflib_Perfdata_27c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-10 7311360]
"nwiz"="nwiz.exe" [2006-05-10 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-05-10 86016]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 16010240]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-12 275800]
"VX3000"="c:\windows\vVX3000.exe" [2006-12-05 707360]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\Melody\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
R1 MpKsl645a122b;MpKsl645a122b;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D18EAD47-56EB-449E-ABCE-96B2E92F55E6}\MpKsl645a122b.sys [12/20/2011 10:56 AM 29904]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/17/2011 4:27 PM 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/17/2011 4:26 PM 22216]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL645A122B
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-1220945662-1801674531-1003Core.job
- c:\documents and settings\Melody\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-17 17:49]
.
2011-12-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-1220945662-1801674531-1003UA.job
- c:\documents and settings\Melody\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-17 17:49]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 64.233.217.5 64.233.217.2
FF - ProfilePath - c:\documents and settings\Melody\Application Data\Mozilla\Firefox\Profiles\12sktl3q.default\
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-20 11:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3380)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-12-20 11:13:22
ComboFix-quarantined-files.txt 2011-12-20 16:13
ComboFix2.txt 2011-12-19 20:57
.
Pre-Run: 103,166,754,816 bytes free
Post-Run: 103,156,269,056 bytes free
.
- - End Of File - - 7468EE7B00537A89EADB9AF2C4BB85F2

This post has been edited by cloudydays: 20 December 2011 - 12:31 PM

#7 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,524
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 20 December 2011 - 02:01 PM

These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

start

settings

control panel

add/remove programs

Java™ 6 Update 26

remove

Install Java:

Please go here to install Java

click on the Free Java Download Button
click on Agree and start Free download
click on Run
click on run again
click on install
when install is complete click on close

TFC(Temp File Cleaner):

Please download TFC to your desktop,
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

Double-click mbam icon
go to the update tab at the top
click on check for updates
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
- If you accidentally close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

Go Here to download HijackThis Installer
Save HijackThis Installer to your desktop.
Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed it will launch Hijackthis.
Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the Analyze This button its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

In your next post I need the following

Log From MBAM
report from Hijackthis
let me know of any problems you may have had
How is the computer doing now?

Gringo

<-- Don't worry every little bit helps.

#8 cloudydays

New Member

Group: Members
Posts: 13
Joined: 07-June 11

Posted 20 December 2011 - 05:44 PM

Thanks for the speedy reply!

When I opened the "add/remove programs" all I saw was "Java Update 30" so I didn't remove it.

I installed Java. (I had Java already on my computer so it reinstalled it?)

TFC ran fine.

Computer is doing well.

The logs from MBAM & Hijack this are below:

MBAM:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8406

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/20/2011 5:34:03 PM
mbam-log-2011-12-20 (17-34-03).txt

Scan type: Quick scan
Objects scanned: 188876
Time elapsed: 4 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

------------------------------------------------

Hijackthis:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:38:36 PM, on 12/20/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\vVX3000.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\AM_Delta_Patch3.exe
C:\WINDOWS\system32\MpSigStub.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6128 bytes

#9 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,524
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 20 December 2011 - 06:14 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

NOTE**You can research each of those lines >here< and see if you want to keep them or not
just copy the name between the brackets and paste into the search space
O4 - HKLM\..\Run: [IntelliPoint]

NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
- Click Start
When asked, allow the ActiveX control to install
- Click Start
Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
Click on Advanced Settings, ensure the options
Click Scan
Wait for the scan to finish
Click on copy to clipboard and paste the results here in this topic
you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt

Copy and paste that log as a reply to this topic

Gringo

<-- Don't worry every little bit helps.

#10 cloudydays

New Member

Group: Members
Posts: 13
Joined: 07-June 11

Posted 20 December 2011 - 07:37 PM

I used hijackthis to remove some startup entries-

this is the ESET log:
hmmmm not liking what I'm seeing...

