Web browser redirect


30 replies to this topic

#1 kingart

  • Members
  • 15 posts

Posted 27 November 2009 - 08:41 AM

I was downloading some music and ended up getting some malware, I guess. At first, I had AVG on as my antivirus program, and it didn't catch it, so I downloaded and installed avast!. After downloading avast!, I kept getting an error message relating to a "win32:trojan-gen" virus. After doing some internet research, I uninstalled both AVG and avast! and installed Kaspersky to scan my computer. I guess it corrected it, because I do not get that win32 error anymore. I reinstalled avast! after uninstalling Kaspersky, and restarted my computer. Now when I go online and try to do a web search, I get redirected to random sites. Unfortunately, I do not have the Kaspersky report, as I uninstalled the program.

Here is the DDS text log:

DDS (Ver_09-11-24.02) - NTFSx86
Run by user at 7:15:33.37 on Fri 11/27/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.512.186 [GMT -6:00]

AV: avast! antivirus 4.8.1367 [VPS 091127-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Cricket Broadband Connect\AvqAutoRun.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Cricket Broadband Connect\mPhonetools.exe
C:\Program Files\Cricket Broadband Connect\Bytemobile\bmctl.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\toolbar\ctbr.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\toolbar\ctbr.dll
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [plqpfh] RUNDLL32.EXE c:\windows\system32\msqdqnno.dll,w
mRun: [{F9AA8FE2-E89A-E99B-E8b8-E9AE9B9ABA99}] "c:\program files\cricket broadband connect\avqautorun.exe" "c:\program files\cricket broadband connect\mPhonetools.exe" /OnPlug=%s
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\documents and settings\user\start menu\programs\startup\PowerReg Scheduler.exe
IE: Crawler Search - tbr:iemenu
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {DB8CBEDF-CBE1-44A1-9273-D8DDB205BBA2} = 172.28.221.53 172.28.221.54
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\toolbar\ctbr.dll
SSODL: mifanerop - {3dde553c-ef40-4528-b8d9-5ccdf71c552b} - c:\windows\system32\tinuhagu.dll
STS: gahurihor: {3dde553c-ef40-4528-b8d9-5ccdf71c552b} - c:\windows\system32\tinuhagu.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
LSA: Notification Packages = scecli zuvusibo.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\5rfuxe41.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\crawler\toolbar\firefox\components\xcomm.dll
FF - component: c:\program files\crawler\toolbar\firefox\components\xshared.dll
FF - component: c:\program files\crawler\toolbar\firefox\components\xsupport.dll
FF - component: c:\program files\crawler\toolbar\firefox\components\xwsg.dll
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npzylomgamesplayer.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-27 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-27 20560]
R3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\drivers\PTUMWBus.sys [2009-11-19 54416]
R3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\drivers\PTUMWFLT.sys [2009-11-19 12048]
R3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\drivers\PTUMWMdm.sys [2009-11-19 160400]
R3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\drivers\PTUMWNET.sys [2009-11-19 114192]
R3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\drivers\PTUMWVsp.sys [2009-11-19 160400]
S3 gel90xne;gel90xne;c:\docume~1\user\locals~1\temp\gel90xne.sys [2004-3-15 31744]
S3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\drivers\PTUMWCDF.sys [2009-11-19 22032]

=============== Created Last 30 ================

2009-11-27 02:27:09 252 ----a-w- c:\windows\system32\uses32.dat
2009-11-27 02:27:09 100 ----a-w- c:\windows\system32\flags.ini
2009-11-27 01:38:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-11-26 20:03:55 0 d-----w- c:\program files\Crawler
2009-11-26 18:51:59 237600 ----a-w- c:\windows\system32\drivers\str.sys
2009-11-26 10:30:04 53248 ------w- c:\windows\system32\trz10.tmp
2009-11-26 02:40:20 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-11-26 02:40:20 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-11-26 02:40:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-11-26 01:49:54 0 d-----w- c:\program files\Trend Micro
2009-11-26 01:34:07 0 d-----w- c:\windows\pss
2009-11-26 01:17:44 0 d-----w- c:\program files\CCleaner
2009-11-25 23:48:35 0 d-----w- c:\docume~1\alluse~1\applic~1\48984942
2009-11-25 23:05:57 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-25 22:42:10 53248 ----a-w- c:\windows\system32\caonima2.exe
2009-11-25 22:42:10 32768 ----a-w- c:\windows\system32\msqdqnno.dll
2009-11-25 22:34:09 0 d-----w- c:\windows\system32\wbem\Repository
2009-11-25 22:27:57 0 d-----w- c:\docume~1\user\applic~1\AVG8
2009-11-25 16:31:35 0 d-----w- c:\program files\DAEMON Tools Pro
2009-11-25 16:31:35 0 d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Pro
2009-11-25 16:24:32 0 d-----w- c:\docume~1\user\applic~1\DAEMON Tools Pro
2009-11-25 16:05:50 1172480 ----a-w- c:\windows\system32\SET4.tmp
2009-11-25 12:23:54 0 d-----w- c:\program files\MagicDisc
2009-11-25 12:19:18 0 d-----w- c:\program files\MagicISO
2009-11-25 09:37:20 0 d-----w- c:\docume~1\alluse~1\applic~1\iWin Games
2009-11-24 22:15:10 0 d-----w- c:\docume~1\user\applic~1\Magic Match
2009-11-24 17:16:45 0 d-sh--w- c:\windows\ftpcache
2009-11-24 13:35:32 0 d-----w- c:\docume~1\alluse~1\applic~1\GameXzone
2009-11-24 13:34:01 0 d-----w- c:\program files\Coffee Rush
2009-11-24 13:31:36 0 d-----w- c:\windows\Tibet Quest
2009-11-24 13:31:36 0 d-----w- c:\program files\Tibet Quest
2009-11-23 17:10:22 0 d-----w- c:\docume~1\alluse~1\applic~1\HipSoft
2009-11-22 15:18:08 0 d-----w- c:\program files\Infogrames Interactive
2009-11-22 15:13:48 0 d-----w- c:\program files\GamesBar
2009-11-22 15:12:49 0 d-----w- c:\program files\common files\Oberon Media
2009-11-22 15:12:48 0 d-----w- c:\program files\Oberon Media
2009-11-22 15:05:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Burger Island 2
2009-11-22 15:04:38 0 d-----w- c:\program files\common files\SWF Studio
2009-11-22 15:04:35 0 d-sh--w- c:\docume~1\user\applic~1\.#
2009-11-22 15:03:39 0 d-----w- c:\windows\Burger Island 2
2009-11-22 15:03:39 0 d-----w- c:\program files\Burger Island 2
2009-11-22 14:55:55 0 d-----w- c:\program files\Cwer
2009-11-22 14:33:26 0 d-----w- c:\docume~1\user\applic~1\Thinstall
2009-11-22 08:49:41 0 d-----w- c:\docume~1\user\applic~1\Meridian93
2009-11-22 08:15:58 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-11-21 22:19:19 0 d-----w- C:\games
2009-11-21 22:16:04 0 d-----w- c:\docume~1\alluse~1\applic~1\MumboJumbo
2009-11-21 22:15:44 0 d-----w- c:\windows\Luxor 2
2009-11-21 22:15:44 0 d-----w- c:\program files\Luxor 2
2009-11-21 22:11:12 0 d-----w- c:\windows\Luxor
2009-11-21 22:11:11 0 d-----w- c:\program files\Luxor
2009-11-21 14:23:03 0 d-----w- c:\docume~1\user\applic~1\Developer
2009-11-21 14:23:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Developer
2009-11-21 14:22:45 33 ----a-w- c:\windows\popcinfo.dat
2009-11-21 14:19:05 0 d-----w- c:\program files\The Village Mage - Spellbinder
2009-11-21 14:17:04 0 d-----w- c:\windows\Bejeweled 2 Deluxe
2009-11-21 14:17:04 0 d-----w- c:\program files\Bejeweled 2 Deluxe
2009-11-21 11:05:52 0 d-----w- c:\docume~1\alluse~1\applic~1\TERMINAL Studio
2009-11-21 11:05:38 0 d-----w- c:\docume~1\user\applic~1\Zylom
2009-11-21 11:03:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Zylom
2009-11-21 09:50:57 0 d-----w- c:\docume~1\alluse~1\applic~1\FarmFrenzy-PizzaParty
2009-11-21 09:41:12 0 d-----w- c:\program files\KONAMI
2009-11-21 03:23:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Sandlot Games
2009-11-21 03:22:36 0 d-----w- c:\program files\common files\Sandlot Shared
2009-11-21 03:22:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Trymedia
2009-11-21 03:17:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Awem
2009-11-21 01:25:46 0 d--h--w- c:\windows\PIF
2009-11-21 01:19:04 0 d-----w- c:\program files\LeeGTs Games
2009-11-20 18:24:13 0 d-----w- c:\windows\GemShop
2009-11-20 18:24:13 0 d-----w- c:\program files\GemShop
2009-11-19 23:57:52 0 d-----w- c:\program files\MPC HomeCinema
2009-11-19 20:41:02 601 ----a-w- c:\windows\eReg.dat
2009-11-19 20:40:55 1064456 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2009-11-19 20:38:01 0 d-----w- c:\program files\Maxis
2009-11-19 19:01:09 304128 ----a-w- c:\windows\IsUninst.exe
2009-11-19 18:54:29 0 d-----w- c:\documents and settings\user\WINDOWS
2009-11-19 18:51:36 0 ----a-w- c:\windows\PowerReg.dat
2009-11-19 18:13:39 0 d-----w- c:\docume~1\user\applic~1\Eyeblaster
2009-11-19 17:20:01 22032 ----a-w- c:\windows\system32\drivers\PTUMWCDF.sys
2009-11-19 17:20:00 12048 ----a-w- c:\windows\system32\drivers\PTUMWFLT.sys
2009-11-19 17:20:00 114192 ----a-w- c:\windows\system32\drivers\PTUMWNET.sys
2009-11-19 17:19:59 54416 ----a-w- c:\windows\system32\drivers\PTUMWBus.sys
2009-11-19 17:19:59 160400 ----a-w- c:\windows\system32\drivers\PTUMWVsp.sys
2009-11-19 17:19:59 160400 ----a-w- c:\windows\system32\drivers\PTUMWMdm.sys
2009-11-19 17:19:58 319456 ----a-w- c:\windows\system32\DIFxAPI.dll
2009-11-19 17:19:58 112144 ----a-w- c:\windows\system32\ptumwmcp64.dll
2009-11-19 17:19:58 100880 ----a-w- c:\windows\system32\ptumwmcp.dll
2009-11-19 17:19:57 0 d-----w- c:\program files\PANTECH
2009-11-19 17:19:46 148736 ----a-w- c:\docume~1\alluse~1\applic~1\hpe11.dll
2009-11-19 17:19:20 0 d-----w- c:\program files\common files\Avanquest software Shared
2009-11-19 17:19:19 0 d-----w- c:\program files\Cricket Broadband Connect
2009-11-19 17:12:35 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys

==================== Find3M ====================

2009-11-26 05:06:50 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-23 13:59:12 28624 ----a-w- c:\windows\system32\drivers\secdrv.sys
2009-10-08 15:07:45 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-25 05:56:36 662016 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:56:32 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:33:52 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-25 23:47:39 1118522 --sha-w- c:\windows\system32\lasozodi.exe
2009-08-25 22:42:13 53248 --sha-w- c:\windows\system32\lejivaya.dll
2009-08-25 23:47:39 39424 --sha-w- c:\windows\system32\lopivasa.dll

============= FINISH: 7:17:18.64 ===============
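The Pseudo HJT and file-listing sections of a DDS log are what a helper reads to separate legitimate load points from the ones that do not belong. As an added illustration (not part of the original post and not code from the DDS tool), the following Python script applies a few such checks to a constructed sample made of lines copied from the log above: a non-default LSA Notification Package, SSODL/STS shell load points, a Run entry that starts rundll32 on a DLL in system32, nameless or orphaned BHOs, and files in system32 carrying both the system and hidden attributes; it then cross-references load-point targets against the recent-creation listing. The rule names, the regexes and the assumption that a stock XP box lists only scecli as an LSA package are mine.

```python
import re

# Constructed sample: a subset of lines copied from the DDS log above.
# Real DDS output has many more sections; only these line shapes are parsed here.
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\toolbar\ctbr.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [plqpfh] RUNDLL32.EXE c:\windows\system32\msqdqnno.dll,w
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
SSODL: mifanerop - {3dde553c-ef40-4528-b8d9-5ccdf71c552b} - c:\windows\system32\tinuhagu.dll
STS: gahurihor: {3dde553c-ef40-4528-b8d9-5ccdf71c552b} - c:\windows\system32\tinuhagu.dll
LSA: Notification Packages = scecli zuvusibo.dll
2009-11-25 22:42:10 32768 ----a-w- c:\windows\system32\msqdqnno.dll
2009-09-25 05:56:36 662016 ----a-w- c:\windows\system32\wininet.dll
2009-08-25 23:47:39 1118522 --sha-w- c:\windows\system32\lasozodi.exe
2009-08-25 22:42:13 53248 --sha-w- c:\windows\system32\lejivaya.dll
"""

LOADPOINT_RE = re.compile(r"^(BHO|TB|uRun|mRun|dRun|SSODL|STS|LSA|SEH): ?(.*)$")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (\d+) ([-a-z]{8}) (.+)$")
PATH_RE = re.compile(r'[a-z]:\\[^",]+?\.(?:dll|exe|sys)\b', re.IGNORECASE)
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+[a-z]:\\windows\\system32\\", re.IGNORECASE)
DEFAULT_LSA_PACKAGES = {"scecli"}  # assumption: a stock XP install lists only scecli here


def triage(log_text):
    """Return a list of (rule, detail) findings for a DDS-style log."""
    findings = []
    created = {}          # lower-case path -> creation date from the file listing
    loadpoint_lines = []  # load-point lines whose targets are cross-checked afterwards

    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            date, _size, attrs, path = m.groups()
            created[path.lower()] = date
            # A file that is both system and hidden inside system32 is unusual.
            if "s" in attrs and "h" in attrs and "\\system32\\" in path.lower():
                findings.append(("hidden-system-file", line))
            continue

        m = LOADPOINT_RE.match(line)
        if not m:
            continue
        kind, rest = m.groups()
        loadpoint_lines.append(line)

        if kind == "LSA" and "=" in rest:
            packages = rest.split("=", 1)[1].split()
            if any(p.lower() not in DEFAULT_LSA_PACKAGES for p in packages):
                findings.append(("lsa-extra-package", line))
        elif kind in ("SSODL", "STS"):
            # DDS lists only non-standard shell load points, so each one merits a look.
            findings.append(("shell-loadpoint", line))
        elif kind in ("uRun", "mRun", "dRun") and RUNDLL_RE.search(rest):
            findings.append(("rundll32-system32-dll", line))
        elif kind == "BHO" and (rest.startswith(":") or rest.endswith("No File")):
            findings.append(("bho-anomaly", line))

    # Cross-reference: a load point whose target shows up in the creation
    # listing deserves a second look regardless of the rules above.
    for line in loadpoint_lines:
        for path in PATH_RE.findall(line):
            if path.lower() in created:
                detail = f"{path} (created {created[path.lower()]})"
                findings.append(("loadpoint-target-listed", detail))
    return findings


def summarize(findings):
    """Count findings per rule name."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

The script deliberately stays away from "random-looking name" heuristics; every rule keys on a property of the load point itself (which key it lives in, which binary it invokes, what attributes the file carries), which is how the entries above are recognised in the thread.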

#2 Farbar

    Just Curious

  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 27 November 2009 - 10:25 AM

Hi kingart,

Welcome to the BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Please download Malwarebytes' Anti-Malware from one of these locations:
malwarebytes.org
majorgeeks.com
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


#3 kingart
  • Topic Starter

  • Members
  • 15 posts

Posted 27 November 2009 - 01:43 PM

First off, thanks for taking the time out to help me. I really appreciate it.

I did as asked, and ran the MBAM program. It did ask me to reboot, and I also did that. Here is the log of what MBAM found:

Malwarebytes' Anti-Malware 1.41
Database version: 3243
Windows 5.1.2600 Service Pack 2

11/27/2009 12:29:50 PM
mbam-log-2009-11-27 (12-29-50).txt

Scan type: Quick Scan
Objects scanned: 103983
Time elapsed: 18 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\msqdqnno.dll (Spyware.OnlineGames) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plqpfh (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Spyware.Passwords) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\48984942 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\msqdqnno.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\lasozodi.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lejivaya.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lopivasa.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\trz10.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\caonima2.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\48984942\48984942.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.

Thanks again, and I will check and see if this works. I came through my email to respond to this, so I haven't had a chance to see if I am still getting redirects.
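An MBAM log like the one above is read for three things: which families were found, which items are still pending a reboot (the "Delete on reboot" entries, which is why the helper asks for a second scan afterwards), and whether the summary counts match the detail sections, which is how a truncated paste is caught. As an added example (not part of the original thread and not Malwarebytes' own tooling), the following Python parses a constructed, abridged copy of that log in the same line format and reports those three things, plus any "Disabled.*" item that indicates a tampered security setting. The regexes and section handling are my own assumptions about the format as shown here.

```python
import re

# Constructed sample: an abridged copy of the MBAM log posted above, with the
# summary counts adjusted to match the shortened item lists.
SAMPLE_MBAM = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 3243

Scan type: Quick Scan
Objects scanned: 103983

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\msqdqnno.dll (Spyware.OnlineGames) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plqpfh (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Spyware.Passwords) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\48984942 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\msqdqnno.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\lasozodi.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lejivaya.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # "Files Infected: 5"
HEADER_RE = re.compile(r"^([A-Za-z ]+ Infected):$")           # "Files Infected:"
ITEM_RE = re.compile(r"^(.+?) \(([A-Za-z0-9.\-]+)\) -> (.+)$")  # object (family) -> action


def parse_mbam(text):
    """Split an MBAM log into its summary counts and per-section item records."""
    summary, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or line.startswith("(No malicious"):
            continue
        m = ITEM_RE.match(line)
        if m:
            sections[current].append(
                {"object": m.group(1), "family": m.group(2), "action": m.group(3)})
    return summary, sections


def reconcile(text):
    """Compare summary counts with detail sections and pull out follow-up items."""
    summary, sections = parse_mbam(text)
    mismatches = {name: (claimed, len(sections.get(name, [])))
                  for name, claimed in summary.items()
                  if claimed != len(sections.get(name, []))}
    items = [it for sec in sections.values() for it in sec]
    # "Delete on reboot" means the object was still in use; confirm it after restart.
    pending = sorted({it["object"] for it in items if it["action"].startswith("Delete on reboot")})
    # "Disabled.*" families mark a security setting that was switched off, not a file.
    tampering = sorted({it["object"] for it in items if it["family"].startswith("Disabled.")})
    families = {}
    for it in items:
        families[it["family"]] = families.get(it["family"], 0) + 1
    return {"mismatches": mismatches, "pending_reboot": pending,
            "setting_tampering": tampering, "families": families}


if __name__ == "__main__":
    for key, value in reconcile(SAMPLE_MBAM).items():
        print(f"{key}: {value}")
```

Feeding the script a paste whose summary line claims more items than the sections list makes `mismatches` non-empty, which is the cue to ask for the complete log rather than acting on a partial one.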

#4 Farbar

    Just Curious

  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 27 November 2009 - 02:11 PM

Hi again kingart,

Many of the baddies are removed, but we are not done yet.
  • I see on the log the Crawler Toolbar is installed on your computer:


    This program is an open-to-debate toolbar which might be related to adware or is installed without the informed consent of the user. You may read more about Crawler Toolbar HERE and HERE

    If you decide to uninstall Crawler Toolbar:

    Click "start" on the taskbar and then click on the "Control Panel" icon.
    Please double-click the "Add or Remove Programs" icon.
    A list of programs installed will be "populated" this may take a bit of time.
    If they exist, uninstall the following by clicking on the following entries and selecting "remove":

    Crawler Toolbar with Web Security Guard

    Also remove the folder in bold: C:\Program Files\Crawler

  • Run a quick scan of MBAM again. Let it remove what it found, if it found anything, and post the log. If the scan is clean, just tell me about it; no need for the log.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#5 kingart
  • Topic Starter

  • Members
  • 15 posts

Posted 27 November 2009 - 03:17 PM

Sorry for jumping the gun on you...

So, I uninstalled the Crawler toolbar and removed the folder from my Program Files directory. I also re-ran MBAM and it came back clean. After running ComboFix, installing Microsoft Windows Recovery Console, and restarting my computer, here is the ComboFix report:

ComboFix 09-11-26.02 - user 11/27/2009 13:45.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.512.229 [GMT -6:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1367 [VPS 091127-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\user\Application Data\.#

.
((((((((((((((((((((((((( Files Created from 2009-10-27 to 2009-11-27 )))))))))))))))))))))))))))))))
.

2009-11-27 18:07 . 2009-11-27 18:07 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2009-11-27 18:07 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-27 18:07 . 2009-11-27 18:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-27 18:07 . 2009-11-27 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-27 18:07 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-27 11:10 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-27 11:10 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-27 11:10 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-27 11:10 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-27 11:10 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-27 11:10 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-27 11:10 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-27 11:10 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-27 11:10 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-27 08:30 . 2009-11-27 08:30 -------- d-----w- c:\program files\Windows Defender
2009-11-27 01:38 . 2009-11-27 08:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-11-26 08:07 . 2009-11-26 08:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2009-11-26 03:28 . 2009-11-26 03:28 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-11-26 02:40 . 2003-03-18 21:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-11-26 02:40 . 2003-03-18 20:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-11-26 02:40 . 2003-02-21 03:42 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-11-26 02:40 . 2009-11-26 02:40 -------- d-----w- c:\program files\Alwil Software
2009-11-26 01:49 . 2009-11-26 01:49 -------- d-----w- c:\program files\Trend Micro
2009-11-26 01:28 . 2009-11-26 01:28 12328 ----a-w- c:\documents and settings\Administrator.USER-E29A758017\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-26 01:17 . 2009-11-26 01:17 -------- d-----w- c:\program files\CCleaner
2009-11-25 23:05 . 2009-11-03 02:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-25 22:43 . 2009-11-25 22:49 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Temp
2009-11-25 22:43 . 2009-11-25 22:49 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Google
2009-11-25 22:34 . 2009-11-25 22:34 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-25 16:31 . 2009-11-25 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-11-25 16:24 . 2009-11-25 22:29 -------- d-----w- c:\documents and settings\user\Application Data\DAEMON Tools Pro
2009-11-25 12:23 . 2009-11-25 22:29 -------- d-----w- c:\program files\MagicDisc
2009-11-25 12:19 . 2009-11-25 22:29 -------- d-----w- c:\program files\MagicISO
2009-11-25 09:37 . 2009-11-25 09:37 -------- d-----w- c:\documents and settings\All Users\Application Data\iWin Games
2009-11-24 22:15 . 2009-11-24 22:15 -------- d-----w- c:\documents and settings\user\Application Data\Magic Match
2009-11-24 17:16 . 2009-11-24 17:16 -------- d-sh--w- c:\windows\ftpcache
2009-11-24 13:35 . 2009-11-24 13:35 -------- d-----w- c:\documents and settings\All Users\Application Data\GameXzone
2009-11-24 13:34 . 2009-11-24 13:34 -------- d-----w- c:\program files\Coffee Rush
2009-11-24 13:31 . 2009-11-24 13:31 -------- d-----w- c:\program files\Tibet Quest
2009-11-24 13:31 . 2009-11-24 13:31 -------- d-----w- c:\windows\Tibet Quest
2009-11-23 17:10 . 2009-11-23 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\HipSoft
2009-11-22 15:18 . 2009-11-22 15:18 -------- d-----w- c:\program files\Infogrames Interactive
2009-11-22 15:13 . 2009-11-22 15:13 -------- d-----w- c:\program files\GamesBar
2009-11-22 15:12 . 2009-11-22 15:12 -------- d-----w- c:\program files\Common Files\Oberon Media
2009-11-22 15:12 . 2009-11-22 15:12 -------- d-----w- c:\program files\Oberon Media
2009-11-22 15:05 . 2009-11-22 15:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Burger Island 2
2009-11-22 15:04 . 2009-11-22 15:04 -------- d-----w- c:\program files\Common Files\SWF Studio
2009-11-22 15:04 . 2009-11-27 11:09 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-22 15:03 . 2009-11-22 15:03 -------- d-----w- c:\program files\Burger Island 2
2009-11-22 15:03 . 2009-11-22 15:03 -------- d-----w- c:\windows\Burger Island 2
2009-11-22 14:55 . 2009-11-22 14:55 -------- d-----w- c:\program files\Cwer
2009-11-22 14:33 . 2009-11-22 15:09 -------- d-----w- c:\documents and settings\user\Application Data\Thinstall
2009-11-22 14:33 . 2009-11-22 14:33 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Thinstall
2009-11-22 08:49 . 2009-11-22 08:49 -------- d-----w- c:\documents and settings\user\Application Data\Meridian93
2009-11-22 08:15 . 2009-11-27 04:29 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-11-21 22:19 . 2009-11-21 22:19 -------- d-----w- C:\games
2009-11-21 22:16 . 2009-11-21 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\MumboJumbo
2009-11-21 22:15 . 2009-11-21 22:15 -------- d-----w- c:\program files\Luxor 2
2009-11-21 22:15 . 2009-11-21 22:15 -------- d-----w- c:\windows\Luxor 2
2009-11-21 22:11 . 2009-11-21 22:11 -------- d-----w- c:\windows\Luxor
2009-11-21 22:11 . 2009-11-21 22:11 -------- d-----w- c:\program files\Luxor
2009-11-21 21:39 . 2009-11-21 21:39 -------- d-----w- c:\documents and settings\user\Application Data\Media Player Classic
2009-11-21 14:23 . 2009-11-21 14:23 -------- d-----w- c:\documents and settings\user\Application Data\Developer
2009-11-21 14:23 . 2009-11-21 14:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Developer
2009-11-21 14:22 . 2009-11-24 03:17 33 ----a-w- c:\windows\popcinfo.dat
2009-11-21 14:19 . 2009-11-21 14:19 -------- d-----w- c:\program files\The Village Mage - Spellbinder
2009-11-21 14:17 . 2009-11-21 14:17 -------- d-----w- c:\program files\Bejeweled 2 Deluxe
2009-11-21 14:17 . 2009-11-21 14:17 -------- d-----w- c:\windows\Bejeweled 2 Deluxe
2009-11-21 11:05 . 2009-11-21 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\TERMINAL Studio
2009-11-21 11:05 . 2009-11-21 11:05 -------- d-----w- c:\documents and settings\user\Application Data\Zylom
2009-11-21 11:03 . 2009-11-21 11:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Zylom
2009-11-21 11:03 . 2006-09-26 19:03 98304 ----a-w- c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
2009-11-21 11:03 . 2006-09-26 19:03 161976 ----a-w- c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\zylomgamesplayer.dll
2009-11-21 09:50 . 2009-11-21 10:49 -------- d-----w- c:\documents and settings\All Users\Application Data\FarmFrenzy-PizzaParty
2009-11-21 09:41 . 2009-11-21 09:42 -------- d-----w- c:\program files\KONAMI
2009-11-21 03:23 . 2009-11-21 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
2009-11-21 03:22 . 2009-11-21 03:22 -------- d-----w- c:\program files\Common Files\Sandlot Shared
2009-11-21 03:22 . 2009-11-21 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-11-21 03:17 . 2009-11-21 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Awem
2009-11-21 02:35 . 2009-11-21 22:20 -------- d-----w- c:\documents and settings\user\Application Data\PlayFirst
2009-11-21 02:35 . 2009-11-21 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2009-11-21 01:25 . 2009-11-21 01:25 -------- d--h--w- c:\windows\PIF
2009-11-21 01:19 . 2009-11-25 09:34 -------- d-----w- c:\program files\LeeGTs Games
2009-11-20 18:24 . 2009-11-20 18:24 -------- d-----w- c:\program files\GemShop
2009-11-20 18:24 . 2009-11-20 18:24 -------- d-----w- c:\windows\GemShop
2009-11-19 23:57 . 2009-11-19 23:57 -------- d-----w- c:\program files\MPC HomeCinema
2009-11-19 20:41 . 2009-11-19 20:41 601 ----a-w- c:\windows\eReg.dat
2009-11-19 20:38 . 2009-11-19 20:38 -------- d-----w- c:\program files\Maxis
2009-11-19 19:01 . 1998-01-23 18:22 304128 ----a-w- c:\windows\IsUninst.exe
2009-11-19 18:54 . 2009-11-19 18:54 -------- d-----w- c:\documents and settings\user\WINDOWS
2009-11-19 18:51 . 2009-11-19 18:51 0 ----a-w- c:\windows\PowerReg.dat
2009-11-19 18:45 . 2009-11-27 08:31 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-19 18:13 . 2009-11-19 18:13 -------- d-----w- c:\documents and settings\user\Application Data\Eyeblaster
2009-11-19 17:20 . 2009-11-19 17:20 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\BVRP Software
2009-11-19 17:20 . 2009-07-18 23:14 22032 ----a-w- c:\windows\system32\drivers\PTUMWCDF.sys
2009-11-19 17:20 . 2009-07-18 23:14 114192 ----a-w- c:\windows\system32\drivers\PTUMWNET.sys
2009-11-19 17:20 . 2009-07-18 23:14 12048 ----a-w- c:\windows\system32\drivers\PTUMWFLT.sys
2009-11-19 17:12 . 2004-08-04 05:08 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-27 08:31 . 2009-11-19 17:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-27 01:33 . 2009-10-08 16:45 -------- d-----w- c:\program files\AVG
2009-11-26 05:06 . 2004-08-04 12:00 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-25 22:54 . 2009-10-08 15:51 12328 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-25 22:29 . 2009-11-25 16:31 -------- d-----w- c:\program files\DAEMON Tools Pro
2009-11-25 22:27 . 2009-11-25 22:27 -------- d-----w- c:\documents and settings\user\Application Data\AVG8
2009-11-23 13:59 . 2004-08-04 12:00 28624 ----a-w- c:\windows\system32\drivers\secdrv.sys
2009-11-20 22:06 . 2009-11-19 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2009-11-19 19:17 . 2009-10-08 15:11 77423 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-19 17:19 . 2009-11-19 17:19 -------- d-----w- c:\program files\PANTECH
2009-11-19 17:19 . 2009-11-19 17:19 148736 ----a-w- c:\documents and settings\All Users\Application Data\hpe11.dll
2009-11-19 17:19 . 2009-11-19 17:19 148736 ----a-w- c:\documents and settings\All Users\Application Data\hpe11.dll
2009-11-19 17:19 . 2009-11-19 17:19 -------- d-----w- c:\program files\Cricket Broadband Connect
2009-11-19 17:19 . 2009-11-19 17:19 -------- d-----w- c:\program files\Common Files\Avanquest software Shared
2009-10-08 19:53 . 2009-10-08 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-08 16:32 . 2009-10-08 16:32 0 ----a-w- c:\windows\nsreg.dat
2009-10-08 16:28 . 2009-10-08 16:27 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-08 16:26 . 2009-10-08 16:26 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-10-08 16:24 . 2009-10-08 16:24 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-10-08 15:12 . 2009-10-08 15:12 -------- d-----w- c:\program files\microsoft frontpage
2009-10-08 15:07 . 2009-10-08 15:07 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-25 05:56 . 2004-08-04 12:00 662016 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:56 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:33 . 2004-08-04 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-25 135664]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"{F9AA8FE2-E89A-E99B-E8b8-E9AE9B9ABA99}"="c:\program files\Cricket Broadband Connect\AvqAutoRun.exe" [2009-04-17 73728]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2002-10-15 1818624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\user\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2009-11-27 256000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/27/2009 5:10 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/27/2009 5:10 AM 20560]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\drivers\PTUMWBus.sys [11/19/2009 11:19 AM 54416]
R3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\drivers\PTUMWFLT.sys [11/19/2009 11:20 AM 12048]
R3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\drivers\PTUMWMdm.sys [11/19/2009 11:19 AM 160400]
R3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\drivers\PTUMWNET.sys [11/19/2009 11:20 AM 114192]
R3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\drivers\PTUMWVsp.sys [11/19/2009 11:19 AM 160400]
S3 gel90xne;gel90xne;\??\c:\docume~1\user\LOCALS~1\Temp\gel90xne.sys --> c:\docume~1\user\LOCALS~1\Temp\gel90xne.sys [?]
S3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\drivers\PTUMWCDF.sys [11/19/2009 11:20 AM 22032]

--- Other Services/Drivers In Memory ---

*Deregistered* - BMLoad
.
Contents of the 'Scheduled Tasks' folder

2009-11-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-706699826-682003330-1004Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-25 22:43]

2009-11-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-706699826-682003330-1004UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-25 22:43]

2009-11-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
TCP: {DB8CBEDF-CBE1-44A1-9273-D8DDB205BBA2} = 172.28.221.53 172.28.221.54
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\5rfuxe41.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\documents and settings\user\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{3dde553c-ef40-4528-b8d9-5ccdf71c552b} - c:\windows\system32\tinuhagu.dll
SSODL-mifanerop-{3dde553c-ef40-4528-b8d9-5ccdf71c552b} - c:\windows\system32\tinuhagu.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-27 14:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82346369]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8579fc3
\Driver\ACPI -> ACPI.sys @ 0xf84eccb8
\Driver\atapi -> atapi.sys @ 0xf84a47b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-27 14:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-27 20:07

Pre-Run: 52,550,541,312 bytes free
Post-Run: 52,690,407,424 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - D8E5957382E636A59CB0AAF5C9A4821B


I won't be so anxious this time, and will await your response!

#6 Farbar
  • Just Curious
  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 27 November 2009 - 03:35 PM

We have to take a good look at a few things. The rootkit scanner is detecting possible MBR rootkit hooks.
  • Click on this link--> virustotal

    Click the browse button. Copy and paste the line in bold in the open box, then click Send File.

    "c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe"

    If the file is analyzed before, click Reanalyse File Now button.
    Please copy and paste the results of the scan in your next post.

  • Since Daemon Tools is known to interfere with rootkit scanners, we need to uninstall it fully and remove its folders. You may install it again later when we are done and the system is clean. Please tell me if you have a problem with it. If not, please uninstall it and remove any remaining folders. After uninstalling it you can use Windows Search to search for Daemon and remove all the remnants.

Edited by farbar, 27 November 2009 - 03:36 PM.
Spelling


#7 kingart
  • Topic Starter
  • Members
  • 15 posts

Posted 27 November 2009 - 03:48 PM

OK,

I uninstalled Daemon, searched for all the lingering files and deleted them. Here are the results of the VirusTotal scan:

Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.11.27 -
AhnLab-V3 5.0.0.2 2009.11.27 -
AntiVir 7.9.1.79 2009.11.27 -
Antiy-AVL 2.0.3.7 2009.11.27 -
Authentium 5.2.0.5 2009.11.27 -
Avast 4.8.1351.0 2009.11.27 -
AVG 8.5.0.426 2009.11.27 -
BitDefender 7.2 2009.11.27 -
CAT-QuickHeal 10.00 2009.11.27 -
ClamAV 0.94.1 2009.11.27 -
Comodo 3058 2009.11.27 -
DrWeb 5.0.0.12182 2009.11.27 -
eSafe 7.0.17.0 2009.11.26 -
eTrust-Vet 35.1.7146 2009.11.27 -
F-Prot 4.5.1.85 2009.11.27 -
F-Secure 9.0.15370.0 2009.11.24 -
Fortinet 4.0.14.0 2009.11.27 -
GData 19 2009.11.27 -
Ikarus T3.1.1.74.0 2009.11.27 -
Jiangmin 11.0.800 2009.11.27 -
K7AntiVirus 7.10.906 2009.11.27 -
Kaspersky 7.0.0.125 2009.11.27 -
McAfee 5815 2009.11.27 -
McAfee+Artemis 5815 2009.11.27 -
McAfee-GW-Edition 6.8.5 2009.11.27 -
Microsoft 1.5302 2009.11.27 -
NOD32 4643 2009.11.27 -
Norman 6.03.02 2009.11.27 -
nProtect 2009.1.8.0 2009.11.27 -
Panda 10.0.2.2 2009.11.27 -
PCTools 7.0.3.5 2009.11.27 -
Prevx 3.0 2009.11.27 -
Rising 22.23.04.09 2009.11.27 -
Sophos 4.48.0 2009.11.27 -
Sunbelt 3.2.1858.2 2009.11.27 -
Symantec 1.4.4.12 2009.11.27 -
TheHacker 6.5.0.2.079 2009.11.26 -
TrendMicro 9.100.0.1001 2009.11.27 -
VBA32 3.12.12.0 2009.11.27 -
ViRobot 2009.11.27.2058 2009.11.27 -
VirusBuster 5.0.21.0 2009.11.27 -
Additional information
File size: 86016 bytes
MD5...: 8c27e380661ecbe327203f3b1456dd2c
SHA1..: 56e3abca71e56065fb1e91be7a070ddb8fe6f132
SHA256: 2bcfbfc72d442e492faa9e28aa18ccb7c2cee9a5ebfc6620bd164d2052886fe8
ssdeep: 1536:VYa5KvS+L6oSmpzovmSqbGSS3i8BkIk+asaMq5eZw:GS+Lhvb8KnH5eu
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2cd8
timedatestamp.....: 0x496aec51 (Mon Jan 12 07:08:01 2009)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xcf7a 0xd000 6.63 c602b5c4bc59e54d595f400e5a6aaf04
.rdata 0xe000 0x35f8 0x4000 4.79 14f76102f0e85272ccdb209a7d35e625
.data 0x12000 0x2ca4 0x2000 1.42 0ab3f9067a051cc346b8ae016e9a4d62
.rsrc 0x15000 0xb0 0x1000 3.05 77ce695c811789dde0a61350084b87ab

( 4 imports )
> msi.dll: -, -, -
> SHLWAPI.dll: StrDupW, PathAppendW, PathRemoveFileSpecW, StrChrA
> KERNEL32.dll: HeapFree, GetExitCodeProcess, WaitForSingleObject, CloseHandle, LocalFree, MultiByteToWideChar, GetProcessHeap, CreateProcessW, WideCharToMultiByte, HeapAlloc, EnterCriticalSection, LeaveCriticalSection, WriteConsoleW, GetFileType, GetStdHandle, GetModuleFileNameW, GetCommandLineA, GetVersionExA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, SetHandleCount, GetStartupInfoA, DeleteCriticalSection, Sleep, GetLastError, GetProcAddress, GetModuleHandleA, ExitProcess, LoadLibraryW, GetModuleFileNameA, RaiseException, WriteFile, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, HeapDestroy, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSection, HeapReAlloc, VirtualAlloc, LoadLibraryA, GetConsoleCP, GetConsoleMode, FlushFileBuffers, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, RtlUnwind, HeapSize, SetFilePointer, GetLocaleInfoA, WriteConsoleA, GetConsoleOutputCP, SetStdHandle, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, CreateFileA
> ADVAPI32.dll: CryptReleaseContext, CryptCreateHash, CryptAcquireContextW, CryptHashData, CryptDestroyHash, CryptGetHashParam

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

#8 Farbar
  • Just Curious
  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 27 November 2009 - 04:05 PM

Good.
  • Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
    • Click on this link to see a list of programs that should be disabled.
    • Disconnect from the Internet and close all running programs.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
      • Sections
      • IAT/EAT
      • Drives/Partition other than C:\ drive (C:\ drive should remain checked)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to begin. (Please be patient as it can take some time to complete).
    • When the scan is finished, the Scan button will appear again. Click Save to save the scan results to your Desktop.
    • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Go to Start => Run and copy/paste the following line in the run box and click OK.

    mbr.exe -t >log.txt&start log.txt

    A log file opens. Please post the content of it.


#9 kingart
  • Topic Starter
  • Members
  • 15 posts

Posted 27 November 2009 - 04:50 PM

GMER Results:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-27 15:36:57
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\afldqaog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xECCAF6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xECCAF574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xECCAFA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xECCAF14C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xECCAF64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xECCAF08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xECCAF0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xECCAF76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xECCAF72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xECCAF8AE]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp tcpipBM.SYS (Bytemobile Kernel Network Provider/Bytemobile, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 82346369

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


I couldn't seem to copy the information for the second part, so I wrote it down and am placing it here:

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.exe disk.sys ACPI.sys hal.dll >>unknown [0x82346369]<<
kernel MBR read successfully
user and kernel MBR ok
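Both tools in the post above (and the MBR detector that ran inside ComboFix earlier in the thread) report the same address, 0x82346369, at the top of the \Device\Harddisk0\DR0 stack, and neither can attribute it to a loaded module, while the boot sector itself reads clean. The script below is an added example, not part of the thread and not code from GMER or mbr.exe, that parses those two outputs (constructed here from the quoted lines) and resolves every reported address against a module map. The module map is hypothetical: its ranges are chosen so that the legitimate addresses in the ComboFix log (atapi.sys @ 0xf84a47b4, CLASSPNP.SYS @ 0xf8579fc3, ACPI.sys @ 0xf84eccb8, ntoskrnl.exe @ 0x8056f07e) resolve and 0x82346369 does not; on a real system the map would come from a kernel debugger or a driver enumeration.

```python
import re

# Constructed from the mbr.exe output transcribed in the post above.
MBR_OUTPUT = """\
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82346369]<<
kernel: MBR read successfully
user & kernel MBR OK
"""

# Constructed from the Devices and Files sections of the GMER log above.
GMER_OUTPUT = r"""
Device -> \Driver\atapi \Device\Harddisk0\DR0 82346369
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

# Hypothetical kernel module map (name, base, size). These ranges are constructed
# for the example (they are consistent with the addresses in the ComboFix log but
# are not taken from the page); a real map comes from a kernel debugger or a
# driver enumeration.
MODULE_MAP = [
    ("ntoskrnl.exe", 0x804D7000, 0x001F8000),
    ("hal.dll",      0x806D0000, 0x00020000),
    ("atapi.sys",    0xF84A0000, 0x00018000),
    ("ACPI.sys",     0xF84E0000, 0x0002F000),
    ("CLASSPNP.SYS", 0xF8570000, 0x00013000),
    ("disk.sys",     0xF8590000, 0x0000B000),
]

UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9A-Fa-f]+)\]<<")
GMER_DEVICE_RE = re.compile(
    r"^Device -> (\\Driver\\\S+) (\\Device\\\S+) ([0-9A-Fa-f]{8})$", re.M)


def mbr_unknown_addresses(text):
    """Addresses the MBR detector walked through but could not map to a module."""
    return [int(h, 16) for h in UNKNOWN_RE.findall(text)]


def mbr_reports_clean_boot_sector(text):
    """True when the user-mode and kernel-mode MBR reads agreed and looked sane."""
    return "user & kernel MBR OK" in text


def gmer_device_hooks(text):
    """(driver, device, address) tuples from GMER's Devices section."""
    return [(d, dev, int(a, 16)) for d, dev, a in GMER_DEVICE_RE.findall(text)]


def resolve(addr, module_map):
    """Name of the module whose image contains addr, or None if it is unbacked."""
    for name, base, size in module_map:
        if base <= addr < base + size:
            return name
    return None


def triage(mbr_text, gmer_text, module_map):
    mbr_addrs = mbr_unknown_addresses(mbr_text)
    gmer_hooks = gmer_device_hooks(gmer_text)
    gmer_addrs = {a for _, _, a in gmer_hooks}
    unresolved = sorted({a for a in mbr_addrs if resolve(a, module_map) is None}
                        | {a for a in gmer_addrs if resolve(a, module_map) is None})
    # The same address reported independently by two tools is strong corroboration.
    corroborated = sorted(set(mbr_addrs) & gmer_addrs)
    return {
        "boot_sector_ok": mbr_reports_clean_boot_sector(mbr_text),
        "unresolved": unresolved,
        "corroborated": corroborated,
        "hooked_devices": [(d, dev) for d, dev, a in gmer_hooks if a in corroborated],
        # A clean MBR plus an unresolved hook in the disk stack means the code that
        # intercepts disk I/O lives in a driver or unbacked kernel memory, not in
        # the boot sector, so an MBR rewrite alone would not remove it.
        "verdict": ("disk stack hooked from unbacked memory" if unresolved
                    else "no unresolved hooks"),
    }


if __name__ == "__main__":
    for key, value in triage(MBR_OUTPUT, GMER_OUTPUT, MODULE_MAP).items():
        print(f"{key}: {value}")
```

The point of the cross-check is the order of the evidence: "user & kernel MBR OK" only says the boot sector is intact, whereas the unresolved address at the top of the disk device stack is what both scanners are reacting to, and the GMER Files line ties that address back to the driver that was modified on disk.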

#10 Farbar
  • Just Curious
  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 27 November 2009 - 05:09 PM

There is a suspicious modification of the atapi.sys file. This is done by a rootkit that is hard for many antivirus programs to detect and remove. We need to replace it. There should be a clean copy on the system but it is hard to be sure. Please tell me if you have access to another Windows XP Service Pack 2 installation. We need to copy one file (atapi.sys) from there. You can ask your friends to send you a copy by e-mail. I will tell you where on the system to find it and what its size is.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    atapi.*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#11 kingart
  • Topic Starter
  • Members
  • 15 posts

Posted 27 November 2009 - 05:18 PM

Farbar,

Yes, I do have a copy of Windows XP SP2 here. Here are the results of the SystemLook program:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 16:14 on 27/11/2009 by user (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [04:59 04/08/2004] [04:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 95360 bytes [20:03 27/11/2009] [05:06 26/11/2009] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys --a--- 96512 bytes [18:40 13/04/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 95360 bytes [12:00 04/08/2004] [05:06 26/11/2009] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\drivers\atapi.sys ------ 95360 bytes [12:00 04/08/2004] [05:06 26/11/2009] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-
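The SystemLook listing above is what answers the question of whether a clean local copy of atapi.sys exists. The script below is an added example, not part of the thread and not code from SystemLook or any other tool used in it, that parses that listing (constructed here from the lines above) and applies the checks a responder does by hand: which copies share the live driver's hash, whether any uncompressed copy of the same size carries a different hash (a usable local replacement), which copies are a different build, which are compressed .SY_ images that need expand.exe before they can be compared, and whether the live file was rewritten long after it was created. The live driver path and the 30-day threshold are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# Constructed from the SystemLook filefind output in the post above.
SYSTEMLOOK_OUTPUT = r"""
Searching for "atapi.*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [04:59 04/08/2004] [04:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 95360 bytes [20:03 27/11/2009] [05:06 26/11/2009] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys --a--- 96512 bytes [18:40 13/04/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 95360 bytes [12:00 04/08/2004] [05:06 26/11/2009] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\drivers\atapi.sys ------ 95360 bytes [12:00 04/08/2004] [05:06 26/11/2009] CDFE4411A69C224BD1D11B2DA92DAC51
"""

# path  attrs  size bytes [created] [modified] md5
LINE_RE = re.compile(
    r"^(?P<path>\S.*?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$",
    re.M,
)

# Assumed location of the driver that GMER flagged.
LIVE_DRIVER = r"C:\WINDOWS\system32\drivers\atapi.sys"


def parse_filefind(text):
    """One dict per file line of a SystemLook :filefind report."""
    rows = []
    for m in LINE_RE.finditer(text):
        rows.append({
            "path": m["path"],
            "attrs": m["attrs"],
            "size": int(m["size"]),
            "created": datetime.strptime(m["created"], "%H:%M %d/%m/%Y"),
            "modified": datetime.strptime(m["modified"], "%H:%M %d/%m/%Y"),
            "md5": m["md5"].upper(),
            # *.SY_ is a compressed image; its hash cannot be compared directly.
            "compressed": m["path"].upper().endswith("_"),
        })
    return rows


def triage(rows, live_path=LIVE_DRIVER, stale_after=timedelta(days=30)):
    live = next(r for r in rows if r["path"].lower() == live_path.lower())
    same_hash = [r["path"] for r in rows if r["md5"] == live["md5"]]
    # A backup only helps if it is an uncompressed image of the same build (same
    # size) whose hash differs from the suspect one.
    candidates = [r["path"] for r in rows
                  if not r["compressed"] and r["size"] == live["size"]
                  and r["md5"] != live["md5"]]
    other_builds = [r["path"] for r in rows
                    if not r["compressed"] and r["size"] != live["size"]]
    compressed = [r["path"] for r in rows if r["compressed"]]
    # Heuristic: a driver rewritten long after its creation timestamp, while its
    # size is unchanged, was patched in place rather than replaced by an update.
    rewritten = live["modified"] - live["created"] > stale_after
    return {
        "live_md5": live["md5"],
        "rewritten_in_place": rewritten,
        "copies_sharing_live_hash": same_hash,
        "local_replacement_candidates": candidates,
        "other_builds": other_builds,
        "compressed_sources": compressed,
        "need_external_copy": rewritten and not candidates,
    }


if __name__ == "__main__":
    for key, value in triage(parse_filefind(SYSTEMLOOK_OUTPUT)).items():
        print(f"{key}: {value}")
```

On this listing the result is the one Farbar reached: the dllcache copy (the Windows File Protection cache, so it is useless as a restore source once it matches the patched file) and the ERDNT backup (created on 27/11, after the 26/11 modification, so it is a backup of the already-modified driver) share the live hash; the only other uncompressed atapi.sys is a different size and therefore a different build; and the cmdcons copy is a compressed .SY_ that has to be expanded before its hash can be checked. That leaves the installation media, which is where the next post goes.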

#12 Farbar
  • Just Curious
  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 27 November 2009 - 05:26 PM

  • Very well, make a copy of the file from the clean Windows in the following location:

    C:\WINDOWS\system32\drivers\atapi.sys

    If you right-click the file and select Properties, it should have a size of 95360 bytes. Please put a copy on the root of the C drive of the infected computer. The path will be: C:\atapi.sys

  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:
    C:\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot.  Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.


#13 kingart
  • Topic Starter
  • Members
  • 15 posts

Posted 27 November 2009 - 05:49 PM

I have a 49KB ATAPI file on my XP SP2 disk. It is not in the location you stated, however. It is located at E:\I386, and it states that it is a SY file, not a sys file. Is this what I should be copying to my C: drive?

#14 Farbar
  • Just Curious
  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 27 November 2009 - 06:06 PM

I thought you had Windows installed on another computer.
  • Insert your Windows CD.

  • Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


    @echo off
    expand /r E:\I386\atapi.sy_ c:\atapi.sys >log.txt
    dir /a c:\atapi.sys >>log.txt
    start log.txt
    del %0
  • Go to the File menu at the top of the Notepad and select Save as.
  • Select Save in: desktop
  • Fill in File name: dirlook.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate and double-click dirlook.bat on the desktop.
  • Notepad opens; copy and paste its content (log.txt) into your reply.


#15 kingart
  • Topic Starter
  • Members
  • 15 posts

Posted 27 November 2009 - 06:12 PM

Here are those results:

Microsoft (R) File Expansion Utility Version 5.1.2600.0
Copyright (C) Microsoft Corp 1990-1999. All rights reserved.

Expanding e:\i386\atapi.sy_ to e:\i386\atapi.sys.
Can't open output file: e:\i386\atapi.sys.

Can't open input file: c:\atapi.sys.

Volume in drive C has no label.
Volume Serial Number is 10DC-761D

Directory of c:\



