
Cannot resolve search redirect - Clicker.ADUN


This topic is locked
27 replies to this topic

#1 ktaylor310

Posted 04 December 2009 - 04:56 PM

My operating system is WindowsXP Pro. I use AVG 8.5 for virus scan and firewall, all definitions are up-to-date. Clicked on a website yesterday and firewall alerts started popping up "such and such is trying to establish a connection..." There were approximately three alerts and I blocked each attempt. I exited the website and ran a virus scan which found and supposedly healed 5 files associated with Trojan horse downloader.Generic9.TBJ and Trojan horse Clicker.ADUN. While I was running the scan several more firewall alerts started popping up, so changed the settings on my firewall to block all internet traffic. After I finished the scan, I went back on the internet but all searches on Google are being redirected to other sites and sometimes more than one window opens. I then ran Hijack This and deleted several suspicious items, but that didn't help. I restarted the computer in safe mode and ran AVG scan again. This time it found and sent to the virus vault "c:\Documents and Settings\My Name\Local Settings\Temp\prun.tmp" (Trojan horse Clicker.ADUN moved to virus vault.). I restarted in normal mode and ran a complete AVG scan again (also a rootkit scan) and nothing was found. Also Spybot search & destroy finds nothing, but still my search results are being redirected.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:46:18 PM, on 12/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\KIM TAYLOR\Application Data\Mozilla\Profiles\default\zvbpepfd.slt\prefs.js)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe


I also ran a scan from gmer.net and saved the log file:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-04 14:22:56
Windows 5.1.2600 Service Pack 2
Running: leju4zl0.exe; Driver: C:\DOCUME~1\KIMTAY~1\LOCALS~1\Temp\kwlirpow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A925618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Thank you for any help you can provide!
Kim


#2 ktaylor310 (Topic Starter)

Posted 05 December 2009 - 12:01 AM

I just wanted to add that tonight my webshield has started throwing up the alert "Threat Detected. Trojan horse Dropper.generic.BHB. Access file infected c:/windows/system32/svchost.exe".

Thank you.

#3 DocSatan

Posted 18 December 2009 - 08:16 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#4 ktaylor310 (Topic Starter)

Posted 18 December 2009 - 10:43 AM

Hi, and thank you so much for helping. I know it will be worth the wait!

I'm not sure that DDS is running properly on my computer. The small box does pop up, but then quickly disappears. At first it sounded as though a scan could be running in the background, but it has been half an hour and nothing has happened (computer running quietly) - no notepad pop-up. I finally checked the Task Manager and it does not appear that anything is running. Am I just being premature? I have to leave for a little while, but I'll leave the computer as is while I'm gone in hopes the scan just isn't done. I use AVG 8.5 and have disabled the resident shield as well as the web shield. Firewall is set on "block".

The only other thing I would like to add since my first notes is that I ran Malwarebytes which found and supposedly deleted Trojan horse Dropper.generic.BHB.

I have mostly blocked all internet traffic via AVG firewall since this started. The other day I had to receive my email, however, and when I enabled the firewall to allow traffic a DOS screen popped up that read, "windows/temp/fvrx.tmp/svchost.exe"

Edited by ktaylor310, 18 December 2009 - 10:58 AM.


#5 sundavis (Malware Response Team)

Posted 19 December 2009 - 12:10 PM

Hi ktaylor310,


Welcome to BleepingComputer HijackThis Logs and Malware Removal, :(
My name is sundavis, I will be helping you to deal with your Malware problems today.


Step1

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

Please visit this webpage for instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please download the random ComboFix from Here to your desktop.

Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.

This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


1.Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

2.Click Yes to allow Combofix to continue scanning for malware.

When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.


Step2

Please download Malwarebytes' Anti-Malware from Here or Here
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • You can refer to this tutorial
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


After that, please rerun Gmer and post the contents in your next reply.


In your next reply, please post back:

1.ComboFix log
2.MBAM log
3.Gmer log

Thanks

#6 ktaylor310 (Topic Starter)

Posted 20 December 2009 - 09:49 PM

Thank you so much for your help!!



Combofix Log:

ComboFix 09-12-18.03 - Kim Taylor 12/20/2009 19:18:45.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2559.2052 [GMT -7:00]
Running from: c:\documents and settings\Kim Taylor\Desktop\KittyFix.exe
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Thumbs.db
c:\windows\run.log
c:\windows\system32\Cache
H:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-11-21 to 2009-12-21 )))))))))))))))))))))))))))))))
.

2009-12-18 15:37 . 2009-11-25 16:09 2063640 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-18 15:37 . 2009-11-25 16:09 3514648 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-12-18 15:37 . 2009-11-25 16:09 2029336 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-12-07 18:32 . 2009-12-07 18:32 -------- d-----w- c:\documents and settings\Kim Taylor\Application Data\Malwarebytes
2009-12-07 18:32 . 2009-12-03 23:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-07 18:32 . 2009-12-07 18:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-07 18:32 . 2009-12-07 18:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-07 18:32 . 2009-12-03 23:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-21 01:57 . 2009-03-03 21:38 -------- d-----w- c:\documents and settings\Kim Taylor\Application Data\WTablet
2009-12-21 01:57 . 2009-03-04 14:50 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2009-12-18 17:57 . 2005-07-22 16:53 -------- d-----w- c:\program files\SnagIt
2009-12-13 16:46 . 2001-08-23 12:00 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-09 22:39 . 2005-08-10 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2009-12-08 15:36 . 2005-07-18 23:09 -------- d-----w- c:\program files\Google
2009-12-05 04:52 . 2007-10-02 23:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-04 21:45 . 2009-11-03 17:52 -------- d-----w- c:\program files\Visual Color Picker 2
2009-12-04 21:44 . 2007-07-24 23:39 -------- d-----w- c:\program files\Better File Rename
2009-12-04 00:42 . 2008-10-09 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-15 15:10 . 2009-08-07 00:50 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-15 15:10 . 2009-06-26 19:54 38208 ----a-w- c:\documents and settings\Kim Taylor\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-12 22:08 . 2009-10-23 21:21 565248 ----a-w- c:\documents and settings\Kim Taylor\Application Data\Mozilla\Firefox\Profiles\gk6a0zhx.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll
2007-03-12 16:38 . 2007-02-23 21:17 7521056 --sha-w- c:\windows\system32\drivers\fidbox.dat
2007-03-12 16:38 . 2007-02-23 21:17 178464 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Active Desktop Calendar"="c:\program files\XemiComputers\Active Desktop Calendar\ADC.exe" [2007-01-11 3330048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-18 2043160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-31 14:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:56 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-12-11 17:56 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"svcWRSSSDK"=2 (0x2)
"KodakCCS"=3 (0x3)
"gusvc"=3 (0x3)
"TabletService"=2 (0x2)
"iPod Service"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [10/9/2008 10:46 AM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/9/2008 10:46 AM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/9/2008 10:46 AM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/31/2009 7:28 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/31/2009 7:28 AM 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [7/31/2009 7:28 AM 1370488]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [3/3/2009 2:37 PM 2749224]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [10/9/2008 10:45 AM 29208]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [10/9/2008 10:45 AM 29208]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67e57d78-4b83-11dd-b289-0016b69b4b0a}]
\Shell\AutoRun\command - j:\acrobat7.0\Reader\AcroRd32.exe begin.pdf

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6bdf2ac0-8bd7-11dd-b30d-0016b69b4b0a}]
\Shell\AutoRun\command - J:\LaunchU3.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: facebook.com\www
Trusted Zone: istockphoto.com\secure
FF - ProfilePath - c:\documents and settings\Kim Taylor\Application Data\Mozilla\Firefox\Profiles\gk6a0zhx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\Kim Taylor\Application Data\Mozilla\Firefox\Profiles\gk6a0zhx.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Kim Taylor\Application Data\Mozilla\Firefox\Profiles\gk6a0zhx.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Opera7\Program\Plugins\np32dsw.dll
FF - plugin: c:\program files\Opera7\Program\Plugins\npdrmv2.dll
FF - plugin: c:\program files\Opera7\Program\Plugins\npdsplay.dll
FF - plugin: c:\program files\Opera7\Program\Plugins\npmio.dll
FF - plugin: c:\program files\Opera7\Program\Plugins\NPSWF32.dll
FF - plugin: c:\program files\Opera7\Program\Plugins\npwmsdrm.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Eye Candy 4000 - c:\progra~1\EYECAN~1\UNWISE.EXE
AddRemove-HijackThis - c:\documents and settings\All Users\Start Menu\Programs\System Tools\HijackThis.exe
AddRemove-MS Access to MySQL_is1 - c:\program files\BullZip\MS Access to MySQL\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-20 19:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A925618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cfc3
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba7117b4
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x8058155c
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x8058155c
NDIS: Linksys Wireless-G PCI Adapter -> SendCompleteHandler -> NDIS.sys @ 0xba61faf9
PacketIndicateHandler -> NDIS.sys @ 0xba62ab21
SendHandler -> NDIS.sys @ 0xba61f938
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-12-20 19:25:57
ComboFix-quarantined-files.txt 2009-12-21 02:25

Pre-Run: 117,303,939,072 bytes free
Post-Run: 117,332,070,400 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 6444CBC9D4BC483DF58D75224B37DB1D


Malware Bytes log:

Malwarebytes' Anti-Malware 1.42
Database version: 3399
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

12/20/2009 7:38:10 PM
mbam-log-2009-12-20 (19-38-10).txt

Scan type: Quick Scan
Objects scanned: 116749
Time elapsed: 3 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Gmer log:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit quick scan 2009-12-20 19:39:31
Windows 5.1.2600 Service Pack 2
Running: leju4zl0.exe; Driver: C:\DOCUME~1\KIMTAY~1\LOCALS~1\Temp\kwlirpow.sys


---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\KIMTAY~1\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A925618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#7 ktaylor310 (Topic Starter)

Posted 21 December 2009 - 09:28 AM

Not sure if this info will be helpful, but wanted to add that I tried a Google search after running these tests and my results are still being redirected. Did a search on "credit card machine", chose a site I am familiar with but after clicking link was taken to another site and then a window popped up on top as well:

http://server2.mediajmp.com/surveys/cpv-in...roductdepot.net

http://www.theproductdepot.net/search-resu...it+card+machine

#8 sundavis (Malware Response Team)

Posted 21 December 2009 - 10:48 AM

Hi ktaylor310,




Step1

1.Go to this thread and Download TDSSKiller to your Desktop.
2.Extract its contents to your desktop and drag TDSSKiller.exe on the desktop, not in the folder.
3.Start > Run and copy/paste the following bolded command into run box and hit Enter.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

4.Follow the instructions to type in "delete" when it asks you what to do if something is found.
5.When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.


Step2

Please delete KittyFix.exe on your desktop and go to the following thread for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

1.Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

2.Click Yes to allow Combofix to continue scanning for malware.

When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

After that, please rerun Gmer and post the contents in your next reply. Thanks


In your next reply, please post back


1.TDSSKiller txt
2.ComboFix log
3.Gmer log

Thanks

#9 ktaylor310 (Topic Starter)

Posted 21 December 2009 - 12:49 PM

I ran TDSSKiller and it found 2 infections (one was in atapi device). The DOS screen said that the problems would be corrected on reboot. I chose "Y" to reboot, and everything pulled up fine, but there was no log file in the c:\ folder. I did a file search on my PC and it only turned up the .exe file.


ComboFix 09-12-20.08 - Kim Taylor 12/21/2009 10:26:53.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2559.2062 [GMT -7:00]
Running from: c:\documents and settings\Kim Taylor\Desktop\ComboFix.exe
AV: AVG Anti-Virus plus Firewall *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2009-11-21 to 2009-12-21 )))))))))))))))))))))))))))))))
.

2009-12-21 17:19 . 2009-12-21 17:19 16904 ----a-w- c:\windows\system32\drivers\KLMD.sys
2009-12-18 15:37 . 2009-11-25 16:09 2063640 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-18 15:37 . 2009-11-25 16:09 3514648 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-12-18 15:37 . 2009-11-25 16:09 2029336 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-12-07 18:32 . 2009-12-07 18:32 -------- d-----w- c:\documents and settings\Kim Taylor\Application Data\Malwarebytes
2009-12-07 18:32 . 2009-12-03 23:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-07 18:32 . 2009-12-21 02:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-07 18:32 . 2009-12-07 18:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-07 18:32 . 2009-12-03 23:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-21 17:22 . 2009-03-03 21:38 -------- d-----w- c:\documents and settings\Kim Taylor\Application Data\WTablet
2009-12-21 17:22 . 2009-03-04 14:50 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2009-12-21 17:21 . 2001-08-23 12:00 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-21 17:19 . 2009-12-21 17:19 95360 ----a-w- c:\windows\system32\drivers\atapi.tsk
2009-12-18 17:57 . 2005-07-22 16:53 -------- d-----w- c:\program files\SnagIt
2009-12-09 22:39 . 2005-08-10 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2009-12-08 15:36 . 2005-07-18 23:09 -------- d-----w- c:\program files\Google
2009-12-05 04:52 . 2007-10-02 23:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-04 21:45 . 2009-11-03 17:52 -------- d-----w- c:\program files\Visual Color Picker 2
2009-12-04 21:44 . 2007-07-24 23:39 -------- d-----w- c:\program files\Better File Rename
2009-12-04 00:42 . 2008-10-09 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-15 15:10 . 2009-08-07 00:50 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-15 15:10 . 2009-06-26 19:54 38208 ----a-w- c:\documents and settings\Kim Taylor\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-12 22:08 . 2009-10-23 21:21 565248 ----a-w- c:\documents and settings\Kim Taylor\Application Data\Mozilla\Firefox\Profiles\gk6a0zhx.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll
2007-03-12 16:38 . 2007-02-23 21:17 7521056 --sha-w- c:\windows\system32\drivers\fidbox.dat
2007-03-12 16:38 . 2007-02-23 21:17 178464 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.

------- Sigcheck -------

[-] 2009-12-21 17:21 . 8EC9A448646B25D2FA4772779CF9410D . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2009-12-21 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[7] 2009-12-13 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\ERDNT\cache\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2001-08-23 . A64013E98426E1877CB653685C5C0009 . 86656 . . [5.1.2600.0] . . c:\windows\$NtServicePackUninstall$\atapi.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-12-21_02.21.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-26 16:12 . 2009-12-21 17:26 82990 c:\windows\system32\perfc009.dat
- 2004-08-26 16:12 . 2009-12-18 19:48 82990 c:\windows\system32\perfc009.dat
+ 2004-08-26 16:12 . 2009-12-21 17:26 466516 c:\windows\system32\perfh009.dat
- 2004-08-26 16:12 . 2009-12-18 19:48 466516 c:\windows\system32\perfh009.dat
+ 2009-01-01 19:55 . 2009-12-21 17:22 219427 c:\windows\system32\inetsrv\MetaBase.bin
+ 2004-08-26 18:07 . 2009-12-21 02:59 147456 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Active Desktop Calendar"="c:\program files\XemiComputers\Active Desktop Calendar\ADC.exe" [2007-01-11 3330048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-18 2043160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-31 14:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:56 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-12-11 17:56 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"svcWRSSSDK"=2 (0x2)
"KodakCCS"=3 (0x3)
"gusvc"=3 (0x3)
"TabletService"=2 (0x2)
"iPod Service"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [10/9/2008 10:46 AM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/9/2008 10:46 AM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/9/2008 10:46 AM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/31/2009 7:28 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/31/2009 7:28 AM 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [7/31/2009 7:28 AM 1370488]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [3/3/2009 2:37 PM 2749224]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [10/9/2008 10:45 AM 29208]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [10/9/2008 10:45 AM 29208]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
*NewlyCreated* - KLMD_SYSTEM
*Deregistered* - KLMD_System
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: facebook.com\www
Trusted Zone: istockphoto.com\secure
FF - ProfilePath - c:\documents and settings\Kim Taylor\Application Data\Mozilla\Firefox\Profiles\gk6a0zhx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\Kim Taylor\Application Data\Mozilla\Firefox\Profiles\gk6a0zhx.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-21 10:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\atapi]
"ImagePath"="system32\Drivers\atapi.tsk"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(816)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-12-21 10:36:25
ComboFix-quarantined-files.txt 2009-12-21 17:36
ComboFix2.txt 2009-12-21 02:26

Pre-Run: 117,334,441,984 bytes free
Post-Run: 117,299,167,232 bytes free

- - End Of File - - 06E48A4F04D202228EA678DAB949CC0F


GMER 1.0.15.15252 - http://www.gmer.net
Rootkit quick scan 2009-12-21 10:37:21
Windows 5.1.2600 Service Pack 2
Running: leju4zl0.exe; Driver: C:\DOCUME~1\KIMTAY~1\LOCALS~1\Temp\kwlirpow.sys


---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\KIMTAY~1\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----


It appears that my wireless connection has been uninstalled so I cannot access the internet. I am responding from my laptop.

#10 ktaylor310

ktaylor310
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:28 AM

Posted 21 December 2009 - 01:11 PM

The GMER log above was created when I clicked on the exe file. The next one is the log created after running a scan:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-21 18:14:48
Windows 5.1.2600 Service Pack 2
Running: leju4zl0.exe; Driver: C:\DOCUME~1\KIMTAY~1\LOCALS~1\Temp\kwlirpow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


UPDATE: I rebooted and my wireless software does come up now, but still cannot connect to the Internet. I receive error "you are connected to the access point, but the Internet cannot be found". Ran ipconfig/release, ipconfig/flushdns, ipconfig/renew, and netsh winsock reset. On netsh winsock reset received error "An error occurred while renewing interface wireless network connection 8: unable to contact your dhcp server request timed out."

Edited by ktaylor310, 21 December 2009 - 08:22 PM.


#11 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:08:28 AM

Posted 21 December 2009 - 06:49 PM

Hi ktaylor310,



Step1
  • Close any open browsers
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
FCopy::
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\$NtServicePackUninstall$\atapi.sys

Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\atapi]
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,61,00,74,00,61,00,70,00,69,00,2e,\
  00,73,00,79,00,73,00,00,00


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop

Posted Image

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please restart your pc and check if the connection is back to normal. If not, please do the following:

Click Start>Run>Type CMD>A command prompt DOS window will open. Type/Paste ipconfig /flushdns and then press Enter to purge the DNS resolver cache.

Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.

Open IE, select Tools > Internet Options. Select the Connections tab.
  • If you are using LAN, click "LAN Settings" button. If you are using Dial-up or Virtual Private Network connection, select necessary connection and click "Settings" button.
  • In the "Proxy Server" area, uncheck the check mark next to Use a proxy server for ....
  • Click OK.
  • Click Privacy tab and press Sites button, click Remove all button if there are some urls out there.
  • Click Advanced tab and click on Reset button
  • In the Reset Internet Explorer Settings dialog box, click Reset to confirm.
After that, what I'd like you to do is a hard reset with your router if you have one. Leave it on, and there should be a little pinhole in the back of the unit. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). Then change your admin login and password--make it a strong password. You may also want to ask your ISP for help in case there are custom settings that need to be maintained.


In your next reply, please post back:

1.ComboFix log

Tell me if the connection problem is solved.
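As an added example (not code from this thread, from ComboFix, or from its author), the small Python checker below verifies the two facts the CFScript above rests on: the Sigcheck section of the earlier ComboFix log shows the running atapi.sys with an MD5 different from the Service Pack copies, and the hex(2) data in the Registry:: block is just the UTF-16LE bytes of the intended ImagePath. The sample lines are copied from the logs posted above; the line-wrapping rule used when re-encoding is an assumption chosen to match the script's layout.

```python
"""Added example, not code from the thread, ComboFix or GMER: check the two
facts the CFScript relies on -- that the running atapi.sys hash differs from
the Service Pack reference copies (Sigcheck section of the earlier log), and
that the hex(2) data in the Registry:: block encodes the intended ImagePath."""
import re

# Constructed from the Sigcheck section of the ComboFix log posted above.
SIGCHECK_LINES = [
    r"[-] 2009-12-21 17:21 . 8EC9A448646B25D2FA4772779CF9410D . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys",
    r"[7] 2009-12-21 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys",
    r"[7] 2009-12-13 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\ERDNT\cache\atapi.sys",
    r"[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\atapi.sys",
    r"[-] 2001-08-23 . A64013E98426E1877CB653685C5C0009 . 86656 . . [5.1.2600.0] . . c:\windows\$NtServicePackUninstall$\atapi.sys",
]

# The Registry:: value from the CFScript, verbatim.
REG_VALUE = r'''"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,61,00,74,00,61,00,70,00,69,00,2e,\
  00,73,00,79,00,73,00,00,00'''

# One Sigcheck line: [flag] date[ time] . MD5 . size . . [version] . . path
SIG_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\] (?P<stamp>[\d-]+(?: [\d:]+)?) \. (?P<md5>[0-9A-Fa-f]{32})"
    r" \. (?P<size>\d+) \. \. \[(?P<ver>[^\]]*)\] \. \. (?P<path>.+)$"
)


def find_hash_mismatches(lines):
    """Return the paths whose MD5 differs from the ServicePackFiles copy of the
    same file name: these are exactly the copies the FCopy:: lines overwrite."""
    entries = [m.groupdict() for m in map(SIG_RE.match, lines) if m]
    by_name = {}
    for e in entries:
        by_name.setdefault(e["path"].rsplit("\\", 1)[-1].lower(), []).append(e)
    mismatched = []
    for group in by_name.values():
        ref = [e for e in group if "\\servicepackfiles\\" in e["path"].lower()]
        if not ref:
            continue  # no trustworthy reference copy to compare against
        mismatched += [e["path"] for e in group
                       if e["md5"].upper() != ref[0]["md5"].upper()]
    return mismatched


def decode_reg_hex(value):
    """Decode a .reg hex(2) (REG_EXPAND_SZ) value: join the backslash-continued
    lines, read the byte pairs as UTF-16LE and drop the two-byte terminator."""
    payload = value.split("hex(2):", 1)[1]
    data = bytes(int(h, 16) for h in re.findall(r"[0-9a-fA-F]{2}", payload))
    return data.decode("utf-16-le").rstrip("\x00")


def encode_reg_hex(name, text, width=80):
    """Produce the hex(2) form for a REG_EXPAND_SZ string. The wrap rule (lines
    of at most `width` chars, continued with ',\\' and indented two spaces) is
    an assumption chosen to reproduce the script's own layout."""
    pairs = [f"{b:02x}" for b in (text + "\x00").encode("utf-16-le")]
    lines, line = [], f'"{name}"=hex(2):'
    for i, pair in enumerate(pairs):
        last = i == len(pairs) - 1
        token = pair if last else pair + ","
        if len(line) + len(token) + (0 if last else 1) > width:
            lines.append(line + "\\")  # reserve room for the trailing backslash
            line = "  "
        line += token
    lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    for path in find_hash_mismatches(SIGCHECK_LINES):
        print("differs from ServicePackFiles copy:", path)
    print("ImagePath decodes to:", decode_reg_hex(REG_VALUE))
```

Note that the second flagged copy ($NtServicePackUninstall$) is the older pre-SP2 build (5.1.2600.0, a different size), not an infected file; the script overwrites it anyway, while the copy in drivers\ has the same size as the SP2 file but no version information at all.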

#12 ktaylor310

ktaylor310
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:28 AM

Posted 21 December 2009 - 09:12 PM

ComboFix 09-12-20.08 - Kim Taylor 12/21/2009 18:51:00.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2559.1973 [GMT -7:00]
Running from: c:\documents and settings\Kim Taylor\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kim Taylor\Desktop\CFScript.txt
AV: AVG Anti-Virus plus Firewall *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Thumbs.db

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\system32\drivers\atapi.sys
c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\$NtServicePackUninstall$\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2009-11-22 to 2009-12-22 )))))))))))))))))))))))))))))))
.

2009-12-21 17:19 . 2009-12-21 17:19 16904 ----a-w- c:\windows\system32\drivers\KLMD.sys
2009-12-18 15:37 . 2009-11-25 16:09 2063640 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-18 15:37 . 2009-11-25 16:09 3514648 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-12-18 15:37 . 2009-11-25 16:09 2029336 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-12-07 18:32 . 2009-12-07 18:32 -------- d-----w- c:\documents and settings\Kim Taylor\Application Data\Malwarebytes
2009-12-07 18:32 . 2009-12-03 23:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-07 18:32 . 2009-12-21 02:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-07 18:32 . 2009-12-07 18:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-07 18:32 . 2009-12-03 23:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-21 18:03 . 2009-03-03 21:38 -------- d-----w- c:\documents and settings\Kim Taylor\Application Data\WTablet
2009-12-21 18:03 . 2009-03-04 14:50 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2009-12-21 17:19 . 2009-12-21 17:19 95360 ----a-w- c:\windows\system32\drivers\atapi.tsk
2009-12-18 17:57 . 2005-07-22 16:53 -------- d-----w- c:\program files\SnagIt
2009-12-09 22:39 . 2005-08-10 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2009-12-08 15:36 . 2005-07-18 23:09 -------- d-----w- c:\program files\Google
2009-12-05 04:52 . 2007-10-02 23:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-04 21:45 . 2009-11-03 17:52 -------- d-----w- c:\program files\Visual Color Picker 2
2009-12-04 21:44 . 2007-07-24 23:39 -------- d-----w- c:\program files\Better File Rename
2009-12-04 00:42 . 2008-10-09 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-15 15:10 . 2009-08-07 00:50 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-15 15:10 . 2009-06-26 19:54 38208 ----a-w- c:\documents and settings\Kim Taylor\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-12 22:08 . 2009-10-23 21:21 565248 ----a-w- c:\documents and settings\Kim Taylor\Application Data\Mozilla\Firefox\Profiles\gk6a0zhx.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll
2007-03-12 16:38 . 2007-02-23 21:17 7521056 --sha-w- c:\windows\system32\drivers\fidbox.dat
2007-03-12 16:38 . 2007-02-23 21:17 178464 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-12-21_02.21.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-26 16:12 . 2009-12-18 19:48 82990 c:\windows\system32\perfc009.dat
+ 2004-08-26 16:12 . 2009-12-21 17:45 82990 c:\windows\system32\perfc009.dat
- 2001-08-23 12:00 . 2009-12-13 16:46 95360 c:\windows\system32\dllcache\atapi.sys
+ 2001-08-23 12:00 . 2004-08-04 05:59 95360 c:\windows\system32\dllcache\atapi.sys
+ 2005-07-18 20:47 . 2004-08-04 05:59 95360 c:\windows\$NtServicePackUninstall$\atapi.sys
+ 2004-08-26 16:12 . 2009-12-21 17:45 466516 c:\windows\system32\perfh009.dat
- 2004-08-26 16:12 . 2009-12-18 19:48 466516 c:\windows\system32\perfh009.dat
+ 2009-01-01 19:55 . 2009-12-21 18:03 219426 c:\windows\system32\inetsrv\MetaBase.bin
- 2009-01-01 19:55 . 2009-12-21 01:57 219426 c:\windows\system32\inetsrv\MetaBase.bin
+ 2004-08-26 18:07 . 2009-12-21 02:59 147456 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Active Desktop Calendar"="c:\program files\XemiComputers\Active Desktop Calendar\ADC.exe" [2007-01-11 3330048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-31 14:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
2009-12-18 15:36 2043160 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:56 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-12-11 17:56 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"svcWRSSSDK"=2 (0x2)
"KodakCCS"=3 (0x3)
"gusvc"=3 (0x3)
"TabletService"=2 (0x2)
"iPod Service"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [10/9/2008 10:46 AM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/9/2008 10:46 AM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/9/2008 10:46 AM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/31/2009 7:28 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/31/2009 7:28 AM 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [7/31/2009 7:28 AM 1370488]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [3/3/2009 2:37 PM 2749224]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [10/9/2008 10:45 AM 29208]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [10/9/2008 10:45 AM 29208]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
*Deregistered* - kwlirpow
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: facebook.com\www
Trusted Zone: istockphoto.com\secure
FF - ProfilePath - c:\documents and settings\Kim Taylor\Application Data\Mozilla\Firefox\Profiles\gk6a0zhx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\Kim Taylor\Application Data\Mozilla\Firefox\Profiles\gk6a0zhx.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Kim Taylor\Application Data\Mozilla\Firefox\Profiles\gk6a0zhx.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Opera7\Program\Plugins\np32dsw.dll
FF - plugin: c:\program files\Opera7\Program\Plugins\npdrmv2.dll
FF - plugin: c:\program files\Opera7\Program\Plugins\npdsplay.dll
FF - plugin: c:\program files\Opera7\Program\Plugins\npmio.dll
FF - plugin: c:\program files\Opera7\Program\Plugins\NPSWF32.dll
FF - plugin: c:\program files\Opera7\Program\Plugins\npwmsdrm.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-21 18:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\atapi]
"ImagePath"="s\00y\00s\00t\00e\00m\003\002\00\\00D\00R\00I\00V\00E\00R\00S\00\\00a\00t\00a\00p\00i\00."
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-12-21 18:58:23
ComboFix-quarantined-files.txt 2009-12-22 01:58
ComboFix2.txt 2009-12-21 17:36
ComboFix3.txt 2009-12-21 02:26

Pre-Run: 117,335,040,000 bytes free
Post-Run: 117,294,223,360 bytes free

- - End Of File - - 78DF11B03622142447DE4FB50DA71BDE


Big problems w/the pc now. After running combofix I rebooted per your instruction. Start up screen pulls up that reads "We apologize for the inconvenience, but windows did not start successfully...." Moves to next screen w/Windows XP Pro defaulted, next screen defaults to "start normally", then it loops back to the "We apologize screens" and continues to loop from there through the three screens. I can't get back into Windows.

#13 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:08:28 AM

Posted 21 December 2009 - 09:24 PM

Hi ktaylor310,


Step1


1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\hiv-backup


6. At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

7. The erunt backups will begin copying.
8. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading.

Let me know how things went.

#14 ktaylor310

ktaylor310
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:28 AM

Posted 21 December 2009 - 09:33 PM

1 = H:\MiniNT
2 = C:\Windows

Should I choose 2?

#15 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:08:28 AM

Posted 21 December 2009 - 09:35 PM

Should I choose 2?

Yes, please proceed.



