
Browsers hijacked, don't know by what


  • This topic is locked
34 replies to this topic

#1 SpudSpudly

  • Members
  • 20 posts
  • OFFLINE
  • Local time:10:40 PM

Posted 03 December 2009 - 10:10 PM

Hi and thanks for any help you can provide.

My wife temporarily disabled Malwarebytes because it was blocking access to websites she wanted to see. So of course what happened? Within a day both IE and Firefox were hijacked and a Malwarebytes full system scan showed almost 400 "trojan downloaders." Malwarebytes says it was able to remove the trojan downloaders and now scans with both Malwarebytes and McAfee come back clean. However, IE and FF remain hijacked, with numerous unwanted redirects every time they're used.

I followed the detailed instructions here for posting a problem and was able to do everything except run RootRepeal. I downloaded it, but when started it first says "FOPS Device IO Control Error" and then "Could not initialize driver." In the end the only report out of it is this crash report:

ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows Vista SP0
Exception Code: 0xc0000005
Exception Address: 0x00422bf2
Attempt to read from address: 0x00000004


Sorry about that, but if you know a way to make it work I'll do it.

My DDS report is below and the "attach" file is attached. Again, much thanks and appreciation for your assistance:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Ian at 21:35:14.19 on Thu 12/03/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2046.1031 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
SP: McAfee VirusScan *enabled* (Updated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\dlbtcoms.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\java.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\System32\WLTRAY.EXE
C:\Windows\sttray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehmsas.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Ian\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uWindow Title = Internet Explorer provided by Dell
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [VolPanel] "c:\program files\creative\sbaudigy\volume panel\VolPanlu.exe" /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [<NO NAME>]
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Malwarebytes Piracy] "c:\program files\malwarebytes' anti-malware\mbam.exe" /piracy
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mPolicies-system: EnableLUA = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs:
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\ian\appdata\roaming\mozilla\firefox\profiles\dlf9tu04.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com
FF - plugin: c:\users\alissa\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-9 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-6-5 19160]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-2-20 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-2-20 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-2-20 40552]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-2-20 34248]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]

=============== Created Last 30 ================

2009-12-04 01:06:43 696832 ----a-w- c:\windows\isRS-000.tmp
2009-12-03 22:31:17 0 d-----w- c:\program files\Trend Micro
2009-11-27 21:25:32 0 d--h--w- c:\programdata\CanonIJEGV
2009-11-13 03:31:01 268 ---ha-w- C:\sqmdata04.sqm
2009-11-13 03:31:01 244 ---ha-w- C:\sqmnoopt04.sqm
2009-11-13 02:56:28 0 d--h--w- c:\programdata\CanonBJ
2009-11-13 02:54:25 15872 ----a-w- c:\windows\system32\CNHMCA.DLL
2009-11-13 02:54:24 192512 ----a-w- c:\windows\system32\CNC860O.DLL
2009-11-13 02:54:23 98304 ----a-w- c:\windows\system32\CNC860I.DLL
2009-11-13 02:54:23 274432 ----a-w- c:\windows\system32\CNC860L.DLL
2009-11-13 02:54:22 14592 ----a-w- c:\windows\system32\CNC1735D.TBL
2009-11-13 02:54:22 1331200 ----a-w- c:\windows\system32\CNC860C.DLL
2009-11-13 02:53:07 236032 ----a-w- c:\windows\system32\CNMLM9N.DLL
2009-11-12 04:14:38 0 d-----w- c:\users\ian\appdata\roaming\IObit
2009-11-12 04:14:36 0 d-----w- c:\program files\IObit
2009-11-12 03:51:24 0 d-----w- c:\program files\CCleaner

==================== Find3M ====================

2009-12-03 21:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-13 02:56:59 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-13 02:56:59 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-13 02:55:23 86016 ----a-w- c:\windows\inf\infstor.dat
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-02-28 04:04:21 174 --sha-w- c:\program files\desktop.ini
2009-02-28 03:58:08 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-04-05 19:19:41 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-04-05 19:19:41 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-04-05 19:19:41 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-04-05 19:19:41 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2007-09-03 06:14:38 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 21:36:53.98 ===============

Attached Files




#2 thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:10:40 PM

Posted 06 December 2009 - 05:31 PM

Hello SpudSpudly :( Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed, you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





Since you could not run RootRepeal successfully let's see if this will work:


Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO, then use the following settings for a more complete scan.




  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.








Please do not post any logs as an attachment unless asked to do so.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#3 SpudSpudly

  • Topic Starter
  • Members
  • 20 posts
  • OFFLINE
  • Local time:10:40 PM

Posted 06 December 2009 - 08:37 PM

Thanks for helping out............. :(

Here's the Gmer.txt file:



GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-06 20:35:41
Windows 6.0.6000
Running: nhih19fz.exe; Driver: C:\Users\Ian\AppData\Local\Temp\kfdcapoc.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8C62D79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8C62D738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8C62D74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8C62D7DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8C62D81F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8C62D710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8C62D724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8C62D7B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8C62D847]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8C62D833]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8C62D78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8C62D776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8C62D80B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8C62D7F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8C62D7C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8C62D762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device E Fs_Rec.SYS (File System Recognizer Driver/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 84C15618

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
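Reading a GMER log like the one above means separating the kernel hooks and filter drivers that a known security product installs (here McAfee's mfehidk.sys and Mpfp.sys, which the DDS log shows are installed) from entries with no such explanation, such as the "suspicious modification" of atapi.sys; that distinction is why the helper warns against acting on every "ROOTKIT" line. The Python triage script below is an added example, not part of the thread or of GMER itself; its vendor allow-list is an assumption, and the sample lines are a constructed subset copied from the log above.

```python
"""Triage a GMER rootkit-scan log.

Added example, not part of the forum thread or of GMER itself. It splits the
log into hooks and filters that belong to a known security vendor (expected
on a machine running McAfee, as the DDS log shows) and entries that need a
human look, such as the "suspicious modification" reported for atapi.sys.
The vendor allow-list below is an assumption made for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumption: vendors whose kernel hooks are expected because their
# products are installed on this machine.
EXPECTED_VENDORS = {"McAfee, Inc.", "Microsoft Corporation"}

# Constructed sample: a subset of the GMER 1.0.15 output posted in the thread.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8C62D79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8C62D710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 84C15618

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

# "Code <module path> (<description>/<vendor>) <hooked function> [<address>]"
CODE_RE = re.compile(
    r"^Code\s+(?P<module>\S+)\s+\((?P<desc>.+?)\)\s+(?P<func>\w+)(?:\s+\[0x[0-9A-Fa-f]+\])?$"
)
# "AttachedDevice [<target device>] <driver>.sys (<description>/<vendor>)"
ATTACHED_RE = re.compile(
    r"^AttachedDevice\s+(?:(?P<target>.+?)\s+)?(?P<driver>[^\s\\]+\.sys)\s+\((?P<desc>.+)\)$"
)
# "File <path> suspicious modification"
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification$")


@dataclass
class TriageReport:
    expected_hooks: dict = field(default_factory=lambda: defaultdict(list))  # driver -> hooked functions
    expected_filters: list = field(default_factory=list)  # vendor file-system / TDI filter drivers
    suspicious_files: list = field(default_factory=list)  # files GMER flags as modified
    unexplained: list = field(default_factory=list)       # everything that needs a human look

    def needs_attention(self) -> bool:
        return bool(self.suspicious_files or self.unexplained)


def vendor_of(description: str) -> str:
    """GMER prints '<driver description>/<vendor>'; return the vendor part."""
    return description.rsplit("/", 1)[-1].strip()


def triage(log_text: str) -> TriageReport:
    """Classify each GMER line; unknown line shapes are kept verbatim, never dropped."""
    report = TriageReport()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue  # blank lines and section banners
        if m := CODE_RE.match(line):
            driver = m["module"].rsplit("\\", 1)[-1]
            if vendor_of(m["desc"]) in EXPECTED_VENDORS:
                report.expected_hooks[driver].append(m["func"])
            else:
                report.unexplained.append(f"hook {driver}: {m['func']} ({m['desc']})")
        elif m := ATTACHED_RE.match(line):
            if vendor_of(m["desc"]) in EXPECTED_VENDORS:
                report.expected_filters.append(m["driver"])
            else:
                report.unexplained.append(f"filter {m['driver']} ({m['desc']})")
        elif m := FILE_RE.match(line):
            report.suspicious_files.append(m["path"])
        else:
            report.unexplained.append(line)
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_GMER_LOG)
    for driver, funcs in r.expected_hooks.items():
        print(f"expected hooks by {driver}: {', '.join(funcs)}")
    print("expected filters:", ", ".join(r.expected_filters))
    print("suspicious files:", r.suspicious_files)
    print("needs a human look:", r.unexplained)
```

Run on the full log above, the "Device fastfat.SYS" and "Device -> \Driver\atapi" lines land in the human-review list, which is the intended behaviour: the script only clears what it can attribute to an installed vendor and never decides on its own that a finding is a false positive.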

#4 thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:10:40 PM

Posted 06 December 2009 - 10:34 PM

You're welcome, let's do the following next:


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#5 SpudSpudly

  • Topic Starter
  • Members
  • 20 posts
  • OFFLINE
  • Local time:10:40 PM

Posted 06 December 2009 - 11:41 PM

I'd love to do that but I can't. I get the message "Firefox can't find the file at http://download.bleepingcomputer.com/sUBs/ComboFix.exe." when I try. I hope that doesn't mean I have a particularly nasty malware problem.

#6 SpudSpudly

  • Topic Starter
  • Members
  • 20 posts
  • OFFLINE
  • Local time:10:40 PM

Posted 06 December 2009 - 11:44 PM

Wait. I was able to download it with IE. I'll report back.

#7 SpudSpudly

  • Topic Starter
  • Members
  • 20 posts
  • OFFLINE
  • Local time:10:40 PM

Posted 07 December 2009 - 12:16 AM

It wasn't easy but here it is...............



ComboFix 09-12-06.09 - Ian 12/06/2009 23:56.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2046.1372 [GMT -5:00]
Running from: c:\users\Ian\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
SP: McAfee VirusScan *disabled* (Updated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-2348730027-1478731520-1860990113-500
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.
((((((((((((((((((((((((( Files Created from 2009-11-07 to 2009-12-07 )))))))))))))))))))))))))))))))
.

2009-12-07 05:09 . 2009-12-07 05:11 -------- d-----w- c:\users\Ian\AppData\Local\temp
2009-12-07 05:09 . 2009-12-07 05:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-07 05:09 . 2009-12-07 05:09 -------- d-----w- c:\users\Alissa\AppData\Local\temp
2009-12-05 03:39 . 2009-12-05 03:39 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-04 04:07 . 2009-12-04 04:08 117760 ----a-w- c:\users\Ian\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-03 22:31 . 2009-12-03 22:31 -------- d-----w- c:\program files\Trend Micro
2009-11-27 21:25 . 2009-11-27 21:25 -------- d--h--w- c:\programdata\CanonIJEGV
2009-11-13 02:56 . 2009-11-13 02:56 -------- d--h--w- c:\programdata\CanonBJ
2009-11-13 02:56 . 2008-10-26 10:00 69632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPP9N.DLL
2009-11-13 02:56 . 2008-10-26 10:00 27136 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPD9N.DLL
2009-11-13 02:55 . 2009-11-13 02:55 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information
2009-11-13 02:54 . 2008-08-25 23:02 15872 ----a-w- c:\windows\system32\CNHMCA.DLL
2009-11-13 02:54 . 2008-07-16 14:39 192512 ----a-w- c:\windows\system32\CNC860O.DLL
2009-11-13 02:54 . 2008-10-27 18:46 98304 ----a-w- c:\windows\system32\CNC860I.DLL
2009-11-13 02:54 . 2008-10-23 22:37 274432 ----a-w- c:\windows\system32\CNC860L.DLL
2009-11-13 02:54 . 2008-10-27 18:46 1331200 ----a-w- c:\windows\system32\CNC860C.DLL
2009-11-13 02:53 . 2008-10-26 10:00 236032 ----a-w- c:\windows\system32\CNMLM9N.DLL
2009-11-12 04:14 . 2009-11-12 04:14 -------- d-----w- c:\users\Ian\AppData\Roaming\IObit
2009-11-12 04:14 . 2009-11-12 04:14 -------- d-----w- c:\program files\IObit
2009-11-12 03:51 . 2009-11-12 03:51 -------- d-----w- c:\program files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-07 04:49 . 2007-10-11 02:32 -------- d-----w- c:\users\Ian\AppData\Roaming\WTablet
2009-12-06 20:07 . 2007-09-25 14:19 -------- d-----w- c:\users\Alissa\AppData\Roaming\WTablet
2009-12-04 01:07 . 2009-06-06 04:18 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-04 01:06 . 2009-06-25 02:49 4844296 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-03 21:14 . 2009-06-06 04:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2009-06-06 04:18 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-02 05:47 . 2007-09-02 22:31 4096 d-----w- c:\program files\Java
2009-11-27 21:21 . 2008-10-15 04:30 -------- d-----w- c:\users\Ian\AppData\Roaming\Canon
2009-11-18 22:32 . 2009-02-21 04:44 4096 d-----w- c:\program files\McAfee
2009-11-13 03:22 . 2008-10-15 02:34 4096 d-----w- c:\program files\Canon
2009-11-13 02:51 . 2009-11-13 02:51 -------- d--h--w- c:\program files\CanonBJ
2009-11-12 03:44 . 2007-09-02 22:40 4096 d-----w- c:\program files\Roxio
2009-11-12 03:43 . 2007-09-02 22:40 4096 d-----w- c:\program files\Common Files\Sonic Shared
2009-11-12 03:28 . 2008-10-15 02:44 -------- d-----w- c:\programdata\ScanSoft
2009-11-12 03:23 . 2008-03-30 22:53 -------- d-----w- c:\program files\Common Files\Intuit
2009-11-12 03:05 . 2008-10-22 16:39 -------- d-----w- c:\users\Alissa\AppData\Roaming\Canon
2009-10-19 13:22 . 2009-04-28 01:09 4096 d-----w- c:\users\Alissa\AppData\Roaming\Move Networks
2009-10-12 00:29 . 2008-09-19 02:54 256 ----a-w- c:\windows\system32\pool.bin
2009-10-11 09:17 . 2009-01-01 05:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-06 17:39 . 2009-10-06 17:39 127872 ----a-w- c:\users\Alissa\AppData\Roaming\Move Networks\uninstall.exe
2009-10-06 17:39 . 2009-06-16 06:35 4183416 ----a-w- c:\users\Alissa\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
2009-09-16 14:22 . 2009-02-21 04:45 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2009-02-21 04:45 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2009-02-21 04:45 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2009-01-09 17:03 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2009-02-21 04:42 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2007-09-03 06:14 . 2007-09-03 06:10 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-09-03 1006264]
"VolPanel"="c:\program files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2006-11-27 180224]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-27 1540096]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-07-11 90112]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 303104]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Malwarebytes Piracy"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-12-03 1394000]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-12-03 429392]

c:\users\Alissa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-9-21 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 19:56 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2007-08-16 12:56 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
2007-04-10 18:46 709992 ----a-w- c:\windows\vVX3000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2348730027-1478731520-1860990113-1000]
"EnableNotificationsRef"=dword:00000004

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/4/2008 1:50 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 1:50 PM 55024]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/15/2009 11:38 PM 276816]
R2 TabletServicePen;TabletServicePen;c:\windows\System32\Pen_Tablet.exe [9/25/2007 9:17 AM 1373480]
R3 MBAMProtector;MBAMProtector;c:\windows\System32\drivers\mbam.sys [6/5/2009 11:18 PM 19160]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 9:28 AM 204800]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 1:50 PM 7408]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Ian\AppData\Roaming\Mozilla\Firefox\Profiles\dlf9tu04.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com
FF - plugin: c:\users\Alissa\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-Broadcom 802.11b Network Adapter - c:\program files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe verbose
AddRemove-CanonMyPrinter - c:\program files\Canon\MyPrinter\uninst.exe uninst.ini
AddRemove-CanonSolutionMenu - c:\program files\Canon\SolutionMenu\uninst.exe uninst.ini uinstrsc.dll
AddRemove-UT2004 - c:\program files\UT2004\System\Setup.exe uninstall UT2004



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-07 00:11
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x84C03618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8299fd1f
\Driver\ACPI -> acpi.sys @ 0x804699d6
\Driver\atapi -> ataport.SYS @ 0x8077f9ba
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-12-07 00:14
ComboFix-quarantined-files.txt 2009-12-07 05:14

Pre-Run: 18,564,820,992 bytes free
Post-Run: 19,444,457,472 bytes free

- - End Of File - - 375ECF3E000BEEF6C1E2DD3C8D4BAECF

#8 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 07 December 2009 - 10:48 AM

Please run GMER once again just like you did the last time and post the log it produces.
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#9 SpudSpudly

  • Topic Starter
  • Members
  • 20 posts

Posted 07 December 2009 - 08:56 PM

So just for an update, I'm still getting redirects, I get popup tabs in FF, and sometimes it just blocks access altogether to sites like this one, BleepingComputer. Then when I exit FF I have to go into Task Manager and kill FF manually. I also, to my surprise, emailed myself a link at work and when I opened it there it redirected me to another site. Kind of like a redirect packaged to go. I didn't realize that was possible.

Anyway, after a few attempts I've been able to run gmer again. Here it is:



GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-07 20:49:57
Windows 6.0.6000
Running: nhih19fz.exe; Driver: C:\Users\Ian\AppData\Local\Temp\kfdcapoc.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8CDE679E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8CDE6738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8CDE674C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8CDE67DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8CDE681F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8CDE6710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8CDE6724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8CDE67B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8CDE6847]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8CDE6833]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8CDE678A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8CDE6776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8CDE680B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8CDE67F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8CDE67C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8CDE6762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device Fs_Rec.SYS (File System Recognizer Driver/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 84C31618

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----



THANKS AS ALWAYS!!!!

Edited by SpudSpudly, 07 December 2009 - 08:57 PM.


#10 SpudSpudly

  • Topic Starter
  • Members
  • 20 posts

Posted 07 December 2009 - 09:01 PM

I should add that I also keep getting MBAM pop-up messages every 5-10 minutes telling me it blocked access to one dangerous IP or another. Even when I have no browsers open.

#11 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 07 December 2009 - 10:28 PM

Let's try this next.


  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


#12 SpudSpudly

  • Topic Starter
  • Members
  • 20 posts

Posted 07 December 2009 - 10:55 PM

I made an error and accidentally ran the program twice, which I believe caused it to overwrite the original TDSSKiller.txt file. But before I did that I noticed that the original txt file did indicate two rootkits (I think) and fixed both of them (hooray, I hope).

This is the second TDSSKiller.txt file, which I hope is helpful somehow. Sorry I overwrote the first one:



Host Name: INSPIRONE1705
OS Name: Microsoft® Windows Vista™ Home Premium
OS Version: 6.0.6000 N/A Build 6000
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Ian
Registered Organization:
Product ID: 89578-OEM-7332157-00204
Original Install Date: 9/2/2007, 6:23:48 PM
System Boot Time: 12/7/2009, 8:24:39 PM
System Manufacturer: Dell Inc.
System Model: MP061
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 6 Model 15 Stepping 2 GenuineIntel ~1733 Mhz
BIOS Version: Dell Inc. A08, 4/2/2007
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume3
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-05:00) Eastern Time (US & Canada)
Total Physical Memory: 2,046 MB
Available Physical Memory: 948 MB
Page File: Max Size: 4,308 MB
Page File: Available: 3,125 MB
Page File: In Use: 1,183 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\INSPIRONE1705
Hotfix(s): 116 Hotfix(s) Installed.
Network Card(s): 2 NIC(s) Installed.
[01]: Broadcom 440x 10/100 Integrated Controller
Connection Name: Local Area Connection
Status: Media disconnected
[02]: Dell Wireless 1390 WLAN Mini-Card
Connection Name: Wireless Network Connection
DHCP Enabled: Yes
DHCP Server: 192.168.1.1
IP address(es)
[01]: 192.168.1.100
[02]: fe80::195b:9a1b:e23e:81fb
22:50:11:156 2024 ForceUnloadDriver: NtUnloadDriver error 2
22:50:11:156 2024 ForceUnloadDriver: NtUnloadDriver error 2
22:50:11:159 2024 ForceUnloadDriver: NtUnloadDriver error 2
22:50:11:159 2024 main: Driver KLMD successfully dropped
22:50:11:241 2024 main: Driver KLMD successfully loaded
22:50:11:241 2024
Scanning Registry ...
22:50:11:241 2024 ScanServices: Searching service UACd.sys
22:50:11:241 2024 ScanServices: Open/Create key error 2
22:50:11:241 2024 ScanServices: Searching service TDSSserv.sys
22:50:11:241 2024 ScanServices: Open/Create key error 2
22:50:11:241 2024 ScanServices: Searching service gaopdxserv.sys
22:50:11:241 2024 ScanServices: Open/Create key error 2
22:50:11:241 2024 ScanServices: Searching service gxvxcserv.sys
22:50:11:241 2024 ScanServices: Open/Create key error 2
22:50:11:241 2024 ScanServices: Searching service MSIVXserv.sys
22:50:11:241 2024 ScanServices: Open/Create key error 2
22:50:11:254 2024 UnhookRegistry: Kernel module file name: C:\Windows\system32\ntkrnlpa.exe, base addr: 82000000
22:50:11:259 2024 UnhookRegistry: Kernel local addr: 1490000
22:50:11:259 2024 UnhookRegistry: KeServiceDescriptorTable addr: 15C1B00
22:50:11:259 2024 UnhookRegistry: KiServiceTable addr: 15107B4
22:50:11:259 2024 UnhookRegistry: NtEnumerateKey service number (local): 85
22:50:11:259 2024 UnhookRegistry: NtEnumerateKey local addr: 15C7F06
22:50:11:264 2024 KLMD_OpenDevice: Trying to open KLMD device
22:50:11:264 2024 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
22:50:11:266 2024 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
22:50:11:266 2024 KLMD_ReadMem: Trying to ReadMemory 0x8207E735[0x4]
22:50:11:266 2024 UnhookRegistry: NtEnumerateKey service number (kernel): 85
22:50:11:266 2024 KLMD_ReadMem: Trying to ReadMemory 0x820809C8[0x4]
22:50:11:266 2024 UnhookRegistry: NtEnumerateKey real addr: 82137F06
22:50:11:266 2024 UnhookRegistry: NtEnumerateKey calc addr: 82137F06
22:50:11:266 2024 UnhookRegistry: No SDT hooks found on NtEnumerateKey
22:50:11:266 2024 KLMD_ReadMem: Trying to ReadMemory 0x82137F06[0xA]
22:50:11:266 2024 UnhookRegistry: No splicing found on NtEnumerateKey
22:50:11:329 2024
Scanning Kernel memory ...
22:50:11:329 2024 KLMD_OpenDevice: Trying to open KLMD device
22:50:11:329 2024 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
22:50:11:329 2024 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
22:50:11:329 2024 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 85393F38
22:50:11:329 2024 DetectCureTDL3: KLMD_GetDeviceObjectList returned 1 DevObjects
22:50:11:329 2024 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 85393538
22:50:11:329 2024 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85393538
22:50:11:329 2024 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 84BE88A8
22:50:11:329 2024 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84BE88A8
22:50:11:329 2024 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 84281BB0
22:50:11:329 2024 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84281BB0
22:50:11:329 2024 KLMD_ReadMem: Trying to ReadMemory 0x84281BB0[0x38]
22:50:11:329 2024 DetectCureTDL3: DRIVER_OBJECT addr: 85B3CA00
22:50:11:329 2024 KLMD_ReadMem: Trying to ReadMemory 0x85B3CA00[0xA8]
22:50:11:329 2024 KLMD_ReadMem: Trying to ReadMemory 0x84BE5028[0x38]
22:50:11:329 2024 KLMD_ReadMem: Trying to ReadMemory 0x84BF8830[0xA8]
22:50:11:329 2024 KLMD_ReadMem: Trying to ReadMemory 0x83E563B8[0x208]
22:50:11:329 2024 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
22:50:11:329 2024 DetectCureTDL3: IrpHandler (0) addr: 84C31618
22:50:11:329 2024 DetectCureTDL3: IrpHandler (1) addr: 84C31618
22:50:11:329 2024 DetectCureTDL3: IrpHandler (2) addr: 84C31618
22:50:11:329 2024 DetectCureTDL3: IrpHandler (3) addr: 84C31618
22:50:11:329 2024 DetectCureTDL3: IrpHandler (4) addr: 84C31618
22:50:11:329 2024 DetectCureTDL3: IrpHandler (5) addr: 84C31618
22:50:11:329 2024 DetectCureTDL3: IrpHandler (6) addr: 84C31618
22:50:11:329 2024 DetectCureTDL3: IrpHandler (7) addr: 84C31618
22:50:11:329 2024 DetectCureTDL3: IrpHandler (8) addr: 84C31618
22:50:11:329 2024 DetectCureTDL3: IrpHandler (9) addr: 84C31618
22:50:11:329 2024 DetectCureTDL3: IrpHandler (10) addr: 84C31618
22:50:11:329 2024 DetectCureTDL3: IrpHandler (11) addr: 84C31618
22:50:11:329 2024 DetectCureTDL3: IrpHandler (12) addr: 84C31618
22:50:11:329 2024 DetectCureTDL3: IrpHandler (13) addr: 84C31618
22:50:11:329 2024 DetectCureTDL3: IrpHandler (14) addr: 84C31618
22:50:11:329 2024 DetectCureTDL3: IrpHandler (15) addr: 84C31618
22:50:11:329 2024 DetectCureTDL3: IrpHandler (16) addr: 84C31618
22:50:11:329 2024 DetectCureTDL3: IrpHandler (17) addr: 84C31618
22:50:11:329 2024 DetectCureTDL3: IrpHandler (18) addr: 84C31618
22:50:11:329 2024 DetectCureTDL3: IrpHandler (19) addr: 84C31618
22:50:11:329 2024 DetectCureTDL3: IrpHandler (20) addr: 84C31618
22:50:11:329 2024 DetectCureTDL3: IrpHandler (21) addr: 84C31618
22:50:11:329 2024 DetectCureTDL3: IrpHandler (22) addr: 84C31618
22:50:11:331 2024 DetectCureTDL3: IrpHandler (23) addr: 84C31618
22:50:11:331 2024 DetectCureTDL3: IrpHandler (24) addr: 84C31618
22:50:11:331 2024 DetectCureTDL3: IrpHandler (25) addr: 84C31618
22:50:11:331 2024 DetectCureTDL3: IrpHandler (26) addr: 84C31618
22:50:11:331 2024 DetectCureTDL3: All IRP handlers pointed to one addr: 84C31618
22:50:11:331 2024 KLMD_ReadMem: Trying to ReadMemory 0x84C31618[0x400]
22:50:11:331 2024 TDL3_IrpHookDetect: TDL3 is already cured
22:50:11:331 2024 KLMD_ReadMem: Trying to ReadMemory 0x84C314BF[0x400]
22:50:11:331 2024 TDL3_StartIoHookDetect: CheckParameters: 7, FFDF0308, 334, 0
22:50:11:331 2024 TDL3_FileDetect: Processing driver: atapi
22:50:11:331 2024 TDL3_FileDetect: Parameters: C:\Windows\system32\drivers\tsk_atapi.sys, C:\Windows\system32\Drivers\tsk_tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_tsk_atapi.sys
22:50:11:331 2024 TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\tsk_atapi.sys
22:50:11:331 2024 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\tsk_atapi.sys
22:50:11:349 2024
Completed

Results:
22:50:11:349 2024 Infected objects in memory: 0
22:50:11:349 2024 Cured objects in memory: 0
22:50:11:349 2024 Infected objects on disk: 0
22:50:11:349 2024 Objects on disk cured on reboot: 0
22:50:11:351 2024 Objects on disk deleted on reboot: 0
22:50:11:351 2024 Registry nodes deleted on reboot: 0
22:50:11:351 2024

#13 SpudSpudly

  • Topic Starter
  • Members
  • 20 posts

Posted 07 December 2009 - 11:13 PM

I did some clicking around online in FF and to my dismay the redirects are still there.

:(

#14 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 07 December 2009 - 11:22 PM

Since I don't have the first log, I'll need for you to run GMER once again.

#15 SpudSpudly

  • Topic Starter
  • Members
  • 20 posts

Posted 07 December 2009 - 11:50 PM

I'm getting good at running Gmer -- too bad I can't interpret the results:


GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-07 23:49:41
Windows 6.0.6000
Running: nhih19fz.exe; Driver: C:\Users\Ian\AppData\Local\Temp\kfdcapoc.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8CDE679E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8CDE6738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8CDE674C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8CDE67DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8CDE681F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8CDE6710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8CDE6724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8CDE67B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8CDE6847]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8CDE6833]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8CDE678A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8CDE6776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8CDE680B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8CDE67F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8CDE67C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8CDE6762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device Fs_Rec.SYS (File System Recognizer Driver/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 84C31618

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
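As an added example (not code from this thread, from GMER or from TDSSKiller), a small Python triage script for the two log formats posted above: the TDSSKiller log written by the `-l C:\TDSSKiller.txt -v` run in thewall's instructions and the GMER logs SpudSpudly pasted. It pulls GMER's `suspicious modification` file lines and the address GMER shows for `\Driver\atapi`, then TDSSKiller's "All IRP handlers pointed to one addr" line, its "already cured" message and the Results counters, and reports where the two logs agree. The embedded log text is constructed from excerpts of the posted logs; the regexes and function names are this example's own.

```python
# Triage helper for GMER and TDSSKiller logs (added example, not from either tool).
import re

# Constructed excerpt of the GMER log posted above (Devices and Files sections).
GMER_LOG = r"""
---- Devices - GMER 1.0.15 ----
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 84C31618
---- Files - GMER 1.0.15 ----
File C:\Windows\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

# Constructed excerpt of the TDSSKiller log posted above (-l C:\TDSSKiller.txt -v output).
TDSS_LOG = r"""
22:50:11:329 2024 DetectCureTDL3: IrpHandler (0) addr: 84C31618
22:50:11:331 2024 DetectCureTDL3: All IRP handlers pointed to one addr: 84C31618
22:50:11:331 2024 TDL3_IrpHookDetect: TDL3 is already cured
22:50:11:349 2024 Infected objects in memory: 0
22:50:11:349 2024 Cured objects in memory: 0
22:50:11:349 2024 Infected objects on disk: 0
22:50:11:349 2024 Objects on disk cured on reboot: 0
"""

# GMER "Device -> \Driver\X \Device\Y ADDR" and "File PATH suspicious modification" lines.
DEVICE_RE = re.compile(r"^Device -> (\\Driver\\\S+) (\\Device\\\S+) ([0-9A-Fa-f]{8})$")
FILE_RE = re.compile(r"^File (\S+) suspicious modification$")
# TDSSKiller lines: the shared IRP handler address and the "Results:" counters.
IRP_RE = re.compile(r"All IRP handlers pointed to one addr: ([0-9A-Fa-f]{8})")
RESULT_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3} \d+ ([A-Za-z ]+?): (\d+)$")


def parse_gmer(text):
    """Return ({driver name in lower case: address}, [suspicious file paths])."""
    devices, files = {}, []
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            driver, _device, addr = m.groups()
            devices[driver.lower()] = addr.upper()
            continue
        m = FILE_RE.match(line)
        if m:
            files.append(m.group(1))
    return devices, files


def parse_tdsskiller(text):
    """Return (shared IRP handler address or None, cured flag, {counter: value})."""
    irp_addr, cured, results = None, False, {}
    for line in text.splitlines():
        m = IRP_RE.search(line)
        if m:
            irp_addr = m.group(1).upper()
        if "is already cured" in line:
            cured = True
        m = RESULT_RE.match(line)
        if m:
            results[m.group(1)] = int(m.group(2))
    return irp_addr, cured, results


def triage(gmer_text, tdss_text):
    """Correlate both logs and return human-readable findings, in log order."""
    devices, files = parse_gmer(gmer_text)
    irp_addr, cured, results = parse_tdsskiller(tdss_text)
    findings = ["GMER: suspicious modification of " + path for path in files]
    atapi_addr = devices.get("\\driver\\atapi")
    if atapi_addr and atapi_addr == irp_addr:
        findings.append("GMER address for \\Driver\\atapi matches the TDSSKiller "
                        "IRP handler address " + atapi_addr)
    if cured:
        findings.append("TDSSKiller: TDL3 IRP hook reported as already cured")
    remaining = (results.get("Infected objects in memory", 0)
                 + results.get("Infected objects on disk", 0))
    if remaining:
        findings.append("TDSSKiller: %d infected object(s) still reported" % remaining)
    return findings


if __name__ == "__main__":
    for finding in triage(GMER_LOG, TDSS_LOG):
        print(finding)
```

Run it against the real files (for example, `open(r"C:\TDSSKiller.txt").read()`) instead of the embedded excerpts to triage a fresh pair of logs.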



