
I have an infection


No replies to this topic

#1 janim4

janim4

  • Members
  • 1 posts

Posted 11 December 2009 - 10:55 AM

Hi, my name is Mike and I seem to have a similar problem to Baylor: h**p://www.bleepingcomputer.com/forums/topic274514.html.

When I open google in both Firefox 3.5.5 (default) and IE8 I often see a new tab open and a url to some ad site or suchlike.

When I click on a returned link from a Google search I sometimes get redirected to a site like h**p://rle822x.cn/gKV2XA9P6I5jZVS276c8fc0b6b17ea27769abe23c931d2aa25c. The h**p://rle822x.cn/ part is always common; this gets blocked by my Spyware Doctor.

I have run Malwarebytes' Anti-Malware with nothing detected.

Spyware Doctor has returned and quarantined Trojan.generic, trojan.FakeAlery and Backdoor.Delf.DIP.

I ran RootRepeal, Win32kDiag and the command DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt.

Results follow:

RootRepeal
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/11 15:44
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: jsyl.sys
Image Path: jsyl.sys
Address: 0xF6148000 Size: 54016 File Visible: No Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xEE7FC000 Size: 2560 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEC52E000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\mickey\application data\mozilla\firefox\profiles\3udupwra.default\sessionstore.js
Status: Size mismatch (API: 45550, Raw: 45251)

Path: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS12282.log
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS12283.log
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS12284.log
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS12285.log
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS12286.log
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS12287.log
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS12288.log
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS122D8.log
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS122D9.log
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS122DA.log
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS122DB.log
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS122DC.log
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\mickey\local settings\application data\mozilla\firefox\profiles\3udupwra.default\cache\_cache_001_
Status: Size mismatch (API: 1485442, Raw: 1484163)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf5f6ad72

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf5f4b9a6

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xf5f4bb98

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xf5f6b568

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xf5f6b820

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xf5f69a80

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xf5f6bc8a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xf5f6b036

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xf5f4b656

==EOF==

Win32kDiag:

Running from: C:\Documents and Settings\Mickey\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\Mickey\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...


Finished!

DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt:

Volume in drive C is winxp
Volume Serial Number is F02C-73D0

Directory of C:\WINDOWS\system32

14/04/2008 04:42 181,248 scecli.dll

Directory of C:\WINDOWS\system32

14/04/2008 04:42 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

14/04/2008 04:41 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32\dllcache

14/04/2008 04:42 181,248 scecli.dll

Directory of C:\WINDOWS\system32\dllcache

14/04/2008 04:42 407,040 netlogon.dll

Directory of C:\WINDOWS\system32\dllcache

14/04/2008 04:41 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
6 File(s) 1,289,216 bytes
0 Dir(s) 16,637,280,256 bytes free


Please advise on the next steps.

Thanking you in advance.

Mike
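As an added triage helper (not part of the post, and not RootRepeal's own tooling), this Python parses the report layout RootRepeal produces above and lists the entries an analyst would look at first. The sample report is a constructed excerpt modelled on the post's log, and the two heuristics (a loaded driver with no absolute image path whose file the API cannot see; SSDT hooks needing attribution to an installed product) are the example's assumptions, not verdicts on this machine.

```python
import re
# Constructed excerpt in RootRepeal's report layout, modelled on the post above (not the full log).
SAMPLE = """\
Drivers
-------------------
Name: jsyl.sys
Image Path: jsyl.sys
Address: 0xF6148000 Size: 54016 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xEC52E000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf5f6ad72
"""

def parse_report(text):
    """Return {section: [record, ...]}, each record a dict of that block's 'Key: value' fields."""
    sections, current, record = {}, None, {}
    lines = text.splitlines() + [""]                  # sentinel blank line flushes the last record
    for i, line in enumerate(lines):
        if line.startswith("----"):                   # the section name is the line above the rule
            current = lines[i - 1].strip()
            sections[current] = []
        elif not line.strip():
            if record:
                sections[current].append(record)
            record = {}
        elif current and ": " in line:
            # "Address: .. Size: .. File Visible: No Signed: -" and "#: 041 Function Name: X" pack
            # several fields on one line; every other line is a single "Key: value".
            multi = line.startswith(("Address:", "#:"))
            for key, val in (re.findall(r"([#A-Za-z ]+?): (\S+)", line) if multi else [line.split(": ", 1)]):
                record[key.strip()] = val.strip()
    return sections

def triage(text):
    """Heuristic first pass: (section, item, reason) tuples an analyst should examine first."""
    rep, out = parse_report(text), []
    for d in rep.get("Drivers", []):
        # A loaded driver with no on-disk path, whose file the API cannot see, needs explaining.
        if not re.match(r"[A-Za-z]:\\", d.get("Image Path", "")) and d.get("File Visible") == "No":
            out.append(("Drivers", d["Name"], "no absolute image path and file not visible"))
    # SSDT hooks are normal for an installed security product; the analyst confirms who owns each module.
    hookers = {m for h in rep.get("SSDT", []) for m in re.findall(r'Hooked by "([^"]+)"', h["Status"])}
    out += [("SSDT", mod, "hooks SSDT entries; confirm which installed product owns it") for mod in sorted(hookers)]
    return out
```

Run `triage(open("rootrepeal.txt").read())` on a saved report; the scanner's own rootrepeal.sys is not flagged because it has a full on-disk path.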
