
Hijacked Search Links Redirected


  • This topic is locked
16 replies to this topic

#1 MDGATOR

MDGATOR

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:04 PM

Posted 19 March 2010 - 12:13 PM

My computer keeps redirecting any links from a Google or Yahoo search, whether I use Internet Explorer or Firefox. I have run several kinds of spyware and malware removal programs, but they have not stopped this from happening. I think I picked up a trojan from a song lyrics website two days ago, when I noticed this problem happening. If I paste the search link URLs in either browser, it works fine and I can access the sites, but clicking the links results in a redirect to other business sites not related to my search or the URL.

Below is the DDS txt and I have attached the DDS attachment and GMER logs.

Thank you in advance for your assistance.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Ralph Rodriguez at 6:52:41.70 on Fri 03/19/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1259 [GMT -4:00]

AV: Webroot AntiVirus with Spy Sweeper *On-access scanning enabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: Webroot AntiVirus with Spy Sweeper *disabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}
FW: Webroot Desktop Firewall *enabled* {AF0CFAAE-AAB5-450a-8C74-0DEEB429DF50}

============== Running Processes ===============

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ralph Rodriguez\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uDefault_Page_URL = hxxp://www.yahoo.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=5080911
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe"
uRun: [SUPERAntiSpyware] "c:\program files\superantispyware\SUPERAntiSpyware.exe"
mRun: [Apoint] "c:\program files\delltpad\Apoint.exe"
mRun: [RTHDCPL] "c:\windows\RTHDCPL.EXE"
mRun: [Alcmtr] "c:\windows\ALCMTR.EXE"
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [Broadcom Wireless Manager UI] "c:\windows\system32\WLTRAY.exe"
mRun: [ECenter] "c:\dell\e-center\EULALauncher.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Webroot Desktop Firewall] "c:\program files\webroot\webroot desktop firewall\WDF.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SetDefPrt] "c:\program files\brother\brmfl06a\BrStDvPt.exe"
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [ControlCenter3] "c:\program files\brother\controlcenter3\brctrcen.exe" /autorun
mRun: [BrMfcWnd] "c:\program files\brother\brmfcmon\BrMfcWnd.exe" /AUTORUN
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: PUFLITE - hxxp://ralphrodriguez1.point2agent.com/Office/ColpaControls/Photo/Control/PUFLITE.CAB
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxp://reports.longandfoster.com/ScriptX/ScriptX.cab
DPF: {27F3D5C7-9440-410F-AEDA-E37456121070} - hxxp://x.longandfoster.com/Xcelerate/ActiveXcomponent/eXcelerate.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ralphr~1\applic~1\mozilla\firefox\profiles\mrx60if3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\documents and settings\ralph rodriguez\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\scenecaster\version 3.11.33\NPSceneCaster.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-8-9 29808]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2008-7-31 103304]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-7-8 24652]
R2 WDFNet;Webroot Desktop Firewall network service;c:\program files\webroot\webroot desktop firewall\wdfsvc.exe [2008-7-31 353672]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2009-11-6 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2008-10-19 1201640]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-9-11 48472]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2008-9-11 43480]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-19 135664]
S3 SCR3xx USB Smart Card Reader;SCR3xx USB Smart Card Reader;c:\windows\system32\drivers\SCR3XX2K.sys [2008-9-19 47488]

=============== Created Last 30 ================

2010-03-19 03:45:04 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-19 03:44:46 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-19 03:44:46 0 d-----w- c:\docume~1\ralphr~1\applic~1\SUPERAntiSpyware.com
2010-03-19 03:25:20 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-03-19 03:25:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-19 01:07:51 0 d-----w- c:\docume~1\ralphr~1\applic~1\Malwarebytes
2010-03-19 01:07:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-19 01:07:44 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-19 01:07:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-19 01:07:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-15 23:54:45 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 6:53:54.54 ===============



#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:03:04 AM

Posted 19 March 2010 - 03:44 PM

Good evening.

Download HAMeb_check.exe by noahdfear from here and save it to your Desktop.
  • Double click the tool to run it - it will take a minute or two to complete.
  • Once complete it will open Notepad with the results and save a copy as HelpAsst.log to the root of your hard drive, usually C:\
  • Please post the contents in your next reply.

So long, and thanks for all the fish.


#3 MDGATOR

MDGATOR
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:04 PM

Posted 20 March 2010 - 11:03 PM

Thanks, and as per your request see the log below.

C:\Documents and Settings\Ralph Rodriguez\Desktop\HAMeb_check.exe
Sat 03/20/2010 at 23:55:18.92

Full Name Remote Desktop Help Assistant Account
Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in List

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89D00CA1]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:03:04 AM

Posted 22 March 2010 - 03:07 PM

Good evening.

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop - this is important.
  • You will then need to extract the file(s) from the zipped folder.
    To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish.
  • Close all open programs as a reboot may be required.
  • Go to Start > Run, copy and paste the following into the text box and hit OK:

    "%userprofile%\desktop\tdsskiller\TDSSKiller.exe" -l report.txt

  • A Command Window will open and the tool will scan and produce a log called report.txt that can be found in the TDSSKiller folder that you unzipped.
  • If the tool prompts for a reboot, please allow it to do so; if it fails to reboot after prompting, reboot manually.
Please post the contents of the log, report.txt, in your next reply.

So long, and thanks for all the fish.


#5 MDGATOR

MDGATOR
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:04 PM

Posted 22 March 2010 - 03:47 PM

16:44:58:562 0792 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
16:44:58:562 0792 ================================================================================
16:44:58:562 0792 SystemInfo:

16:44:58:562 0792 OS Version: 5.1.2600 ServicePack: 3.0
16:44:58:562 0792 Product type: Workstation
16:44:58:562 0792 ComputerName: BUSINESSLAPTOP
16:44:58:562 0792 UserName: Ralph Rodriguez
16:44:58:562 0792 Windows directory: C:\WINDOWS
16:44:58:562 0792 Processor architecture: Intel x86
16:44:58:562 0792 Number of processors: 2
16:44:58:562 0792 Page size: 0x1000
16:44:58:562 0792 Boot type: Normal boot
16:44:58:562 0792 ================================================================================
16:44:58:562 0792 UnloadDriverW: NtUnloadDriver error 2
16:44:58:562 0792 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
16:44:58:750 0792 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
16:44:58:750 0792 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:44:58:750 0792 wfopen_ex: Trying to KLMD file open
16:44:58:750 0792 wfopen_ex: File opened ok (Flags 2)
16:44:58:750 0792 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
16:44:58:750 0792 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:44:58:750 0792 wfopen_ex: Trying to KLMD file open
16:44:58:750 0792 wfopen_ex: File opened ok (Flags 2)
16:44:58:750 0792 Initialize success
16:44:58:750 0792
16:44:58:750 0792 Scanning Services ...
16:44:58:812 0792 Raw services enum returned 356 services
16:44:58:812 0792
16:44:58:812 0792 Scanning Kernel memory ...
16:44:58:812 0792 Devices to scan: 4
16:44:58:812 0792
16:44:58:812 0792 Driver Name: Disk
16:44:58:812 0792 IRP_MJ_CREATE : BA10EBB0
16:44:58:812 0792 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
16:44:58:812 0792 IRP_MJ_CLOSE : BA10EBB0
16:44:58:812 0792 IRP_MJ_READ : BA108D1F
16:44:58:812 0792 IRP_MJ_WRITE : BA108D1F
16:44:58:812 0792 IRP_MJ_QUERY_INFORMATION : 804F4562
16:44:58:812 0792 IRP_MJ_SET_INFORMATION : 804F4562
16:44:58:812 0792 IRP_MJ_QUERY_EA : 804F4562
16:44:58:812 0792 IRP_MJ_SET_EA : 804F4562
16:44:58:812 0792 IRP_MJ_FLUSH_BUFFERS : BA1092E2
16:44:58:812 0792 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
16:44:58:812 0792 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
16:44:58:812 0792 IRP_MJ_DIRECTORY_CONTROL : 804F4562
16:44:58:812 0792 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
16:44:58:812 0792 IRP_MJ_DEVICE_CONTROL : BA1093BB
16:44:58:812 0792 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
16:44:58:812 0792 IRP_MJ_SHUTDOWN : BA1092E2
16:44:58:812 0792 IRP_MJ_LOCK_CONTROL : 804F4562
16:44:58:812 0792 IRP_MJ_CLEANUP : 804F4562
16:44:58:812 0792 IRP_MJ_CREATE_MAILSLOT : 804F4562
16:44:58:812 0792 IRP_MJ_QUERY_SECURITY : 804F4562
16:44:58:812 0792 IRP_MJ_SET_SECURITY : 804F4562
16:44:58:812 0792 IRP_MJ_POWER : BA10AC82
16:44:58:812 0792 IRP_MJ_SYSTEM_CONTROL : BA10F99E
16:44:58:812 0792 IRP_MJ_DEVICE_CHANGE : 804F4562
16:44:58:812 0792 IRP_MJ_QUERY_QUOTA : 804F4562
16:44:58:812 0792 IRP_MJ_SET_QUOTA : 804F4562
16:44:58:843 0792 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
16:44:58:843 0792
16:44:58:843 0792 Driver Name: Disk
16:44:58:843 0792 IRP_MJ_CREATE : BA10EBB0
16:44:58:843 0792 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
16:44:58:843 0792 IRP_MJ_CLOSE : BA10EBB0
16:44:58:843 0792 IRP_MJ_READ : BA108D1F
16:44:58:843 0792 IRP_MJ_WRITE : BA108D1F
16:44:58:843 0792 IRP_MJ_QUERY_INFORMATION : 804F4562
16:44:58:843 0792 IRP_MJ_SET_INFORMATION : 804F4562
16:44:58:843 0792 IRP_MJ_QUERY_EA : 804F4562
16:44:58:843 0792 IRP_MJ_SET_EA : 804F4562
16:44:58:843 0792 IRP_MJ_FLUSH_BUFFERS : BA1092E2
16:44:58:843 0792 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
16:44:58:843 0792 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
16:44:58:843 0792 IRP_MJ_DIRECTORY_CONTROL : 804F4562
16:44:58:843 0792 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
16:44:58:843 0792 IRP_MJ_DEVICE_CONTROL : BA1093BB
16:44:58:843 0792 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
16:44:58:843 0792 IRP_MJ_SHUTDOWN : BA1092E2
16:44:58:843 0792 IRP_MJ_LOCK_CONTROL : 804F4562
16:44:58:843 0792 IRP_MJ_CLEANUP : 804F4562
16:44:58:843 0792 IRP_MJ_CREATE_MAILSLOT : 804F4562
16:44:58:843 0792 IRP_MJ_QUERY_SECURITY : 804F4562
16:44:58:843 0792 IRP_MJ_SET_SECURITY : 804F4562
16:44:58:843 0792 IRP_MJ_POWER : BA10AC82
16:44:58:843 0792 IRP_MJ_SYSTEM_CONTROL : BA10F99E
16:44:58:843 0792 IRP_MJ_DEVICE_CHANGE : 804F4562
16:44:58:843 0792 IRP_MJ_QUERY_QUOTA : 804F4562
16:44:58:843 0792 IRP_MJ_SET_QUOTA : 804F4562
16:44:58:843 0792 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
16:44:58:843 0792
16:44:58:843 0792 Driver Name: Disk
16:44:58:843 0792 IRP_MJ_CREATE : BA10EBB0
16:44:58:843 0792 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
16:44:58:843 0792 IRP_MJ_CLOSE : BA10EBB0
16:44:58:843 0792 IRP_MJ_READ : BA108D1F
16:44:58:843 0792 IRP_MJ_WRITE : BA108D1F
16:44:58:843 0792 IRP_MJ_QUERY_INFORMATION : 804F4562
16:44:58:843 0792 IRP_MJ_SET_INFORMATION : 804F4562
16:44:58:843 0792 IRP_MJ_QUERY_EA : 804F4562
16:44:58:843 0792 IRP_MJ_SET_EA : 804F4562
16:44:58:843 0792 IRP_MJ_FLUSH_BUFFERS : BA1092E2
16:44:58:843 0792 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
16:44:58:843 0792 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
16:44:58:843 0792 IRP_MJ_DIRECTORY_CONTROL : 804F4562
16:44:58:843 0792 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
16:44:58:843 0792 IRP_MJ_DEVICE_CONTROL : BA1093BB
16:44:58:843 0792 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
16:44:58:843 0792 IRP_MJ_SHUTDOWN : BA1092E2
16:44:58:843 0792 IRP_MJ_LOCK_CONTROL : 804F4562
16:44:58:843 0792 IRP_MJ_CLEANUP : 804F4562
16:44:58:843 0792 IRP_MJ_CREATE_MAILSLOT : 804F4562
16:44:58:843 0792 IRP_MJ_QUERY_SECURITY : 804F4562
16:44:58:843 0792 IRP_MJ_SET_SECURITY : 804F4562
16:44:58:843 0792 IRP_MJ_POWER : BA10AC82
16:44:58:843 0792 IRP_MJ_SYSTEM_CONTROL : BA10F99E
16:44:58:843 0792 IRP_MJ_DEVICE_CHANGE : 804F4562
16:44:58:843 0792 IRP_MJ_QUERY_QUOTA : 804F4562
16:44:58:843 0792 IRP_MJ_SET_QUOTA : 804F4562
16:44:58:843 0792 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
16:44:58:843 0792
16:44:58:843 0792 Driver Name: iaStor
16:44:58:843 0792 IRP_MJ_CREATE : 89D00CA1
16:44:58:843 0792 IRP_MJ_CREATE_NAMED_PIPE : 89D00CA1
16:44:58:843 0792 IRP_MJ_CLOSE : 89D00CA1
16:44:58:843 0792 IRP_MJ_READ : 89D00CA1
16:44:58:843 0792 IRP_MJ_WRITE : 89D00CA1
16:44:58:843 0792 IRP_MJ_QUERY_INFORMATION : 89D00CA1
16:44:58:843 0792 IRP_MJ_SET_INFORMATION : 89D00CA1
16:44:58:843 0792 IRP_MJ_QUERY_EA : 89D00CA1
16:44:58:843 0792 IRP_MJ_SET_EA : 89D00CA1
16:44:58:843 0792 IRP_MJ_FLUSH_BUFFERS : 89D00CA1
16:44:58:843 0792 IRP_MJ_QUERY_VOLUME_INFORMATION : 89D00CA1
16:44:58:843 0792 IRP_MJ_SET_VOLUME_INFORMATION : 89D00CA1
16:44:58:843 0792 IRP_MJ_DIRECTORY_CONTROL : 89D00CA1
16:44:58:843 0792 IRP_MJ_FILE_SYSTEM_CONTROL : 89D00CA1
16:44:58:843 0792 IRP_MJ_DEVICE_CONTROL : 89D00CA1
16:44:58:843 0792 IRP_MJ_INTERNAL_DEVICE_CONTROL : 89D00CA1
16:44:58:843 0792 IRP_MJ_SHUTDOWN : 89D00CA1
16:44:58:843 0792 IRP_MJ_LOCK_CONTROL : 89D00CA1
16:44:58:843 0792 IRP_MJ_CLEANUP : 89D00CA1
16:44:58:843 0792 IRP_MJ_CREATE_MAILSLOT : 89D00CA1
16:44:58:843 0792 IRP_MJ_QUERY_SECURITY : 89D00CA1
16:44:58:843 0792 IRP_MJ_SET_SECURITY : 89D00CA1
16:44:58:843 0792 IRP_MJ_POWER : 89D00CA1
16:44:58:843 0792 IRP_MJ_SYSTEM_CONTROL : 89D00CA1
16:44:58:843 0792 IRP_MJ_DEVICE_CHANGE : 89D00CA1
16:44:58:843 0792 IRP_MJ_QUERY_QUOTA : 89D00CA1
16:44:58:843 0792 IRP_MJ_SET_QUOTA : 89D00CA1
16:44:58:843 0792 Driver "iaStor" infected by TDSS rootkit!
16:44:58:843 0792 C:\WINDOWS\system32\drivers\iaStor.sys - Verdict: 1
16:44:58:843 0792 File "C:\WINDOWS\system32\drivers\iaStor.sys" infected by TDSS rootkit ...
16:44:58:843 0792 Processing driver file: C:\WINDOWS\system32\drivers\iaStor.sys
16:44:58:843 0792 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
16:44:58:875 0792 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\OemDir\*) error 3
16:44:58:875 0792 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\ServicePackFiles\*) error 3
16:44:58:875 0792 !fdfb7
16:44:58:890 0792 !vdf5
16:44:58:890 0792 Backup copy not found, trying to cure infected file..
16:44:58:890 0792 C:\WINDOWS\system32\drivers\iaStor.sys - Verdict: Cure failed (0)
16:44:58:890 0792 cure failed
16:44:58:890 0792
16:44:58:890 0792 Completed
16:44:58:890 0792
16:44:58:890 0792 Results:
16:44:58:890 0792 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
16:44:58:890 0792 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:44:58:890 0792 File objects infected / cured / cured on reboot: 1 / 0 / 0
16:44:58:890 0792
16:44:58:890 0792 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
16:44:58:890 0792 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
16:44:58:890 0792 KLMD(ARK) unloaded successfully
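The two logs posted so far carry a correlation that is easy to miss by eye: the MBR check in the HAMeb_check output (post #3) listed an UNKNOWN module at 0x89D00CA1 among the modules on the disk I/O path, and the TDSSKiller log above shows every IRP_MJ handler of iaStor resolving to that same address, while disk.sys keeps distinct handlers for the majors it implements and a shared kernel default (804F4562) for the rest. The Python below is an added example, not part of the thread and not code from TDSSKiller or GMER: it parses a constructed excerpt written in the same log layout as the output above, extracts each driver's dispatch table, and flags a table that looks replaced rather than merely defaulted. The sample lines and the two heuristics are my own.

```python
import re

# Constructed sample in the TDSSKiller 2.2.x log layout seen in the thread:
# "HH:MM:SS:mmm <thread id> <message>". Only four of the 28 IRP_MJ entries
# per driver are kept so the sample stays short.
SAMPLE_TDSSKILLER_LOG = """\
16:44:58:812 0792 Scanning Kernel memory ...
16:44:58:812 0792 Driver Name: Disk
16:44:58:812 0792 IRP_MJ_CREATE : BA10EBB0
16:44:58:812 0792 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
16:44:58:812 0792 IRP_MJ_READ : BA108D1F
16:44:58:812 0792 IRP_MJ_WRITE : BA108D1F
16:44:58:843 0792 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: 1
16:44:58:843 0792
16:44:58:843 0792 Driver Name: iaStor
16:44:58:843 0792 IRP_MJ_CREATE : 89D00CA1
16:44:58:843 0792 IRP_MJ_CREATE_NAMED_PIPE : 89D00CA1
16:44:58:843 0792 IRP_MJ_READ : 89D00CA1
16:44:58:843 0792 IRP_MJ_WRITE : 89D00CA1
16:44:58:843 0792 C:\\WINDOWS\\system32\\drivers\\iaStor.sys - Verdict: 1
"""

# Constructed copy of the "called modules" line from the HAMeb_check MBR check.
SAMPLE_MBR_LINE = ("called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys "
                   "hal.dll >>UNKNOWN [0x89D00CA1]<<")

LOG_LINE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d{4}\s?(.*)$")
IRP_LINE = re.compile(r"^(IRP_MJ_\w+)\s*:\s*([0-9A-Fa-f]{8})$")
UNKNOWN_MODULE = re.compile(r">>UNKNOWN \[0x([0-9A-Fa-f]+)\]<<")


def parse_tdsskiller(text):
    """Return {driver_name: {irp_major: handler_address}} from a TDSSKiller log."""
    drivers, current = {}, None
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        if not m:
            continue
        msg = m.group(1).strip()
        if msg.startswith("Driver Name:"):
            current = msg.split(":", 1)[1].strip()
            drivers.setdefault(current, {})
            continue
        irp = IRP_LINE.match(msg)
        if irp and current is not None:
            drivers[current][irp.group(1)] = int(irp.group(2), 16)
    return drivers


def parse_mbr_unknown(line):
    """Addresses the MBR check could not attribute to any loaded module."""
    return {int(a, 16) for a in UNKNOWN_MODULE.findall(line)}


def find_hooked_drivers(drivers, unknown_addrs=frozenset()):
    """Flag dispatch tables that look replaced rather than merely defaulted.

    Two signals, both visible in the thread's logs:
      * every IRP_MJ entry of a driver resolves to one single address (a real
        driver has distinct handlers for the majors it implements);
      * that address is one the MBR check reported as UNKNOWN, i.e. code that
        belongs to no loaded driver image.
    Returns a list of (driver, address, reasons) tuples.
    """
    findings = []
    for name, table in drivers.items():
        targets = set(table.values())
        if not targets:
            continue
        reasons = []
        if len(targets) == 1:
            reasons.append("all IRP_MJ handlers point to one address")
        hits = targets & unknown_addrs
        if hits:
            reasons.append("handler address matches UNKNOWN module from MBR check")
        if reasons:
            findings.append((name, min(hits or targets), reasons))
    return findings


if __name__ == "__main__":
    drv = parse_tdsskiller(SAMPLE_TDSSKILLER_LOG)
    unk = parse_mbr_unknown(SAMPLE_MBR_LINE)
    for name, addr, why in find_hooked_drivers(drv, unk):
        print(f"{name}: 0x{addr:08X} -> {'; '.join(why)}")
```

On the sample, only iaStor is reported, with both reasons. The single-address test alone is a weak signal (a stub driver could legitimately route everything to one routine), which is why the script also requires or at least records the cross-reference to an address that no loaded module claims.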


#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:03:04 AM

Posted 23 March 2010 - 03:24 PM

Good evening.

The removal tool has identified an infected file, but has been unable to either disinfect it or find a replacement. We'll start by seeing if we can locate one and then take it from there.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    iaStor.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

So long, and thanks for all the fish.


#7 MDGATOR

MDGATOR
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:04 PM

Posted 23 March 2010 - 06:35 PM

Thank you.

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 19:33 on 23/03/2010 by Ralph Rodriguez (Administrator - Elevation successful)

========== filefind ==========

Searching for "iaStor.sys"
C:\drivers\storage\R179638\iastor.sys --a--c 305176 bytes [22:17 11/09/2008] [21:54 17/03/2008] 2358C53F30CB9DCD1D3843C4E2F299B2
C:\WINDOWS\system32\drivers\iaStor.sys --a--- 305176 bytes [22:17 11/09/2008] [13:55 21/03/2010] 2358C53F30CB9DCD1D3843C4E2F299B2

-=End Of File=-

#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:03:04 AM

Posted 24 March 2010 - 03:24 PM

Good evening.

What concerns me is that the two files that have been identified appear to be identical. So either they are both infected, or they both aren't! In order to decide which it is, will you do the following:

Please go to Jotti's and click on the Browse... button at the top and navigate to the following file and then click on Submit:

C:\drivers\storage\R179638\iastor.sys

When all the scans have been completed, please copy and paste the results into your next reply.

If this site is busy, try VirusTotal: Click the Browse ... button, navigate to the file and double click it and then click the Send button.

You may need to set Windows to show All Hidden Files and Folders - Instructions can be found here.
* These files are hidden to stop you accidentally removing something important. It is advisable to hide them again after you have done. *

So long, and thanks for all the fish.


#9 MDGATOR

MDGATOR
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:04 PM

Posted 24 March 2010 - 06:26 PM

Jotti's malware scan
This file has been scanned before. The results for this previous scan are listed below.

--------------------------------------------------------------------------------
Filename: iaStor.sys
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Mon 15 Feb 2010 09:53:20 (CET)

--------------------------------------------------------------------------------
Additional info
File size: 305176 bytes
Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5: 2358c53f30cb9dcd1d3843c4e2f299b2
SHA1: fa19676a1ff9712cb03ef32c0c3d42308700d8bb

Scanners
2010-02-10 Found nothing 2010-02-15 Found nothing
2010-02-15 Found nothing 2010-02-15 Found nothing
2010-02-14 Found nothing 2010-02-15 Found nothing
2010-02-14 Found nothing 2010-02-15 Found nothing
2010-02-15 Found nothing 2010-02-14 Found nothing
2010-02-15 Found nothing 2010-02-14 Found nothing
2010-02-15 Found nothing 2010-02-15 Found nothing
2010-02-15 Found nothing 2010-02-15 Found nothing
2010-02-15 Found nothing 2010-02-13 Found nothing
2010-02-14 Found nothing 2010-02-14 Found nothing
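Added example, not code from either poster, from SystemLook or from Jotti: the reasoning in posts #8 and #9 above, done in code. It parses the two SystemLook filefind lines quoted earlier in the thread, checks that every copy of iaStor.sys carries the same MD5 (so the copies are clean together or infected together, as the helper notes), checks that this MD5 is the one the scanner service actually reported on, and flags any copy whose modification time falls inside the incident window. The two log lines and the MD5 are the thread's own values; the incident window (17 to 23 March 2010, from the dates in the thread), the dd/mm/yyyy timestamp order (fixed by the log header "on 23/03/2010") and the function names are assumptions for illustration.

```python
"""Parse SystemLook ``filefind`` output and reason about the copies it lists.

Added example for the thread above; not SystemLook's, Jotti's or either
poster's code.  Function names and the incident window are assumptions.
"""
import re
from datetime import datetime

# Constructed sample: the two ``filefind`` result lines quoted in the thread.
FILEFIND_OUTPUT = """\
Searching for "iaStor.sys"
C:\\drivers\\storage\\R179638\\iastor.sys --a--c 305176 bytes [22:17 11/09/2008] [21:54 17/03/2008] 2358C53F30CB9DCD1D3843C4E2F299B2
C:\\WINDOWS\\system32\\drivers\\iaStor.sys --a--- 305176 bytes [22:17 11/09/2008] [13:55 21/03/2010] 2358C53F30CB9DCD1D3843C4E2F299B2
"""

# MD5 the scanner service reported for the submitted file (from the Jotti result above).
SCANNER_REPORTED_MD5 = "2358c53f30cb9dcd1d3843c4e2f299b2"

# Assumed incident window: symptoms noticed around 17 March 2010, log taken 23 March 2010.
WINDOW_START = datetime(2010, 3, 17)
WINDOW_END = datetime(2010, 3, 23, 23, 59)

# Layout of one result line:  path  attrs  size bytes  [created]  [modified]  MD5
# SystemLook prints dd/mm/yyyy; the log header "19:33 on 23/03/2010" fixes the order.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-A-Za-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
STAMP_FMT = "%H:%M %d/%m/%Y"


def parse_filefind(text):
    """Return one dict per result line; the 'Searching for' header and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "path": m["path"],
            "attrs": m["attrs"],
            "size": int(m["size"]),
            "created": datetime.strptime(m["created"], STAMP_FMT),
            "modified": datetime.strptime(m["modified"], STAMP_FMT),
            "md5": m["md5"].lower(),  # normalise case before any comparison
        })
    return entries


def assess(entries, reported_md5, window_start, window_end):
    """Summarise what the listed copies tell us.

    all_identical       every copy hashes the same, so they are clean together or
                        infected together (the point made in post #8)
    matches_scanner     the on-disk hash equals the one the scanner service saw,
                        i.e. the verdict really was about this exact file content
    modified_in_window  copies whose mtime falls in the incident window; a copy
                        that is byte-identical to an old backup yet carries a fresh
                        mtime deserves a closer look
    """
    hashes = {e["md5"] for e in entries}
    return {
        "all_identical": len(hashes) == 1,
        "matches_scanner": hashes == {reported_md5.lower()},
        "modified_in_window": [
            e["path"] for e in entries
            if window_start <= e["modified"] <= window_end
        ],
    }


if __name__ == "__main__":
    found = parse_filefind(FILEFIND_OUTPUT)
    for key, value in assess(found, SCANNER_REPORTED_MD5, WINDOW_START, WINDOW_END).items():
        print(f"{key}: {value}")
```

A clean multi-scanner verdict on a hash only says that this exact byte sequence was not flagged on the day it was scanned, and a hash taken on the running machine is only as trustworthy as the bytes the live operating system hands back. The thread itself shows why that matters: the file Jotti reported clean is the one ComboFix later reports as infected and disinfected. Treat a hash match as one piece of evidence, and confirm from a clean boot medium when a driver is in question.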


#10 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 25 March 2010 - 06:57 PM

Good evening.

Are your searches still getting redirected?

So long, and thanks for all the fish.

#11 MDGATOR

  • Topic Starter
  • Members
  • 8 posts

Posted 25 March 2010 - 08:19 PM

Yes

#12 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 26 March 2010 - 03:22 PM

Good evening.

I was worried that would be the case - this means that the nasty is interfering with things.

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *
  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.

#13 MDGATOR

  • Topic Starter
  • Members
  • 8 posts

Posted 26 March 2010 - 05:53 PM

Thanks.

ComboFix 10-03-26.02 - Ralph Rodriguez 03/26/2010 18:35:56.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1678 [GMT -4:00]
Running from: c:\documents and settings\Ralph Rodriguez\Desktop\ComboFix.exe
AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: Webroot AntiVirus with Spy Sweeper *disabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}
FW: Webroot Desktop Firewall *disabled* {AF0CFAAE-AAB5-450a-8C74-0DEEB429DF50}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Local Settings\Application Data\ave.exe
c:\progra~1\Webroot\SPYSWE~1\Backup\ntSVc.ocx

Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-02-26 to 2010-03-26 )))))))))))))))))))))))))))))))
.

2010-03-23 00:08 . 2010-03-23 00:08 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-03-22 20:26 . 2010-03-22 20:26 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\avG
2010-03-22 19:51 . 2010-03-22 19:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\avG
2010-03-22 19:51 . 2010-03-22 19:51 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-03-22 19:50 . 2010-03-22 19:50 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-22 19:50 . 2010-03-22 19:50 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-22 19:50 . 2010-03-22 19:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-22 15:04 . 2010-03-22 15:04 -------- d-sh--w- c:\documents and settings\Ralph Rodriguez\IECompatCache
2010-03-19 14:26 . 2010-03-19 14:26 93056 ----a-w- C:\uwldykob.sys
2010-03-19 03:45 . 2010-03-19 03:45 52224 ----a-w- c:\documents and settings\Ralph Rodriguez\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-19 03:45 . 2010-03-19 03:45 117760 ----a-w- c:\documents and settings\Ralph Rodriguez\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-19 03:45 . 2010-03-19 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-19 03:44 . 2010-03-19 03:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-19 03:44 . 2010-03-19 03:44 -------- d-----w- c:\documents and settings\Ralph Rodriguez\Application Data\SUPERAntiSpyware.com
2010-03-19 03:25 . 2010-03-19 03:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-19 03:25 . 2010-03-19 03:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-19 01:07 . 2010-03-19 01:47 -------- d-----w- c:\documents and settings\Ralph Rodriguez\Application Data\Malwarebytes
2010-03-19 01:07 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-19 01:07 . 2010-03-19 01:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-19 01:07 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-19 01:07 . 2010-03-19 01:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-17 20:23 . 2010-03-17 20:23 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-25 17:11 . 2010-03-18 14:19 -------- d-----w- c:\documents and settings\Ralph Rodriguez\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-25 00:36 . 2008-09-11 22:17 305176 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-03-19 03:44 . 2008-09-19 22:10 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-19 14:29 . 2009-05-16 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-19 14:06 . 2008-09-11 19:26 -------- d-----w- c:\program files\Google
2010-02-19 13:36 . 2010-02-19 13:36 1955472 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-02-18 14:36 . 2010-02-18 14:36 -------- d-----r- c:\documents and settings\Ivan\Application Data\Brother
2010-02-12 21:07 . 2010-02-12 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-02-12 15:11 . 2010-02-12 15:11 -------- d-----w- c:\documents and settings\Ivan\Application Data\CyberLink
2010-02-09 03:02 . 2010-02-09 03:02 -------- d-----w- c:\documents and settings\Ivan\Application Data\Webroot
2010-02-09 03:02 . 2010-02-09 03:02 127 ----a-w- c:\documents and settings\Ivan\Local Settings\Application Data\fusioncache.dat
2010-02-09 03:02 . 2010-02-09 03:02 71024 ----a-w- c:\documents and settings\Ivan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-31 16:50 . 2008-04-25 16:16 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2008-08-16 18:42 . 2008-08-16 18:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 18:42 . 2008-08-16 18:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 18:42 . 2008-08-16 18:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 18:42 . 2008-08-16 18:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 18:43 . 2008-08-16 18:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 18:42 . 2008-08-16 18:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 18:42 . 2008-08-16 18:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 09:41 . 2008-05-21 09:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 09:41 . 2008-05-21 09:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 09:41 . 2008-05-21 09:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 14:58 . 2008-06-05 14:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 18:42 . 2008-08-16 18:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-03-05 19:02 238968 ----a-w- c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-19 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-02-21 159744]
"RTHDCPL"="c:\windows\RTHDCPL.EXE" [2008-02-21 16855552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-22 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-22 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-22 137752]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-30 2220032]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"Webroot Desktop Firewall"="c:\program files\Webroot\Webroot Desktop Firewall\WDF.exe" [2008-07-31 2401672]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-11-06 6515784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 18:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-11-18 14:32 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CounterPath\\eyeBeam 1.5\\eyeBeam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM(135)

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [8/9/2008 11:42 AM 29808]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [7/31/2008 12:19 PM 103304]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/8/2009 6:46 PM 24652]
R2 WDFNet;Webroot Desktop Firewall network service;c:\program files\Webroot\Webroot Desktop Firewall\wdfsvc.exe [7/31/2008 12:19 PM 353672]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [10/19/2008 9:17 AM 1201640]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [9/11/2008 6:17 PM 48472]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [9/11/2008 6:17 PM 43480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/19/2010 10:06 AM 135664]
S3 SCR3xx USB Smart Card Reader;SCR3xx USB Smart Card Reader;c:\windows\system32\drivers\SCR3XX2K.sys [9/19/2008 6:11 PM 47488]
.
Contents of the 'Scheduled Tasks' folder

2010-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-19 14:06]

2010-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-19 14:06]

2010-03-26 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-09-19 20:19]

2010-03-26 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-09-19 20:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=5080911
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: PUFLITE - hxxp://ralphrodriguez1.point2agent.com/Office/ColpaControls/Photo/Control/PUFLITE.CAB
DPF: {27F3D5C7-9440-410F-AEDA-E37456121070} - hxxp://x.longandfoster.com/Xcelerate/ActiveXcomponent/eXcelerate.CAB
FF - ProfilePath - c:\documents and settings\Ralph Rodriguez\Application Data\Mozilla\Firefox\Profiles\mrx60if3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\documents and settings\Ralph Rodriguez\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\SceneCaster\Version 3.11.33\NPSceneCaster.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-26 18:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1112)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\system32\wdfproc.dll
c:\windows\System32\BCMLogon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

- - - - - - - > 'lsass.exe'(1168)
c:\windows\system32\wdfproc.dll

- - - - - - - > 'explorer.exe'(2296)
c:\windows\system32\WININET.dll
c:\windows\system32\wdfproc.dll
c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-03-26 18:50:47 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-26 22:50

Pre-Run: 130,882,076,672 bytes free
Post-Run: 131,102,162,944 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 80AB91C69562DC8854D334A3174DD73F


#14 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 26 March 2010 - 09:44 PM

QUOTE
Let me know how the PC is behaving.

I think that your redirects may now be solved, but you'll need to let me know how it's behaving.

So long, and thanks for all the fish.

#15 MDGATOR

  • Topic Starter
  • Members
  • 8 posts

Posted 27 March 2010 - 02:22 PM

All working now. Thank you.