

Infected with something I cannot get rid of, please help!


  • This topic is locked
15 replies to this topic

#1 curiousddd

curiousddd

  • Members
  • 8 posts

Posted 07 April 2010 - 11:19 PM

Some of the main problems this virus is causing are Google redirects, but that's just the most noticeable. My computer is constantly malfunctioning. I've run many scanners, and I have tried many tutorials. Anyway, here is my log. Thank you so so much.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:49 AM, on 4/8/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Ad-Watch Live!] C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O4 - Global Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ads.iu.edu
O17 - HKLM\Software\..\Telephony: DomainName = ads.iu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ads.iu.edu
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V8 (AdobeActiveFileMonitor8.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: rpcnetp - Unknown owner - C:\WINDOWS\System32\rpcnetp.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7332 bytes




#2 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington

Posted 11 April 2010 - 11:21 AM

Hi curiousddd
Welcome to Bleeping Computer.
I'm maranatha and I will be handling your log to help you get cleaned up.

Please do this in normal mode.

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt
Save both reports to your desktop and post the contents of the DDS logs here.


Also do this.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
    Please uncheck the following settings that we do not want in our scan.
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive, which is typically C:\
  • Show All (This one is important, so do not miss it.)
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Please post the DDS logs and the GMER log.

Thanks
maranatha

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!




My help is always free, But I do accept donations.
Donate Here


#3 curiousddd

curiousddd
  • Topic Starter

  • Members
  • 8 posts

Posted 12 April 2010 - 07:11 PM

Thanks so much! I ran all the scans, but the GMER was pretty difficult. It kept freezing, even in safe mode. The one I finally posted is not finished, because the scan was literally taking hours. I hope it's something you can work with. Again, thanks, your help means a lot.

Attached Files



#4 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington

Posted 12 April 2010 - 08:53 PM

Hi
Please do the following.

Download ComboFix from Here to your Desktop.

It's best to disable real-time protection applications, as they sometimes interfere with the tool.
Check this link for any applicable programs you may have.
  • Close all open programs and windows
  • Double click combofix.exe and follow the prompts.
  • Vista users right click Combofix.exe and select Run As Administrator.
  • When finished, it shall produce a log for you. Post the ComboFix log.
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall.

If you are prompted to install the Recovery Console, Please do so.

Thanks
maranatha



#5 curiousddd

curiousddd
  • Topic Starter

  • Members
  • 8 posts

Posted 13 April 2010 - 01:10 AM

Here it is.

Attached Files



#6 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington

Posted 13 April 2010 - 11:13 AM

Hi
Please do this.

Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.

Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

**NOTE - Allow ComboFix to update if prompted.
CODE
KillAll::
File::
c:\documents and settings\Administrator\Local Settings\Application Data\2898336958.dll
c:\windows\Nmeji.dat
c:\windows\Aziwadolequ.bin


Please copy and paste the log into the thread; it makes it easier to read.

Let me know how the machine is running.

Thanks
maranatha



#7 curiousddd

curiousddd
  • Topic Starter

  • Members
  • 8 posts

Posted 13 April 2010 - 03:27 PM

It seems a little better, but I'm still getting redirects. Here is the log; it's really long.


ComboFix 10-04-12.04 - Administrator 04/13/2010 15:47:36.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1548 [GMT -4:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

FILE ::
"c:\documents and settings\Administrator\Local Settings\Application Data\2898336958.dll"
"c:\windows\Aziwadolequ.bin"
"c:\windows\Nmeji.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\2898336958.dll
c:\windows\Aziwadolequ.bin
c:\windows\Nmeji.dat

.
((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))
.

2010-04-11 22:44 . 2010-04-11 22:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-04-08 04:14 . 2010-04-08 04:14 -------- d-----w- c:\program files\Trend Micro
2010-04-08 03:21 . 2010-04-08 02:22 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-08 02:09 . 2010-04-08 02:09 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-08 02:09 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-04-08 02:09 . 2010-04-08 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-08 02:09 . 2010-04-08 02:09 -------- d-----w- c:\program files\Lavasoft
2010-04-06 15:54 . 2010-04-06 15:54 2 --shatr- c:\windows\winstart.bat
2010-04-06 15:53 . 2010-04-07 03:09 -------- d-----w- c:\program files\UnHackMe
2010-04-03 04:15 . 2010-04-03 04:15 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-02 15:56 . 2010-04-02 15:56 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-04-02 15:21 . 2007-05-10 14:23 94208 ----a-w- c:\windows\system32\stacsv.exe
2010-04-02 15:21 . 2007-05-10 14:22 405504 ----a-w- c:\windows\stsystra.exe
2010-04-02 15:21 . 2007-04-10 21:02 1601536 ----a-w- c:\windows\system32\stlang.dll
2010-04-02 15:21 . 2010-04-02 15:21 -------- d-----w- c:\program files\SigmaTel
2010-04-02 15:21 . 2007-08-21 13:58 146944 ----a-w- c:\windows\system32\st325602.dll
2010-04-02 15:21 . 2007-05-10 14:24 1222840 ----a-w- c:\windows\system32\drivers\sthda.sys
2010-04-02 15:21 . 2007-05-10 14:23 270336 ----a-w- c:\windows\system32\stacapi.dll
2010-04-02 15:02 . 2010-04-02 15:19 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Deployment
2010-04-02 14:33 . 2010-04-02 14:33 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-02 14:33 . 2010-04-06 15:53 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-02 14:33 . 2010-04-02 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-02 14:32 . 2010-04-02 14:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-02 14:32 . 2010-04-02 14:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-04-02 14:32 . 2010-04-02 14:32 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-01 16:13 . 2010-04-01 16:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-01 16:12 . 2010-03-29 19:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-01 16:12 . 2010-04-01 16:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-01 16:12 . 2010-04-01 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-01 16:12 . 2010-03-29 19:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-01 04:34 . 2010-04-07 05:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-31 03:07 . 2010-03-31 03:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-31 03:02 . 2010-03-31 03:02 1405 ----a-w- c:\windows\system32\exefileFix.reg
2010-03-24 08:04 . 2010-03-24 18:17 952768 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\16087\AdobeARM.exe
2010-03-24 08:04 . 2010-03-24 18:17 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\16087\AdobeExtractFiles.dll
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\16087\ReaderUpdater.exe
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\16087\AcrobatUpdater.exe
2010-03-20 18:32 . 2008-04-14 10:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-03-20 18:32 . 2008-04-14 10:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-03-20 18:31 . 2008-04-14 05:15 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-03-20 18:31 . 2008-04-14 05:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-03-17 06:42 . 2009-11-25 07:14 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
2010-03-17 04:51 . 2005-01-19 21:42 212992 ----a-w- c:\windows\system32\ReWire.dll
2010-03-17 04:50 . 2010-03-17 06:49 -------- d-----w- c:\program files\Ableton
2010-03-15 02:57 . 2010-03-15 02:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\AnvSoft
2010-03-15 02:57 . 2010-03-15 02:57 -------- d-----w- c:\program files\AnvSoft
2010-03-15 02:50 . 2010-03-15 02:50 -------- d-----w- c:\program files\Pure Motion
2010-03-15 02:50 . 2010-03-15 02:50 -------- d-----w- c:\program files\Sonic Foundry
2010-03-15 02:50 . 2010-03-15 03:00 -------- d-----w- c:\program files\DebugMode
2010-03-14 22:52 . 2010-04-13 19:55 -------- d-----w- c:\program files\Common Files\Akamai

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-13 19:55 . 2009-12-04 14:18 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-04-13 19:55 . 2009-12-05 20:11 57752 ----a-w- c:\windows\system32\rpcnet.dll
2010-04-13 19:43 . 2010-01-11 04:42 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-13 19:43 . 2010-01-02 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-04-13 00:40 . 2009-12-05 20:11 57752 ------w- c:\windows\system32\rpcnet.exe
2010-04-13 00:38 . 2009-12-04 20:48 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2010-04-12 21:55 . 2006-02-28 12:00 125056 ----a-w- c:\windows\system32\drivers\ftdisk.sys
2010-04-08 03:54 . 2009-12-05 19:59 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-07 03:14 . 2010-01-11 04:47 -------- d-----w- c:\program files\Secunia
2010-04-06 19:07 . 2009-12-05 20:52 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-02 15:21 . 2009-12-04 21:43 -------- d-----w- c:\program files\Common Files\InstallShield
2010-03-21 22:10 . 2009-12-05 19:42 79496 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-21 02:17 . 2009-12-05 20:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-21 02:16 . 2010-03-11 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2010-03-17 06:43 . 2010-01-03 20:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ableton
2010-03-17 04:51 . 2010-01-03 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Ableton
2010-03-16 04:31 . 2009-12-05 19:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-03-12 03:44 . 2010-03-12 03:44 -------- d-----w- c:\program files\Cutout Pro
2010-03-11 21:43 . 2010-03-11 21:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ulead Systems
2010-03-11 21:38 . 2010-03-11 21:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\DigiCel
2010-03-11 07:15 . 2010-02-27 17:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-11 07:15 . 2010-03-11 07:15 -------- d-----w- c:\program files\Java
2010-03-11 07:14 . 2010-03-11 07:14 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-02-26 05:43 . 2006-02-28 12:00 667136 ------w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-18 22:11 . 2009-12-06 21:34 -------- d-----w- c:\program files\Paint.NET
2010-02-14 01:03 . 2010-02-14 01:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\SynthMaker
2010-02-14 00:56 . 2010-02-14 00:56 -------- d-----w- c:\program files\ASIO4ALL v2
2010-02-14 00:55 . 2010-02-14 00:55 -------- d-----w- c:\program files\VstPlugins
2010-02-14 00:55 . 2010-02-14 00:52 -------- d-----w- c:\program files\Image-Line
2010-02-14 00:55 . 2010-02-14 00:55 -------- d-----w- c:\program files\Outsim
2010-02-14 00:35 . 2010-02-14 00:31 -------- d-----w- c:\program files\Acoustica Beatcraft
2010-02-14 00:31 . 2010-02-14 00:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2010-02-04 15:53 . 2010-04-08 02:22 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-19 05:51 . 2010-01-19 05:51 61988 ---ha-w- c:\windows\system32\mlfcache.dat
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-04-07_23.29.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-29 10:07 . 2008-07-29 10:07 80896 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfcm90ud.dll
+ 2008-07-29 10:07 . 2008-07-29 10:07 80896 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfcm90d.dll
+ 2010-04-13 19:55 . 2010-04-13 19:55 16384 c:\windows\temp\Perflib_Perfdata_3cc.dat
+ 2010-04-13 19:55 . 2010-04-13 19:55 16384 c:\windows\temp\Perflib_Perfdata_2ac.dat
+ 2006-02-28 12:00 . 2010-04-13 19:47 68558 c:\windows\system32\perfc009.dat
+ 2010-04-08 02:22 . 2010-02-04 15:53 64288 c:\windows\system32\DRVSTORE\lbd_B425E86B28F27CC7F4A0CAF275F9F2789F3C6909\Lbd.sys
+ 2010-04-08 02:22 . 2010-04-08 02:22 95024 c:\windows\system32\drivers\SBREDrv.sys
+ 2009-12-05 19:32 . 2010-04-12 04:21 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-05 19:32 . 2009-12-05 19:32 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-05 19:32 . 2009-12-05 19:32 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-12-05 19:32 . 2010-04-12 04:21 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-04-08 02:09 . 2010-04-08 02:09 29926 c:\windows\Installer\{338F08AB-C262-42C7-B000-34DE1A475273}\_6FEFF9B68218417F98F549.exe
+ 2008-07-29 12:05 . 2008-07-29 12:05 875520 c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcp90d.dll
+ 2008-07-29 07:54 . 2008-07-29 07:54 312832 c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcm90d.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-12 04:05 . 2009-07-12 04:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2006-02-28 12:00 . 2010-04-13 19:47 435828 c:\windows\system32\perfh009.dat
+ 2010-04-08 02:09 . 2010-04-08 02:09 167424 c:\windows\Installer\83a916.msi
+ 2010-04-08 02:08 . 2010-04-08 02:08 236032 c:\windows\Installer\83a908.msi
+ 2008-07-29 12:05 . 2008-07-29 12:05 5982720 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfc90ud.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 5937144 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfc90d.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 1180672 c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcr90d.dll
+ 2010-04-08 02:09 . 2010-04-08 02:09 1859072 c:\windows\Installer\83a911.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-19 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-11 149280]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-8-21 900816]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-8-21 900816]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-04-01 16:28 2010864 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Adobe\\Adobe Flash CS4\\Flash.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/7/2010 10:22 PM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [9/6/2009 7:06 AM 169312]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [2/28/2006 8:00 AM 14336]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1265264]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 8:20 AM 12648]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-04-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 02:22]

2010-04-12 c:\windows\Tasks\Norton Security Scan for Administrator.job
- c:\program files\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2010-01-02 16:50]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: iu.edu\ithelplive
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\y2ygnof1.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.myheritage.com/?orig=ds&q=
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-13 15:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89D51AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f11852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel® PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9e1dbb0
PacketIndicateHandler -> NDIS.sys @ 0xb9e0ca0d
SendHandler -> NDIS.sys @ 0xb9e20b40
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(904)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(2928)
c:\windows\system32\hnetcfg.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\rpcnet.exe
c:\program files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-04-13 16:01:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-13 20:01
ComboFix2.txt 2010-04-13 06:08
ComboFix3.txt 2010-04-07 23:31

Pre-Run: 105,223,737,344 bytes free
Post-Run: 105,196,752,896 bytes free

- - End Of File - - 3B783A1B92FEC904B189F9EB509C547F


#8 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington
  • Local time:02:17 PM

Posted 13 April 2010 - 04:05 PM

Hi

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Thanks
maranatha

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!




My help is always free, But I do accept donations.
Donate Here


#9 curiousddd

curiousddd
  • Topic Starter

  • Members
  • 8 posts
  • Local time:05:17 PM

Posted 13 April 2010 - 07:10 PM

GooredFix by jpshortstuff (08.01.10.1)
Log created at 20:08 on 13/04/2010 (Administrator)
Firefox version 3.5.9 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [20:25 05/12/2009]
{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [07:15 11/03/2010]

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\y2ygnof1.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [18:25 02/01/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [21:34 06/12/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [07:15 11/03/2010]

-=E.O.F=-

#10 maranatha
  • Malware Response Team

Posted 13 April 2010 - 08:04 PM

Hi

Which browser is getting redirected?

Download and run HAMeb_check.exe
Post the contents of the resulting log.

Thanks
maranatha



#11 curiousddd
  • Topic Starter

Posted 14 April 2010 - 10:47 AM

Mozilla

C:\Documents and Settings\Administrator\My Documents\Downloads\HAMeb_check.exe
Wed 04/14/2010 at 11:43:44.63

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89D51AC8]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~


#12 maranatha
  • Malware Response Team

Posted 14 April 2010 - 11:01 AM

Hi
OK, please do this.

Please clear your Firefox cache.
Open Firefox
Click on Tools.
Click on Clear Private Data
Put a check in the Cache box
Click Clear Private Data Now.
OK any prompts.

Now this.
  1. Go to this page and Download TDSSKiller.zip to your Desktop.
  2. Extract its contents to your desktop and drag TDSSKiller.exe on the desktop, not in the folder.
  3. Go to Start > Run and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.
  4. Vista users, Start logo >All Programs> Accessories> RIGHT-click on Command Prompt and Select Run As Administrator. Copy/paste the following bolded command and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  5. If TDSSKiller alerts you that the system needs to reboot, please consent.
  6. When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.
Thanks
maranatha

Edited by maranatha, 14 April 2010 - 11:04 AM.



#13 curiousddd
  • Topic Starter

Posted 14 April 2010 - 06:18 PM

19:14:12:810 3412 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
19:14:12:810 3412 ================================================================================
19:14:12:810 3412 SystemInfo:

19:14:12:810 3412 OS Version: 5.1.2600 ServicePack: 3.0
19:14:12:810 3412 Product type: Workstation
19:14:12:810 3412 ComputerName: BL-RH-JOSKRAUS
19:14:12:810 3412 UserName: Administrator
19:14:12:810 3412 Windows directory: C:\WINDOWS
19:14:12:810 3412 Processor architecture: Intel x86
19:14:12:810 3412 Number of processors: 2
19:14:12:810 3412 Page size: 0x1000
19:14:12:826 3412 Boot type: Normal boot
19:14:12:826 3412 ================================================================================
19:14:12:826 3412 UnloadDriverW: NtUnloadDriver error 2
19:14:12:826 3412 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
19:14:12:857 3412 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
19:14:12:857 3412 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:14:12:857 3412 wfopen_ex: Trying to KLMD file open
19:14:12:857 3412 wfopen_ex: File opened ok (Flags 2)
19:14:12:857 3412 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
19:14:12:857 3412 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:14:12:857 3412 wfopen_ex: Trying to KLMD file open
19:14:12:857 3412 wfopen_ex: File opened ok (Flags 2)
19:14:12:857 3412 Initialize success
19:14:12:857 3412
19:14:12:857 3412 Scanning Services ...
19:14:13:357 3412 Raw services enum returned 337 services
19:14:13:357 3412
19:14:13:357 3412 Scanning Kernel memory ...
19:14:13:372 3412 Devices to scan: 2
19:14:13:372 3412
19:14:13:372 3412 Driver Name: Disk
19:14:13:372 3412 IRP_MJ_CREATE : BA10EBB0
19:14:13:372 3412 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
19:14:13:372 3412 IRP_MJ_CLOSE : BA10EBB0
19:14:13:372 3412 IRP_MJ_READ : BA108D1F
19:14:13:372 3412 IRP_MJ_WRITE : BA108D1F
19:14:13:372 3412 IRP_MJ_QUERY_INFORMATION : 804F4562
19:14:13:372 3412 IRP_MJ_SET_INFORMATION : 804F4562
19:14:13:372 3412 IRP_MJ_QUERY_EA : 804F4562
19:14:13:372 3412 IRP_MJ_SET_EA : 804F4562
19:14:13:372 3412 IRP_MJ_FLUSH_BUFFERS : BA1092E2
19:14:13:372 3412 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
19:14:13:372 3412 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
19:14:13:372 3412 IRP_MJ_DIRECTORY_CONTROL : 804F4562
19:14:13:372 3412 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
19:14:13:372 3412 IRP_MJ_DEVICE_CONTROL : BA1093BB
19:14:13:372 3412 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
19:14:13:372 3412 IRP_MJ_SHUTDOWN : BA1092E2
19:14:13:372 3412 IRP_MJ_LOCK_CONTROL : 804F4562
19:14:13:372 3412 IRP_MJ_CLEANUP : 804F4562
19:14:13:372 3412 IRP_MJ_CREATE_MAILSLOT : 804F4562
19:14:13:372 3412 IRP_MJ_QUERY_SECURITY : 804F4562
19:14:13:372 3412 IRP_MJ_SET_SECURITY : 804F4562
19:14:13:372 3412 IRP_MJ_POWER : BA10AC82
19:14:13:372 3412 IRP_MJ_SYSTEM_CONTROL : BA10F99E
19:14:13:372 3412 IRP_MJ_DEVICE_CHANGE : 804F4562
19:14:13:372 3412 IRP_MJ_QUERY_QUOTA : 804F4562
19:14:13:372 3412 IRP_MJ_SET_QUOTA : 804F4562
19:14:13:372 3412 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
19:14:13:372 3412
19:14:13:372 3412 Driver Name: atapi
19:14:13:372 3412 IRP_MJ_CREATE : 89D51AC8
19:14:13:372 3412 IRP_MJ_CREATE_NAMED_PIPE : 89D51AC8
19:14:13:372 3412 IRP_MJ_CLOSE : 89D51AC8
19:14:13:372 3412 IRP_MJ_READ : 89D51AC8
19:14:13:372 3412 IRP_MJ_WRITE : 89D51AC8
19:14:13:372 3412 IRP_MJ_QUERY_INFORMATION : 89D51AC8
19:14:13:372 3412 IRP_MJ_SET_INFORMATION : 89D51AC8
19:14:13:372 3412 IRP_MJ_QUERY_EA : 89D51AC8
19:14:13:372 3412 IRP_MJ_SET_EA : 89D51AC8
19:14:13:372 3412 IRP_MJ_FLUSH_BUFFERS : 89D51AC8
19:14:13:372 3412 IRP_MJ_QUERY_VOLUME_INFORMATION : 89D51AC8
19:14:13:372 3412 IRP_MJ_SET_VOLUME_INFORMATION : 89D51AC8
19:14:13:372 3412 IRP_MJ_DIRECTORY_CONTROL : 89D51AC8
19:14:13:372 3412 IRP_MJ_FILE_SYSTEM_CONTROL : 89D51AC8
19:14:13:372 3412 IRP_MJ_DEVICE_CONTROL : 89D51AC8
19:14:13:372 3412 IRP_MJ_INTERNAL_DEVICE_CONTROL : 89D51AC8
19:14:13:372 3412 IRP_MJ_SHUTDOWN : 89D51AC8
19:14:13:372 3412 IRP_MJ_LOCK_CONTROL : 89D51AC8
19:14:13:372 3412 IRP_MJ_CLEANUP : 89D51AC8
19:14:13:372 3412 IRP_MJ_CREATE_MAILSLOT : 89D51AC8
19:14:13:372 3412 IRP_MJ_QUERY_SECURITY : 89D51AC8
19:14:13:372 3412 IRP_MJ_SET_SECURITY : 89D51AC8
19:14:13:372 3412 IRP_MJ_POWER : 89D51AC8
19:14:13:372 3412 IRP_MJ_SYSTEM_CONTROL : 89D51AC8
19:14:13:372 3412 IRP_MJ_DEVICE_CHANGE : 89D51AC8
19:14:13:372 3412 IRP_MJ_QUERY_QUOTA : 89D51AC8
19:14:13:372 3412 IRP_MJ_SET_QUOTA : 89D51AC8
19:14:13:372 3412 Driver "atapi" infected by TDSS rootkit!
19:14:13:388 3412 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
19:14:13:388 3412 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
19:14:13:388 3412 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
19:14:13:388 3412 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
19:14:13:654 3412 vfvi6
19:14:13:747 3412 !dsvbh1
19:14:14:325 3412 dsvbh2
19:14:14:325 3412 fdfb2
19:14:14:325 3412 Backup copy found, using it..
19:14:14:356 3412 will be cured on next reboot
19:14:14:356 3412 Reboot required for cure complete..
19:14:14:356 3412 Cure on reboot scheduled successfully
19:14:14:356 3412
19:14:14:356 3412 Completed
19:14:14:356 3412
19:14:14:356 3412 Results:
19:14:14:356 3412 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
19:14:14:356 3412 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:14:14:356 3412 File objects infected / cured / cured on reboot: 1 / 0 / 1
19:14:14:356 3412
19:14:14:356 3412 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
19:14:14:356 3412 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
19:14:14:356 3412 UnloadDriverW: NtUnloadDriver error 1
19:14:14:356 3412 KLMD(ARK) unloaded successfully
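The log above is the actual indicator worth understanding: every IRP_MJ_* dispatch entry of the atapi driver resolves to the single address 89D51AC8, which the earlier mbr.exe output already flagged as ">>UNKNOWN [0x89D51AC8]<<" because it lies outside every loaded kernel module, while the Disk driver's handlers fall inside CLASSPNP.SYS and the kernel (804F4562 is the kernel's default handler for IRP major functions a driver does not implement). The following is an added example, not part of this thread and not TDSSKiller's or Kaspersky's code: it parses TDSSKiller-style dispatch-table lines and flags a driver whose handlers all collapse to one target or point into no known module. The module base/size table and the trimmed sample log are constructed for the demonstration; real module ranges would come from a loaded-module list taken on the same machine.

```python
"""Flag kernel drivers whose IRP dispatch table has been hijacked.

TDL3/TDSS-class rootkits overwrite every IRP_MJ_* pointer in a storage
driver's DRIVER_OBJECT (here atapi) with one address in kernel pool that
belongs to no loaded image. A clean table points into the driver's own image
(or the class driver it is built on) and, for unimplemented functions, into
the kernel's default handler.
"""
import re

# Constructed sample in the TDSSKiller 2.2.x log layout quoted above,
# trimmed to a few IRP major functions per driver.
SAMPLE_LOG = """\
19:14:13:372 3412 Driver Name: Disk
19:14:13:372 3412 IRP_MJ_CREATE : BA10EBB0
19:14:13:372 3412 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
19:14:13:372 3412 IRP_MJ_CLOSE : BA10EBB0
19:14:13:372 3412 IRP_MJ_READ : BA108D1F
19:14:13:372 3412 IRP_MJ_WRITE : BA108D1F
19:14:13:372 3412 IRP_MJ_DEVICE_CONTROL : BA1093BB
19:14:13:372 3412 IRP_MJ_POWER : BA10AC82
19:14:13:372 3412 Driver Name: atapi
19:14:13:372 3412 IRP_MJ_CREATE : 89D51AC8
19:14:13:372 3412 IRP_MJ_CREATE_NAMED_PIPE : 89D51AC8
19:14:13:372 3412 IRP_MJ_CLOSE : 89D51AC8
19:14:13:372 3412 IRP_MJ_READ : 89D51AC8
19:14:13:372 3412 IRP_MJ_WRITE : 89D51AC8
19:14:13:372 3412 IRP_MJ_DEVICE_CONTROL : 89D51AC8
19:14:13:372 3412 IRP_MJ_POWER : 89D51AC8
"""

# Constructed (hypothetical) loaded-module map: name -> (base, size).
# On a live system this comes from a kernel module listing, not from guesses.
MODULES = {
    "ntkrnlpa.exe": (0x804D7000, 0x1F8000),
    "CLASSPNP.SYS": (0xBA108000, 0x00D000),
    "atapi.sys":    (0xB9F0F000, 0x017000),
}

DRIVER_RE = re.compile(r"Driver Name:\s+(\S+)")
IRP_RE = re.compile(r"(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})")


def parse_dispatch_tables(log_text):
    """Return {driver: {IRP_MJ_name: handler_address}} from log lines."""
    tables, current = {}, None
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            tables[current] = {}
            continue
        m = IRP_RE.search(line)
        if m and current is not None:
            tables[current][m.group(1)] = int(m.group(2), 16)
    return tables


def resolve_module(addr, modules):
    """Name of the module whose [base, base+size) contains addr, else None."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return None


def assess(tables, modules):
    """Verdict per driver: 'hooked' when all handlers share one target or
    any handler lies outside every known module, otherwise 'clean'."""
    report = {}
    for driver, table in tables.items():
        targets = set(table.values())
        unresolved = sorted(a for a in targets if resolve_module(a, modules) is None)
        collapsed = len(table) > 1 and len(targets) == 1
        report[driver] = {
            "distinct_targets": len(targets),
            "unresolved": [f"0x{a:08X}" for a in unresolved],
            "verdict": "hooked" if (collapsed or unresolved) else "clean",
        }
    return report


if __name__ == "__main__":
    for drv, info in assess(parse_dispatch_tables(SAMPLE_LOG), MODULES).items():
        print(f"{drv:8s} targets={info['distinct_targets']} "
              f"unresolved={info['unresolved']} -> {info['verdict']}")
```

The two tests are deliberately independent: a rootkit could hook only IRP_MJ_READ/WRITE and leave the rest intact (so the single-target check alone is insufficient), and a hook that jumps into a legitimately loaded but malicious driver would resolve to a module (so the unresolved check alone is insufficient). Together with a trusted module list they reproduce what TDSSKiller's "Driver "atapi" infected by TDSS rootkit!" verdict and mbr.exe's "UNKNOWN" marker are telling you.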


#14 maranatha
  • Malware Response Team

Posted 14 April 2010 - 09:36 PM

Hi
OK, now how is the machine running? Being redirected still?

Please download MBR.exe to your Desktop.
Double click MBR.exe and let it run, a file called mbr.log will appear on your desk top.
Please post the contents of that log in your next reply.


Please run GMER again and post the new log.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
    Please uncheck the following settings that we do not want in our scan.
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive, which is typically C:\
  • Show All (This one is important, so do not miss it.)
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Please post the MBR log and the GMER log.

Thanks
maranatha

Edited by maranatha, 14 April 2010 - 09:48 PM.



#15 maranatha
  • Malware Response Team

Posted 18 April 2010 - 10:39 AM

Hi
If you still require help, please respond to this thread or it will be closed in 48 hours.

Thanks
maranatha
