
Search Engine Redirect + Can't run Trend Micro


  • This topic is locked
2 replies to this topic

#1 ransim

ransim

  • Members
  • 2 posts
  • OFFLINE
  • Local time:11:29 PM

Posted 08 January 2010 - 10:52 AM

This started yesterday. I ran Malwarebytes and found trojan.dropper and removed it. However I'm still having the redirect issue (in both IE and Firefox and all search engines), I can't get any pages to load in Chrome at all (like it has no connection). I also can't run a Trend Micro Scan, and it fails with an error on boot.

On a side note, I also can't seem to run Eclipse either; I get what appears to be a JVM error, so it seems like whatever this is, is blocking certain things from loading properly on my machine. Thanks for the help, this is very frustrating and I can't get anything done.


DDS (Ver_09-12-01.01) - NTFSx86
Run by mwheel at 10:28:12.63 on Fri 01/08/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2102 [GMT -5:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {FB5A545E-78AE-4297-81D8-4AA3FE707C91}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PNUpdate.exe
C:\WINDOWS\ProPatches\Scheduler\STSchedEx.exe
C:\WINDOWS\TIREMOTE\wuser32.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\DOCUME~1\mwheel\LOCALS~1\Temp\ppopup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\mwheel\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Trend Micro\OfficeScan Client\Temp\pccntupd.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\d755..2dc0_1929ee7691be43f4_0008.0000_be3737a248a6a8aa\TechnicianClient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\mwheel\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: IE7Pro BHO: {00011268-e188-40df-a514-835fcd78b1bf} - c:\program files\iepro\iepro.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: DebugBar BHO: {69fc0024-10eb-480a-bbf2-3bf4e78e17b1} - c:\program files\core services\debugbar\DebugInfoBar.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: IE Developer Toolbar BHO: {cc7e636d-39aa-49b6-b511-65413da137a1} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: DebugBar: {3e1201f4-1707-409f-bb45-a5f192381da0} - c:\program files\core services\debugbar\DebugToolBar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {A057A204-BACC-4D26-8287-79A187E26987} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: IE Developer Toolbar: {a202b231-ef71-4a08-bdb9-4ce5ae8bde0a} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
EB: Developer Tools: {1a6fe369-f28c-4ad9-a3e6-2bcb50807cf1} - c:\program files\internet explorer\iedvtool.dll
EB: DebugBar: {947e34e9-1d85-43cb-9cbf-5c492118fdd5} - c:\program files\core services\debugbar\DebugInfoBar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\mwheel\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [pnuprdp] c:\windows\system32\rundll32 c:\windows\system32\pnuprdp.dll,RegisterVirtualChannel
mRun: [pnupica] c:\windows\system32\rundll32 c:\windows\system32\pnupica6.dll,RegisterVirtualChannel
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe Version Cue CS2] "c:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\adobe acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
uExplorerRun: [1] \\cinnamon\pcntutil\ppopup.exe /matchuser
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\iepro\iepro.dll
IE: {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - {B119EB0C-C021-46CF-85B0-34A760E0D5FE} - c:\program files\iepro\iepro.dll
IE: {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - {CC962137-2E78-4F94-975E-FC0C07DBD78F} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\vmware\vmware player\vsocklib.dll
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxp://berenstain.osa.org/officescan/console/ClientInstall/WinNTChk.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxp://berenstain.osa.org/officescan/console/ClientInstall/setup.cab
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxp://fozzie/frxforecaster/cabs/smsx.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196097895077
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer\MathMLMimer.dll
Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer\MathMLMimer.dll
Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer\MathMLMimer.dll
Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer\MathMLMimer.dll
Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer\MathMLMimer.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\P_FH.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mwheel\applic~1\mozilla\firefox\profiles\mob3qw4v.default\
FF - plugin: c:\documents and settings\mwheel\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\adobe\adobe acrobat 7.0\acrobat\browser\nppdf32.dll
FF - HiddenExtension: XUL Cache: {2F2A2328-A5E3-4615-8947-BDD363612AF9} - c:\documents and settings\mwheel\local settings\application data\{2F2A2328-A5E3-4615-8947-BDD363612AF9}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 PNUpdate;Provision Networks Update Service;c:\windows\system32\pnupdate.exe -run --> c:\windows\system32\PNUpdate.exe -RUN [?]
R2 Shavlik Scheduler;Shavlik Remote Scheduler Service;c:\windows\propatches\scheduler\STSchedEx.exe [2008-7-10 711008]
R2 TIRmtCtl;Track-It! Remote Control;c:\windows\tiremote\wuser32.exe [2007-5-23 311374]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-10-14 50192]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXPFlt.sys [2006-9-6 225808]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2006-9-6 36368]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2008-9-18 54960]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]

