Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

redirect from yahoo/google can't update or run malware


  • This topic is locked This topic is locked
28 replies to this topic

#1 iamnothing

iamnothing

  • Members
  • 150 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 21 February 2010 - 09:36 PM

like many others here i seem to have the redirect virus from yahoo, google, etc. additionally, i am unable to make any updates to windows or malwarebytes. if i run malwarebytes it will usually scan to about 21,000 files and then goes to a blues screen, saying DRIVER IRQL NOT LESS OR EQUAL, upon restart everything appears to work normally but continues to redirect.
when i attempt to update malwarebytes i get the 732 error message. i have followed the instructions to fix this from another thread but it did not work. i also have access to another uninfected computer and downloaded a "clean" version of malwarebytes, installed it to the infected computer but it will still not update and the computer goes to blue screen after scanning for several minutes.
after examining another related thread i also looked into the device manager for a suspect file but going through control panel>system>hardware>device manager>view>show hidden devices. within that there is an exclamation mark in yellow next to the entry DS1410D. i disabled this, rebooted, and tried to update malwarebytes but it did nothing.
i have only tried these things in an attempt to solve this problem on my own and save some time for all the helpful people here and not to circumvent the rules of this community. but it seems that i do not have the skills to do this. thanks so much and i hope to speak with someone soon.

i use the following programs that might pertain to this issue:

ccleaner- for general clean up
advanced registry optimizer- same
a-squared free- virus/malware
malewarebyte's anti-malware- virus/malware

Mcafee came with the original computer but has expired. i have not uninstalled it because i am afraid to at the present time.

computer info:

Dell Dimension DIM2400
MS Windows XP Home Service Pack 3
Intel Celeron CPU 2.4GHz, 256 GB RAM Intel 82845G/GL/GE/PE/GV Graphics Controller

thanks again!!

Edited by Orange Blossom, 21 February 2010 - 09:46 PM.
Move to AII. ~ OB


BC AdBot (Login to Remove)

 


#2 iamnothing

iamnothing
  • Topic Starter

  • Members
  • 150 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 28 February 2010 - 09:08 PM

could anyone help me with this? i aplogize for bumping but i gotten no responses after 7days. thanks again.

#3 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:05:41 AM

Posted 28 February 2010 - 10:06 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#4 iamnothing

iamnothing
  • Topic Starter

  • Members
  • 150 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 01 March 2010 - 02:39 AM

fireman4it,
thanks so much for responding. no worries about the delay, just thought i might have gotten lost in the shuffle. you guys do a great job. I am posting the DDS log.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Brian at 22:54:32.44 on Sun 02/28/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.40 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Documents and Settings\Brian\My Documents\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uInternet Settings,ProxyServer = 218.2.104.199:80
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [DellSupport-] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1103472 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://cc.porsche.com/pva_new/ui/pva/application/bpModules/interior_3D.jsp?pluginsInstalled=true&RT=1244733022156"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\brian\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174980747884
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 93.188.163.117,93.188.161.65
TCP: {DA41347C-5873-479B-8BA6-BD45E46A84D9} = 93.188.163.117,93.188.161.65
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-02-27 16:48:26 0 d-----w- c:\docume~1\brian\applic~1\SUPERAntiSpyware.com
2010-02-27 16:47:15 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-22 05:38:50 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-22 05:37:50 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-21 04:10:59 0 d-----w- c:\program files\Sun
2010-02-21 04:10:05 73728 ----a-w- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2010-02-21 04:08:21 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 13:19:18 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-07 04:33:19 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-08-30 20:42:57 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083020080831\index.dat

============= FINISH: 22:58:26.80 ===============


i was unable to successfully run the gmer program. it ran for a while and when i came back to my computer it had entered a blue screen and said the following:

stop: d0000144
unknown hard error
beginning dump of physical memory
physical memory dump completed

i then restarted my computer. there does not seem to be any new problems but the original ones persist.
thanks again

Edited by iamnothing, 01 March 2010 - 02:41 AM.


#5 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:05:41 AM

Posted 01 March 2010 - 08:06 PM

Hello iamnothing,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1.
We Need to check for Rootkits with RootRepeal
  1. Download RootRepeal from the following location and save it to your desktop.
  2. Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  3. Open on your desktop.
  4. Click the tab.
  5. Click the button.
  6. Check all seven boxes:
  7. Push Ok
  8. Check the box for your main system drive (Usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

2.
Download and Run RKill
    Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

3.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.


Things to include in your next reply:
Rootrepeal log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#6 iamnothing

iamnothing
  • Topic Starter

  • Members
  • 150 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 01 March 2010 - 09:18 PM

fireman4it,
thanks so much for the quick reply. i am going to transfer some photos and other files to an external hard drive in case i lose everthing and then begin the steps that you outlined. speak to you soon and thanks again!

#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:05:41 AM

Posted 01 March 2010 - 10:26 PM

Hello,

You can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml ) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise itself by hiding a file extension or adding to the existing extension as shown here so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions . Then make sure you scan the backed up data with your anti-virus prior to to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external usb hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if its worth that risk.