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=cf2c6b0a35d0774cb607a785baed1519
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-12-21 12:28:30
# local_time=2011-12-20 07:28:30 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5891 16776869 42 87 0 20356497 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=51247
# found=22
# cleaned=0
# scan_time=2083
C:\System Volume Information\_restore{4CA3C38E-789F-4221-AAA8-3635E977024D}\RP171\A0024180.sys a variant of Win32/Rootkit.Kryptik.GG trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4CA3C38E-789F-4221-AAA8-3635E977024D}\RP172\A0024231.sys a variant of Win32/Rootkit.Kryptik.GG trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4CA3C38E-789F-4221-AAA8-3635E977024D}\RP173\A0024242.sys a variant of Win32/Rootkit.Kryptik.GG trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4CA3C38E-789F-4221-AAA8-3635E977024D}\RP173\A0024256.sys a variant of Win32/Rootkit.Kryptik.GG trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4CA3C38E-789F-4221-AAA8-3635E977024D}\RP173\A0024264.sys a variant of Win32/Rootkit.Kryptik.GG trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4CA3C38E-789F-4221-AAA8-3635E977024D}\RP173\A0024270.sys a variant of Win32/Rootkit.Kryptik.GG trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4CA3C38E-789F-4221-AAA8-3635E977024D}\RP173\A0024276.sys a variant of Win32/Rootkit.Kryptik.GG trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4CA3C38E-789F-4221-AAA8-3635E977024D}\RP173\A0025276.sys a variant of Win32/Rootkit.Kryptik.GG trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4CA3C38E-789F-4221-AAA8-3635E977024D}\RP173\A0026276.sys a variant of Win32/Rootkit.Kryptik.GG trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4CA3C38E-789F-4221-AAA8-3635E977024D}\RP174\A0026303.sys a variant of Win32/Rootkit.Kryptik.GG trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4CA3C38E-789F-4221-AAA8-3635E977024D}\RP174\A0026386.sys a variant of Win32/Rootkit.Kryptik.GG trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4CA3C38E-789F-4221-AAA8-3635E977024D}\RP175\A0026672.sys a variant of Win32/Rootkit.Kryptik.GG trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4CA3C38E-789F-4221-AAA8-3635E977024D}\RP176\A0026760.sys a variant of Win32/Rootkit.Kryptik.GG trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4CA3C38E-789F-4221-AAA8-3635E977024D}\RP176\A0026769.sys a variant of Win32/Rootkit.Kryptik.GG trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4CA3C38E-789F-4221-AAA8-3635E977024D}\RP177\A0026783.sys a variant of Win32/Rootkit.Kryptik.GG trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4CA3C38E-789F-4221-AAA8-3635E977024D}\RP177\A0026802.sys a variant of Win32/Rootkit.Kryptik.GG trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4CA3C38E-789F-4221-AAA8-3635E977024D}\RP178\A0026812.sys a variant of Win32/Rootkit.Kryptik.GG trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4CA3C38E-789F-4221-AAA8-3635E977024D}\RP179\A0026828.sys a variant of Win32/Rootkit.Kryptik.GG trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4CA3C38E-789F-4221-AAA8-3635E977024D}\RP181\A0026959.sys a variant of Win32/Rootkit.Kryptik.GG trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4CA3C38E-789F-4221-AAA8-3635E977024D}\RP181\A0026971.sys a variant of Win32/Rootkit.Kryptik.GG trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4CA3C38E-789F-4221-AAA8-3635E977024D}\RP181\A0026981.sys a variant of Win32/Rootkit.Kryptik.GG trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\system32\drivers\redbook.sys a variant of Win32/Rootkit.Kryptik.GG trojan (unable to clean) 00000000000000000000000000000000 I

This post has been edited by cloudydays: 20 December 2011 - 07:38 PM

#11 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,524
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 20 December 2011 - 08:54 PM

Hello

out of that whole list only one thing to worry about

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

:filefind
redbook.sys

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

<-- Don't worry every little bit helps.

#12 cloudydays

New Member

Group: Members
Posts: 13
Joined: 07-June 11

Posted 21 December 2011 - 01:28 PM

Alright then!

SystemLook 30.07.11 by jpshortstuff
Log created at 13:25 on 21/12/2011 by Melody
Administrator - Elevation successful

========== filefind ==========

Searching for "redbook.sys"
C:\WINDOWS\$NtServicePackUninstall$\redbook.sys -----c- 57472 bytes [23:07 15/06/2011] [22:59 03/08/2004] B31B4588E4086D8D84ADBF9845C2402B
C:\WINDOWS\ServicePackFiles\i386\redbook.sys ------- 57600 bytes [18:40 13/04/2008] [18:40 13/04/2008] F828DD7E1419B6653894A8F97A0094C5
C:\WINDOWS\system32\drivers\redbook.sys --a---- 57600 bytes [19:45 15/06/2011] [18:40 13/04/2008] C6D5BEC27A7CCEAB4F60607B509C5127

-= EOF =-

#13 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,524
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 21 December 2011 - 01:57 PM

Blitzblank.

Download BlitzBlank and save it to your desktop. Open Blitzblank.exe

Click OK at the warning (and take note of it, this is a VERY powerful tool!).
Click the Script tab and copy/paste the following text there:

CopyFile:
C:\WINDOWS\ServicePackFiles\i386\redbook.sys C:\WINDOWS\system32\drivers\redbook.sys

Click Execute Now. Your computer will need to reboot in order to replace the files.
When done, post me the report created by Blitzblank. you can find it at the root of the drive Normaly C:\

<-- Don't worry every little bit helps.

#14 cloudydays

New Member

Group: Members
Posts: 13
Joined: 07-June 11

Posted 21 December 2011 - 02:35 PM

The log:

BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
CopyFileOnReboot: sourceFile = "\??\c:\windows\servicepackfiles\i386\redbook.sys", destinationFile = "\??\c:\windows\system32\drivers\redbook.sys"