Google redirection to unwanted websites & unable to update anti-malware


This topic is locked
22 replies to this topic

#1 menags

menags

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:33 AM

Posted 22 February 2010 - 09:59 PM

Hi guys,

I have been getting redirected to unwanted websites when using google and have been unable to identify/remove the malware responsible through various downloaded security programs (AVG Free [I have since uninstalled this], Malwarebytes' Anti-Malware, SUPERAntiSpyware Repair, Avira Antivir)

AVG and Malwarebytes did detect some trojan horse malware which has since been removed however the problem still exists.

Also I have not been able to update Malwarebytes or SUPERAntiSpyware, upon attempting to check for updates the following error messages are returned for Malwarebytes and SUPERAntiSpyware respectively:

Malwarebytes:
"An error occurred. Please report the following error code to the Malwarebytes' Anti-Malware support team.
Error code: 732 (12029, 0)"

I have looked at the LAN settings on internet explorer and ensured that the box corresponding to "Use a proxy server for your LAN" is unchecked.

SUPERAntiSpyware:
"There was an error trying to retrieve definitions. Make sure your firewall is not blocking SUPERANTISPYWARE.EXE from accessing the internet"

I have provided the DDS.txt log below and attached the attach.txt and ark.txt files.

Thanks a lot in advance for any assistance you are able to provide.


DDS (Ver_09-12-01.01) - NTFSx86
Run by User at 8:33:08.60 on Tue 23/02/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2792 [GMT 8:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.telstra.com.au/business/
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Nokia.PCSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
TCP: {458FD880-8DB5-4689-B51C-62C4550AE586} = 93.188.165.186,93.188.166.24
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-2-22 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-2-22 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-2-22 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-22 55656]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-5-25 30192]

=============== Created Last 30 ================

2010-02-23 00:30:57 0 ----a-w- c:\documents and settings\user\defogger_reenable
2010-02-22 23:18:06 0 d-sha-r- C:\cmdcons
2010-02-22 23:16:53 98816 ----a-w- c:\windows\sed.exe
2010-02-22 23:16:53 77312 ----a-w- c:\windows\MBR.exe
2010-02-22 23:16:53 261632 ----a-w- c:\windows\PEV.exe
2010-02-22 23:16:53 161792 ----a-w- c:\windows\SWREG.exe
2010-02-22 23:16:44 0 d-----w- C:\ComboFix
2010-02-22 09:28:52 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-22 09:28:51 0 d-----w- c:\program files\Avira
2010-02-22 09:28:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-02-22 09:21:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-22 09:21:08 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-22 09:21:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-22 08:13:36 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-22 08:13:30 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-22 08:13:30 0 d-----w- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2010-02-22 06:12:36 0 d-----w- c:\program files\CCleaner
2010-02-19 02:00:04 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2010-02-19 02:00:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-15 09:24:37 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-11 23:42:15 0 d-----w- c:\program files\AVG
2010-02-08 23:35:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

==================== Find3M ====================

2010-01-05 10:00:29 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-03-19 06:44:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-05-21 00:46:13 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009052120090522\index.dat

============= FINISH: 8:33:24.65 ===============


#2 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:09:33 AM

Posted 24 February 2010 - 02:25 PM

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

I will be back as soon as possible with your first instructions!

MalWare Removal University Master

Member of ASAP


#3 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:09:33 AM

Posted 24 February 2010 - 02:36 PM

I see that you have ComboFix on your computer. Please delete ComboFix.exe off of your computer. Once that is done, then download the latest version of ComboFix from one of the links below. Be sure to save it to your Desktop.

Link 1
Link 2

Once ComboFix has finished downloading, run it.

*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.


#4 menags

menags
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:33 AM

Posted 25 February 2010 - 01:09 AM

Hi km2357,
Cheers for helping me out.

As requested I've deleted Combofix from my computer and installed the latest version from the link you provided.
The Combofix log produced from this combofix run is attached.

Regards,
Menags



#5 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:09:33 AM

Posted 25 February 2010 - 02:37 PM

From now on, any logs that I ask for just post them normally please. Do not attach them. Thanks.


Please run the following:

Extract TDSSKiller.exe to your Desktop.

Run TDSSKiller.exe. You may be prompted to restart your machine. Type Y at the prompt

Once complete, a log will be produced at root. It will be named

UtilityName.Version_Date_Time_log.txt.

for example, C:\TDSSKiller.2.2.0_27.1.2010_15.31.43_log.txt.

If TDSSKiller does not reboot your computer, please reboot it.

Once your computer has rebooted, do the following:


Step # 1: Run Batchfile

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the codebox to Notepad. Save it as "All Files" and name it mbrlog.bat Please save it on your desktop.

CODE
@echo off
REM Run mbr.exe (Gmer's MBR rootkit detector) and have it write its report to mbr.log
mbr.exe -t
REM Open the report in the default text editor
start mbr.log
REM Remove this batch file once it has run
del %0


Double click mbrlog.bat. A window will open and close. This is normal.


In your next post/reply, I need to see the following:

1. The TDSSKiller Log
2. The mbrlog.bat Log/Results

Edited by km2357, 25 February 2010 - 02:38 PM.



#6 menags

menags
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:33 AM

Posted 25 February 2010 - 07:38 PM

Sorry about that mate,

Please refer below for the TDSS Log followed by the mbr log.


08:24:11:765 0212 TDSS rootkit removing tool 2.2.7 Feb 25 2010 10:44:44
08:24:11:765 0212 ================================================================================
08:24:11:765 0212 SystemInfo:

08:24:11:765 0212 OS Version: 5.1.2600 ServicePack: 3.0
08:24:11:765 0212 Product type: Workstation
08:24:11:765 0212 ComputerName: BOSS
08:24:11:765 0212 UserName: User
08:24:11:765 0212 Windows directory: C:\WINDOWS
08:24:11:765 0212 Processor architecture: Intel x86
08:24:11:765 0212 Number of processors: 4
08:24:11:765 0212 Page size: 0x1000
08:24:11:765 0212 Boot type: Normal boot
08:24:11:765 0212 ================================================================================
08:24:11:796 0212 UnloadDriverW: NtUnloadDriver error 2
08:24:11:796 0212 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
08:24:11:843 0212 Initialize success
08:24:11:843 0212
08:24:11:843 0212 Scanning Services ...
08:24:11:843 0212 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
08:24:11:859 0212 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
08:24:11:859 0212 wfopen_ex: Trying to KLMD file open
08:24:11:859 0212 wfopen_ex: File opened ok (Flags 2)
08:24:11:859 0212 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
08:24:11:859 0212 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
08:24:11:859 0212 wfopen_ex: Trying to KLMD file open
08:24:11:859 0212 wfopen_ex: File opened ok (Flags 2)
08:24:12:234 0212 GetAdvancedServicesInfo: Raw services enum returned 334 services
08:24:12:234 0212 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
08:24:12:234 0212 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
08:24:12:234 0212
08:24:12:234 0212 Scanning Kernel memory ...
08:24:12:234 0212 Devices to scan: 10
08:24:12:234 0212
08:24:12:234 0212 Driver Name: Disk
08:24:12:234 0212 IRP_MJ_CREATE : BA0EEBB0
08:24:12:234 0212 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
08:24:12:234 0212 IRP_MJ_CLOSE : BA0EEBB0
08:24:12:234 0212 IRP_MJ_READ : BA0E8D1F
08:24:12:234 0212 IRP_MJ_WRITE : BA0E8D1F
08:24:12:234 0212 IRP_MJ_QUERY_INFORMATION : 804F4562
08:24:12:234 0212 IRP_MJ_SET_INFORMATION : 804F4562
08:24:12:234 0212 IRP_MJ_QUERY_EA : 804F4562
08:24:12:234 0212 IRP_MJ_SET_EA : 804F4562
08:24:12:234 0212 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
08:24:12:234 0212 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
08:24:12:234 0212 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
08:24:12:234 0212 IRP_MJ_DIRECTORY_CONTROL : 804F4562
08:24:12:234 0212 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
08:24:12:234 0212 IRP_MJ_DEVICE_CONTROL : BA0E93BB
08:24:12:234 0212 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
08:24:12:234 0212 IRP_MJ_SHUTDOWN : BA0E92E2
08:24:12:234 0212 IRP_MJ_LOCK_CONTROL : 804F4562
08:24:12:234 0212 IRP_MJ_CLEANUP : 804F4562
08:24:12:234 0212 IRP_MJ_CREATE_MAILSLOT : 804F4562
08:24:12:234 0212 IRP_MJ_QUERY_SECURITY : 804F4562
08:24:12:234 0212 IRP_MJ_SET_SECURITY : 804F4562
08:24:12:234 0212 IRP_MJ_POWER : BA0EAC82
08:24:12:234 0212 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
08:24:12:234 0212 IRP_MJ_DEVICE_CHANGE : 804F4562
08:24:12:234 0212 IRP_MJ_QUERY_QUOTA : 804F4562
08:24:12:234 0212 IRP_MJ_SET_QUOTA : 804F4562
08:24:12:250 0212 sion
08:24:12:250 0212 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
08:24:12:250 0212
08:24:12:250 0212 Driver Name: Disk
08:24:12:250 0212 IRP_MJ_CREATE : BA0EEBB0
08:24:12:250 0212 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
08:24:12:250 0212 IRP_MJ_CLOSE : BA0EEBB0
08:24:12:250 0212 IRP_MJ_READ : BA0E8D1F
08:24:12:250 0212 IRP_MJ_WRITE : BA0E8D1F
08:24:12:250 0212 IRP_MJ_QUERY_INFORMATION : 804F4562
08:24:12:250 0212 IRP_MJ_SET_INFORMATION : 804F4562
08:24:12:250 0212 IRP_MJ_QUERY_EA : 804F4562
08:24:12:250 0212 IRP_MJ_SET_EA : 804F4562
08:24:12:250 0212 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
08:24:12:250 0212 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
08:24:12:250 0212 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
08:24:12:250 0212 IRP_MJ_DIRECTORY_CONTROL : 804F4562
08:24:12:250 0212 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
08:24:12:250 0212 IRP_MJ_DEVICE_CONTROL : BA0E93BB
08:24:12:250 0212 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
08:24:12:250 0212 IRP_MJ_SHUTDOWN : BA0E92E2
08:24:12:250 0212 IRP_MJ_LOCK_CONTROL : 804F4562
08:24:12:250 0212 IRP_MJ_CLEANUP : 804F4562
08:24:12:250 0212 IRP_MJ_CREATE_MAILSLOT : 804F4562
08:24:12:250 0212 IRP_MJ_QUERY_SECURITY : 804F4562
08:24:12:250 0212 IRP_MJ_SET_SECURITY : 804F4562
08:24:12:250 0212 IRP_MJ_POWER : BA0EAC82
08:24:12:250 0212 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
08:24:12:250 0212 IRP_MJ_DEVICE_CHANGE : 804F4562
08:24:12:250 0212 IRP_MJ_QUERY_QUOTA : 804F4562
08:24:12:250 0212 IRP_MJ_SET_QUOTA : 804F4562
08:24:12:250 0212 sion
08:24:12:250 0212 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
08:24:12:250 0212
08:24:12:250 0212 Driver Name: Disk
08:24:12:250 0212 IRP_MJ_CREATE : BA0EEBB0
08:24:12:250 0212 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
08:24:12:250 0212 IRP_MJ_CLOSE : BA0EEBB0
08:24:12:250 0212 IRP_MJ_READ : BA0E8D1F
08:24:12:250 0212 IRP_MJ_WRITE : BA0E8D1F
08:24:12:250 0212 IRP_MJ_QUERY_INFORMATION : 804F4562
08:24:12:250 0212 IRP_MJ_SET_INFORMATION : 804F4562
08:24:12:250 0212 IRP_MJ_QUERY_EA : 804F4562
08:24:12:250 0212 IRP_MJ_SET_EA : 804F4562
08:24:12:250 0212 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
08:24:12:250 0212 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
08:24:12:250 0212 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
08:24:12:250 0212 IRP_MJ_DIRECTORY_CONTROL : 804F4562
08:24:12:250 0212 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
08:24:12:250 0212 IRP_MJ_DEVICE_CONTROL : BA0E93BB
08:24:12:250 0212 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
08:24:12:250 0212 IRP_MJ_SHUTDOWN : BA0E92E2
08:24:12:250 0212 IRP_MJ_LOCK_CONTROL : 804F4562
08:24:12:250 0212 IRP_MJ_CLEANUP : 804F4562
08:24:12:250 0212 IRP_MJ_CREATE_MAILSLOT : 804F4562
08:24:12:250 0212 IRP_MJ_QUERY_SECURITY : 804F4562
08:24:12:250 0212 IRP_MJ_SET_SECURITY : 804F4562
08:24:12:250 0212 IRP_MJ_POWER : BA0EAC82
08:24:12:250 0212 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
08:24:12:250 0212 IRP_MJ_DEVICE_CHANGE : 804F4562
08:24:12:250 0212 IRP_MJ_QUERY_QUOTA : 804F4562
08:24:12:250 0212 IRP_MJ_SET_QUOTA : 804F4562
08:24:12:250 0212 sion
08:24:12:250 0212 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
08:24:12:250 0212
08:24:12:250 0212 Driver Name: Disk
08:24:12:250 0212 IRP_MJ_CREATE : BA0EEBB0
08:24:12:250 0212 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
08:24:12:250 0212 IRP_MJ_CLOSE : BA0EEBB0
08:24:12:250 0212 IRP_MJ_READ : BA0E8D1F
08:24:12:250 0212 IRP_MJ_WRITE : BA0E8D1F
08:24:12:250 0212 IRP_MJ_QUERY_INFORMATION : 804F4562
08:24:12:250 0212 IRP_MJ_SET_INFORMATION : 804F4562
08:24:12:250 0212 IRP_MJ_QUERY_EA : 804F4562
08:24:12:250 0212 IRP_MJ_SET_EA : 804F4562
08:24:12:250 0212 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
08:24:12:250 0212 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
08:24:12:250 0212 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
08:24:12:250 0212 IRP_MJ_DIRECTORY_CONTROL : 804F4562
08:24:12:250 0212 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
08:24:12:265 0212 IRP_MJ_DEVICE_CONTROL : BA0E93BB
08:24:12:265 0212 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
08:24:12:265 0212 IRP_MJ_SHUTDOWN : BA0E92E2
08:24:12:265 0212 IRP_MJ_LOCK_CONTROL : 804F4562
08:24:12:265 0212 IRP_MJ_CLEANUP : 804F4562
08:24:12:265 0212 IRP_MJ_CREATE_MAILSLOT : 804F4562
08:24:12:265 0212 IRP_MJ_QUERY_SECURITY : 804F4562
08:24:12:265 0212 IRP_MJ_SET_SECURITY : 804F4562
08:24:12:265 0212 IRP_MJ_POWER : BA0EAC82
08:24:12:265 0212 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
08:24:12:265 0212 IRP_MJ_DEVICE_CHANGE : 804F4562
08:24:12:265 0212 IRP_MJ_QUERY_QUOTA : 804F4562
08:24:12:265 0212 IRP_MJ_SET_QUOTA : 804F4562
08:24:12:265 0212 sion
08:24:12:265 0212 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
08:24:12:265 0212
08:24:12:265 0212 Driver Name: USBSTOR
08:24:12:265 0212 IRP_MJ_CREATE : BA4A5218
08:24:12:265 0212 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
08:24:12:265 0212 IRP_MJ_CLOSE : BA4A5218
08:24:12:265 0212 IRP_MJ_READ : BA4A523C
08:24:12:265 0212 IRP_MJ_WRITE : BA4A523C
08:24:12:265 0212 IRP_MJ_QUERY_INFORMATION : 804F4562
08:24:12:265 0212 IRP_MJ_SET_INFORMATION : 804F4562
08:24:12:265 0212 IRP_MJ_QUERY_EA : 804F4562
08:24:12:265 0212 IRP_MJ_SET_EA : 804F4562
08:24:12:265 0212 IRP_MJ_FLUSH_BUFFERS : 804F4562
08:24:12:265 0212 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
08:24:12:265 0212 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
08:24:12:265 0212 IRP_MJ_DIRECTORY_CONTROL : 804F4562
08:24:12:265 0212 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
08:24:12:265 0212 IRP_MJ_DEVICE_CONTROL : BA4A5180
08:24:12:265 0212 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA4A09E6
08:24:12:265 0212 IRP_MJ_SHUTDOWN : 804F4562
08:24:12:265 0212 IRP_MJ_LOCK_CONTROL : 804F4562
08:24:12:265 0212 IRP_MJ_CLEANUP : 804F4562
08:24:12:265 0212 IRP_MJ_CREATE_MAILSLOT : 804F4562
08:24:12:265 0212 IRP_MJ_QUERY_SECURITY : 804F4562
08:24:12:265 0212 IRP_MJ_SET_SECURITY : 804F4562
08:24:12:265 0212 IRP_MJ_POWER : BA4A45F0
08:24:12:265 0212 IRP_MJ_SYSTEM_CONTROL : BA4A2A6E
08:24:12:265 0212 IRP_MJ_DEVICE_CHANGE : 804F4562
08:24:12:265 0212 IRP_MJ_QUERY_QUOTA : 804F4562
08:24:12:265 0212 IRP_MJ_SET_QUOTA : 804F4562
08:24:12:281 0212 siohd: 0
08:24:12:281 0212 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
08:24:12:281 0212
08:24:12:281 0212 Driver Name: USBSTOR
08:24:12:281 0212 IRP_MJ_CREATE : BA4A5218
08:24:12:281 0212 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
08:24:12:281 0212 IRP_MJ_CLOSE : BA4A5218
08:24:12:281 0212 IRP_MJ_READ : BA4A523C
08:24:12:281 0212 IRP_MJ_WRITE : BA4A523C
08:24:12:281 0212 IRP_MJ_QUERY_INFORMATION : 804F4562
08:24:12:281 0212 IRP_MJ_SET_INFORMATION : 804F4562
08:24:12:281 0212 IRP_MJ_QUERY_EA : 804F4562
08:24:12:281 0212 IRP_MJ_SET_EA : 804F4562
08:24:12:281 0212 IRP_MJ_FLUSH_BUFFERS : 804F4562
08:24:12:281 0212 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
08:24:12:281 0212 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
08:24:12:281 0212 IRP_MJ_DIRECTORY_CONTROL : 804F4562
08:24:12:281 0212 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
08:24:12:281 0212 IRP_MJ_DEVICE_CONTROL : BA4A5180
08:24:12:281 0212 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA4A09E6
08:24:12:281 0212 IRP_MJ_SHUTDOWN : 804F4562
08:24:12:281 0212 IRP_MJ_LOCK_CONTROL : 804F4562
08:24:12:281 0212 IRP_MJ_CLEANUP : 804F4562
08:24:12:281 0212 IRP_MJ_CREATE_MAILSLOT : 804F4562
08:24:12:281 0212 IRP_MJ_QUERY_SECURITY : 804F4562
08:24:12:281 0212 IRP_MJ_SET_SECURITY : 804F4562
08:24:12:281 0212 IRP_MJ_POWER : BA4A45F0
08:24:12:281 0212 IRP_MJ_SYSTEM_CONTROL : BA4A2A6E
08:24:12:281 0212 IRP_MJ_DEVICE_CHANGE : 804F4562
08:24:12:281 0212 IRP_MJ_QUERY_QUOTA : 804F4562
08:24:12:281 0212 IRP_MJ_SET_QUOTA : 804F4562
08:24:12:281 0212 siohd: 0
08:24:12:281 0212 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
08:24:12:281 0212
08:24:12:281 0212 Driver Name: USBSTOR
08:24:12:281 0212 IRP_MJ_CREATE : BA4A5218
08:24:12:281 0212 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
08:24:12:281 0212 IRP_MJ_CLOSE : BA4A5218
08:24:12:281 0212 IRP_MJ_READ : BA4A523C
08:24:12:281 0212 IRP_MJ_WRITE : BA4A523C
08:24:12:281 0212 IRP_MJ_QUERY_INFORMATION : 804F4562
08:24:12:281 0212 IRP_MJ_SET_INFORMATION : 804F4562
08:24:12:281 0212 IRP_MJ_QUERY_EA : 804F4562
08:24:12:281 0212 IRP_MJ_SET_EA : 804F4562
08:24:12:281 0212 IRP_MJ_FLUSH_BUFFERS : 804F4562
08:24:12:281 0212 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
08:24:12:281 0212 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
08:24:12:281 0212 IRP_MJ_DIRECTORY_CONTROL : 804F4562
08:24:12:281 0212 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
08:24:12:281 0212 IRP_MJ_DEVICE_CONTROL : BA4A5180
08:24:12:281 0212 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA4A09E6
08:24:12:281 0212 IRP_MJ_SHUTDOWN : 804F4562
08:24:12:281 0212 IRP_MJ_LOCK_CONTROL : 804F4562
08:24:12:281 0212 IRP_MJ_CLEANUP : 804F4562
08:24:12:281 0212 IRP_MJ_CREATE_MAILSLOT : 804F4562
08:24:12:281 0212 IRP_MJ_QUERY_SECURITY : 804F4562
08:24:12:281 0212 IRP_MJ_SET_SECURITY : 804F4562
08:24:12:281 0212 IRP_MJ_POWER : BA4A45F0
08:24:12:281 0212 IRP_MJ_SYSTEM_CONTROL : BA4A2A6E
08:24:12:281 0212 IRP_MJ_DEVICE_CHANGE : 804F4562
08:24:12:281 0212 IRP_MJ_QUERY_QUOTA : 804F4562
08:24:12:281 0212 IRP_MJ_SET_QUOTA : 804F4562
08:24:12:281 0212 siohd: 0
08:24:12:281 0212 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
08:24:12:281 0212
08:24:12:281 0212 Driver Name: USBSTOR
08:24:12:281 0212 IRP_MJ_CREATE : BA4A5218
08:24:12:281 0212 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
08:24:12:281 0212 IRP_MJ_CLOSE : BA4A5218
08:24:12:281 0212 IRP_MJ_READ : BA4A523C
08:24:12:281 0212 IRP_MJ_WRITE : BA4A523C
08:24:12:281 0212 IRP_MJ_QUERY_INFORMATION : 804F4562
08:24:12:281 0212 IRP_MJ_SET_INFORMATION : 804F4562
08:24:12:281 0212 IRP_MJ_QUERY_EA : 804F4562
08:24:12:281 0212 IRP_MJ_SET_EA : 804F4562
08:24:12:281 0212 IRP_MJ_FLUSH_BUFFERS : 804F4562
08:24:12:281 0212 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
08:24:12:281 0212 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
08:24:12:281 0212 IRP_MJ_DIRECTORY_CONTROL : 804F4562
08:24:12:281 0212 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
08:24:12:281 0212 IRP_MJ_DEVICE_CONTROL : BA4A5180
08:24:12:281 0212 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA4A09E6
08:24:12:281 0212 IRP_MJ_SHUTDOWN : 804F4562
08:24:12:281 0212 IRP_MJ_LOCK_CONTROL : 804F4562
08:24:12:281 0212 IRP_MJ_CLEANUP : 804F4562
08:24:12:281 0212 IRP_MJ_CREATE_MAILSLOT : 804F4562
08:24:12:281 0212 IRP_MJ_QUERY_SECURITY : 804F4562
08:24:12:281 0212 IRP_MJ_SET_SECURITY : 804F4562
08:24:12:281 0212 IRP_MJ_POWER : BA4A45F0
08:24:12:281 0212 IRP_MJ_SYSTEM_CONTROL : BA4A2A6E
08:24:12:281 0212 IRP_MJ_DEVICE_CHANGE : 804F4562
08:24:12:281 0212 IRP_MJ_QUERY_QUOTA : 804F4562
08:24:12:281 0212 IRP_MJ_SET_QUOTA : 804F4562
08:24:12:281 0212 siohd: 0
08:24:12:281 0212 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
08:24:12:281 0212
08:24:12:281 0212 Driver Name: Disk
08:24:12:281 0212 IRP_MJ_CREATE : BA0EEBB0
08:24:12:281 0212 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
08:24:12:281 0212 IRP_MJ_CLOSE : BA0EEBB0
08:24:12:281 0212 IRP_MJ_READ : BA0E8D1F
08:24:12:281 0212 IRP_MJ_WRITE : BA0E8D1F
08:24:12:281 0212 IRP_MJ_QUERY_INFORMATION : 804F4562
08:24:12:281 0212 IRP_MJ_SET_INFORMATION : 804F4562
08:24:12:281 0212 IRP_MJ_QUERY_EA : 804F4562
08:24:12:281 0212 IRP_MJ_SET_EA : 804F4562
08:24:12:281 0212 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
08:24:12:281 0212 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
08:24:12:281 0212 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
08:24:12:281 0212 IRP_MJ_DIRECTORY_CONTROL : 804F4562
08:24:12:281 0212 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
08:24:12:281 0212 IRP_MJ_DEVICE_CONTROL : BA0E93BB
08:24:12:281 0212 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
08:24:12:281 0212 IRP_MJ_SHUTDOWN : BA0E92E2
08:24:12:281 0212 IRP_MJ_LOCK_CONTROL : 804F4562
08:24:12:281 0212 IRP_MJ_CLEANUP : 804F4562
08:24:12:281 0212 IRP_MJ_CREATE_MAILSLOT : 804F4562
08:24:12:281 0212 IRP_MJ_QUERY_SECURITY : 804F4562
08:24:12:281 0212 IRP_MJ_SET_SECURITY : 804F4562
08:24:12:281 0212 IRP_MJ_POWER : BA0EAC82
08:24:12:281 0212 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
08:24:12:281 0212 IRP_MJ_DEVICE_CHANGE : 804F4562
08:24:12:281 0212 IRP_MJ_QUERY_QUOTA : 804F4562
08:24:12:281 0212 IRP_MJ_SET_QUOTA : 804F4562
08:24:12:281 0212 sion
08:24:12:281 0212 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
08:24:12:281 0212
08:24:12:281 0212 Driver Name: atapi
08:24:12:281 0212 IRP_MJ_CREATE : B9F14B3A
08:24:12:281 0212 IRP_MJ_CREATE_NAMED_PIPE : B9F14B3A
08:24:12:281 0212 IRP_MJ_CLOSE : B9F14B3A
08:24:12:281 0212 IRP_MJ_READ : B9F14B3A
08:24:12:281 0212 IRP_MJ_WRITE : B9F14B3A
08:24:12:281 0212 IRP_MJ_QUERY_INFORMATION : B9F14B3A
08:24:12:281 0212 IRP_MJ_SET_INFORMATION : B9F14B3A
08:24:12:281 0212 IRP_MJ_QUERY_EA : B9F14B3A
08:24:12:281 0212 IRP_MJ_SET_EA : B9F14B3A
08:24:12:281 0212 IRP_MJ_FLUSH_BUFFERS : B9F14B3A
08:24:12:281 0212 IRP_MJ_QUERY_VOLUME_INFORMATION : B9F14B3A
08:24:12:281 0212 IRP_MJ_SET_VOLUME_INFORMATION : B9F14B3A
08:24:12:281 0212 IRP_MJ_DIRECTORY_CONTROL : B9F14B3A
08:24:12:281 0212 IRP_MJ_FILE_SYSTEM_CONTROL : B9F14B3A
08:24:12:281 0212 IRP_MJ_DEVICE_CONTROL : B9F14B3A
08:24:12:281 0212 IRP_MJ_INTERNAL_DEVICE_CONTROL : B9F14B3A
08:24:12:281 0212 IRP_MJ_SHUTDOWN : B9F14B3A
08:24:12:281 0212 IRP_MJ_LOCK_CONTROL : B9F14B3A
08:24:12:281 0212 IRP_MJ_CLEANUP : B9F14B3A
08:24:12:281 0212 IRP_MJ_CREATE_MAILSLOT : B9F14B3A
08:24:12:281 0212 IRP_MJ_QUERY_SECURITY : B9F14B3A
08:24:12:281 0212 IRP_MJ_SET_SECURITY : B9F14B3A
08:24:12:281 0212 IRP_MJ_POWER : B9F14B3A
08:24:12:281 0212 IRP_MJ_SYSTEM_CONTROL : B9F14B3A
08:24:12:281 0212 IRP_MJ_DEVICE_CHANGE : B9F14B3A
08:24:12:281 0212 IRP_MJ_QUERY_QUOTA : B9F14B3A
08:24:12:281 0212 IRP_MJ_SET_QUOTA : B9F14B3A
08:24:12:296 0212 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
08:24:12:296 0212 TDL3_IrpHookDetect: New IrpHandler addr: 8A6938C8
08:24:12:296 0212 ihd: 10, FFDF0308, 510, 134, 3, 120, 0
08:24:12:296 0212 Driver "atapi" Irp handler infected by TDSS rootkit ... 08:24:12:296 0212 cured
08:24:12:296 0212 siohd: 0
08:24:12:296 0212 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
08:24:12:296 0212 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 08:24:12:296 0212 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
08:24:12:296 0212 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
08:24:12:453 0212 vfvi6
08:24:12:515 0212 !dsvbh1
08:24:13:078 0212 dsvbh2
08:24:13:078 0212 fdfb2
08:24:13:078 0212 Backup copy found, using it..
08:24:13:109 0212 will be cured on next reboot
08:24:13:109 0212 Reboot required for cure complete..
08:24:13:140 0212 Cure on reboot scheduled successfully
08:24:13:140 0212
08:24:13:140 0212 Completed
08:24:13:140 0212
08:24:13:140 0212 Results:
08:24:13:140 0212 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
08:24:13:140 0212 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
08:24:13:140 0212 File objects infected / cured / cured on reboot: 1 / 0 / 1
08:24:13:140 0212
08:24:13:140 0212 UnloadDriverW: NtUnloadDriver error 1
08:24:13:140 0212 KLMD_Unload: UnloadDriverW(klmd21) error 1
08:24:13:140 0212 KLMD(ARK) unloaded successfully


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll tskB.tmp pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

#7 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 26 February 2010 - 12:37 AM

Step # 1 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u18.
  • Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Remove the following old versions of Java:

  • Java™ 6 Update 12

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • From your desktop double-click on the download to install the newest version.



Step # 2 Run CCleaner

CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!
  • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 24 hours
  • Then select the items you wish to clean up.
  • In the Windows Tab:
  • Clean all entries in the Internet Explorer section except Cookies
  • Clean all the entries in the Windows Explorer section
  • Clean all entries in the System section
  • Clean all entries in the Advanced section
  • Clean any others that you choose
  • In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it
  • Clean all in the Opera section if you use it
  • Clean Sun Java in the Internet Section
  • Clean any others that you choose
  • Click the Run Cleaner button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK and it will scan and clean your system.
  • Click exit when done.
  • If it asks you to reboot at the end, click NO



Step # 3 Run Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware.
  • Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
  • Next click the Scanner tab and select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:
  • Click on the Malwarebytes' Anti-Malware icon to launch the program.
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open.


In your next post/reply, I need to see the following:

1. MalwareBytes' Log
2. A fresh DDS Log

MalWare Removal University Master

Member of ASAP


#8 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 01 March 2010 - 12:30 AM

menags? How are things coming along?



#9 menags

  • Topic Starter
  • Members
  • 10 posts

Posted 02 March 2010 - 06:57 AM

Apologies for the delay km2357,

I have updated Java, run CCleaner and MalwareBytes' Anti-Malware as per your previous email.
All seemed to go pretty smoothly; the only thing I had trouble with was updating MalwareBytes (as instructed in Step #3 dot point 2) - I still receive Error Code 732. Note however I still ran MalwareBytes and it did identify/remove some malware.

Please see below for MalwareBytes' Log and a fresh DDS Log:
Cheers,

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2/03/2010 7:39:37 PM
mbam-log-2010-03-02 (19-39-37).txt

Scan type: Full Scan (C:\|)
Objects scanned: 164074
Time elapsed: 16 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{0B49162B-520A-414F-A18E-BB6BB179989B}\RP246\A0014752.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0B49162B-520A-414F-A18E-BB6BB179989B}\RP248\A0015890.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0B49162B-520A-414F-A18E-BB6BB179989B}\RP248\A0016047.sys (Malware.Trace) -> Quarantined and deleted successfully.



DDS (Ver_09-12-01.01) - NTFSx86
Run by User at 19:44:57.53 on Tue 02/03/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2804 [GMT 8:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.telstra.com.au/business/
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Nokia.PCSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
TCP: {458FD880-8DB5-4689-B51C-62C4550AE586} = 93.188.165.186,93.188.166.24
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-2-22 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-2-22 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-2-22 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-22 56816]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-5-25 30192]

=============== Created Last 30 ================

2010-02-27 06:07:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-02-27 05:43:36 0 d-----w- c:\windows\system32\appmgmt
2010-02-25 05:45:35 0 d-----w- C:\ComboFix
2010-02-23 00:30:57 0 ----a-w- c:\documents and settings\user\defogger_reenable
2010-02-22 23:18:06 0 d-sha-r- C:\cmdcons
2010-02-22 23:16:53 98816 ----a-w- c:\windows\sed.exe
2010-02-22 23:16:53 77312 ----a-w- c:\windows\MBR.exe
2010-02-22 23:16:53 261632 ----a-w- c:\windows\PEV.exe
2010-02-22 23:16:53 161792 ----a-w- c:\windows\SWREG.exe
2010-02-22 09:28:52 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-22 09:28:51 0 d-----w- c:\program files\Avira
2010-02-22 09:28:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-02-22 09:21:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-22 09:21:08 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-22 09:21:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-22 08:13:36 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-22 08:13:30 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-22 08:13:30 0 d-----w- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2010-02-22 06:12:36 0 d-----w- c:\program files\CCleaner
2010-02-19 02:00:04 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2010-02-19 02:00:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-15 09:24:37 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-11 23:42:15 0 d-----w- c:\program files\AVG
2010-02-08 23:35:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

==================== Find3M ====================

2010-02-27 06:07:21 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-26 00:25:50 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-05 10:00:29 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-03-19 06:44:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-05-21 00:46:13 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009052120090522\index.dat

============= FINISH: 19:45:12.50 ===============


#10 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 02 March 2010 - 02:36 PM

For your problem with updating MalwareBytes', try following the steps at the website below and see if they fix your problem:

http://forums.malwarebytes.org/index.php?s...st&p=205544

If any of the three steps fix the problem, then update MBAM and run a Quick Scan and post the MalwareBytes' log in your next post/reply.

If they don't work, then try uninstalling MBAM and redownloading it from here and reinstalling it. Then try updating it and running a Quick Scan and posting the MBAM Log in your next post/reply.



#11 menags

  • Topic Starter
  • Members
  • 10 posts

Posted 03 March 2010 - 05:09 AM

Hi km2357,

I followed the 3 steps presented on the MBAM forum without success (including adjusting registry settings by copying the command at the forum into the Run box [Step #1], ticking the box next to 'Automatically detect settings' under the IE Connections/LAN settings tab [Step #2], and adding MBAM file exceptions to Avira AntiVir and Windows Firewall [Step #3]).

I also uninstalled and reinstalled MBAM from the link provided but still no luck.

Note that I had to access all the links to MBAM forums and download files in your previous email from another computer as this computer is 'unable to display the webpage'. I suspect it is the remaining Malware, or some adjustment to the system caused by malware, doing this in an attempt to avoid removal?

I still ran another quick scan using the newly installed MBAM (no malware was found) and have posted the MBAM log below,

Menags

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

3/03/2010 5:55:25 PM
mbam-log-2010-03-03 (17-55-25).txt

Scan type: Quick Scan
Objects scanned: 118466
Time elapsed: 2 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#12 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 03 March 2010 - 02:29 PM

QUOTE
Note that I had to access all the links to MBAM forums and download files in your previous email from another computer as this computer is 'unable to display the webpage'. I suspect it is the remaining Malware, or some adjustment to the system caused by malware, doing this in an attempt to avoid removal?


Are any other sites blocked on your computer? For example, can you get to Bleepingcomputer.com or does that give you the 'unable to display webpage' error?

Let's try changing your Hosts file, which should stop whatever is blocking MalwareBytes.org on your computer:


Step # 1 Download HostsXpert

Download HostsXpert and unzip it to your desktop.

Open HostsXpert that you earlier unzipped on your Desktop.
  • Click "Make Hosts Writable?" upper right corner (if available)
  • Click "Restore Microsoft's Original Hosts File" and then click OK
  • Close HostsXpert

Note: if you used any custom Hosts entries (e.g. MVPS Hosts), you will have to put them back manually.

Once you're done with HostsXpert, reboot your computer and then see if you can update MBAM; if you can, run another Quick Scan and post the log.

Edited by km2357, 03 March 2010 - 02:29 PM.



#13 menags

  • Topic Starter
  • Members
  • 10 posts

Posted 05 March 2010 - 05:53 AM

Hi km2357,

I tried a variety of sites that you might expect to be blocked/redirected by malware (e.g. I did Google searches on antivirus, antimalware and antispyware and entered a number of the sites displayed). All links worked fine except for MBAM sites (e.g. www.malwarebytes.org/ and forums.malwarebytes.org/).

The Bleepingcomputer.com site link works fine.

This is an improvement on the original situation (before you started helping me out) where I was being redirected to unwanted sites on occasion regardless of the type of link selected. Now it seems only to be the MBAM sites, and instead of redirecting it just shows the 'unable to display the webpage' error.

I also downloaded and ran HostsXpert as per your advice. After rebooting I was still unable to update MBAM.

Menags



#14 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 05 March 2010 - 03:10 PM

Your problem with MBAM has got me stumped. I'm going to ask for some further help.

I'll be back ASAP.



#15 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 05 March 2010 - 09:38 PM

Thanks to TeMerc for his help.

Do you recognize the following IP addresses?:


93.188.165.186

93.188.166.24


I'd like for you to do the following for me:


Step # 1: Download and Run HijackThis

Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.

Don't use the Analyse This button; its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


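The two addresses km2357 asks about come from the `TCP:` line in the DDS log in post #9, where DDS reports the DNS name servers configured on each network interface. The Python below is an added example, not part of the thread or of DDS or any other tool named in it; it automates the "do you recognize these?" check by comparing each configured resolver against an allowlist. The TRUSTED_RESOLVERS range and the second interface GUID are placeholders, not values from the page.

```python
"""Added triage helper (not from the thread): pull the per-interface DNS
resolvers out of a DDS 'Pseudo HJT Report' and flag any that are not in
a list of resolver networks the operator trusts (ISP or corporate DNS)."""
import ipaddress
import re

# DDS prints one line per interface, e.g.
#   TCP: {458FD880-8DB5-4689-B51C-62C4550AE586} = 93.188.165.186,93.188.166.24
TCP_LINE = re.compile(r"^TCP:\s*(\{[0-9A-Fa-f-]+\})\s*=\s*(.+)$")


def parse_dns_entries(log_text):
    """Return {interface_guid: [resolver, ...]} from DDS log text."""
    entries = {}
    for line in log_text.splitlines():
        m = TCP_LINE.match(line.strip())
        if not m:
            continue
        guid, servers = m.groups()
        entries[guid] = [s.strip() for s in servers.split(",") if s.strip()]
    return entries


def unexpected_resolvers(entries, trusted_networks):
    """Return [(guid, resolver), ...] for resolvers outside the trusted
    networks. Private and loopback addresses (a home router, a local
    caching resolver) are accepted; an unparsable value is flagged too."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    flagged = []
    for guid, servers in entries.items():
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                flagged.append((guid, s))
                continue
            if ip.is_private or ip.is_loopback:
                continue
            if not any(ip in n for n in nets):
                flagged.append((guid, s))
    return flagged


# Constructed sample: the TCP line from the DDS log in post #9, plus a
# made-up second interface (placeholder GUID) pointing at a private router.
SAMPLE_DDS = """\
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\\program files\\messenger\\msmsgs.exe
TCP: {458FD880-8DB5-4689-B51C-62C4550AE586} = 93.188.165.186,93.188.166.24
TCP: {00000000-0000-0000-0000-000000000001} = 192.168.1.1
Notify: !SASWinLogon - c:\\program files\\superantispyware\\SASWINLO.dll
"""

# Placeholder allowlist (TEST-NET-3); substitute the ISP's or organisation's
# real resolver ranges before use.
TRUSTED_RESOLVERS = ["203.0.113.0/24"]

if __name__ == "__main__":
    found = parse_dns_entries(SAMPLE_DDS)
    for guid, ip in unexpected_resolvers(found, TRUSTED_RESOLVERS):
        print(f"interface {guid}: resolver {ip} is not a trusted DNS server")
```

Run against the sample, both public addresses on the first interface are reported while the private router address is accepted; feeding it a fresh DDS log is the same call with the log file's text.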