Note:
Again, do not back up any data with the following file extensions: exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.




" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#8 iamnothing

iamnothing
  • Topic Starter

  • Members
  • 150 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 02 March 2010 - 03:54 PM

fireman4it,
i am posting the requested logs below. if i do a search in google or yahoo i am still getting redirected. i did not try to update malwarebytes or run anything else until i spoke with you. thanks again!


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/03/02 00:30
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF06F8000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF9798000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEF02E000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\mcmsc_lk3s2hjpfqazkvi
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_ma7ix4sibrgaxak
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_xjyawncbouan0if
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_y9lgqyh3znthq8k
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\brian\local settings\temp\~df96e7.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\brian\local settings\temp\~dfa188.tmp
Status: Allocation size mismatch (API: 98304, Raw: 16384)

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xf0810320

Stealth Objects
-------------------
Object: Hidden Module [Name: z00clicker.dll]
Process: iexplore.exe (PID: 4012) Address: 0x10000000 Size: 204800

Object: Hidden Module [Name: z00clicker.dll]
Process: iexplore.exe (PID: 2744) Address: 0x10000000 Size: 204800

==EOF==



ComboFix 10-03-02.02 - Brian 03/02/2010 15:18:33.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.91 [GMT -5:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bszip.dll
c:\windows\system32\drivers\fad.sys

.
((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))
.

2010-03-01 18:34 . 2010-03-01 18:34 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-02-27 16:48 . 2010-02-27 16:48 -------- d-----w- c:\documents and settings\Brian\Application Data\SUPERAntiSpyware.com
2010-02-27 16:47 . 2010-02-27 16:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-22 06:13 . 2010-02-22 06:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-02-22 05:38 . 2010-02-22 05:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-22 05:37 . 2010-02-27 16:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-21 23:47 . 2010-02-21 23:47 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-02-21 04:10 . 2010-02-21 04:10 -------- d-----w- c:\program files\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-02 04:10 . 2009-12-01 17:40 -------- d-----w- c:\documents and settings\Brian\Application Data\vlc
2010-02-27 16:50 . 2010-02-27 16:50 52224 ----a-w- c:\documents and settings\Brian\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-27 16:50 . 2010-02-27 16:50 117760 ----a-w- c:\documents and settings\Brian\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-24 04:43 . 2005-04-22 05:07 -------- d-----w- c:\program files\Soulseek
2010-02-22 06:13 . 2010-02-22 06:13 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-22 06:13 . 2010-02-22 06:13 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-22 00:12 . 2009-06-24 02:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-21 04:13 . 2005-03-18 04:46 -------- d-----w- c:\program files\Common Files\Java
2010-02-21 04:08 . 2009-03-15 13:30 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-21 04:02 . 2005-03-18 04:46 -------- d-----w- c:\program files\Java
2010-01-26 01:10 . 2009-01-31 11:07 -------- d-----w- c:\program files\a-squared Free
2010-01-07 21:07 . 2009-06-24 02:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-06-24 02:00 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-26 15:54 . 2009-12-26 15:54 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-21 19:14 . 2004-08-10 18:51 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"DellSupport-"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-22 126976]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-03-18 26112]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\Brian\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2007-2-12 2746104]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15276:TCP"= 15276:TCP:soulseek

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [1/31/2009 6:07 AM 1858144]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/19/2008 8:08 AM 206096]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S2 0104781239909018mcinstcleanup;McAfee Application Installer Cleanup (0104781239909018);c:\windows\TEMP\010478~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\010478~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-19 15:53]

2010-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-19 15:53]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uInternet Settings,ProxyServer = 218.2.104.199:80
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-02 15:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x81B248C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf92a6f28
\Driver\ACPI -> ACPI.sys @ 0xf9219cb8
\Driver\atapi -> atapi.sys @ 0xf91d4b3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf90ddbb0
PacketIndicateHandler -> NDIS.sys @ 0xf90eaa21
SendHandler -> NDIS.sys @ 0xf90c887b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(524)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2010-03-02 15:44:48
ComboFix-quarantined-files.txt 2010-03-02 20:44

Pre-Run: 51,019,583,488 bytes free
Post-Run: 51,049,930,752 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 5FD8218267CC59BCC94F6788F94DB762


#9 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:05:41 AM

Posted 02 March 2010 - 07:59 PM

Hello,

1.
Please update Malwarebytes and run a full scan. Please post the results.

2.
Please download SystemLook from jpshortstuff and save it to your Desktop

Download Mirror #1

Download Mirror #2
  • Double-click the SystemLook and copy/paste the following into the box
    CODE
    :filefind
    atapi.sys

  • Hit the Look button. Let it finish the scan
  • A log will then pop-up to your Desktop.. Post the content of the log here in your next reply

Things to include in your next reply:
MBAM log
Systemlook log
Redirects still there?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#10 iamnothing

iamnothing
  • Topic Starter

  • Members
  • 150 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 03 March 2010 - 01:37 PM

fireman4it,
I was able to udpate malwarebytes. I started a FULL scan which took somewhere in the area of 2 hours. i had walked away from the computer and when i returned the computer restarted. an error message stated that the "computer had recovered from a serious error". if i look in the logs for malwarebytes the most recent one is from the beginning of february leading me to believe it didn't finish the scan.
i wanted to ask you if i should stay connected to the internet while scanning malwarebytes. and should i go ahead and download and use systemlook? Thanks so much. speak to you soon.

