
browser redirect / computer freezing


This topic is locked
8 replies to this topic

#1 benben2086

  • Members
  • 4 posts

Posted 07 January 2010 - 04:58 PM

I was having browser redirect problems earlier, both with Google searches and random redirects. I ran Malwarebytes' Anti-Malware and SUPERAntiSpyware, which removed some sort of trojan, but the redirects still come and go. Even when the redirects are gone, if I keep Firefox open for more than several minutes my computer freezes up and I have to do a hard reboot.

If I don't open my browser, my only problem is that the computer runs noticeably slower.

Please help, thank you!

DDS:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Ben at 15:10:59.01 on Wed 01/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.324 [GMT -8:00]

AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\TeamViewer\Version4\TeamViewer.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\zstatus.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Documents and Settings\Ben\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [hp 1000 firmware] c:\program files\hp laserjet 1000\fwdl.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ben\applic~1\mozilla\firefox\profiles\li2465av.default\
FF - prefs.js: browser.search.selectedEngine - GoogleCOM
FF - prefs.js: keyword.URL - hxxp://www.ffsearching.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - GoogleCOM
FF - user.js: keyword.URL - hxxp://www.ffsearching.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-22 207792]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-11-16 108792]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-11-16 735960]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-2-17 47640]
R2 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2009-1-19 185640]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-12-22 112592]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsauxs.exe --> c:\program files\spyware doctor\pctsAuxs.exe [?]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctssvc.exe --> c:\program files\spyware doctor\pctsSvc.exe [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-12-29 19:17:13 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-29 19:17:04 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-29 19:17:04 0 d-----w- c:\docume~1\ben\applic~1\SUPERAntiSpyware.com
2009-12-23 02:51:07 767952 ----a-w- c:\windows\BDTSupport.dll
2009-12-23 02:51:06 882 ----a-w- c:\windows\RegSDImport.xml
2009-12-23 02:51:06 880 ----a-w- c:\windows\RegISSImport.xml
2009-12-23 02:51:06 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-12-23 02:51:06 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-12-23 02:51:06 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-12-23 02:51:06 131 ----a-w- c:\windows\IDB.zip
2009-12-23 02:51:06 1152444 ----a-w- c:\windows\UDB.zip
2009-12-23 02:49:50 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-12-23 02:49:50 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-23 02:49:44 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-23 02:49:44 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-12-23 02:49:44 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-12-23 02:49:44 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-23 02:49:35 0 d-----w- c:\program files\common files\PC Tools
2009-12-23 02:49:34 0 d-----w- c:\program files\Spyware Doctor
2009-12-22 19:56:19 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-12-22 19:56:19 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-12-22 19:56:19 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-12-22 17:56:12 0 d-----w- c:\docume~1\ben\applic~1\Malwarebytes
2009-12-22 17:55:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-22 17:55:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-22 17:55:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-22 17:55:04 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-21 17:21:52 215920 ----a-w- c:\windows\system32\muweb.dll
2009-12-18 23:22:10 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-18 23:12:06 0 d-----w- c:\program files\Trend Micro
2009-12-18 22:46:29 0 d-----w- c:\docume~1\ben\applic~1\AVG8

==================== Find3M ====================

2009-11-24 22:15:20 70984 ----a-w- c:\documents and settings\ben\g2mdlhlpx.exe
2009-11-16 17:06:48 55768 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
2009-11-16 17:06:44 135048 ----a-w- c:\windows\system32\drivers\epfw.sys
2009-11-16 17:03:36 108792 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-11-16 16:56:12 116520 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

============= FINISH: 15:11:17.64 ===============


Here is the RootRepeal log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/06 15:15
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA596000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AFE000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA90F1000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: c:\windows\temp\htt11b.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x85ce28a0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x85ce1cb0

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x85ce20d0

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x85ce26d0

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x85ce24f0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x85ce1ee0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x85ce2310

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x858f2540]
Process: System Address: 0x85ce0930 Size: 1000

Object: Hidden Code [Driver: PCTCore, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85fa2178 Size: 31

==EOF==
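The two reports above carry the findings a responder looks at first: RootRepeal's "MBR Rootkit Detected!" verdict and SSDT entries hooked by an unattributed module, and the Firefox keyword.URL pref that DDS shows pointing at ffsearching.com. The following triage helper is an added example, not part of the thread and not code from DDS, RootRepeal or BleepingComputer; it parses both report formats on the constructed excerpts embedded below and lists those items in severity order. The trusted-host list is an assumption for illustration.

```python
"""Triage helper for the RootRepeal and DDS excerpts posted above.

Added example, not part of the thread and not code from RootRepeal, DDS or
BleepingComputer: it parses both report formats and lists the items a
malware responder would look at first: the MBR rootkit verdict, SSDT
entries hooked by an unknown module, and a Firefox keyword.URL search
pref that points somewhere other than the expected search host.
"""
import re
from dataclasses import dataclass

# Constructed subset of the RootRepeal report from the first post.
ROOTREPEAL_LOG = """\
Hidden/Locked Files
-------------------
Path: Volume C:\\
Status: MBR Rootkit Detected!

Path: c:\\windows\\temp\\htt11b.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x85ce28a0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x85ce1cb0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x85ce1ee0
"""

# Firefox pref lines exactly as DDS prints them in the first post.
DDS_FF_LINES = """\
FF - prefs.js: browser.search.selectedEngine - GoogleCOM
FF - prefs.js: keyword.URL - hxxp://www.ffsearching.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - user.js: keyword.URL - hxxp://www.ffsearching.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
"""

SECTION_HEADER = re.compile(r"^(.+)\n-{5,}\n", re.M)
SSDT_ENTRY = re.compile(
    r'#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\w+)\s*\n'
    r'Status:\s*Hooked by "(?P<module>[^"]*)" at address (?P<addr>0x[0-9a-fA-F]+)'
)
HIDDEN_ENTRY = re.compile(r"Path:\s*(?P<path>.+?)\s*\nStatus:\s*(?P<status>.+)")
FF_PREF = re.compile(r"^FF - (?P<file>\S+): (?P<pref>\S+) - (?P<value>.+)$", re.M)


@dataclass(frozen=True)
class Finding:
    severity: str   # "critical" or "warning"
    source: str     # which report the line came from
    detail: str


def split_sections(text):
    """Map RootRepeal section title -> body, using its 'Title\\n-----' headers."""
    parts = SECTION_HEADER.split(text)  # [preamble, title1, body1, title2, body2, ...]
    return {parts[i].strip(): parts[i + 1] for i in range(1, len(parts) - 1, 2)}


def unknown_ssdt_hooks(text):
    """SSDT entries whose hooking module RootRepeal could not attribute."""
    body = split_sections(text).get("SSDT", "")
    return [m.groupdict() for m in SSDT_ENTRY.finditer(body) if m["module"] == "<unknown>"]


def hidden_file_entries(text):
    """(path, status) pairs from the Hidden/Locked Files section."""
    body = split_sections(text).get("Hidden/Locked Files", "")
    return [(m["path"], m["status"]) for m in HIDDEN_ENTRY.finditer(body)]


def search_pref_hosts(text, trusted_hosts=("www.google.com",)):
    """keyword.URL prefs whose host is not in trusted_hosts, as (file, host)."""
    out = []
    for m in FF_PREF.finditer(text):
        if m["pref"] != "keyword.URL":
            continue
        # DDS defangs URLs as hxxp; strip either scheme before taking the host.
        host = re.sub(r"^hxxps?://|^https?://", "", m["value"]).split("/")[0]
        if host not in trusted_hosts:
            out.append((m["file"], host))
    return out


def triage(rootrepeal_text, dds_text):
    """Collect findings from both reports, most severe first."""
    findings = []
    for path, status in hidden_file_entries(rootrepeal_text):
        sev = "critical" if "MBR Rootkit" in status else "warning"
        findings.append(Finding(sev, "RootRepeal", f"{status} ({path})"))
    for hook in unknown_ssdt_hooks(rootrepeal_text):
        findings.append(Finding("warning", "RootRepeal",
                                f"SSDT #{hook['index']} {hook['func']} hooked at {hook['addr']}"))
    for file, host in search_pref_hosts(dds_text):
        findings.append(Finding("critical", "DDS", f"Firefox {file} keyword.URL -> {host}"))
    order = {"critical": 0, "warning": 1}
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in triage(ROOTREPEAL_LOG, DDS_FF_LINES):
        print(f"[{f.severity:8}] {f.source}: {f.detail}")
```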


#2 pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 14 January 2010 - 11:56 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review them and take the steps necessary with you to get your machine back in working order, clean and free of malware.


If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
PW

#3 benben2086

  • Topic Starter
  • Members
  • 4 posts

Posted 15 January 2010 - 04:23 PM

Thanks for your response.

Contents of DDR scan as follows:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Ben at 13:14:00.67 on Fri 01/15/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.448 [GMT -8:00]

AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\TeamViewer\Version4\TeamViewer.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\zstatus.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Documents and Settings\Ben\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [hp 1000 firmware] c:\program files\hp laserjet 1000\fwdl.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ben\applic~1\mozilla\firefox\profiles\li2465av.default\
FF - prefs.js: browser.search.selectedEngine - GoogleCOM
FF - prefs.js: keyword.URL - hxxp://www.ffsearching.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - GoogleCOM
FF - user.js: keyword.URL - hxxp://www.ffsearching.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-22 207792]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-11-16 108792]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-11-16 735960]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-2-17 47640]
R2 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2009-1-19 185640]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-12-22 112592]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsauxs.exe --> c:\program files\spyware doctor\pctsAuxs.exe [?]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctssvc.exe --> c:\program files\spyware doctor\pctsSvc.exe [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-12-29 19:17:13 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-29 19:17:04 0 d-----w- c:\docume~1\ben\applic~1\SUPERAntiSpyware.com
2009-12-23 02:51:07 767952 ----a-w- c:\windows\BDTSupport.dll
2009-12-23 02:51:06 882 ----a-w- c:\windows\RegSDImport.xml
2009-12-23 02:51:06 880 ----a-w- c:\windows\RegISSImport.xml
2009-12-23 02:51:06 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-12-23 02:51:06 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-12-23 02:51:06 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-12-23 02:51:06 131 ----a-w- c:\windows\IDB.zip
2009-12-23 02:51:06 1152444 ----a-w- c:\windows\UDB.zip
2009-12-23 02:49:50 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-12-23 02:49:50 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-23 02:49:44 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-23 02:49:44 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-12-23 02:49:44 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-12-23 02:49:44 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-23 02:49:35 0 d-----w- c:\program files\common files\PC Tools
2009-12-23 02:49:34 0 d-----w- c:\program files\Spyware Doctor
2009-12-22 19:56:19 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-12-22 19:56:19 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-12-22 19:56:19 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-12-22 17:56:12 0 d-----w- c:\docume~1\ben\applic~1\Malwarebytes
2009-12-22 17:55:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-22 17:55:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-22 17:55:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-22 17:55:04 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-21 17:21:52 215920 ----a-w- c:\windows\system32\muweb.dll
2009-12-18 23:22:10 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-18 23:12:06 0 d-----w- c:\program files\Trend Micro
2009-12-18 22:46:29 0 d-----w- c:\docume~1\ben\applic~1\AVG8

==================== Find3M ====================

2009-11-24 22:15:20 70984 ----a-w- c:\documents and settings\ben\g2mdlhlpx.exe
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll

============= FINISH: 13:14:19.21 ===============

Attach.zip has been attached to this post.

Ben


#4 sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 16 January 2010 - 10:31 AM

Hi benben2086,

Welcome to BleepingComputer HijackThis Logs and Malware Removal.
My name is sundavis, and I will be helping you to deal with your malware problems today.


Step 1

  1. Go to this thread and download TDSSKiller.zip to your desktop.
  2. Extract its contents to your desktop and drag TDSSKiller.exe onto the desktop, not into the folder.
  3. Start > Run, copy/paste the following bolded command into the Run box and hit Enter.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  4. If TDSSKiller alerts you that the system needs to reboot, please consent.
  5. When done, a log file should be created on your C: drive named "TDSSKiller.txt". Please copy and paste its contents in your next reply.


Step 2

  1. If you already have ComboFix, please delete that copy and download it again, as it is being updated regularly.
  2. Please visit this webpage for download links and instructions for running the tool:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  3. Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  4. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  5. Click Yes to allow ComboFix to continue scanning for malware.
  6. When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.
  7. Do not mouse-click on ComboFix while it is running. That may cause it to stall.


Step 3

Please download GMER Rootkit Scanner from Here or Here.
  1. Extract the contents of the zipped file to the desktop.
  2. Double-click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  3. If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
  4. In the right panel, you will see several boxes that have been checked. Uncheck the following:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  5. Then click the Scan button and wait for it to finish. For more info, go to Here for your reference.
  6. Once done, click on the [Save..] button, type "Gmer.txt" in the File name area, and copy and paste the contents in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.



In your next reply, please post back:

  1. TDSSKiller log
  2. ComboFix log
  3. GMER log

Thanks


#5 benben2086

  • Topic Starter
  • Members
  • 4 posts

Posted 21 January 2010 - 04:12 PM

Hi there sundavis,

Please see the logs below:

TDSSKiller log:

14:25:36:468 2228 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
14:25:36:468 2228 ================================================================================
14:25:36:468 2228 SystemInfo:

14:25:36:468 2228 OS Version: 5.1.2600 ServicePack: 3.0
14:25:36:468 2228 Product type: Workstation
14:25:36:468 2228 ComputerName: USER-01C05730DF
14:25:36:468 2228 UserName: Ben
14:25:36:468 2228 Windows directory: C:\WINDOWS
14:25:36:468 2228 Processor architecture: Intel x86
14:25:36:468 2228 Number of processors: 2
14:25:36:468 2228 Page size: 0x1000
14:25:36:468 2228 Boot type: Normal boot
14:25:36:468 2228 ================================================================================
14:25:36:468 2228 UnloadDriverW: NtUnloadDriver error 2
14:25:36:468 2228 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
14:25:36:468 2228 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
14:25:36:562 2228 UtilityInit: KLMD drop and load success
14:25:36:562 2228 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
14:25:36:562 2228 UtilityInit: KLMD open success
14:25:36:562 2228 UtilityInit: Initialize success
14:25:36:562 2228
14:25:36:562 2228 Scanning Services ...
14:25:36:562 2228 CreateRegParser: Registry parser init started
14:25:36:562 2228 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
14:25:36:562 2228 CreateRegParser: DisableWow64Redirection error
14:25:36:562 2228 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
14:25:36:562 2228 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
14:25:36:562 2228 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:25:36:562 2228 wfopen_ex: Trying to KLMD file open
14:25:36:562 2228 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
14:25:36:562 2228 wfopen_ex: File opened ok (Flags 2)
14:25:36:562 2228 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 384D90
14:25:36:562 2228 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
14:25:36:562 2228 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
14:25:36:562 2228 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:25:36:562 2228 wfopen_ex: Trying to KLMD file open
14:25:36:562 2228 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
14:25:36:562 2228 wfopen_ex: File opened ok (Flags 2)
14:25:36:562 2228 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 384C80
14:25:36:562 2228 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
14:25:36:562 2228 CreateRegParser: EnableWow64Redirection error
14:25:36:562 2228 CreateRegParser: RegParser init completed
14:25:36:906 2228 GetAdvancedServicesInfo: Raw services enum returned 321 services
14:25:36:906 2228 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
14:25:36:921 2228 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
14:25:36:921 2228
14:25:36:921 2228 Scanning Kernel memory ...
14:25:36:921 2228 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
14:25:36:921 2228 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8658CA08
14:25:36:921 2228 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
14:25:36:921 2228
14:25:36:921 2228 DetectCureTDL3: DEVICE_OBJECT: 86556C68
14:25:36:921 2228 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86556C68
14:25:36:921 2228 KLMD_ReadMem: Trying to ReadMemory 0x86556C68[0x38]
14:25:36:921 2228 DetectCureTDL3: DRIVER_OBJECT: 8658CA08
14:25:36:921 2228 KLMD_ReadMem: Trying to ReadMemory 0x8658CA08[0xA8]
14:25:36:921 2228 KLMD_ReadMem: Trying to ReadMemory 0xE1467868[0x18]
14:25:36:921 2228 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
14:25:36:921 2228 DetectCureTDL3: IrpHandler (0) addr: F7604BB0
14:25:36:921 2228 DetectCureTDL3: IrpHandler (1) addr: 804F4562
14:25:36:921 2228 DetectCureTDL3: IrpHandler (2) addr: F7604BB0
14:25:36:921 2228 DetectCureTDL3: IrpHandler (3) addr: F75FED1F
14:25:36:921 2228 DetectCureTDL3: IrpHandler (4) addr: F75FED1F
14:25:36:921 2228 DetectCureTDL3: IrpHandler (5) addr: 804F4562
14:25:36:921 2228 DetectCureTDL3: IrpHandler (6) addr: 804F4562
14:25:36:921 2228 DetectCureTDL3: IrpHandler (7) addr: 804F4562
14:25:36:921 2228 DetectCureTDL3: IrpHandler (8) addr: 804F4562
14:25:36:921 2228 DetectCureTDL3: IrpHandler (9) addr: F75FF2E2
14:25:36:921 2228 DetectCureTDL3: IrpHandler (10) addr: 804F4562
14:25:36:921 2228 DetectCureTDL3: IrpHandler (11) addr: 804F4562
14:25:36:921 2228 DetectCureTDL3: IrpHandler (12) addr: 804F4562
14:25:36:921 2228 DetectCureTDL3: IrpHandler (13) addr: 804F4562
14:25:36:921 2228 DetectCureTDL3: IrpHandler (14) addr: F75FF3BB
14:25:36:921 2228 DetectCureTDL3: IrpHandler (15) addr: F7602F28
14:25:36:921 2228 DetectCureTDL3: IrpHandler (16) addr: F75FF2E2
14:25:36:921 2228 DetectCureTDL3: IrpHandler (17) addr: 804F4562
14:25:36:921 2228 DetectCureTDL3: IrpHandler (18) addr: 804F4562
14:25:36:921 2228 DetectCureTDL3: IrpHandler (19) addr: 804F4562
14:25:36:921 2228 DetectCureTDL3: IrpHandler (20) addr: 804F4562
14:25:36:921 2228 DetectCureTDL3: IrpHandler (21) addr: 804F4562
14:25:36:921 2228 DetectCureTDL3: IrpHandler (22) addr: F7600C82
14:25:36:921 2228 DetectCureTDL3: IrpHandler (23) addr: F760599E
14:25:36:921 2228 DetectCureTDL3: IrpHandler (24) addr: 804F4562
14:25:36:921 2228 DetectCureTDL3: IrpHandler (25) addr: 804F4562
14:25:36:921 2228 DetectCureTDL3: IrpHandler (26) addr: 804F4562
14:25:36:921 2228 TDL3_FileDetect: Processing driver: Disk
14:25:36:921 2228 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
14:25:36:921 2228 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
14:25:36:937 2228 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
14:25:36:937 2228
14:25:36:937 2228 DetectCureTDL3: DEVICE_OBJECT: 8652FAB8
14:25:36:937 2228 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8652FAB8
14:25:36:937 2228 DetectCureTDL3: DEVICE_OBJECT: 8655B9D0
14:25:36:937 2228 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8655B9D0
14:25:36:937 2228 DetectCureTDL3: DEVICE_OBJECT: 865A4030
14:25:36:937 2228 KLMD_GetLowerDeviceObject: Trying to get lower device object for 865A4030
14:25:36:937 2228 KLMD_ReadMem: Trying to ReadMemory 0x865A4030[0x38]
14:25:36:937 2228 DetectCureTDL3: DRIVER_OBJECT: 8655B308
14:25:36:937 2228 KLMD_ReadMem: Trying to ReadMemory 0x8655B308[0xA8]
14:25:36:937 2228 KLMD_ReadMem: Trying to ReadMemory 0xE1483AF8[0x1A]
14:25:36:937 2228 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
14:25:36:937 2228 DetectCureTDL3: IrpHandler (0) addr: F740B6F2
14:25:36:937 2228 DetectCureTDL3: IrpHandler (1) addr: 804F4562
14:25:36:937 2228 DetectCureTDL3: IrpHandler (2) addr: F740B6F2
14:25:36:937 2228 DetectCureTDL3: IrpHandler (3) addr: 804F4562
14:25:36:937 2228 DetectCureTDL3: IrpHandler (4) addr: 804F4562
14:25:36:937 2228 DetectCureTDL3: IrpHandler (5) addr: 804F4562
14:25:36:937 2228 DetectCureTDL3: IrpHandler (6) addr: 804F4562
14:25:36:937 2228 DetectCureTDL3: IrpHandler (7) addr: 804F4562
14:25:36:937 2228 DetectCureTDL3: IrpHandler (8) addr: 804F4562
14:25:36:937 2228 DetectCureTDL3: IrpHandler (9) addr: 804F4562
14:25:36:937 2228 DetectCureTDL3: IrpHandler (10) addr: 804F4562
14:25:36:937 2228 DetectCureTDL3: IrpHandler (11) addr: 804F4562
14:25:36:937 2228 DetectCureTDL3: IrpHandler (12) addr: 804F4562
14:25:36:937 2228 DetectCureTDL3: IrpHandler (13) addr: 804F4562
14:25:36:937 2228 DetectCureTDL3: IrpHandler (14) addr: F740B712
14:25:36:937 2228 DetectCureTDL3: IrpHandler (15) addr: F7407852
14:25:36:937 2228 DetectCureTDL3: IrpHandler (16) addr: 804F4562
14:25:36:937 2228 DetectCureTDL3: IrpHandler (17) addr: 804F4562
14:25:36:937 2228 DetectCureTDL3: IrpHandler (18) addr: 804F4562
14:25:36:937 2228 DetectCureTDL3: IrpHandler (19) addr: 804F4562
14:25:36:937 2228 DetectCureTDL3: IrpHandler (20) addr: 804F4562
14:25:36:937 2228 DetectCureTDL3: IrpHandler (21) addr: 804F4562
14:25:36:937 2228 DetectCureTDL3: IrpHandler (22) addr: F740B73C
14:25:36:937 2228 DetectCureTDL3: IrpHandler (23) addr: F7412336
14:25:36:937 2228 DetectCureTDL3: IrpHandler (24) addr: 804F4562
14:25:36:937 2228 DetectCureTDL3: IrpHandler (25) addr: 804F4562
14:25:36:937 2228 DetectCureTDL3: IrpHandler (26) addr: 804F4562
14:25:36:937 2228 KLMD_ReadMem: Trying to ReadMemory 0xF7408864[0x400]
14:25:36:937 2228 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
14:25:36:937 2228 TDL3_FileDetect: Processing driver: atapi
14:25:36:937 2228 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
14:25:36:937 2228 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
14:25:36:953 2228 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
14:25:36:953 2228
14:25:36:953 2228 Completed
14:25:36:953 2228
14:25:36:953 2228 Results:
14:25:36:953 2228 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
14:25:36:953 2228 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:25:36:953 2228 File objects infected / cured / cured on reboot: 0 / 0 / 0
14:25:36:953 2228
14:25:36:953 2228 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
14:25:36:953 2228 UtilityDeinit: KLMD(ARK) unloaded successfully


Combofix log:

ComboFix 10-01-19.03 - Ben 01/19/2010 15:18:27.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.694 [GMT -8:00]
Running from: c:\documents and settings\Ben\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_004582_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2009-12-19 to 2010-01-19 )))))))))))))))))))))))))))))))
.

2010-01-05 22:38 . 2010-01-05 22:38 -------- d-----w- c:\documents and settings\Ben\Local Settings\Application Data\Opera
2010-01-05 22:38 . 2010-01-05 22:38 -------- d-----w- c:\program files\Opera
2009-12-29 19:17 . 2009-12-29 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-29 19:17 . 2009-12-31 02:30 -------- d-----w- c:\documents and settings\Ben\Application Data\SUPERAntiSpyware.com
2009-12-23 02:51 . 2009-11-10 18:26 767952 ----a-w- c:\windows\BDTSupport.dll
2009-12-23 02:51 . 2009-11-10 18:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-12-23 02:51 . 2009-11-10 18:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-12-23 02:51 . 2009-11-10 18:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-12-23 02:51 . 2009-10-28 09:36 1152444 ----a-w- c:\windows\UDB.zip
2009-12-23 02:51 . 2008-11-26 20:08 131 ----a-w- c:\windows\IDB.zip
2009-12-23 02:49 . 2009-10-30 19:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-23 02:49 . 2009-11-09 19:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-23 02:49 . 2009-10-07 00:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-23 02:49 . 2009-12-23 20:14 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-23 02:49 . 2009-12-23 20:16 -------- d-----w- c:\program files\Spyware Doctor
2009-12-23 02:49 . 2010-01-19 23:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-22 19:56 . 2003-03-18 21:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-12-22 19:56 . 2003-03-18 20:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-12-22 19:56 . 2003-02-21 03:42 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-12-22 19:56 . 2009-12-22 19:56 -------- d-----w- c:\program files\Alwil Software
2009-12-22 17:56 . 2009-12-22 17:56 -------- d-----w- c:\documents and settings\Ben\Application Data\Malwarebytes
2009-12-22 17:55 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-22 17:55 . 2009-12-22 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-22 17:55 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-22 17:55 . 2010-01-08 17:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-21 17:21 . 2009-08-07 03:23 215920 ----a-w- c:\windows\system32\muweb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-19 22:32 . 2009-03-19 17:43 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-19 17:25 . 2009-02-17 18:55 -------- d-----w- c:\program files\LogMeIn
2010-01-14 19:12 . 2009-12-18 23:22 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-13 17:55 . 2009-02-17 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-13 17:39 . 2009-02-17 21:58 -------- d-----w- c:\program files\QuoteTracker
2010-01-08 17:40 . 2009-12-31 17:33 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-23 22:28 . 2009-09-28 21:40 -------- d-----w- c:\program files\BitComet
2009-12-23 17:49 . 2009-02-17 17:42 -------- d-----w- c:\documents and settings\Ben\Application Data\Share-to-Web Upload Folder
2009-12-18 23:13 . 2009-03-06 23:54 -------- d-----w- c:\program files\pdfforge Toolbar
2009-12-18 23:12 . 2009-12-18 23:12 -------- d-----w- c:\program files\Trend Micro
2009-12-18 22:46 . 2009-12-18 22:46 -------- d-----w- c:\documents and settings\Ben\Application Data\AVG8
2009-12-18 21:38 . 2009-04-20 19:14 -------- d-----w- c:\documents and settings\Ben\Application Data\Paltalk
2009-12-18 01:33 . 2009-02-18 01:50 -------- d-----w- c:\program files\NJStar Communicator
2009-12-09 19:06 . 2009-12-09 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-12-03 02:45 . 2009-12-03 02:45 -------- d-----w- c:\documents and settings\Ben\Application Data\ESET
2009-12-03 02:44 . 2009-02-16 03:22 -------- d-----w- c:\program files\ESET
2009-11-24 22:15 . 2009-11-24 22:15 -------- d-----w- c:\program files\Citrix
2009-11-24 22:15 . 2009-12-18 20:19 70984 ----a-w- c:\documents and settings\HelpAssistant\g2mdlhlpx.exe
2009-11-24 22:15 . 2009-11-24 22:15 70984 ----a-w- c:\documents and settings\Ben\g2mdlhlpx.exe
2009-11-21 15:51 . 2006-02-28 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-18 17:51 . 2009-02-17 19:02 69816 ----a-w- c:\documents and settings\Ben\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-16 17:06 . 2009-11-16 17:06 55768 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
2009-11-16 17:06 . 2009-11-16 17:06 135048 ----a-w- c:\windows\system32\drivers\epfw.sys
2009-11-16 16:56 . 2009-11-16 16:56 116520 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-10-29 07:45 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"hp 1000 firmware"="c:\program files\hp LaserJet 1000\fwdl.exe" [2001-12-15 36864]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-25 63048]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-2-17 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-01 16:45 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
2009-11-16 17:03 2054360 ----a-w- c:\program files\ESET\ESET Smart Security\egui.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10662:TCP"= 10662:TCP:BitComet 10662 TCP
"10662:UDP"= 10662:UDP:BitComet 10662 UDP
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [12/22/2009 6:49 PM 207792]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 6:46 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2/17/2009 10:55 AM 47640]
R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [1/19/2009 2:18 AM 185640]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [12/22/2009 6:51 PM 112592]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe --> c:\program files\Spyware Doctor\pctsAuxs.exe [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Ben\Application Data\Mozilla\Firefox\Profiles\li2465av.default\
FF - prefs.js: browser.search.selectedEngine - GoogleCOM
FF - prefs.js: keyword.URL - hxxp://www.ffsearching.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - GoogleCOM
FF - user.js: keyword.URL - hxxp://www.ffsearching.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-19 15:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85F20590]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7602f28
\Driver\ACPI -> ACPI.sys @ 0xf7475cb8
\Driver\atapi -> atapi.sys @ 0xf7407852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0x85d16690
PacketIndicateHandler -> NDIS.sys @ 0xf7309a21
SendHandler -> NDIS.sys @ 0xf72e787b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(3024)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\TeamViewer\Version4\TeamViewer.exe
c:\windows\system32\wscntfy.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\windows\system32\zstatus.exe
.
**************************************************************************
.
Completion time: 2010-01-19 15:32:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-19 23:32

Pre-Run: 301,641,359,360 bytes free
Post-Run: 301,960,249,344 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 4F0E17DADA16EA2D68D5CE20BE116B1C


GMer:

I had difficulty getting through this one, as my computer would freeze, or one time it went to a blue screen with the msg:

"A problem has been detected and windows has been shut down to prevent damage to your computer.

DRIVER_IRQL_NOT_LESS_OR_EQUAL

If this is the first time you've seen this error screen..."

And actually, this was the 2nd time I saw this error.

Sorry, I was not able to post the GMer file. I will try again, but thought I would post the other two logs first.

Thanks for your help.

Ben
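The ComboFix log above shows keyword.URL in both prefs.js and user.js pointing at www.ffsearching.com, which matches the search redirects described in the first post. As an added example (not from this thread or from any of the tools used in it), here is a small Python checker that parses Firefox prefs.js/user.js lines and flags search-related preferences whose URL host is outside an allowlist; the sample profile text and the allowlist (only google.com appears on this page) are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# One Firefox preference line looks like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Preferences that decide where address-bar keywords and searches are sent.
SEARCH_PREFS = (
    "keyword.URL",
    "browser.search.defaulturl",
    "browser.search.selectedEngine",
    "browser.startup.homepage",
)

# Assumption: hosts the analyst considers legitimate search destinations.
# Only google.com appears in the thread's logs; extend as appropriate.
ALLOWED_HOSTS = {"www.google.com", "google.com"}

# Constructed sample modelled on the ComboFix "FIREFOX POLICIES" lines above;
# not a real profile dump (the log had defanged the URL as hxxp://).
SAMPLE_USER_JS = """\
// Mozilla User Preferences
user_pref("browser.search.selectedEngine", "GoogleCOM");
user_pref("keyword.URL", "http://www.ffsearching.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=");
user_pref("yahoo.homepage.dontask", true);
user_pref("browser.startup.homepage", "http://www.google.com/");
"""


def parse_prefs(text):
    """Return {name: value} for every user_pref line in prefs.js/user.js text.

    Quoted strings are unquoted, true/false become bool, integers become int;
    anything else is kept as the raw token. Comments and blank lines are skipped.
    """
    prefs = {}
    for line in text.splitlines():
        match = PREF_RE.match(line)
        if not match:
            continue
        name, raw = match.group(1), match.group(2).strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def find_search_hijacks(prefs, allowed_hosts=ALLOWED_HOSTS):
    """Return [(pref_name, host)] for search prefs whose URL host is not allowed."""
    findings = []
    for name in SEARCH_PREFS:
        value = prefs.get(name)
        if not isinstance(value, str):
            continue
        # Logs pasted into forums defang URLs as hxxp://; undo that so the
        # checker also works on copied log text, not only on the real file.
        url = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
        host = urlparse(url).hostname
        if host is None:
            continue  # e.g. selectedEngine holds an engine name, not a URL
        if host.lower() not in allowed_hosts:
            findings.append((name, host.lower()))
    return findings


def check_prefs_text(text, allowed_hosts=ALLOWED_HOSTS):
    """Convenience wrapper: parse prefs text and return the hijack findings."""
    return find_search_hijacks(parse_prefs(text), allowed_hosts)


if __name__ == "__main__":
    for pref, host in check_prefs_text(SAMPLE_USER_JS):
        print(f"{pref} points at {host}, which is not an allowed search host")
```

Run it against the prefs.js and user.js of a profile; a non-empty result for keyword.URL is the kind of entry GooredFix and a Firefox reinstall were later used to clear in this thread.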

#6 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:04:20 AM

Posted 21 January 2010 - 11:24 PM

Hi benben2086,



QUOTE
Sorry, I was not able to post the GMer file.

That's OK. You may skip the Gmer part, and we will use RootRepeal instead.

Step1

Start RootRepeal from your desktop, and rescan your computer as instructed in this thread.

When done, click the Files tab in the bottom right and locate File Path: Volume C:\ and Status: MBR Rootkit Detected!

Right-click Volume C:\, and select Restore and Reboot Immediately as instructed in this thread. After that, rescan the computer and post the contents in your next reply.


Step2

Please download GooredFix from one of the locations below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
Step3

I notice you have MBAM installed on your system. Please rerun it as instructed below. Update your virus definitions before proceeding. If you can't update the program, you can download the virus definitions from Here and install them manually.
  1. Double-click mbam-setup.exe to install the application.
  2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  3. If an update is found, it will download and install the latest version.
  4. Once the program has loaded, select "Perform Quick Scan", then click Scan.
  5. The scan may take some time to finish, so please be patient.
  6. When the scan is complete, click OK, then Show Results to view the results.
  7. Make sure that everything is checked, and click Remove Selected.
  8. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  9. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  10. You can refer to this tutorial.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Since your Firefox can't work properly, you're well advised to uninstall FF completely and do a clean reinstall. You may back up your bookmarks before proceeding. Please go to Here and Here.


In your next reply, please post back:

1. RootRepeal log
2. GooredFix log
3. MBAM log

Tell me if you have any remaining issues on your pc.

Edited by sundavis, 21 January 2010 - 11:28 PM.


#7 benben2086

benben2086
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:01:20 AM

Posted 25 January 2010 - 05:44 PM

Hi sundavis,

Please see logs:

Rootrepeal:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/25 13:10
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA6BE000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B02000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA95B9000 Size: 49152 File Visible: No Signed: -
Status: -

==EOF==

Goored:

GooredFix by jpshortstuff (08.01.10.1)
Log created at 13:16 on 25/01/2010 (Ben)
Firefox version 3.5.7 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [22:31 23/12/2009]
{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} [21:31 13/03/2009]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [00:41 07/09/2009]

C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\li2465av.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [18:32 02/09/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [02:35 18/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [21:31 13/03/2009]

-=E.O.F=-

MBAM:

Malwarebytes' Anti-Malware 1.44
Database version: 3638
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/25/2010 2:18:52 PM
mbam-log-2010-01-25 (14-18-52).txt

Scan type: Quick Scan
Objects scanned: 132571
Time elapsed: 6 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Will let you know if there are any more problems with my computer; so far so good.

Thank you,

Ben

#8 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:04:20 AM

Posted 25 January 2010 - 11:35 PM

Hi benben2086,


Go into the Control Panel (Classic View) and double-click the Java icon (it looks like a coffee cup). Click on the Update tab and press the Update Now button to upgrade to the new Java version, and clear your Java cache as instructed in this thread.

Other than that, your logs appear clean now. If you have no remaining issues on your pc, let's do some tidying up and we can send you on your way.


Step1

Click START then RUN
Now copy/paste ComboFix /Uninstall in the run box and click OK.
Note the space between the x and the /Uninstall; it needs to be there.



This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Step2

Download OTC by OldTimer and save it to your desktop.
  1. Double click OTC and let it run
  2. Then Click the Cleanup button.
  3. You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  4. Restart your computer when prompted.

Please delete the tools and logs we have used. Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:
  1. Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  2. Update all programs regularly - Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  3. Back up your valid registry - ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore it if needed. Due to malware effects, a corrupt registry can prevent a system from booting. You're well advised to back up your valid registry while the system is clean now. For more info: Here and Here.


Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here on how to prevent malware.


Glad to be of help. Safe surfing!!

#9 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:04:20 AM

Posted 30 January 2010 - 10:33 PM

Since this issue appears resolved ... this Topic is closed.

Glad we could help.

Everyone else please begin a New Topic.




