Google-redirecting Virus Removal


This topic is locked. 61 replies to this topic.

#1 celled20 (Members, 33 posts)

Posted 08 April 2010 - 03:44 PM

Hello. I have been, countless times, redirected to the wrong page when I click google links. I'm directed arbitrarily, sometimes more often sometimes less often. I am getting annoyed. Please, kindly give me some help. This is a site that I'm annoyingly redirected to sometimes:
http://wigsforkids.com/search.php
GMER log attached
DDS file attached
DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 13:14:58.93 on Thu 04/08/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.594 [GMT -7:00]

AV: avast! antivirus 4.8.1368 [VPS 100408-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
c:\program files\a-squared free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://qus10.hpwis.com/
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
uInternet Connection Wizard,ShellNext = hxxp://qus10.hpwis.com/
uInternet Settings,ProxyOverride = localhost
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [CamMonitor] c:\program files\hp\digital imaging\unload\hpqcmon.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [LTMSG] LTMSG.exe 7
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [SetDefPrt] c:\program files\brother\brmfl06a\BrStDvPt.exe
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
mRun: [combofix] "c:\combofix\cf28964.cfxxe" /c "c:\combofix\C.bat"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aticat~1.lnk - c:\program files\ati technologies\ati.ace\CLI.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {13C1DBF6-7535-495c-91F6-8C13714ED485} - c:\documents and settings\all users\start menu\programs\absolute poker\Absolute Poker.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\d8hofi47.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-9 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-11-15 353672]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2007-6-12 1858144]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-9 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2007-7-15 138680]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2007-7-15 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2007-7-15 352920]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2006-8-29 223128]

=============== Created Last 30 ================

2010-04-08 20:05:26 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-04-08 17:13:39 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-08 17:13:27 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-08 17:13:27 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2010-04-08 16:39:04 0 d-----w- c:\program files\Sun
2010-04-08 15:46:28 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-08 15:40:01 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-08 15:39:32 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-08 15:39:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-08 03:32:57 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-04-08 03:31:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-08 03:31:27 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 03:31:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-08 03:31:26 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-08 02:56:35 0 d---a-r- C:\autorun.inf
2010-03-17 21:16:08 0 d-----w- c:\program files\Windows Resource Kits
2010-03-10 13:28:23 3558912 -c--a-w- c:\windows\system32\dllcache\moviemk.exe
2010-03-10 04:33:38 1025024 -c--a-w- c:\windows\system32\dllcache\browseui.dll

==================== Find3M ====================

2010-04-08 16:38:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-08 14:49:17 96384 -c--a-w- c:\windows\system32\drivers\sptddrv1.sys
2010-02-26 05:43:57 667136 ------w- c:\windows\system32\wininet.dll
2010-02-26 05:43:54 81920 ----a-w- c:\windows\system32\ieencode.dll

============= FINISH: 13:16:41.01 ===============
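As an added example (not a tool from BleepingComputer, DDS or ComboFix), a small Python triage script for the autostart and registry lines found in logs like the DDS "Pseudo HJT Report" above and the ComboFix "Reg Loading Points" section later in the thread. It flags what a responder checks first: Run entries that name a bare executable with no absolute path, autostarts launched from user-writable folders, orphaned "No File" registrations, and Security Center / Windows Firewall override values. The sample lines are constructed and modelled on the formats in this thread; every path and name in them is illustrative.

```python
"""Triage helper for DDS 'Pseudo HJT Report' and ComboFix 'Reg Loading Points'
log sections.  Added example; not a tool used or published by BleepingComputer,
DDS or ComboFix.  The sample log below is constructed, not real log content."""
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    severity: str   # "high", "medium" or "low"
    line: str       # the log line that triggered the finding
    reason: str


# DDS autostart lines: uRun/mRun/dRun(Once): [name] command
RUN_RE = re.compile(r'^[umd]Run(?:Once)?: \[[^\]]*\] (?P<cmd>.+)$')
# Absolute executable path, quoted or unquoted (unquoted paths may contain spaces)
ABS_EXE_RE = re.compile(
    r'^(?:"(?P<q>[a-z]:\\[^"]+)"|(?P<u>[a-z]:\\.+?\.(?:exe|dll|scr|bat|cfxxe)))(?:\s|$)',
    re.IGNORECASE)
# ComboFix REGEDIT4-style key headers and values
REG_KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
REG_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>.+)$')
# Folder fragments a standard user can write to on Windows XP
USER_WRITABLE = ('\\documents and settings\\', '\\temp\\', '\\application data\\')

# Constructed sample, modelled on the DDS and ComboFix formats in this thread.
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = localhost
BHO: Example Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\example\helper.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
mRun: [LTMSG] LTMSG.exe 7
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
uRun: [updater] c:\documents and settings\owner\local settings\temp\upd.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


def executable_path(cmd: str) -> Optional[str]:
    """Return the absolute path a Run command launches (lower-cased), or None
    when the command names a bare file (LTMSG.exe, rundll32.exe ...) that
    Windows resolves through the search path rather than a fixed location."""
    m = ABS_EXE_RE.match(cmd.strip())
    if not m:
        return None
    return (m.group('q') or m.group('u')).lower()


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and collect findings; lines that match nothing are ignored."""
    findings: List[Finding] = []
    current_key = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith('- No File'):
            findings.append(Finding('low', line,
                                    'orphaned registration: CLSID points at a missing file'))
            continue
        m = RUN_RE.match(line)
        if m:
            path = executable_path(m.group('cmd'))
            if path is None:
                findings.append(Finding('medium', line,
                                        'bare executable name: resolved via search path, '
                                        'cannot verify which file actually runs'))
            elif any(part in path for part in USER_WRITABLE):
                findings.append(Finding('high', line,
                                        'autostart launched from a user-writable location'))
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current_key = m.group('key').lower()
            continue
        m = REG_VAL_RE.match(line)
        if not m:
            continue
        name, val = m.group('name'), m.group('val').lower()
        if 'security center' in current_key and val == 'dword:00000001' \
                and name in ('AntiVirusOverride', 'FirewallOverride'):
            findings.append(Finding('high', line,
                                    'Security Center alerting for this component is suppressed'))
        elif 'firewallpolicy' in current_key and name == 'EnableFirewall' \
                and val.startswith('0'):
            findings.append(Finding('high', line,
                                    'Windows Firewall disabled for this profile'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.severity:6}] {f.reason}\n         {f.line}')
```

The script does not decide whether an entry is malicious; it only orders the log so the reviewer looks at the entries whose origin cannot be confirmed first.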

#2 Noviciate (Malware Response Team, 5,277 posts)

Posted 08 April 2010 - 04:50 PM

Good evening.

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *
  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.


#3 celled20 (Topic Starter, Members, 33 posts)

Posted 08 April 2010 - 05:27 PM

Still getting redirects. Ran combofix while anti-virus was disabled.
LOG:
ComboFix 10-04-07.04 - Owner 04/08/2010 15:03:23.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.531 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\tekkenfix.exe
AV: avast! antivirus 4.8.1368 [VPS 100408-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-03-08 to 2010-04-08 )))))))))))))))))))))))))))))))
.

2010-04-08 17:27 . 2010-04-08 17:27 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-08 17:27 . 2010-04-08 17:27 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-08 17:27 . 2010-04-08 17:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-04-08 17:14 . 2010-04-08 17:14 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-08 17:14 . 2010-04-08 17:14 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-08 17:13 . 2010-04-08 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-08 17:13 . 2010-04-08 17:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-08 17:13 . 2010-04-08 17:13 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-04-08 16:39 . 2010-04-08 16:39 -------- d-----w- c:\program files\Sun
2010-04-08 15:46 . 2010-04-08 15:46 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-08 15:40 . 2010-04-08 16:56 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-08 15:39 . 2010-04-08 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-08 15:39 . 2010-04-08 15:39 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-08 05:46 . 2010-04-08 05:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-08 03:32 . 2010-04-08 03:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-04-08 03:31 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-08 03:31 . 2010-04-08 03:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-08 03:31 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 03:31 . 2010-04-08 03:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-17 21:16 . 2010-03-17 21:16 -------- d-----w- c:\program files\Windows Resource Kits
2010-03-10 13:28 . 2009-10-23 15:28 3558912 -c--a-w- c:\windows\system32\dllcache\moviemk.exe
2010-03-10 04:33 . 2010-03-10 04:33 1025024 -c--a-w- c:\windows\system32\dllcache\browseui.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-08 21:20 . 2008-12-16 05:29 -------- d-----w- c:\documents and settings\Owner\Application Data\foobar2000
2010-04-08 17:13 . 2008-10-18 20:35 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-08 16:46 . 2003-10-11 12:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-08 16:44 . 2006-08-14 22:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-04-08 16:40 . 2003-10-11 10:51 -------- d-----w- c:\program files\Common Files\Java
2010-04-08 16:38 . 2009-08-05 19:13 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-08 16:37 . 2003-10-11 10:51 -------- d-----w- c:\program files\Java
2010-04-08 14:49 . 2003-10-31 18:49 96384 -c--a-w- c:\windows\system32\drivers\sptddrv1.sys
2010-04-08 05:40 . 2010-04-08 06:02 79872 ----a-w- c:\windows\Internet Logs\xDB2A.tmp
2010-04-08 05:40 . 2010-04-08 06:02 3123712 ----a-w- c:\windows\Internet Logs\xDB2B.tmp
2010-04-08 02:37 . 2006-11-20 18:00 -------- d-----w- c:\program files\a-squared Free
2010-04-07 22:33 . 2008-11-28 04:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Soulseek
2010-04-07 02:26 . 2010-04-07 02:28 1575424 ----a-w- c:\windows\Internet Logs\xDB29.tmp
2010-04-07 00:30 . 2008-04-17 13:32 39441027 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2010-04-06 00:39 . 2006-09-04 19:10 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2010-04-05 01:33 . 2003-10-11 12:07 -------- d-----w- c:\program files\Common Files\Real
2010-04-05 01:27 . 2003-10-11 11:20 -------- d-----w- c:\program files\HP
2010-04-05 01:12 . 2003-10-14 13:31 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-05 01:10 . 2006-11-11 20:59 -------- d-----w- c:\program files\Audacity
2010-04-02 01:01 . 2010-03-08 02:05 439816 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\setup.exe
2010-03-27 21:29 . 2010-03-27 21:29 99465 ----a-w- c:\windows\Internet Logs\zlclient_2nd_2010_03_27_12_21_14_small.dmp.zip
2010-03-07 14:06 . 2010-03-07 16:54 270848 ----a-w- c:\windows\Internet Logs\xDB28.tmp
2010-02-28 03:58 . 2010-02-28 04:18 2686976 ----a-w- c:\windows\Internet Logs\xDB27.tmp
2010-02-26 05:43 . 2006-06-23 18:33 667136 ------w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2004-08-04 07:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-20 14:36 . 2008-05-08 03:26 -------- d-----w- c:\program files\Common Files\Apple
2010-02-13 14:06 . 2010-02-13 14:06 -------- d-----w- c:\program files\Yahoo!
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-08-19 852038]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"="LTMSG.exe 7" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-08-20 118784]
"CamMonitor"="c:\program files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 90112]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"PS2"="c:\windows\system32\ps2.exe" [2002-08-01 81920]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-01 344064]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-12-01 32768]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-08-20 155648]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-12 172032]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-27 49152]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-04-08 5650240]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-12-01 32768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2004-12-1 32768]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1/9/2009 7:47 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [6/12/2007 4:45 PM 1858144]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/9/2009 7:47 PM 20560]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [8/29/2006 3:53 PM 223128]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/29/2006 3:49 PM 611064]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KXPCRPOW
*Deregistered* - kxpcrpow
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://qus10.hpwis.com/
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
uInternet Connection Wizard,ShellNext = hxxp://qus10.hpwis.com/
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\d8hofi47.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-08 15:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86892AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\Driver\ACPI -> ACPI.sys @ 0xf743ecb8
\Driver\atapi -> atapi.sys @ 0xf73f6852
IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3768)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-08 15:22:06
ComboFix-quarantined-files.txt 2010-04-08 22:22
ComboFix2.txt 2010-04-08 15:16

Pre-Run: 1,288,892,416 bytes free
Post-Run: 1,241,833,472 bytes free

- - End Of File - - DAD566D12306F38FFBB07E26F3E546C6


#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:15 AM

Posted 08 April 2010 - 05:55 PM

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop - this is important.
  • You will then need to extract the file(s) from the zipped folder.
  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish.
  • Close all open programs as a reboot may be required.
  • Go to Start > Run, copy and paste the following into the text box and hit OK:

    "%userprofile%\desktop\tdsskiller\TDSSKiller.exe" -l report.txt

  • A Command Window will open and the tool will scan and produce a log called report.txt that can be found in the TDSSKiller folder that you unzipped.
  • If the tool prompts for a reboot, please allow it to do so; if it fails to reboot after prompting, reboot manually.
Please post the contents of the log, report.txt, in your next reply.

So long, and thanks for all the fish.


#5 celled20

celled20
  • Topic Starter

  • Members
  • 33 posts
  • Local time:11:15 PM

Posted 08 April 2010 - 06:39 PM

Still getting redirects, unfortunately. Report.txt log:

16:28:22:843 3644 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
16:28:22:843 3644 ================================================================================
16:28:22:843 3644 SystemInfo:

16:28:22:843 3644 OS Version: 5.1.2600 ServicePack: 3.0
16:28:22:843 3644 Product type: Workstation
16:28:22:843 3644 ComputerName: YOUR-W04GTXLD67
16:28:22:859 3644 UserName: Owner
16:28:22:859 3644 Windows directory: C:\WINDOWS
16:28:22:859 3644 Processor architecture: Intel x86
16:28:22:859 3644 Number of processors: 1
16:28:22:859 3644 Page size: 0x1000
16:28:22:859 3644 Boot type: Normal boot
16:28:22:859 3644 ================================================================================
16:28:22:859 3644 UnloadDriverW: NtUnloadDriver error 2
16:28:22:859 3644 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
16:28:22:890 3644 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
16:28:22:890 3644 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:28:22:890 3644 wfopen_ex: Trying to KLMD file open
16:28:22:890 3644 wfopen_ex: File opened ok (Flags 2)
16:28:22:890 3644 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
16:28:22:890 3644 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:28:22:890 3644 wfopen_ex: Trying to KLMD file open
16:28:22:890 3644 wfopen_ex: File opened ok (Flags 2)
16:28:22:890 3644 Initialize success
16:28:22:890 3644
16:28:22:890 3644 Scanning Services ...
16:28:23:343 3644 Raw services enum returned 367 services
16:28:23:359 3644
16:28:23:359 3644 Scanning Kernel memory ...
16:28:23:375 3644 Devices to scan: 5
16:28:23:375 3644
16:28:23:375 3644 Driver Name: Disk
16:28:23:375 3644 IRP_MJ_CREATE : F74CDBB0
16:28:23:375 3644 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
16:28:23:375 3644 IRP_MJ_CLOSE : F74CDBB0
16:28:23:375 3644 IRP_MJ_READ : F74C7D1F
16:28:23:375 3644 IRP_MJ_WRITE : F74C7D1F
16:28:23:375 3644 IRP_MJ_QUERY_INFORMATION : 804FA88E
16:28:23:375 3644 IRP_MJ_SET_INFORMATION : 804FA88E
16:28:23:375 3644 IRP_MJ_QUERY_EA : 804FA88E
16:28:23:375 3644 IRP_MJ_SET_EA : 804FA88E
16:28:23:375 3644 IRP_MJ_FLUSH_BUFFERS : F74C82E2
16:28:23:375 3644 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
16:28:23:375 3644 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
16:28:23:375 3644 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
16:28:23:375 3644 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
16:28:23:375 3644 IRP_MJ_DEVICE_CONTROL : F74C83BB
16:28:23:375 3644 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74CBF28
16:28:23:375 3644 IRP_MJ_SHUTDOWN : F74C82E2
16:28:23:375 3644 IRP_MJ_LOCK_CONTROL : 804FA88E
16:28:23:375 3644 IRP_MJ_CLEANUP : 804FA88E
16:28:23:375 3644 IRP_MJ_CREATE_MAILSLOT : 804FA88E
16:28:23:375 3644 IRP_MJ_QUERY_SECURITY : 804FA88E
16:28:23:375 3644 IRP_MJ_SET_SECURITY : 804FA88E
16:28:23:375 3644 IRP_MJ_POWER : F74C9C82
16:28:23:375 3644 IRP_MJ_SYSTEM_CONTROL : F74CE99E
16:28:23:375 3644 IRP_MJ_DEVICE_CHANGE : 804FA88E
16:28:23:375 3644 IRP_MJ_QUERY_QUOTA : 804FA88E
16:28:23:375 3644 IRP_MJ_SET_QUOTA : 804FA88E
16:28:23:406 3644 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
16:28:23:406 3644
16:28:23:406 3644 Driver Name: USBSTOR
16:28:23:406 3644 IRP_MJ_CREATE : F7754218
16:28:23:406 3644 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
16:28:23:406 3644 IRP_MJ_CLOSE : F7754218
16:28:23:406 3644 IRP_MJ_READ : F775423C
16:28:23:406 3644 IRP_MJ_WRITE : F775423C
16:28:23:406 3644 IRP_MJ_QUERY_INFORMATION : 804FA88E
16:28:23:406 3644 IRP_MJ_SET_INFORMATION : 804FA88E
16:28:23:406 3644 IRP_MJ_QUERY_EA : 804FA88E
16:28:23:406 3644 IRP_MJ_SET_EA : 804FA88E
16:28:23:406 3644 IRP_MJ_FLUSH_BUFFERS : 804FA88E
16:28:23:406 3644 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
16:28:23:406 3644 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
16:28:23:406 3644 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
16:28:23:406 3644 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
16:28:23:406 3644 IRP_MJ_DEVICE_CONTROL : F7754180
16:28:23:406 3644 IRP_MJ_INTERNAL_DEVICE_CONTROL : F774F9E6
16:28:23:406 3644 IRP_MJ_SHUTDOWN : 804FA88E
16:28:23:406 3644 IRP_MJ_LOCK_CONTROL : 804FA88E
16:28:23:406 3644 IRP_MJ_CLEANUP : 804FA88E
16:28:23:406 3644 IRP_MJ_CREATE_MAILSLOT : 804FA88E
16:28:23:406 3644 IRP_MJ_QUERY_SECURITY : 804FA88E
16:28:23:406 3644 IRP_MJ_SET_SECURITY : 804FA88E
16:28:23:406 3644 IRP_MJ_POWER : F77535F0
16:28:23:406 3644 IRP_MJ_SYSTEM_CONTROL : F7751A6E
16:28:23:406 3644 IRP_MJ_DEVICE_CHANGE : 804FA88E
16:28:23:406 3644 IRP_MJ_QUERY_QUOTA : 804FA88E
16:28:23:406 3644 IRP_MJ_SET_QUOTA : 804FA88E
16:28:23:421 3644 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
16:28:23:421 3644
16:28:23:421 3644 Driver Name: Disk
16:28:23:421 3644 IRP_MJ_CREATE : F74CDBB0
16:28:23:421 3644 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
16:28:23:421 3644 IRP_MJ_CLOSE : F74CDBB0
16:28:23:421 3644 IRP_MJ_READ : F74C7D1F
16:28:23:421 3644 IRP_MJ_WRITE : F74C7D1F
16:28:23:421 3644 IRP_MJ_QUERY_INFORMATION : 804FA88E
16:28:23:421 3644 IRP_MJ_SET_INFORMATION : 804FA88E
16:28:23:421 3644 IRP_MJ_QUERY_EA : 804FA88E
16:28:23:421 3644 IRP_MJ_SET_EA : 804FA88E
16:28:23:421 3644 IRP_MJ_FLUSH_BUFFERS : F74C82E2
16:28:23:421 3644 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
16:28:23:421 3644 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
16:28:23:421 3644 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
16:28:23:421 3644 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
16:28:23:421 3644 IRP_MJ_DEVICE_CONTROL : F74C83BB
16:28:23:421 3644 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74CBF28
16:28:23:421 3644 IRP_MJ_SHUTDOWN : F74C82E2
16:28:23:421 3644 IRP_MJ_LOCK_CONTROL : 804FA88E
16:28:23:421 3644 IRP_MJ_CLEANUP : 804FA88E
16:28:23:421 3644 IRP_MJ_CREATE_MAILSLOT : 804FA88E
16:28:23:421 3644 IRP_MJ_QUERY_SECURITY : 804FA88E
16:28:23:421 3644 IRP_MJ_SET_SECURITY : 804FA88E
16:28:23:421 3644 IRP_MJ_POWER : F74C9C82
16:28:23:421 3644 IRP_MJ_SYSTEM_CONTROL : F74CE99E
16:28:23:421 3644 IRP_MJ_DEVICE_CHANGE : 804FA88E
16:28:23:421 3644 IRP_MJ_QUERY_QUOTA : 804FA88E
16:28:23:421 3644 IRP_MJ_SET_QUOTA : 804FA88E
16:28:23:421 3644 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
16:28:23:421 3644
16:28:23:421 3644 Driver Name: Disk
16:28:23:421 3644 IRP_MJ_CREATE : F74CDBB0
16:28:23:421 3644 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
16:28:23:421 3644 IRP_MJ_CLOSE : F74CDBB0
16:28:23:421 3644 IRP_MJ_READ : F74C7D1F
16:28:23:421 3644 IRP_MJ_WRITE : F74C7D1F
16:28:23:421 3644 IRP_MJ_QUERY_INFORMATION : 804FA88E
16:28:23:421 3644 IRP_MJ_SET_INFORMATION : 804FA88E
16:28:23:421 3644 IRP_MJ_QUERY_EA : 804FA88E
16:28:23:421 3644 IRP_MJ_SET_EA : 804FA88E
16:28:23:421 3644 IRP_MJ_FLUSH_BUFFERS : F74C82E2
16:28:23:421 3644 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
16:28:23:421 3644 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
16:28:23:421 3644 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
16:28:23:421 3644 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
16:28:23:421 3644 IRP_MJ_DEVICE_CONTROL : F74C83BB
16:28:23:421 3644 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74CBF28
16:28:23:421 3644 IRP_MJ_SHUTDOWN : F74C82E2
16:28:23:421 3644 IRP_MJ_LOCK_CONTROL : 804FA88E
16:28:23:421 3644 IRP_MJ_CLEANUP : 804FA88E
16:28:23:421 3644 IRP_MJ_CREATE_MAILSLOT : 804FA88E
16:28:23:437 3644 IRP_MJ_QUERY_SECURITY : 804FA88E
16:28:23:437 3644 IRP_MJ_SET_SECURITY : 804FA88E
16:28:23:437 3644 IRP_MJ_POWER : F74C9C82
16:28:23:437 3644 IRP_MJ_SYSTEM_CONTROL : F74CE99E
16:28:23:437 3644 IRP_MJ_DEVICE_CHANGE : 804FA88E
16:28:23:437 3644 IRP_MJ_QUERY_QUOTA : 804FA88E
16:28:23:437 3644 IRP_MJ_SET_QUOTA : 804FA88E
16:28:23:437 3644 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
16:28:23:437 3644
16:28:23:437 3644 Driver Name: atapi
16:28:23:437 3644 IRP_MJ_CREATE : 86821AC8
16:28:23:437 3644 IRP_MJ_CREATE_NAMED_PIPE : 86821AC8
16:28:23:437 3644 IRP_MJ_CLOSE : 86821AC8
16:28:23:437 3644 IRP_MJ_READ : 86821AC8
16:28:23:437 3644 IRP_MJ_WRITE : 86821AC8
16:28:23:437 3644 IRP_MJ_QUERY_INFORMATION : 86821AC8
16:28:23:437 3644 IRP_MJ_SET_INFORMATION : 86821AC8
16:28:23:437 3644 IRP_MJ_QUERY_EA : 86821AC8
16:28:23:437 3644 IRP_MJ_SET_EA : 86821AC8
16:28:23:437 3644 IRP_MJ_FLUSH_BUFFERS : 86821AC8
16:28:23:437 3644 IRP_MJ_QUERY_VOLUME_INFORMATION : 86821AC8
16:28:23:437 3644 IRP_MJ_SET_VOLUME_INFORMATION : 86821AC8
16:28:23:437 3644 IRP_MJ_DIRECTORY_CONTROL : 86821AC8
16:28:23:437 3644 IRP_MJ_FILE_SYSTEM_CONTROL : 86821AC8
16:28:23:437 3644 IRP_MJ_DEVICE_CONTROL : 86821AC8
16:28:23:437 3644 IRP_MJ_INTERNAL_DEVICE_CONTROL : 86821AC8
16:28:23:437 3644 IRP_MJ_SHUTDOWN : 86821AC8
16:28:23:437 3644 IRP_MJ_LOCK_CONTROL : 86821AC8
16:28:23:437 3644 IRP_MJ_CLEANUP : 86821AC8
16:28:23:437 3644 IRP_MJ_CREATE_MAILSLOT : 86821AC8
16:28:23:437 3644 IRP_MJ_QUERY_SECURITY : 86821AC8
16:28:23:437 3644 IRP_MJ_SET_SECURITY : 86821AC8
16:28:23:437 3644 IRP_MJ_POWER : 86821AC8
16:28:23:437 3644 IRP_MJ_SYSTEM_CONTROL : 86821AC8
16:28:23:437 3644 IRP_MJ_DEVICE_CHANGE : 86821AC8
16:28:23:437 3644 IRP_MJ_QUERY_QUOTA : 86821AC8
16:28:23:437 3644 IRP_MJ_SET_QUOTA : 86821AC8
16:28:23:437 3644 Driver "atapi" infected by TDSS rootkit!
16:28:23:468 3644 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
16:28:23:468 3644 File "C:\WINDOWS\system32\drivers\atapi.sys" infected by TDSS rootkit ...
16:28:23:468 3644 Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
16:28:23:468 3644 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
16:28:23:609 3644 vfvi6
16:28:23:703 3644 !dsvbh1
16:28:26:328 3644 dsvbh2
16:28:26:343 3644 fdfb2
16:28:26:343 3644 Backup copy found, using it..
16:28:26:359 3644 will be cured on next reboot
16:28:26:359 3644 Reboot required for cure complete..
16:28:26:375 3644 Cure on reboot scheduled successfully
16:28:26:375 3644
16:28:26:375 3644 Completed
16:28:26:375 3644
16:28:26:390 3644 Results:
16:28:26:390 3644 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
16:28:26:390 3644 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:28:26:390 3644 File objects infected / cured / cured on reboot: 1 / 0 / 1
16:28:26:390 3644
16:28:26:390 3644 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
16:28:26:390 3644 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
16:28:26:390 3644 UnloadDriverW: NtUnloadDriver error 1
16:28:26:390 3644 KLMD(ARK) unloaded successfully


#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:15 AM

Posted 09 April 2010 - 02:05 PM

Good evening.

Did you allow the reboot?

So long, and thanks for all the fish.


#7 celled20

celled20
  • Topic Starter

  • Members
  • 33 posts
  • Local time:11:15 PM

Posted 09 April 2010 - 04:15 PM

Good evening.
Yes. I recall that I was prompted to press Y for the reboot.

Edited by celled20, 09 April 2010 - 04:15 PM.


#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:15 AM

Posted 09 April 2010 - 07:58 PM

Pity, I was hoping you hadn't. Ah well, try the following:

Download HAMeb_check.exe by noahdfear from here and save it to your Desktop.
  • Double click the tool to run it - it will take a minute or two to complete.
  • Once complete it will open Notepad with the results and save a copy as HelpAsst.log to the root of your hard drive, usually C:\
  • Please post the contents in your next reply.

So long, and thanks for all the fish.


#9 celled20

celled20
  • Topic Starter

  • Members
  • 33 posts
  • Local time:11:15 PM

Posted 09 April 2010 - 09:04 PM

Ok, here's the log:

C:\Documents and Settings\Owner\Desktop\HAMeb_check.exe
Fri 04/09/2010 at 19:03:25.28

Full Name Remote Desktop Help Assistant Account
Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in List

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8679CAC8]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~


#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:15 AM

Posted 10 April 2010 - 02:20 PM

Good evening.

For some reason the infected file that was identified doesn't appear to have been successfully replaced. If we can find a clean version on your machine we'll see if we can swop it for the infected version and Bob should be your Auntie's husband - hopefully!

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    CODE
    :filefind
    *atapi*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

So long, and thanks for all the fish.


#11 celled20

celled20
  • Topic Starter

  • Members
  • 33 posts
  • Local time:11:15 PM

Posted 10 April 2010 - 04:17 PM

Ok, here's the log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 14:14 on 10/04/2010 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "*atapi*"
C:\cmdcons\atapi.sy_ --a--- 47242 bytes [03:28 13/08/2006] [19:00 29/08/2002] 4A425C994A72B0C6D7D19171A83EB78E
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys --a--c 95360 bytes [13:59 21/08/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtUninstallQ331958$\atapi.sys --a--c 86912 bytes [20:04 31/10/2003] [12:00 29/08/2002] 95B858761A00E1D4F81F79A0DA019ACA
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [15:11 08/04/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\I386\ATAPI.SY_ --a--c 47242 bytes [10:01 11/10/2003] [19:00 29/08/2002] 4A425C994A72B0C6D7D19171A83EB78E
C:\WINDOWS\I386\COMPDATA\DECATAPI.HTM --a--c 881 bytes [10:02 11/10/2003] [19:00 29/08/2002] FDA00ABB8831E4903E9442E9B01843ED
C:\WINDOWS\I386\COMPDATA\DECATAPI.TXT --a--c 449 bytes [10:02 11/10/2003] [19:00 29/08/2002] F5A5EAC5B4790D90031B913DD5D559A5
C:\WINDOWS\ServicePackFiles\i386\atapi.sys --a--c 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [20:04 31/10/2003] [23:31 08/04/2010] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-

Edited by celled20, 10 April 2010 - 04:18 PM.
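The SystemLook listing above is what the helper uses to decide whether a clean copy of atapi.sys exists to swap in. As an added example (not code from the thread or from SystemLook), here is a small parser for that ':filefind' output that groups every copy by MD5 and reports whether the live driver in system32\drivers matches any other same-named copy; the sample lines are copied from the log above, and the function names are my own.

```python
"""Group a SystemLook ':filefind' listing by MD5 and check the live driver.

Added example; not code from the thread or from SystemLook. The sample
lines in SAMPLE_LOG are copied from the SystemLook log posted above.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# One filefind result line has the shape:
#   <path> <attrs> <size> bytes [<created>] [<modified>] <md5>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-zA-Z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


class FileEntry(NamedTuple):
    path: str
    attrs: str
    size: int
    created: str
    modified: str
    md5: str


def parse_filefind(log: str) -> List[FileEntry]:
    """Return every parseable result line; headers and footers are skipped."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(FileEntry(m["path"], m["attrs"], int(m["size"]),
                                     m["created"], m["modified"], m["md5"].upper()))
    return entries


def group_by_hash(entries: List[FileEntry]) -> Dict[str, List[str]]:
    """Map each MD5 to the paths that carry it, in log order."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        groups[e.md5].append(e.path)
    return dict(groups)


def compare_live_driver(entries: List[FileEntry], live_path: str) -> Dict[str, object]:
    """Compare the live driver against every other copy with the same file name.

    Compressed cabinet copies (atapi.sy_) have a different name and are left
    out: their hash cannot equal that of an expanded .sys anyway.
    """
    live: Optional[FileEntry] = next(
        (e for e in entries if e.path.lower() == live_path.lower()), None)
    if live is None:
        return {"status": "live_file_not_listed", "live_md5": None,
                "matching": [], "differing": []}
    name = live.path.rpartition("\\")[2].lower()
    matching: List[str] = []
    differing: List[str] = []
    for e in entries:
        if e.path.lower() == live.path.lower():
            continue
        if e.path.rpartition("\\")[2].lower() != name:
            continue
        (matching if e.md5 == live.md5 else differing).append(e.path)
    if matching:
        status = "matches_backup_copy"
    elif differing:
        status = "differs_from_all_copies"  # worth a closer look at the live file
    else:
        status = "no_other_copy"
    return {"status": status, "live_md5": live.md5,
            "matching": matching, "differing": differing}


# Result lines copied from the SystemLook log posted in this thread.
SAMPLE_LOG = r"""
SystemLook v1.0 by jpshortstuff (11.01.10)
========== filefind ==========
Searching for "*atapi*"
C:\cmdcons\atapi.sy_ --a--- 47242 bytes [03:28 13/08/2006] [19:00 29/08/2002] 4A425C994A72B0C6D7D19171A83EB78E
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys --a--c 95360 bytes [13:59 21/08/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtUninstallQ331958$\atapi.sys --a--c 86912 bytes [20:04 31/10/2003] [12:00 29/08/2002] 95B858761A00E1D4F81F79A0DA019ACA
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [15:11 08/04/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\I386\ATAPI.SY_ --a--c 47242 bytes [10:01 11/10/2003] [19:00 29/08/2002] 4A425C994A72B0C6D7D19171A83EB78E
C:\WINDOWS\I386\COMPDATA\DECATAPI.HTM --a--c 881 bytes [10:02 11/10/2003] [19:00 29/08/2002] FDA00ABB8831E4903E9442E9B01843ED
C:\WINDOWS\I386\COMPDATA\DECATAPI.TXT --a--c 449 bytes [10:02 11/10/2003] [19:00 29/08/2002] F5A5EAC5B4790D90031B913DD5D559A5
C:\WINDOWS\ServicePackFiles\i386\atapi.sys --a--c 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [20:04 31/10/2003] [23:31 08/04/2010] 9F3A2F5AA6875C72BF062C712CFA2674
-=End Of File=-
"""

if __name__ == "__main__":
    found = parse_filefind(SAMPLE_LOG)
    for md5, paths in group_by_hash(found).items():
        print(md5, "->", len(paths), "copies")
    print(compare_live_driver(found, r"C:\WINDOWS\system32\drivers\atapi.sys"))
```

On the listing above this reports matches_backup_copy: the live atapi.sys carries the same hash as the ServicePackFiles and ERDNT\cache copies, while the two older uninstall copies differ only because they are earlier versions of the file.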


#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:15 AM

Posted 11 April 2010 - 02:06 PM

Good evening.

Did you allow ComboFix to install the Recovery Console when you ran it?

So long, and thanks for all the fish.


#13 celled20

celled20
  • Topic Starter

  • Members
  • 33 posts
  • Local time:11:15 PM

Posted 11 April 2010 - 03:05 PM

Hello. I'm not sure. What should I do?

Edit: Also, I'd like to note that I deleted the combofix.exe I had on my desktop, thinking I had to uninstall it. Although I think the actual way of uninstalling it involves the "Run..." feature.

Edited by celled20, 11 April 2010 - 03:41 PM.


#14 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:15 AM

Posted 11 April 2010 - 04:50 PM

The link I provided, http://www.bleepingcomputer.com/combofix/how-to-use-combofix, explains the steps that you will see -
QUOTE
Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:...

You will need to download a fresh copy of ComboFix, renaming it as before, and ensure that you are connected to the internet when you do so and allow CF to download and install the Recovery Console when it prompts.
I would like to see the resulting log, as before.

So long, and thanks for all the fish.


#15 celled20

celled20
  • Topic Starter

  • Members
  • 33 posts
  • Local time:11:15 PM

Posted 11 April 2010 - 06:37 PM

Here is the log:

ComboFix 10-04-10.02 - Owner 04/11/2010 16:12:18.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.635 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\fomcoclick.exe
AV: avast! antivirus 4.8.1368 [VPS 100411-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Favorites\_favdata.dat

.
((((((((((((((((((((((((( Files Created from 2010-03-11 to 2010-04-11 )))))))))))))))))))))))))))))))
.

2010-04-11 18:54 . 2010-04-11 18:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-09 23:18 . 2010-04-09 23:18 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-04-08 22:00 . 2010-04-08 22:22 -------- d-----w- C:\tekkenfix
2010-04-08 17:27 . 2010-04-08 17:27 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-08 17:27 . 2010-04-08 17:27 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-08 17:27 . 2010-04-08 17:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-04-08 17:14 . 2010-04-08 17:14 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-08 17:14 . 2010-04-08 17:14 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-08 17:13 . 2010-04-08 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-08 17:13 . 2010-04-08 17:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-08 17:13 . 2010-04-08 17:13 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-04-08 16:39 . 2010-04-08 16:39 -------- d-----w- c:\program files\Sun
2010-04-08 15:46 . 2010-04-08 15:46 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-08 15:40 . 2010-04-11 02:52 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-08 15:39 . 2010-04-08 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-08 15:39 . 2010-04-08 15:39 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-08 05:46 . 2010-04-08 05:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-08 03:32 . 2010-04-08 03:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-04-08 03:31 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-08 03:31 . 2010-04-08 03:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-08 03:31 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 03:31 . 2010-04-08 03:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-17 21:16 . 2010-03-17 21:16 -------- d-----w- c:\program files\Windows Resource Kits

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 23:04 . 2006-09-04 19:10 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2010-04-11 22:18 . 2008-12-16 05:29 -------- d-----w- c:\documents and settings\Owner\Application Data\foobar2000
2010-04-11 19:19 . 2008-11-28 04:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Soulseek
2010-04-11 18:54 . 2009-03-02 15:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-11 17:40 . 2006-08-13 04:24 34360 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-08 23:31 . 2003-10-31 20:04 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-08 17:13 . 2008-10-18 20:35 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-08 16:46 . 2003-10-11 12:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-08 16:44 . 2006-08-14 22:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-04-08 16:40 . 2003-10-11 10:51 -------- d-----w- c:\program files\Common Files\Java
2010-04-08 16:38 . 2009-08-05 19:13 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-08 16:37 . 2003-10-11 10:51 -------- d-----w- c:\program files\Java
2010-04-08 14:49 . 2003-10-31 18:49 96384 -c--a-w- c:\windows\system32\drivers\sptddrv1.sys
2010-04-08 05:40 . 2010-04-08 06:02 79872 ----a-w- c:\windows\Internet Logs\xDB2A.tmp
2010-04-08 05:40 . 2010-04-08 06:02 3123712 ----a-w- c:\windows\Internet Logs\xDB2B.tmp
2010-04-08 02:37 . 2006-11-20 18:00 -------- d-----w- c:\program files\a-squared Free
2010-04-07 02:26 . 2010-04-07 02:28 1575424 ----a-w- c:\windows\Internet Logs\xDB29.tmp
2010-04-07 00:30 . 2008-04-17 13:32 39441027 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2010-04-05 01:33 . 2003-10-11 12:07 -------- d-----w- c:\program files\Common Files\Real
2010-04-05 01:27 . 2003-10-11 11:20 -------- d-----w- c:\program files\HP
2010-04-05 01:12 . 2003-10-14 13:31 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-05 01:10 . 2006-11-11 20:59 -------- d-----w- c:\program files\Audacity
2010-04-02 01:01 . 2010-03-08 02:05 439816 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\setup.exe
2010-03-27 21:29 . 2010-03-27 21:29 99465 ----a-w- c:\windows\Internet Logs\zlclient_2nd_2010_03_27_12_21_14_small.dmp.zip
2010-03-07 14:06 . 2010-03-07 16:54 270848 ----a-w- c:\windows\Internet Logs\xDB28.tmp
2010-02-28 03:58 . 2010-02-28 04:18 2686976 ----a-w- c:\windows\Internet Logs\xDB27.tmp
2010-02-26 05:43 . 2006-06-23 18:33 667136 ------w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2004-08-04 07:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-20 14:36 . 2008-05-08 03:26 -------- d-----w- c:\program files\Common Files\Apple
2010-02-13 14:06 . 2010-02-13 14:06 -------- d-----w- c:\program files\Yahoo!
.

((((((((((((((((((((((((((((( SnapShot@2010-04-08_22.15.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-11 19:27 . 2010-04-11 19:27 16384 c:\windows\Temp\Perflib_Perfdata_700.dat
+ 2010-04-11 19:27 . 2010-04-11 19:27 16384 c:\windows\Temp\Perflib_Perfdata_604.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-08-19 852038]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"="LTMSG.exe 7" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-08-20 118784]
"CamMonitor"="c:\program files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 90112]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"PS2"="c:\windows\system32\ps2.exe" [2002-08-01 81920]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-01 344064]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-12-01 32768]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-08-20 155648]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-12 172032]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-27 49152]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-04-08 5650240]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-12-01 32768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2004-12-1 32768]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1/9/2009 7:47 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [6/12/2007 4:45 PM 1858144]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/9/2009 7:47 PM 20560]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [8/29/2006 3:53 PM 223128]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/29/2006 3:49 PM 611064]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://qus10.hpwis.com/
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
uInternet Connection Wizard,ShellNext = hxxp://qus10.hpwis.com/
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\d8hofi47.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-11 16:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x867A7AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\Driver\ACPI -> ACPI.sys @ 0xf743ecb8
\Driver\atapi -> atapi.sys @ 0xf73f6852
IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(608)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-04-11 16:31:07
ComboFix-quarantined-files.txt 2010-04-11 23:30
ComboFix2.txt 2010-04-08 22:22
ComboFix3.txt 2010-04-08 15:16

Pre-Run: 276,254,720 bytes free
Post-Run: 242,630,656 bytes free

- - End Of File - - 98CBE8C5CDFAEFFE33D6250E393B2376