#11 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:05:41 AM

Posted 03 March 2010 - 07:46 PM

Hello iamnothing,

Please run Rkill then try to do a Quickscan with Malwarebytes.

If it works or not please download and use Systemlook.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#12 iamnothing

iamnothing
  • Topic Starter

  • Members
  • 150 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 03 March 2010 - 10:25 PM

fireman4it,
ran rkill and then did malewarebytes quickscan. scanned for several minutes and went to blue screen stating IRQL not less or equal, beginning physical dump.
restarted, downloaded systemlook and ran. here the log.


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 22:13 on 03/03/2010 by Brian (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\i386\atapi.sys --a--c 95360 bytes [03:24 26/03/2005] [04:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [19:55 30/08/2008] [04:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [20:41 02/03/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys -----c 96512 bytes [23:09 29/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [04:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys --a--c 95360 bytes [04:35 18/03/2005] [04:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-

thanks for the continued help.

#13 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:05:41 AM

Posted 03 March 2010 - 10:32 PM

Hello

We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

CODE
FCopy::
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys


Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Things to include in your next reply:
Combofix.txt
Are the redirects still there?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#14 iamnothing

iamnothing
  • Topic Starter

  • Members
  • 150 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 04 March 2010 - 01:49 AM

fireman4it
the redirect is still there. here is the log from combofix after putting the cfscript in.


ComboFix 10-03-02.02 - Brian 03/04/2010 0:32.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.96 [GMT -5:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brian\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-02-04 to 2010-03-04 )))))))))))))))))))))))))))))))
.

2010-03-01 18:34 . 2010-03-01 18:34 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-02-27 16:48 . 2010-02-27 16:48 -------- d-----w- c:\documents and settings\Brian\Application Data\SUPERAntiSpyware.com
2010-02-27 16:47 . 2010-02-27 16:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-22 06:13 . 2010-02-22 06:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-02-22 05:38 . 2010-02-22 05:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-22 05:37 . 2010-02-27 16:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-21 23:47 . 2010-02-21 23:47 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-02-21 04:10 . 2010-02-21 04:10 -------- d-----w- c:\program files\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-03 02:13 . 2009-12-01 17:40 -------- d-----w- c:\documents and settings\Brian\Application Data\vlc
2010-02-24 04:43 . 2005-04-22 05:07 -------- d-----w- c:\program files\Soulseek
2010-02-22 00:12 . 2009-06-24 02:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-21 04:13 . 2005-03-18 04:46 -------- d-----w- c:\program files\Common Files\Java
2010-02-21 04:08 . 2009-03-15 13:30 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-21 04:02 . 2005-03-18 04:46 -------- d-----w- c:\program files\Java
2010-01-26 01:10 . 2009-01-31 11:07 -------- d-----w- c:\program files\a-squared Free
2010-01-07 21:07 . 2009-06-24 02:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-06-24 02:00 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50 . 2004-08-10 18:51 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-10 18:51 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-10 19:01 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-10 18:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 18:22 . 2004-08-10 18:51 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"DellSupport-"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-22 126976]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-03-18 26112]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\Brian\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2007-2-12 2746104]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15276:TCP"= 15276:TCP:soulseek

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [1/31/2009 6:07 AM 1858144]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/19/2008 8:08 AM 206096]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S2 0104781239909018mcinstcleanup;McAfee Application Installer Cleanup (0104781239909018);c:\windows\TEMP\010478~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\010478~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-19 15:53]

2010-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-19 15:53]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uInternet Settings,ProxyServer = 218.2.104.199:80
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-04 01:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x81B508C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf92a6f28
\Driver\ACPI -> ACPI.sys @ 0xf9219cb8
\Driver\atapi -> atapi.sys @ 0xf91d4b3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf90ddbb0
PacketIndicateHandler -> NDIS.sys @ 0xf90eaa21
SendHandler -> NDIS.sys @ 0xf90c887b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(528)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3412)
c:\windows\system32\WININET.dll
c:\program files\Stardock\ObjectDock\DockShellHook.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-04 01:39:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-04 06:38
ComboFix2.txt 2010-03-02 20:44

Pre-Run: 50,993,901,568 bytes free
Post-Run: 51,017,134,080 bytes free

- - End Of File - - 959CC6535CE996238122DE036BB0023B


#15 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:05:41 AM

Posted 04 March 2010 - 06:51 PM

Hello,
  • Download TDSSKiller and save it to your Desktop.


  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.



    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v


  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to leave the file alone

    .

  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here (or attach it).

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users