=============== Created Last 30 ================

2010-01-06 17:51:31 0 ---ha-w- c:\windows\system32\wupd.dat
2010-01-06 17:51:30 6435 ----a-w- c:\windows\system32\WORK.DAT
2010-01-06 17:51:28 24576 ----a-w- c:\windows\system32\P_FH.DLL
2009-12-15 01:28:59 650752 ------w- c:\windows\system32\dot3ui.dll
2009-12-15 01:21:35 4255 ------w- c:\windows\system32\drivers\adv01nt5.dll
2009-12-15 01:19:37 19569 ----a-w- c:\windows\000001_.tmp
2009-12-11 14:47:02 0 d-----w- c:\docume~1\mwheel\applic~1\Windows Desktop Search
2009-12-11 04:14:20 0 d-----w- c:\program files\common files\xing shared
2009-12-11 04:13:58 0 d-----w- c:\program files\common files\Real
2009-12-11 04:11:51 0 d-----w- c:\program files\Windows Media Connect 2
2009-12-11 04:07:03 135168 -c----w- c:\windows\system32\dllcache\shsvcs.dll
2009-12-11 04:05:43 92928 -c----w- c:\windows\system32\dllcache\ksecdd.sys
2009-12-11 04:05:43 136192 -c----w- c:\windows\system32\dllcache\msv1_0.dll
2009-12-11 04:05:42 54272 -c----w- c:\windows\system32\dllcache\wdigest.dll
2009-12-11 04:05:42 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll
2009-12-11 04:04:36 45568 -c----w- c:\windows\system32\dllcache\dnsrslvr.dll
2009-12-11 04:00:45 57344 -c----w- c:\windows\system32\dllcache\uexfat.dll
2009-12-11 04:00:45 57344 ------w- c:\windows\system32\uexfat.dll
2009-12-11 04:00:45 133632 -c----w- c:\windows\system32\dllcache\exfat.sys
2009-12-11 04:00:45 133632 ------w- c:\windows\system32\drivers\exfat.sys
2009-12-11 04:00:44 278528 -c----w- c:\windows\system32\dllcache\ulib.dll
2009-12-11 03:59:35 177152 -c----w- c:\windows\system32\dllcache\msctfime.ime
2009-12-11 03:57:16 8461824 -c----w- c:\windows\system32\dllcache\shell32.dll
2009-12-11 03:56:22 330752 -c----w- c:\windows\system32\dllcache\ipnathlp.dll
2009-12-11 03:53:02 0 d-----w- c:\windows\system32\bits
2009-12-11 03:52:11 7168 ------w- c:\windows\system32\bitsprx4.dll
2009-12-11 03:49:35 10240 ------w- c:\windows\system32\drivers\sffp_mmc.sys
2009-12-11 03:32:36 0 d-----w- c:\windows\system32\en
2009-12-11 03:30:55 33792 ------w- c:\windows\system32\mmcperf.exe
2009-12-11 03:30:53 184320 ------w- c:\windows\system32\microsoft.managementconsole.dll
2009-12-11 03:30:53 106496 ------w- c:\windows\system32\mmcfxcommon.dll
2009-12-11 03:12:07 0 d-----w- C:\70c1f9648a8a92f948

==================== Find3M ====================

2009-12-30 19:55:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 19:54:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-11 04:17:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-11 04:14:02 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-10-21 14:23:46 41972 ---ha-w- c:\windows\system32\mlfcache.dat

============= FINISH: 10:29:26.45 ===============


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/08 10:31
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA7A47000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA600000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA6084000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\mwheel\local settings\temp\~df8de8.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\mwheel\local settings\temp\~df2f8d.tmp
Status: Allocation size mismatch (API: 27365376, Raw: 16384)

Path: c:\documents and settings\mwheel\local settings\temp\~dfec0a.tmp
Status: Allocation size mismatch (API: 262144, Raw: 16384)

Path: c:\documents and settings\mwheel\local settings\temp\~df891e.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\Castle.DynamicProxy.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\{D755C235-08CC-4E78-86E8-587EF2832DC0}.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\DevExpress.XtraEditors.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\DevExpress.XtraVerticalGrid.v7.3.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\DevExpress.XtraTreeList.v7.3.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\DevExpress.XtraEditors.v7.3.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\DevExpress.XtraReports.v7.3.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\DevExpress.XtraPrinting.v7.3.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\DevExpress.XtraCharts.v7.3.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\DevExpress.Utils.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\DevExpress.Data.v7.3.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\DevExpress.XtraPivotGrid.v7.3.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\Iesi.Collections.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\Ionic.Utils.Zip.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\Keyoti.RapidSpellMDict.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\Keyoti.RapidSpell.NET2.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\log4net.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\Microsoft.mshtml.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\DevExpress.XtraCharts.v7.3.UI.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\DevExpress.XtraEditors.Core.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\DevExpress.XtraPivotGrid.v7.3.Core.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\DevExpress.XtraSideBar.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\DevExpress.XtraTreeList.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\DevExpress.XtraTreeList.Design.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\DevExpress.XtraEditors.Design.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\DevExpress.Utils.v7.3.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\DevExpress.XtraNavBar.v7.3.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\DevExpress.XtraBars.v7.3.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\DevExpress.XtraGrid.v7.3.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mwheel\Local Settings\Apps\2.0\4L84O1YG.LXJ\GX3T6RAN.M10\manifests\DevExpress.XtraLayout.v7.3.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0x8a4a9cc0

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x8a4a91c0

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x8a4a9480

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8a4aab20

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x8a4aa240

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0x8a4aa500

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x8a4aacc0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x8a4a9740

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0x8a4a9f80

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8a4a9a00

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a4aa980

Shadow SSDT
-------------------
#: 548 Function Name: NtUserSetWindowsHookAW
Status: Hooked by "<unknown>" at address 0x8a4ab2e0

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x8a4ab100

==EOF==


#2 ransim

ransim
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:11:29 PM

Posted 11 January 2010 - 10:15 AM

I was able to resolve this issue on my own by using the Kaspersky virus removal tool.

#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:06:29 AM

Posted 14 January 2010 - 11:14 AM

Since this topic appears to be resolved, I will now close it. Thanks for letting us know!

If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!
