Browser redirect from Google search result


30 replies to this topic

#1 mossman_72

  • Members
  • 16 posts

Posted 10 December 2009 - 03:38 AM

I noticed other posts that are describing similar issues and I was hoping someone could help me out. I have a Dell XPS machine running Windows XP Professional Version 2002 SP 3.

A description of my problem:

I search Google on any topic. When I click on a search result that Google returns I get redirected to random ad pages not associated with the site I originally selected. If I attempt the link 3 to 4 times I eventually can get to the link posted by the Google search result. This behavior only appears to happen with Google. Yahoo search engine does not seem to be affected.

I have attempted scans with AdAware, Malwarebytes Anti-Malware and the Anti-malware that comes with my Trend Micro virus protection program with no luck at all.

Any help would be greatly appreciated. My DDS.txt log file:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Michael at 2:01:21.23 on Thu 12/10/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1175 [GMT -6:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource5\CTDetctu.exe
C:\Program Files\DNA\btdna.exe
C:\DOCUME~1\Michael\LOCALS~1\Temp\clclean.0001
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Michael\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061018
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Creative Detector U] "c:\program files\creative\mediasource5\CTDetctu.exe" /R
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Google Update] "c:\documents and settings\michael\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [<NO NAME>]
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: ihost.com\amex.iers
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {395E58B9-090C-461A-8F27-087D1C727945} - hxxp://mitelya.mitel.com/joinie.cab
DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} - hxxp://download.microsoft.com/download/3/B/E/3BE57995-8452-41F1-8297-DD75EF049853/VirtualEarth3D.cab
DPF: {5C86F808-EDD2-4E5D-9C4F-E0D1ADA859B0} - hxxp://mitelya.mitel.com/join_a.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 192.168.0.10 HP000D9D002529

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michael\applic~1\mozilla\firefox\profiles\8s4mgwyq.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-9 64160]
R2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys [2006-10-20 14976]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2006-12-15 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2006-11-9 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-11-16 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2006-11-9 566872]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-11-9 280392]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-30 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
S3 P1171VID;Creative WebCam Notebook #2;c:\windows\system32\drivers\P1171Vid.sys [2007-1-27 91392]
S4 LkWebLink;Inter-Tel Collaboration Remote Client;c:\documents and settings\michael\my documents\inter-tel\collaboration client 2.0\lkWebLink.exe [2008-8-26 32768]

=============== Created Last 30 ================

2009-12-10 06:18:38 0 d-----w- C:\RootkitNO
2009-12-10 05:49:53 2 --shatr- c:\windows\winstart.bat
2009-12-10 05:49:40 0 d-----w- c:\program files\UnHackMe
2009-12-10 04:32:57 0 d-----w- c:\program files\TrendMicro
2009-12-09 19:54:30 0 d-----w- c:\docume~1\michael\applic~1\Malwarebytes
2009-12-09 19:54:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-09 19:54:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-09 19:54:19 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-09 19:54:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-05 07:28:00 0 d-----w- c:\program files\common files\TiVo Shared
2009-12-05 07:27:00 0 d-----w- c:\program files\common files\SureThing Shared
2009-12-05 07:26:54 94263 ----a-w- c:\windows\DLA.EXE
2009-12-05 07:26:54 89264 ----a-w- c:\windows\system32\drivers\DRVMCDB.SYS
2009-12-05 07:26:54 61500 ----a-w- c:\windows\system32\DLAAPI_W.DLL
2009-12-05 07:26:54 5660 ----a-w- c:\windows\system32\drivers\DLACDBHM.SYS
2009-12-05 07:26:54 40544 ----a-w- c:\windows\system32\drivers\DRVNDDM.SYS
2009-12-05 07:26:54 22684 ----a-w- c:\windows\system32\drivers\DLARTL_N.SYS
2009-12-05 07:06:44 0 d-----w- c:\program files\MediaCoder

==================== Find3M ====================

2009-10-28 14:36:11 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-10-28 06:54:16 634632 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-10-28 06:52:46 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41:26 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41:26 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41:26 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41:26 696320 ----a-w- c:\windows\system32\DivX.dll
2009-09-23 07:06:54 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-07-18 01:08:33 88 --sh--r- c:\windows\system32\E190B93F84.sys
2009-07-18 01:08:34 3350 --sh--w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 2:02:38.25 ===============


#2 Ried

  • Malware Response Team
  • 1,009 posts
  • Gender:Male

Posted 15 December 2009 - 11:28 PM

Hello mossman_72,

If you still require assistance, please run a new scan with dds.scr and post the contents of the fresh dds.txt in your next reply.

I'd also like you to run another tool. Download gmer from here and save it to your desktop.

Double click to run it. If asked to allow a driver to load, please consent.
  • An initial scan will automatically begin.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.




  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries



Please attach the ark.txt in your next reply

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#3 mossman_72

  • Topic Starter
  • Members
  • 16 posts

Posted 17 December 2009 - 01:06 AM

Hello Ried,

Many thanks for helping me with my computer problem. I ran the dds and gmer scans as you requested. I have attached both to my reply.


My updated dds.txt log as you requested:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Michael at 22:09:10.67 on Wed 12/16/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1349 [GMT -6:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource5\CTDetctu.exe
C:\DOCUME~1\Michael\LOCALS~1\Temp\clclean.0001
C:\Program Files\DNA\btdna.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Michael\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061018
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Creative Detector U] "c:\program files\creative\mediasource5\CTDetctu.exe" /R
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Google Update] "c:\documents and settings\michael\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [<NO NAME>]
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: ihost.com\amex.iers
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {395E58B9-090C-461A-8F27-087D1C727945} - hxxp://mitelya.mitel.com/joinie.cab
DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} - hxxp://download.microsoft.com/download/3/B/E/3BE57995-8452-41F1-8297-DD75EF049853/VirtualEarth3D.cab
DPF: {5C86F808-EDD2-4E5D-9C4F-E0D1ADA859B0} - hxxp://mitelya.mitel.com/join_a.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 192.168.0.10 HP000D9D002529

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michael\applic~1\mozilla\firefox\profiles\8s4mgwyq.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\michael\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-9 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
R2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys [2006-10-20 14976]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2006-12-15 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2006-11-9 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-11-16 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2006-11-9 566872]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-11-9 280392]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-30 133104]
S3 P1171VID;Creative WebCam Notebook #2;c:\windows\system32\drivers\P1171Vid.sys [2007-1-27 91392]
S4 LkWebLink;Inter-Tel Collaboration Remote Client;c:\documents and settings\michael\my documents\inter-tel\collaboration client 2.0\lkWebLink.exe [2008-8-26 32768]

=============== Created Last 30 ================

2009-12-10 06:18:38 0 d-----w- C:\RootkitNO
2009-12-10 05:49:53 2 --shatr- c:\windows\winstart.bat
2009-12-10 05:49:40 0 d-----w- c:\program files\UnHackMe
2009-12-10 04:32:57 0 d-----w- c:\program files\TrendMicro
2009-12-09 19:54:30 0 d-----w- c:\docume~1\michael\applic~1\Malwarebytes
2009-12-09 19:54:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-09 19:54:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-09 19:54:19 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-09 19:54:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-05 07:28:00 0 d-----w- c:\program files\common files\TiVo Shared
2009-12-05 07:27:00 0 d-----w- c:\program files\common files\SureThing Shared
2009-12-05 07:26:54 94263 ----a-w- c:\windows\DLA.EXE
2009-12-05 07:26:54 89264 ----a-w- c:\windows\system32\drivers\DRVMCDB.SYS
2009-12-05 07:26:54 61500 ----a-w- c:\windows\system32\DLAAPI_W.DLL
2009-12-05 07:26:54 5660 ----a-w- c:\windows\system32\drivers\DLACDBHM.SYS
2009-12-05 07:26:54 40544 ----a-w- c:\windows\system32\drivers\DRVNDDM.SYS
2009-12-05 07:26:54 22684 ----a-w- c:\windows\system32\drivers\DLARTL_N.SYS
2009-12-05 07:06:44 0 d-----w- c:\program files\MediaCoder

==================== Find3M ====================

2009-12-16 22:50:37 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-10-28 14:36:11 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-10-28 06:54:16 634632 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-10-28 06:52:46 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41:26 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41:26 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41:26 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41:26 696320 ----a-w- c:\windows\system32\DivX.dll
2009-09-23 07:06:54 15688 ----a-w- c:\windows\system32\lsdelete.exe

============= FINISH: 22:10:32.81 ===============

Attached Files

  • Attached File  ark.txt   2.09KB   5 downloads


#4 Ried

  • Malware Response Team
  • 1,009 posts
  • Gender:Male

Posted 17 December 2009 - 01:14 AM

You're welcome, mossman_72.

Download ComboFix (KittyFix.exe) from here and save it to your desktop.

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal.


====================================================


Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#5 mossman_72

  • Topic Starter
  • Members
  • 16 posts

Posted 17 December 2009 - 02:10 AM

Ried,

I ran the ComboFix (KittyFix.exe) and have attached the Combofix.txt log to this post.

Thanks

ComboFix 09-12-16.05 - Michael 12/17/2009 0:53.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1316 [GMT -6:00]
Running from: c:\documents and settings\Michael\My Documents\Downloads\KittyFix.exe
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\setup.exe
c:\windows\EventSystem.log
c:\windows\system32\Data

c:\windows\system32\drivers\iastor.sys . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-11-17 to 2009-12-17 )))))))))))))))))))))))))))))))
.

2009-12-17 06:24 . 2009-09-01 17:26 558344 ----a-w- c:\documents and settings\All Users\Application Data\Trend Micro\OE_OEM\oe_engine\01\tmaseng.dll
2009-12-17 02:38 . 2009-12-17 02:38 -------- d-----w- c:\documents and settings\Jennifer\Application Data\Malwarebytes
2009-12-10 06:18 . 2009-12-10 06:18 -------- d-----w- C:\RootkitNO
2009-12-10 05:49 . 2009-12-10 05:49 2 --shatr- c:\windows\winstart.bat
2009-12-10 05:49 . 2009-12-10 06:29 -------- d-----w- c:\program files\UnHackMe
2009-12-10 04:32 . 2009-12-10 04:32 388096 ------r- c:\documents and settings\Michael\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-10 04:32 . 2009-12-10 04:32 -------- d-----w- c:\program files\TrendMicro
2009-12-09 22:55 . 2009-12-09 22:55 -------- d-----w- c:\documents and settings\Jennifer\Local Settings\Application Data\Smilebox
2009-12-09 22:54 . 2009-12-10 17:53 -------- d-----w- c:\documents and settings\Jennifer\Application Data\Smilebox
2009-12-09 22:54 . 2009-12-09 22:54 57943 ------w- c:\documents and settings\Jennifer\Application Data\Smilebox\uninstall.exe
2009-12-09 19:54 . 2009-12-09 19:54 -------- d-----w- c:\documents and settings\Michael\Application Data\Malwarebytes
2009-12-09 19:54 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-09 19:54 . 2009-12-09 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-09 19:54 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-09 19:54 . 2009-12-09 19:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-09 19:00 . 2009-12-09 20:05 -------- d-----w- c:\documents and settings\Michael\Local Settings\Application Data\ndyoho
2009-12-05 07:28 . 2009-12-05 07:28 -------- d-----w- c:\program files\Common Files\TiVo Shared
2009-12-05 07:27 . 2009-12-05 07:27 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-12-05 07:26 . 2005-11-18 18:02 5660 ----a-w- c:\windows\system32\drivers\DLACDBHM.SYS
2009-12-05 07:26 . 2005-11-18 18:02 22684 ----a-w- c:\windows\system32\drivers\DLARTL_N.SYS
2009-12-05 07:26 . 2005-11-07 11:20 94263 ----a-w- c:\windows\DLA.EXE
2009-12-05 07:26 . 2005-11-07 11:20 61500 ----a-w- c:\windows\system32\DLAAPI_W.DLL
2009-12-05 07:26 . 2005-09-12 09:30 89264 ----a-w- c:\windows\system32\drivers\DRVMCDB.SYS
2009-12-05 07:26 . 2005-08-12 11:20 40544 ----a-w- c:\windows\system32\drivers\DRVNDDM.SYS
2009-12-05 07:06 . 2009-12-10 08:43 -------- d-----w- c:\program files\MediaCoder
2009-12-05 06:48 . 2008-05-02 16:41 3493888 ---h--w- c:\documents and settings\Michael\Application Data\U3\temp\Launchpad Removal.exe
2009-12-05 00:22 . 2009-12-07 16:29 7631232 ------w- c:\documents and settings\Jennifer\Application Data\MySpace\IM\Install\MSIMClientSetup.1.0.823.0-static-A.exe
2009-12-04 16:49 . 2009-12-04 16:49 4846 ------r- c:\documents and settings\Michael\Application Data\Microsoft\Installer\{0DEE0EEE-F3C5-4B53-BB55-E55A655F7230}\ARPPRODUCTICON.exe
2009-12-04 16:49 . 2009-12-04 16:49 45056 ------r- c:\documents and settings\Michael\Application Data\Microsoft\Installer\{0DEE0EEE-F3C5-4B53-BB55-E55A655F7230}\MitelShortcut_075276AE41964DD798B949ABEC5FEEEC.exe
2009-12-04 16:49 . 2009-12-04 16:49 45056 ------r- c:\documents and settings\Michael\Application Data\Microsoft\Installer\{0DEE0EEE-F3C5-4B53-BB55-E55A655F7230}\InterTelShortcut_075276AE41964DD798B949ABEC5FEEEC.exe
2009-11-29 09:23 . 2009-11-29 09:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-17 06:43 . 2009-02-13 06:28 -------- d-----w- c:\documents and settings\Michael\Application Data\DNA
2009-12-17 06:23 . 2009-02-13 06:28 -------- d-----w- c:\program files\DNA
2009-12-16 22:51 . 2006-10-21 05:13 73104 ----a-w- c:\documents and settings\Jennifer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-16 22:50 . 2006-11-01 19:39 88 --sh--r- c:\windows\system32\E190B93F84.sys
2009-12-16 22:50 . 2006-11-01 19:39 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-12-16 12:34 . 2008-05-10 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-10 07:19 . 2007-10-14 16:30 -------- d-----w- c:\documents and settings\Michael\Application Data\U3
2009-12-05 07:33 . 2006-10-21 03:40 73104 ------w- c:\documents and settings\Michael\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-05 07:27 . 2006-10-18 21:10 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-12-05 07:27 . 2006-10-18 21:18 -------- d-----w- c:\program files\Roxio
2009-11-30 08:05 . 2009-09-23 07:06 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-21 18:20 . 2006-11-16 03:07 -------- d-----w- c:\documents and settings\Michael\Application Data\Apple Computer
2009-11-16 08:21 . 2009-11-16 08:21 205448 ------w- c:\documents and settings\Jennifer\Application Data\Smilebox\SmileboxDvd.exe
2009-11-16 08:21 . 2009-11-16 10:12 373384 ------w- c:\documents and settings\Jennifer\Application Data\Smilebox\SmileboxStarter.exe
2009-11-16 08:21 . 2009-11-16 09:17 168584 ------w- c:\documents and settings\Jennifer\Application Data\Smilebox\SmileboxBrowserEngine.dll
2009-11-16 08:21 . 2009-11-16 08:21 266888 ------w- c:\documents and settings\Jennifer\Application Data\Smilebox\SmileboxTray.exe
2009-11-16 08:12 . 2009-11-16 08:12 1581704 ------w- c:\documents and settings\Jennifer\Application Data\Smilebox\SmileboxClient.exe
2009-11-16 07:17 . 2009-11-16 07:17 340616 ------w- c:\documents and settings\Jennifer\Application Data\Smilebox\SmileboxDvdEngine.dll
2009-11-16 07:17 . 2009-11-16 07:17 123528 ------w- c:\documents and settings\Jennifer\Application Data\Smilebox\SmileboxUpdater.exe
2009-10-31 01:03 . 2009-10-31 01:03 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-31 01:03 . 2008-11-08 21:09 -------- d-----w- c:\program files\iTunes
2009-10-31 01:03 . 2009-10-31 01:03 -------- d-----w- c:\program files\iPod
2009-10-31 01:03 . 2008-09-14 03:01 -------- d-----w- c:\program files\Common Files\Apple
2009-10-31 01:02 . 2009-10-31 01:02 -------- d-----w- c:\program files\Bonjour
2009-10-31 01:02 . 2008-09-14 03:02 -------- d-----w- c:\program files\QuickTime
2009-10-31 00:56 . 2009-10-31 00:56 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-31 00:13 . 2006-10-18 21:19 -------- d-----w- c:\program files\Google
2009-10-30 23:54 . 2008-11-26 23:20 -------- d-----w- c:\program files\Virtual Earth 3D
2009-10-29 07:46 . 2004-08-11 22:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-11 22:00 78336 ------w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-11 22:00 17408 ------w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2004-08-11 22:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-11 22:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 04:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-19 07:05 . 2009-09-23 07:05 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-10-13 10:30 . 2004-08-11 22:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-11 22:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-11 22:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll
2009-09-23 07:05 . 2009-09-23 07:05 562552 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-09-23 07:05 . 2009-09-23 07:05 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-09-23 07:05 . 2009-09-23 07:05 640760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-09-23 07:05 . 2009-09-23 07:05 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-09-23 07:05 . 2009-09-23 07:05 1028432 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-11-01 321040]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Creative Detector U"="c:\program files\Creative\MediaSource5\CTDetctu.exe" [2005-12-27 110592]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-15 323392]
"Google Update"="c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-07 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-09 7561216]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"MBMon"="CTMBHA.DLL" [2006-06-29 1355042]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-02-16 1118208]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2005-12-05 437008]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-05 461584]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2009-4-27 221247]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/9/2009 1:05 AM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 8:49 AM 1028432]
R2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys [10/20/2006 10:51 PM 14976]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [12/15/2006 7:08 PM 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [11/9/2006 4:03 PM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [11/16/2006 2:27 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [11/9/2006 4:04 PM 566872]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [11/9/2006 4:03 PM 280392]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/30/2009 6:13 PM 133104]
S3 P1171VID;Creative WebCam Notebook #2;c:\windows\system32\drivers\P1171Vid.sys [1/27/2007 7:29 PM 91392]
S4 LkWebLink;Inter-Tel Collaboration Remote Client;c:\documents and settings\Michael\My Documents\Inter-Tel\Collaboration Client 2.0\lkWebLink.exe [8/26/2008 6:14 PM 32768]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: ihost.com\amex.iers
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {395E58B9-090C-461A-8F27-087D1C727945} - hxxp://mitelya.mitel.com/joinie.cab
DPF: {5C86F808-EDD2-4E5D-9C4F-E0D1ADA859B0} - hxxp://mitelya.mitel.com/join_a.cab
FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\8s4mgwyq.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-17 01:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A37850C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\iaStor -> iastor.sys @ 0xb9e74f80
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel® 82566DC Gigabit Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9d68bb0
PacketIndicateHandler -> NDIS.sys @ 0xb9d75a21
SendHandler -> NDIS.sys @ 0xb9d5387b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1032)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1092)
c:\windows\system32\WININET.dll
.
Completion time: 2009-12-17 01:06:22
ComboFix-quarantined-files.txt 2009-12-17 07:06

Pre-Run: 435,418,542,080 bytes free
Post-Run: 436,029,595,648 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - ECE000F0606A99C8017FA0E609C74682



#6 Ried
  • Malware Response Team
  • 1,009 posts
  • Gender:Male

Posted 17 December 2009 - 11:04 PM

Hello mossman_72.

The file is still infected and we need to find a replacement. Download SystemLook from one of the links below and save it to your desktop.

Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    iastor.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.



#7 mossman_72
  • Topic Starter
  • Members
  • 16 posts

Posted 17 December 2009 - 11:38 PM

Ried,

I followed your instructions and posted the SystemLook.txt file to this post.

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 22:32 on 17/12/2009 by Michael (Administrator - Elevation successful)

========== filefind ==========

Searching for "iastor.sys"
C:\drivers\storage\onboard\iastor.sys ------ 246784 bytes [20:51 18/10/2006] [09:59 06/07/2006] 019CF5F31C67030841233C545A0E217A
C:\i386\iaStor.sys ------ 246784 bytes [05:21 21/10/2006] [11:59 06/07/2006] 019CF5F31C67030841233C545A0E217A
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys ------ 484864 bytes [21:09 18/10/2006] [12:01 06/07/2006] 6A3C354BFC163B81F6EF2FC421280DB5
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys ------ 246784 bytes [21:09 18/10/2006] [11:59 06/07/2006] 019CF5F31C67030841233C545A0E217A
C:\WINDOWS\system32\drivers\iaStor.sys ------ 246784 bytes [20:51 18/10/2006] [11:59 06/07/2006] 3FC6A7CD55BEC429C49F699C39B7E7C4
C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\iaStor.sys ------ 246784 bytes [21:09 18/10/2006] [09:59 06/07/2006] 019CF5F31C67030841233C545A0E217A

-=End Of File=-

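Ried's next step picks a replacement by comparing the copies SystemLook found. The script below is an added example, not code from the thread or from SystemLook itself: it parses the filefind report above (embedded as constructed input copied from the post) and flags the installed driver when its MD5 disagrees with the same-size copies elsewhere on disk, listing those copies as replacement candidates. The majority-hash rule and the C:\WINDOWS\system32\drivers location are assumptions of this example.

```python
import ntpath
import re
from collections import Counter

# Constructed input: the :filefind report quoted in post #7 above, embedded
# here so the script runs offline.
SYSTEMLOOK_LOG = r"""
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 22:32 on 17/12/2009 by Michael (Administrator - Elevation successful)

========== filefind ==========

Searching for "iastor.sys"
C:\drivers\storage\onboard\iastor.sys ------ 246784 bytes [20:51 18/10/2006] [09:59 06/07/2006] 019CF5F31C67030841233C545A0E217A
C:\i386\iaStor.sys ------ 246784 bytes [05:21 21/10/2006] [11:59 06/07/2006] 019CF5F31C67030841233C545A0E217A
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys ------ 484864 bytes [21:09 18/10/2006] [12:01 06/07/2006] 6A3C354BFC163B81F6EF2FC421280DB5
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys ------ 246784 bytes [21:09 18/10/2006] [11:59 06/07/2006] 019CF5F31C67030841233C545A0E217A
C:\WINDOWS\system32\drivers\iaStor.sys ------ 246784 bytes [20:51 18/10/2006] [11:59 06/07/2006] 3FC6A7CD55BEC429C49F699C39B7E7C4
C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\iaStor.sys ------ 246784 bytes [21:09 18/10/2006] [09:59 06/07/2006] 019CF5F31C67030841233C545A0E217A

-=End Of File=-
"""

# One hit line: <path> ------ <size> bytes [<mtime>] [<ctime>] <MD5>
HIT_RE = re.compile(
    r"^(?P<path>.+?) ------ (?P<size>\d+) bytes "
    r"\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] "
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Where the running driver lives: an assumption of this example (it matches
# the path ComboFix reported as infected earlier in this thread).
INSTALLED_DIR = r"c:\windows\system32\drivers"


def parse_filefind(log_text):
    """Return one dict per hit line; header, blank and footer lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hit = m.groupdict()
            hit["size"] = int(hit["size"])
            hit["md5"] = hit["md5"].upper()
            hits.append(hit)
    return hits


def triage_driver_copies(hits):
    """Compare the installed driver with every other copy of the same size.

    Copies of a different size (the 64-bit build here) are ignored: a size
    difference alone says nothing about tampering.  Among the same-size
    copies the most common MD5 is taken as the reference; if the installed
    file disagrees with it, that file is reported as suspect and the copies
    carrying the reference hash are reported as replacement candidates.
    Majority voting is only a heuristic, so prefer a candidate that came
    from the install-media trees (the onboard driver folder or i386) over
    one written later by a driver package.
    """
    installed = [h for h in hits if ntpath.dirname(h["path"]).lower() == INSTALLED_DIR]
    if not installed:
        return {"status": "installed copy not found", "suspect": [], "candidates": []}
    inst = installed[0]
    peers = [h for h in hits if h is not inst and h["size"] == inst["size"]]
    if not peers:
        return {"status": "no same-size copy to compare", "suspect": [], "candidates": []}
    reference_md5, _votes = Counter(h["md5"] for h in peers).most_common(1)[0]
    candidates = [h["path"] for h in peers if h["md5"] == reference_md5]
    if inst["md5"] == reference_md5:
        status, suspect = "installed copy matches reference", []
    else:
        status, suspect = "installed copy differs from reference", [inst["path"]]
    return {"status": status, "reference_md5": reference_md5,
            "suspect": suspect, "candidates": candidates}


if __name__ == "__main__":
    report = triage_driver_copies(parse_filefind(SYSTEMLOOK_LOG))
    print(report["status"])
    for path in report["suspect"]:
        print("  suspect:   ", path)
    for path in report["candidates"]:
        print("  candidate: ", path)
```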


#8 Ried
  • Malware Response Team
  • 1,009 posts
  • Gender:Male

Posted 17 December 2009 - 11:50 PM

Thank you. : )

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to the desktop of a nearby computer for reference as you will not have any browsers open while you are carrying out portions of these instructions.

We will need to use the Windows Recovery Console which ComboFix installed, and is available as a boot option when the machine starts. To start the Recovery Console:

1. Reboot your computer and as Windows starts it will present you with your startup options for exactly two seconds - you'll have to be quick - which in your case will be Microsoft Windows XP Professional and Microsoft Windows Recovery Console.

2. With the arrows keys on your keyboard select the option listed as Microsoft Windows Recovery Console and press the enter key on your keyboard.

3. The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press enter.

4. It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter.

5. You should now be presented with a C:\Windows> prompt.

At that prompt, type in the following bolded text:

cd system32\drivers

Press Enter (you should now be at C:\windows\system32\drivers> prompt)

ren iastor.sys iastor.old

Press Enter - If you receive a message similar to 'invalid parameter or bad command', ensure you have a space between ren and iastor.sys and another space between iastor.sys and iastor.old.


Next, type in the following bolded text:

copy C:\drivers\storage\onboard\iastor.sys c:\windows\system32\drivers\iastor.sys

Press Enter

You should see a message '1 file copied'. If you did not see that message, try again and ensure there is a space after the word copy and another space between the file paths.

If you did not see '1 file copied', leave it as it is and contact me from another computer.

If you did see '1 file copied', type in exit, press Enter, and the system will reboot.


=========================

Once it has completed booting up, open Notepad and copy/paste the contents of the quote box below into Notepad.

@echo off
@mbr -t
@start mbr.log

Save this as look.bat. Choose "Save type as - All Files".



Double click on look.bat and allow it to run, then please post the contents of the log it produces. *It would save me some time if you'd please copy/paste the report directly into the reply box unless otherwise requested. :(



#9 mossman_72
  • Topic Starter
  • Members
  • 16 posts

Posted 18 December 2009 - 12:11 AM

Ried,

Thanks for the response. I have attempted to start the service recovery console three times during boot up; however, when the recovery console attempts to start I get the Windows blue screen that displays "A problem has been detected and windows has been shut down to prevent damage to your computer." Any ideas on why the recovery console will not start?

The computer boots fine in normal mode.

Thanks

#10 Ried
  • Malware Response Team
  • 1,009 posts
  • Gender:Male

Posted 18 December 2009 - 12:14 AM

It's likely being caused by the hijacked hard disk controller. Do you have the Windows Install disc?



#11 mossman_72
  • Topic Starter
  • Members
  • 16 posts

Posted 18 December 2009 - 12:23 AM

Ried,

I have the Dell branded Windows XP SP2 Re-installation CD. Will this work?

Thanks

#12 Ried
  • Malware Response Team
  • 1,009 posts
  • Gender:Male

Posted 18 December 2009 - 12:49 AM

Ah, forgive me. I saw HP entries in your log and forgot this was a Dell machine. What you need to do is get into your BIOS (usually tapping F1 upon boot). See Access/Enter Motherboard BIOS for a list of manufacturers and the keyboard commands.

Find the SATA Menu and change it to Legacy mode (or ATA mode), or just disable AHCI (in the AHCI menu).

Try again to load the Recovery Console.



#13 mossman_72
  • Topic Starter
  • Members
  • 16 posts

Posted 18 December 2009 - 01:27 AM

Ried,

No problem at all. The only BIOS setting I see concerning the RAID is Auto Detect/ATA or RAID - current setting is RAID. I am guessing this is the place to disable the RAID? There is no AHCI menu in the BIOS.

Thanks

#14 Ried
  • Malware Response Team
  • 1,009 posts
  • Gender:Male

Posted 18 December 2009 - 01:34 AM

Do you currently have a RAID array setup? If not, then yes, go ahead and disable RAID. Do NOT do that if you have a RAID array.



#15 mossman_72
  • Topic Starter
  • Members
  • 16 posts

Posted 18 December 2009 - 01:40 AM

Ried,

Yes, I have a RAID array set up - it came that way from the factory. Thanks for the warning - I did think if I broke the RAID I would be re-installing... Any other possible solutions to get Service Console up and running?

Thank you



