
Occasional Browser Link Hijack, Possible Mebroot infection


  • This topic is locked
12 replies to this topic

#1 MrAutomation

MrAutomation

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:37 PM

Posted 09 February 2010 - 02:28 PM

A while ago, I was infected by Mebroot. I believe that it is gone, but when I used FIXMBR from the CD recovery console, I receive an error message. I also receive the following message when running MBR.EXE from GMER:


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x060950A
malicious code @ sector 0x060950D !
PE file found in sector at 0x0609523 !

I believe that using FIXMBR should remove the malicious code as well as the PE file, but it doesn't seem to work.

Next on the list is a link hijack that randomly shows up in Firefox. At times, when doing a Google search, the first item will redirect me to a page full of advertising, rather than the proper site. If I hit back and click the link again, it usually takes me to the proper site.

Attached below is my DDS log followed by my GMER log:


DDS (Ver_09-12-01.01) - FAT32x86
Run by Josh at 11:19:46.87 on Tue 02/09/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.575 [GMT -8:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
E:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
E:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
E:\Program Files\TortoiseSVN\bin\TSVNCache.exe
E:\Program Files\UltraMon\UltraMon.exe
E:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
E:\Program Files\AJC Software\AJC Active Backup\AJCActBk.exe
E:\Program Files\Microsoft Office 97\Office\OSA.EXE
E:\Program Files\stickies\stickies.exe
C:\WINDOWS\explorer.exe
E:\Program Files\UltraMon\UltraMonTaskbar.exe
E:\Program Files\Scribe\Scribe.exe
E:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Josh\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
TB: StExBar: {367d8b32-f9fd-474b-8e65-9e521f35de99} - e:\program files\stexbar\StExBar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [AJC Active Backup] "e:\program files\ajc software\ajc active backup\AJCActBk.exe" -Online
mRun: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
mRun: [UltraMon] "e:\program files\ultramon\UltraMon.exe" /auto
mRun: [avast5] e:\progra~1\alwils~1\avast5\avastUI.exe /nogui
StartupFolder: c:\docume~1\josh\startm~1\programs\startup\office~1.lnk - e:\program files\microsoft office 97\office\OSA.EXE
StartupFolder: c:\docume~1\josh\startm~1\programs\startup\stickies.lnk - e:\program files\stickies\stickies.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
IE: Convert link target to Adobe PDF - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264810593897
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {93B08541-9F6B-4697-9F9A-7058F1E33785} - hxxp://na.ntrsupport.com/nv/inquiero/mod/setup/ntractivex1182_2.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\josh\applic~1\mozilla\firefox\profiles\0dej9fnh.default\
FF - plugin: e:\program files\adobe\acrobat 7.0\acrobat\browser\nppdf32.dll
FF - plugin: e:\program files\java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: e:\program files\java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2009-10-25 77312]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-2-3 163280]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-2-3 19024]
R2 avast! Antivirus;avast! Antivirus;e:\program files\alwil software\avast5\AvastSvc.exe [2010-2-3 40384]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2006-9-24 11776]
R3 avast! Mail Scanner;avast! Mail Scanner;e:\program files\alwil software\avast5\AvastSvc.exe [2010-2-3 40384]
R3 avast! Web Scanner;avast! Web Scanner;e:\program files\alwil software\avast5\AvastSvc.exe [2010-2-3 40384]
R3 RDID1057;EDIROL UA-1EX;c:\windows\system32\drivers\Rdwm1057.sys [2009-10-25 139793]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [2006-9-24 3584]
S0 tcighkvf;tcighkvf; [x]
S0 zjmrr;zjmrr; [x]
UnknownUnknown vkquwexg;vkquwexg; [x]

=============== Created Last 30 ================

2010-02-09 18:01:54 0 d-sha-r- C:\cmdcons
2010-02-09 18:00:50 98816 ----a-w- c:\windows\sed.exe
2010-02-09 18:00:50 77312 ----a-w- c:\windows\MBR.exe
2010-02-09 18:00:50 261632 ----a-w- c:\windows\PEV.exe
2010-02-09 18:00:50 161792 ----a-w- c:\windows\SWREG.exe
2010-02-05 21:10:37 0 ----a-w- c:\documents and settings\josh\defogger_reenable
2010-02-03 16:48:34 1089593 ------w- c:\windows\system32\dllcache\ntprint.cat
2010-02-03 16:36:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-02-03 16:20:29 293376 ----a-w- C:\t2t7v45w-gmer.exe
2010-02-02 23:56:19 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2010-02-02 23:54:59 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2010-02-02 23:52:41 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-02-02 23:52:33 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-02-02 23:04:45 0 d-----w- c:\docume~1\josh\applic~1\Canneverbe Limited
2010-02-02 22:39:02 138496 ------w- c:\windows\system32\dllcache\afd.sys
2010-02-02 22:38:21 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2010-02-02 22:38:20 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2010-02-02 22:38:09 35328 ------w- c:\windows\system32\dllcache\sc.exe
2010-02-02 22:38:09 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2010-02-02 22:38:08 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2010-02-02 22:38:08 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2010-02-02 22:38:08 110592 ------w- c:\windows\system32\dllcache\services.exe
2010-02-02 22:38:07 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2010-02-02 22:38:06 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-02-02 22:38:04 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2010-02-02 22:37:33 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2010-02-02 22:37:11 128512 ------w- c:\windows\system32\dllcache\dhtmled.ocx
2010-02-02 22:37:02 455296 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-02 22:36:56 333952 ------w- c:\windows\system32\dllcache\srv.sys
2010-02-02 22:36:50 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2010-02-02 22:36:31 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-02 22:36:14 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-02 22:36:03 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-02 22:34:59 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2010-01-30 01:38:29 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2010-01-30 01:23:53 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-01-30 01:02:15 20 ----a-w- c:\docume~1\josh\applic~1\anvkgp.dat
2010-01-30 00:55:00 1355 ----a-w- c:\windows\imsins.BAK
2010-01-30 00:53:52 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2010-01-30 00:30:26 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters
2010-01-30 00:19:55 0 d-----w- c:\windows\Performance
2010-01-30 00:18:59 0 d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2010-01-30 00:05:25 0 d-----w- c:\docume~1\alluse~1\applic~1\33365323
2010-01-22 15:44:59 77312 ----a-w- C:\mbr.exe
2010-01-20 18:15:51 768 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-18 20:21:42 0 ----a-w- c:\windows\HPMProp.INI
2010-01-18 20:20:28 64024 ----a-w- c:\windows\system32\hppccompio.dll
2010-01-18 20:20:28 18944 ----a-w- c:\windows\system32\hppmopjl.dll
2010-01-18 20:20:27 299008 ----a-w- c:\windows\system32\hpmml094.dll
2010-01-18 20:20:27 249856 ----a-w- c:\windows\system32\hpmpm081.dll
2010-01-18 20:20:27 233472 ----a-w- c:\windows\system32\hpmtp094.dll
2010-01-18 20:20:27 225280 ----a-w- c:\windows\system32\hpmja094.dll
2010-01-18 20:20:27 208896 ----a-w- c:\windows\system32\hpmpw081.dll
2010-01-18 20:20:18 59928 ----a-w- c:\windows\system32\fxcompchannel.dll
2010-01-18 20:20:18 49252 ----a-w- c:\windows\system32\HPMNQUE.DLL
2010-01-18 20:20:18 49250 ----a-w- c:\windows\system32\HPMNNDPS.DLL
2010-01-18 20:20:18 161280 ----a-w- c:\windows\system32\hpcpn094.dll
2010-01-14 19:37:57 0 d-----w- c:\program files\common files\Hewlett-Packard
2010-01-14 16:02:33 0 d-----w- c:\docume~1\josh\applic~1\AJC Software
2010-01-14 15:55:41 0 d-----w- c:\docume~1\alluse~1\applic~1\AJC Software
2010-01-14 14:59:24 0 d--h--w- c:\windows\system32\GroupPolicy

==================== Find3M ====================

2009-12-22 05:21:06 667136 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:21:06 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2009-12-22 05:21:04 627712 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2009-12-22 05:21:02 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-12-22 05:21:00 3071488 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-12-22 05:20:58 81920 ------w- c:\windows\system32\ieencode.dll
2009-12-22 05:20:58 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
2009-12-04 19:12:02 309760 ----a-w- c:\windows\system32\difxapi.dll
2009-12-04 19:11:44 372736 ----a-w- c:\windows\system32\hpmprein.dll
2009-12-04 19:11:24 86016 ----a-w- c:\windows\system32\hpmco094.dll
2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll

============= FINISH: 11:19:55.25 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-09 11:17:59
Windows 5.1.2600 Service Pack 3
Running: t2t7v45w-gmer.exe; Driver: C:\DOCUME~1\Josh\LOCALS~1\Temp\uftdypod.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF5AE5C78]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF5AE5B34]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xF5AE60E8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF5AE6012]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF5AE570A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF5AE5C0E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF5AE564A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF5AE56AE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF5AE5D2E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xF5AE61B6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF5AE5CEE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF5AE5E6E]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xF5AF252A]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xF5AF234E]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xF5AF2488]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- EOF - GMER 1.0.15 ----


Thanks,

Josh
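The three mbr.exe lines in the post ("copy of MBR has been found in sector ...", "malicious code @ sector ...", "PE file found in sector ...") describe the layout a Mebroot-style bootkit leaves behind: sector 0 is overwritten with a loader, and the original MBR plus the PE-format body are stashed in sectors that belong to no partition. The following is an added example, not code from the thread or from GMER, that re-creates a simplified form of that heuristic over a constructed disk image; the partition layout, the sector numbers and the "copy of MBR" match rule (same partition table and signature as sector 0, since the stashed original keeps the table but not the replaced boot code) are this example's own assumptions, not a description of how mbr.exe actually works.

```python
# Added example (not from the thread or from GMER): a simplified, offline
# re-creation of the heuristic behind the mbr.exe lines "copy of MBR has been
# found in sector ..." and "PE file found in sector ...". A Mebroot-style
# bootkit overwrites sector 0 with its loader and stashes the original MBR and
# its PE-format body in sectors that belong to no partition. The disk image,
# partition layout and sector numbers below are constructed for the demo.
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xAA"


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR: 446 bytes of boot code, four 16-byte
    partition entries (CHS fields left zero), then the 0x55AA signature."""
    mbr = bytearray(boot_code.ljust(446, b"\x00")[:446])
    for status, ptype, start_lba, size in partitions:
        mbr += struct.pack("<B3sB3sII", status, bytes(3), ptype, bytes(3), start_lba, size)
    while len(mbr) < 510:
        mbr += bytes(16)          # unused partition entries
    return bytes(mbr) + BOOT_SIGNATURE


def parse_partitions(mbr: bytes):
    """Return (start_lba, sector_count) for every non-empty partition entry."""
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("sector 0 lacks the 0x55AA boot signature")
    found = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        start, size = struct.unpack("<II", entry[8:16])
        if ptype and size:
            found.append((start, size))
    return found


def scan_unallocated(image: bytes) -> dict:
    """Walk every sector outside sector 0 and outside all partitions, looking for
    (a) a sector carrying the same partition table and signature as sector 0
        (the stashed original MBR keeps the table but not the overwritten loader), and
    (b) a sector starting with the 'MZ' DOS/PE header, i.e. an executable
        living where no file system should put one.
    Sectors inside a partition are skipped on purpose: executables are normal there."""
    mbr = image[:SECTOR]
    partitions = parse_partitions(mbr)
    findings = {"mbr_copy": [], "pe_header": []}
    for lba in range(1, len(image) // SECTOR):
        if any(start <= lba < start + size for start, size in partitions):
            continue
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sector[446:] == mbr[446:]:
            findings["mbr_copy"].append(lba)
        elif sector[:2] == b"MZ":
            findings["pe_header"].append(lba)
    return findings


def build_demo_image(total_sectors: int = 400) -> bytes:
    """Constructed 200 KiB disk: one FAT32 partition at LBA 63..262, a bootkit
    loader in sector 0, the original MBR stashed at LBA 300, a PE stub at LBA 303."""
    table = [(0x80, 0x0B, 63, 200)]                       # bootable, type 0x0B = FAT32
    original = build_mbr(b"ORIGINAL BOOT CODE", table)
    infected = build_mbr(b"BOOTKIT LOADER", table)        # same table, new boot code
    img = bytearray(total_sectors * SECTOR)
    img[0:SECTOR] = infected
    img[100 * SECTOR:100 * SECTOR + 2] = b"MZ"            # ordinary .exe inside the partition: must be ignored
    img[300 * SECTOR:301 * SECTOR] = original
    stub = b"MZ" + bytes(62) + b"PE\x00\x00"              # bare DOS/PE header standing in for the body
    img[303 * SECTOR:303 * SECTOR + len(stub)] = stub
    return bytes(img)


def report(findings: dict) -> list:
    """Render findings in the same spirit as the mbr.exe lines quoted in the post."""
    lines = [f"copy of MBR has been found in sector 0x{lba:07X}" for lba in findings["mbr_copy"]]
    lines += [f"PE file found in sector at 0x{lba:07X}" for lba in findings["pe_header"]]
    return lines or ["no MBR copy or stray PE image outside the partitions"]


if __name__ == "__main__":
    for line in report(scan_unallocated(build_demo_image())):
        print(line)
```

The partition skip is the point worth noticing: an "MZ" header is perfectly normal inside a file system, so only sectors that no partition claims are reported, which is also why overwriting sector 0 alone (what FIXMBR does) leaves the stashed copy and body in place for a scanner to keep finding.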


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:37 PM

Posted 15 February 2010 - 07:50 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 MrAutomation

MrAutomation
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:37 PM

Posted 15 February 2010 - 08:31 PM

Hello m0le, thanks for the reply. I am still watching this topic. Any help would be appreciated.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:37 PM

Posted 15 February 2010 - 08:50 PM

You're right, the infected MBR gets removed by running Fixmbr but this is a new variant. Let's see if HelpAssistant is the cause of the problem.

Please download SystemScan and save it to your desktop.
  • Be aware that the file name will be randomly generated (i.e. sys95769.exe) to deceive malware which may attempt to disable it.
  • If any installed security tools (anti-virus) detects the file as malware or suspicious while downloading or attempting to run, ignore the alert and allow the download.
  • Double-click on sys*****.exe to start the tool.
  • A read before proceeding disclaimer will appear.
  • Uncheck <- Unflag the checkbox to disable updates! next to the version number at the top.
  • After reading, check the box I have read and agree. Please let me...proceed!, then click the Proceed button.
  • When SystemScan opens, click the "Unselect all" button.
  • Important: Under "Make your choice and than click...", check the boxes next to:
    • PC accounts
  • Everything else should be unchecked.
  • Click "Scan Now".
  • Another warning box will appear. Please follow the instructions and click Ok.
  • Please be patient while the scan is in progress.
  • Systemscan will scan your computer and create a folder named suspectfile on the Desktop to save its report.
  • When the scan is complete, Notepad will automatically open a log file named report.txt with the results.
  • Copy and paste the contents of report.txt in your next reply.
Thanks
m0le is a proud member of UNITE

#5 MrAutomation

MrAutomation
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:37 PM

Posted 16 February 2010 - 09:43 AM

OK, I got the log. I noticed that the HelpAssistant user is still on the system. When cleaning initially, I removed the profile from Documents and Settings, but obviously not the user. I've deleted the user "HelpAssistant" now.

SystemScan - www.suspectfile.com - ver. 3.6.7 (code: holifay & bReAkdOWn)

Running on: Windows XP PROFESSIONAL Edition, Service Pack 3 (2600.5.1)
System directory: C:\WINDOWS
SystemScan file: C:\Documents and Settings\Josh\Desktop\Cleaning\sys35039.exe
Running in: User mode
Date: 2/16/2010
Time: 6:42:03 AM

Output limited to:
-PC accounts

===================== ACCOUNTS ON THIS PC =====================


Users on this computer:
Is Admin? | Username
------------------
Yes | Administrator
| Guest
Yes | HelpAssistant
Yes | Josh
| SUPPORT_388945a0 (Disabled)

### users folders

25/10/2009 20:57:28 (DIR) 0 byte 114 days old -- All Users
25/10/2009 20:57:28 (DIR) 0 byte 114 days old -- Default User
25/10/2009 21:27:54 (DIR) 0 byte 114 days old -- NetworkService
25/10/2009 21:27:56 (DIR) 0 byte 114 days old -- LocalService
25/10/2009 21:28:58 (DIR) 0 byte 114 days old -- Josh

### startup files in users folders

C:\documents and settings\Default User\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\All Users\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
C:\documents and settings\Josh\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Josh\Start Menu\Programs\Startup\Office Startup.lnk
C:\documents and settings\Josh\Start Menu\Programs\Startup\Stickies.lnk

==========================================
Scan completed in 0 minutes
End of report


~~~~~~~~~~~~~~~~~~~~~-----CREDITS-----~~~~~~~~~~~~~~~~~~~~~
SystemScan uses some freeware tools that remain property of their authors:

* SteelWerX Registry Console Tool, Who Am I (Bobby Flekman: www.xs4all.nl/~fstaal01) --> "Registry scan", "PC accounts "
* dumphive (Markus Stephany)--> "Registry scan"
* Listdlls (M.Russinovich, B.Cogswell: www.sysinternals.com) --> "Loaded modules"
* Catchme & MBR Rootkit detector (gmer: www.gmer.net) --> "Hidden objects", "Alternate Data Streams" & "Master Boot Record"
---> NOTE: SystemScan integrates "The Avenger" from Swandog46 (http://swandog46.geekstogo.com) to allow you to remove malwares found in this log

Thanks to all of them for their hard work

Edited by MrAutomation, 16 February 2010 - 11:12 AM.


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:37 PM

Posted 16 February 2010 - 04:23 PM

If you attempted to delete HelpAssistant can you run the SystemScan again please?
m0le is a proud member of UNITE

#7 MrAutomation

MrAutomation
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:37 PM

Posted 16 February 2010 - 09:28 PM

Here's the new log:

SystemScan - www.suspectfile.com - ver. 3.6.7 (code: holifay & bReAkdOWn)

Running on: Windows XP PROFESSIONAL Edition, Service Pack 3 (2600.5.1)
System directory: C:\WINDOWS
SystemScan file: C:\Documents and Settings\Josh\Desktop\Cleaning\sys6972.exe
Running in: User mode
Date: 2/16/2010
Time: 6:28:12 PM

Output limited to:
-PC accounts

===================== ACCOUNTS ON THIS PC =====================


Users on this computer:
Is Admin? | Username
------------------
Yes | Administrator
| Guest
Yes | Josh
| SUPPORT_388945a0 (Disabled)

### users folders

25/10/2009 20:57:28 (DIR) 0 byte 114 days old -- All Users
25/10/2009 20:57:28 (DIR) 0 byte 114 days old -- Default User
25/10/2009 21:27:54 (DIR) 0 byte 114 days old -- NetworkService
25/10/2009 21:27:56 (DIR) 0 byte 114 days old -- LocalService
25/10/2009 21:28:58 (DIR) 0 byte 114 days old -- Josh

### startup files in users folders

C:\documents and settings\Default User\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\All Users\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Josh\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Josh\Start Menu\Programs\Startup\Stickies.lnk

==========================================
Scan completed in 0 minutes
End of report


~~~~~~~~~~~~~~~~~~~~~-----CREDITS-----~~~~~~~~~~~~~~~~~~~~~
SystemScan uses some freeware tools that remain property of their authors:

* SteelWerX Registry Console Tool, Who Am I (Bobby Flekman: www.xs4all.nl/~fstaal01) --> "Registry scan", "PC accounts "
* dumphive (Markus Stephany)--> "Registry scan"
* Listdlls (M.Russinovich, B.Cogswell: www.sysinternals.com) --> "Loaded modules"
* Catchme & MBR Rootkit detector (gmer: www.gmer.net) --> "Hidden objects", "Alternate Data Streams" & "Master Boot Record"
---> NOTE: SystemScan integrates "The Avenger" from Swandog46 (http://swandog46.geekstogo.com) to allow you to remove malwares found in this log

Thanks to all of them for their hard work

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:37 PM

Posted 17 February 2010 - 02:47 PM

Nicely done

We need to check the registry is clear too.

Download Profiles by noahdfear

Double click the file and copy and paste the resulting log into your next reply.
m0le is a proud member of UNITE

#9 MrAutomation

MrAutomation
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:37 PM

Posted 17 February 2010 - 05:21 PM

OK, here's the log:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1993962763-1078145449-725345543-1000
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1993962763-1078145449-725345543-1003
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Josh

SystemRoot REG_SZ C:\WINDOWS


And here's the log after I removed the profile in Regedit:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1993962763-1078145449-725345543-1003
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Josh

SystemRoot REG_SZ C:\WINDOWS



Edit:

It looks like that should clear things up for that, but there's one more question I had. There were a couple of services showing with DDS that looked suspect to me:

S0 tcighkvf;tcighkvf; [x]
S0 zjmrr;zjmrr; [x]

I've included a new dump from DDS, but those did show on the original dump as well.


DDS (Ver_09-12-01.01) - FAT32x86
Run by Josh at 14:23:10.28 on Wed 02/17/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.365 [GMT -8:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
E:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\TortoiseSVN\bin\TSVNCache.exe
E:\Program Files\UltraMon\UltraMon.exe
E:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
E:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\AJC Software\AJC Active Backup\AJCActBk.exe
E:\Program Files\UltraMon\UltraMonTaskbar.exe
SVCHOST.EXE
E:\Program Files\Microsoft Office 97\Office\OSA.EXE
E:\Program Files\stickies\stickies.exe
E:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
E:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
E:\Program Files\Scribe\Scribe.exe
E:\Program Files\NTR global\Console\inquiero.exe
E:\Program Files\Pidgin\pidgin.exe
C:\WINDOWS\system32\notepad.exe
E:\Program Files\Microsoft Visual Studio\VB98\vb6.exe
E:\Program Files\Audacity\audacity.exe
E:\Program Files\Microsoft Office 97\Office\MSACCESS.EXE
E:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Josh\Desktop\Cleaning\dds.scr

============== Pseudo HJT Report ===============

BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: StExBar: {367d8b32-f9fd-474b-8e65-9e521f35de99} - e:\program files\stexbar\StExBar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [AJC Active Backup] "e:\program files\ajc software\ajc active backup\AJCActBk.exe" -Online
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
mRun: [UltraMon] "e:\program files\ultramon\UltraMon.exe" /auto
mRun: [avast5] e:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [SunJavaUpdateSched] "e:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\josh\startm~1\programs\startup\stickies.lnk - e:\program files\stickies\stickies.exe
IE: Convert link target to Adobe PDF - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264810593897
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {93B08541-9F6B-4697-9F9A-7058F1E33785} - hxxp://na.ntrsupport.com/nv/inquiero/mod/setup/ntractivex1182_2.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\josh\applic~1\mozilla\firefox\profiles\0dej9fnh.default\
FF - plugin: e:\program files\adobe\acrobat 7.0\acrobat\browser\nppdf32.dll
FF - plugin: e:\program files\java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: e:\program files\java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2009-10-25 77312]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-2-3 162512]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-2-3 19024]
R2 avast! Antivirus;avast! Antivirus;e:\program files\alwil software\avast5\AvastSvc.exe [2010-2-3 40384]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2006-9-24 11776]
R3 avast! Mail Scanner;avast! Mail Scanner;e:\program files\alwil software\avast5\AvastSvc.exe [2010-2-3 40384]
R3 avast! Web Scanner;avast! Web Scanner;e:\program files\alwil software\avast5\AvastSvc.exe [2010-2-3 40384]
R3 RDID1057;EDIROL UA-1EX;c:\windows\system32\drivers\Rdwm1057.sys [2009-10-25 139793]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [2006-9-24 3584]
S0 tcighkvf;tcighkvf; [x]
S0 zjmrr;zjmrr; [x]

=============== Created Last 30 ================

2010-02-17 20:59:44 64 ----a-w- c:\windows\system32\system.ldb
2010-02-13 00:21:41 0 d-sh--w- C:\Recycled
2010-02-12 22:41:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-12 22:41:42 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-12 22:41:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-10 22:07:59 0 d-----w- c:\windows\system32\CatRoot2
2010-02-09 18:01:54 0 d-sha-r- C:\cmdcons
2010-02-09 18:00:50 98816 ----a-w- c:\windows\sed.exe
2010-02-09 18:00:50 77312 ----a-w- c:\windows\MBR.exe
2010-02-09 18:00:50 261632 ----a-w- c:\windows\PEV.exe
2010-02-09 18:00:50 161792 ----a-w- c:\windows\SWREG.exe
2010-02-05 21:10:37 0 ----a-w- c:\documents and settings\josh\defogger_reenable
2010-02-03 16:48:34 1089593 ------w- c:\windows\system32\dllcache\ntprint.cat
2010-02-03 16:36:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-02-03 16:20:29 293376 ----a-w- C:\t2t7v45w-gmer.exe
2010-02-02 23:56:19 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2010-02-02 23:54:59 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2010-02-02 23:52:41 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-02-02 23:52:33 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-02-02 23:04:45 0 d-----w- c:\docume~1\josh\applic~1\Canneverbe Limited
2010-02-02 22:39:02 138496 ------w- c:\windows\system32\dllcache\afd.sys
2010-02-02 22:38:21 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2010-02-02 22:38:20 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2010-02-02 22:38:09 35328 ------w- c:\windows\system32\dllcache\sc.exe
2010-02-02 22:38:09 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2010-02-02 22:38:08 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2010-02-02 22:38:08 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2010-02-02 22:38:08 110592 ------w- c:\windows\system32\dllcache\services.exe
2010-02-02 22:38:07 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2010-02-02 22:38:06 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-02-02 22:38:04 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2010-02-02 22:37:33 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2010-02-02 22:37:11 128512 ------w- c:\windows\system32\dllcache\dhtmled.ocx
2010-02-02 22:37:02 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-02 22:36:56 353792 ------w- c:\windows\system32\dllcache\srv.sys
2010-02-02 22:36:50 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2010-02-02 22:36:31 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-02 22:36:14 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-02 22:36:03 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-02 22:34:59 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2010-01-30 01:38:29 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2010-01-30 01:23:53 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-01-30 01:02:15 20 ----a-w- c:\docume~1\josh\applic~1\anvkgp.dat
2010-01-30 00:55:00 1355 ----a-w- c:\windows\imsins.BAK
2010-01-30 00:53:52 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2010-01-30 00:30:26 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters
2010-01-30 00:19:55 0 d-----w- c:\windows\Performance
2010-01-30 00:18:59 0 d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2010-01-30 00:05:25 0 d-----w- c:\docume~1\alluse~1\applic~1\33365323
2010-01-22 15:44:59 77312 ----a-w- C:\mbr.exe
2010-01-20 18:15:51 768 ----a-w- c:\windows\system32\d3d8caps.dat

==================== Find3M ====================

2009-12-31 16:50:04 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:21:06 667136 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:21:06 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2009-12-22 05:21:04 627712 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2009-12-22 05:21:02 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-12-22 05:21:00 3071488 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-12-22 05:20:58 81920 ------w- c:\windows\system32\ieencode.dll
2009-12-22 05:20:58 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
2009-12-16 18:43:28 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:28 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:24 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:24 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-08 19:27:52 2189184 ----a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 19:27:52 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 19:12:02 309760 ----a-w- c:\windows\system32\difxapi.dll
2009-12-04 19:11:44 372736 ----a-w- c:\windows\system32\hpmprein.dll
2009-12-04 19:11:24 86016 ----a-w- c:\windows\system32\hpmco094.dll
2009-12-04 18:53:54 161280 ----a-w- c:\windows\system32\hpcpn094.dll
2009-12-04 18:37:04 299008 ----a-w- c:\windows\system32\hpmml094.dll
2009-12-04 18:36:52 225280 ----a-w- c:\windows\system32\hpmja094.dll
2009-12-04 18:36:44 249856 ----a-w- c:\windows\system32\hpmpm081.dll
2009-12-04 18:36:34 208896 ----a-w- c:\windows\system32\hpmpw081.dll
2009-12-04 18:36:30 233472 ----a-w- c:\windows\system32\hpmtp094.dll
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 17920 ------w- c:\windows\system32\dllcache\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11:44 1291776 ------w- c:\windows\system32\dllcache\quartz.dll
2009-11-27 16:07:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:36 8704 ------w- c:\windows\system32\dllcache\tsbyuv.dll
2009-11-27 16:07:36 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:36 28672 ------w- c:\windows\system32\dllcache\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 84992 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07:34 11264 ------w- c:\windows\system32\dllcache\msrle32.dll
2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll

============= FINISH: 14:23:39.06 ===============

Edited by MrAutomation, 17 February 2010 - 05:27 PM.


#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:37 PM

Posted 17 February 2010 - 08:03 PM

Good job. Ever thought about malware removal training?

QUOTE
S0 tcighkvf;tcighkvf; [x]
S0 zjmrr;zjmrr; [x]


These were malicious services running at boot on the PC. The S means stopped and the [X] means there is no longer a file associated with the service.

In other words, these are harmless, disabled services. They can be removed, if you prefer. OTM instructions below.
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the icon on your desktop.
  • Paste the following code under the area. Do not include the word "Code".
    CODE
    :Services
    tcighkvf
    zjmrr
  • Push the large button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Post the OTM log.

That should lose them.

-----------------------------------------------------------------

The PC looks in good shape so we can call this a done deal.

You're clean. Good stuff!

Let's do some clearing up

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program, you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it Mr Automation, Happy surfing!

Cheers.

m0le


m0le is a proud member of UNITE
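As an added example (not code from this thread, from DDS or from OTM), here is a small Python triage script for the DDS "SERVICES / DRIVERS" lines quoted above: it parses the R/S state letter, the start-type digit and the [x] marker, and flags exactly the kind of entry m0le points out, a stopped boot-start service with no file behind it and a random-looking name. The random-name heuristic and the sample log lines are my own assumptions, not part of DDS.

```python
import re
from typing import List, Optional

# DDS "SERVICES / DRIVERS" lines (examples copied from the log above):
#   R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2009-10-25 77312]
#   S0 tcighkvf;tcighkvf; [x]
# R = running, S = stopped; the digit is the Windows start type
# (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled); [x] = no file on disk.
DDS_SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]*);(?P<display>[^;]*);"
    r"(?P<path>[^\[]*)\[(?P<detail>[^\]]*)\]\s*$"
)
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}
VOWELS = set("aeiouy")

def parse_dds_service_line(line: str) -> Optional[dict]:
    """Parse one service/driver line into a dict; None for any other line."""
    m = DDS_SERVICE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "state": m.group("state"),                 # "R" or "S"
        "start_type": int(m.group("start")),       # 0..4, see START_TYPES
        "name": m.group("name").strip(),
        "image_path": m.group("path").strip(),     # "" when DDS printed [x]
        "file_missing": m.group("detail").strip().lower() == "x",
    }

def looks_random(name: str) -> bool:
    """Constructed heuristic (not a DDS rule): lowercase letters only with
    very few vowels, like tcighkvf or zjmrr."""
    if len(name) < 5 or not name.isalpha() or not name.islower():
        return False
    return sum(c in VOWELS for c in name) / len(name) < 0.25

def triage_dds_services(log_text: str) -> List[dict]:
    """Flag orphaned entries ([x]) and boot/system-start drivers with
    random-looking names; every other line is ignored."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_dds_service_line(line)
        if entry is None:
            continue
        reasons = []
        if entry["file_missing"]:
            reasons.append("registered service with no file on disk ([x])")
        if entry["start_type"] <= 1 and looks_random(entry["name"]):
            reasons.append(START_TYPES[entry["start_type"]] + "-start driver with a random-looking name")
        if reasons:
            findings.append({"name": entry["name"], "reasons": reasons,
                             "state": "stopped" if entry["state"] == "S" else "running"})
    return findings

# Constructed sample: a few lines copied from the DDS log in this thread.
SAMPLE_DDS_LOG = r"""
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2009-10-25 77312]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S0 tcighkvf;tcighkvf; [x]
S0 zjmrr;zjmrr; [x]
"""
```

Running `triage_dds_services(SAMPLE_DDS_LOG)` returns the two S0 entries with both reasons and leaves the legitimate drivers alone.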

#11 MrAutomation

MrAutomation
  • Topic Starter

  • Members
  • 6 posts
  • Local time:12:37 PM

Posted 18 February 2010 - 12:50 AM

Thanks for all the help. It looks like everything is good now.

I had thought of doing training, but noticed that there wasn't any space available when I checked it out on the forum. I just finished checking some of the other forums and they look like they're full for training as well. Any suggestions?

I probably won't need much in the way of training. I mostly know the ins and outs of the system and can find things that aren't right. My main problem is just not knowing the tools that are available and how to use them.

Here's the OTM Log:

========== SERVICES/DRIVERS ==========
Service tcighkvf stopped successfully!
Service tcighkvf deleted successfully!
Service zjmrr stopped successfully!
Service zjmrr deleted successfully!

OTM by OldTimer - Version 3.1.8.0 log created on 02172010_213707

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:37 PM

Posted 18 February 2010 - 07:05 AM

QUOTE(MrAutomation @ Feb 18 2010, 05:50 AM)
I just finished checking some of the other forums and they look like they're full for training as well. Any suggestions?


My only suggestion is to persevere. Training slots do open on all these sites, but this is not a college where inductions are held regularly; these spaces only open up when trainees are promoted or drop out.

In my experience, trainee turnover is quite quick.

Be patient and a slot will open up.

Good luck




m0le is a proud member of UNITE

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:37 PM

Posted 22 February 2010 - 08:46 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE



