
TENACIOUS Google Redirect


This topic is locked
21 replies to this topic

#1 lpjunior

  • Members
  • 11 posts

Posted 09 April 2010 - 12:07 PM

I've managed to contract that Google Redirect virus/malware thing. I actually managed to get it back in January, but was able to eventually remove it with Combofix. I tried that twice right away this time, to no avail. It's also resisted full scans with the latest updated versions of MalwareBytes and Super AntiSpyware (which a friend requested and actually caught some other things). I'm not sure where it's hiding, but when I did my GMER scan preparing for this post, it would scan for about ten minutes and then my laptop would reboot. Not sure what that's about.

Anyway, the meaty stuff:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Kyle at 3:46:27.57 on Fri 04/09/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1344 [GMT -5:00]

AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\Wintab32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\system32\ZPOINT32.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kyle\Desktop\World Peace\Defogger.exe
c:\dell\E-center\gtb2.exe
c:\dell\E-center\gtb.exe
c:\dell\E-center\gtb2.exe
C:\Documents and Settings\Kyle\Desktop\World Peace\dds.scr
c:\dell\E-center\gtb.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell.com
mWinlogon: UIHost=c:\windows\system32\logonui.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 12\pccguide.exe"
mRun: [ECenter] "c:\dell\e-center\gtb.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Acecad.Wtxpload] c:\windows\acecad\Wtxpload.exe Acecad
mRun: [ZPOINT32] c:\windows\system32\ZPOINT32.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
StartupFolder: c:\docume~1\kyle\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - res://c:\program files\flashcapture\fciext.dll/FCIEXT.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: musicmatch.com\online
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
TCP: {ADBF6325-2452-48AD-BD26-5383565A85B6} = 205.171.3.65,205.171.2.65
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kyle\applic~1\mozilla\firefox\profiles\8jjit1oq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50-ff-shoutcast-chromesbox-en-us&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://www.google.co.in/search?btnG=Google+Search&q=
FF - plugin: c:\program files\mozilla firefox\plugins\npdrmv2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwmsdrm.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.sessionstore.resume_from_crash - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-8-30 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2005-8-30 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2005-8-30 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-8-30 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2005-8-30 262215]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-11 24652]
S0 amcou;amcou;c:\windows\system32\drivers\txrmws.sys --> c:\windows\system32\drivers\txrmws.sys [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [2008-5-5 29184]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-12-13 42112]
S3 MR97310_VGA_DUAL_CAMERA;Digital Camera;c:\windows\system32\drivers\mr97310v.sys --> c:\windows\system32\drivers\mr97310v.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

=============== Created Last 30 ================

2010-04-09 08:45:23 0 ----a-w- c:\documents and settings\kyle\defogger_reenable
2010-04-09 05:39:33 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-09 05:38:43 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-09 05:38:43 0 d-----w- c:\docume~1\kyle\applic~1\SUPERAntiSpyware.com
2010-04-09 05:38:10 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-08 18:28:08 0 d-sha-r- C:\cmdcons
2010-04-08 16:49:35 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-08 08:15:42 0 d-----w- C:\32788R22FWJFW(2)
2010-04-08 05:31:24 0 d---a-w- C:\cmdcons(2)

==================== Find3M ====================

2010-03-29 16:29:30 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-12 23:02:38 261632 ----a-w- c:\windows\PEV.exe
2010-02-03 19:24:10 23084 ----a-w- c:\windows\hpqins15.dat
2010-01-09 23:04:42 64016 ---ha-w- c:\windows\system32\mlfcache.dat

============= FINISH: 3:47:52.29 ===============

Any help would be greatly appreciated!

Attached Files


#2 lpjunior (Topic Starter)

  • Members
  • 11 posts

Posted 11 April 2010 - 07:44 PM

Sorry to bump my topic, but I finally got GMER to run properly and have a log to upload along with the others. GMER says my atapi.sys has a "suspicious modification," don't know if that means anything. I also tried Spybot Search and Destroy on a friend's recommendation, and while it found some apparent malware, it didn't solve this problem.

Again, any help would be great.

Attached Files

  • ark.txt (4.85KB, 6 downloads)


#3 Blade81 (Bleepin' Rocker)

  • Malware Response Team
  • 6,465 posts
  • Gender: Male
  • Location: Finland

Posted 12 April 2010 - 12:09 PM

Hi,


BitLord
DC++


The above listed ones are P2P file sharing programs. P2P downloads are nowadays one of those things that most likely bring infection into the system. My recommendation is to uninstall these (and others, if present) P2P file sharing programs.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:
  1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix (link). Remember to re-enable them afterwards.
  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017
Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#4 lpjunior (Topic Starter)

  • Members
  • 11 posts

Posted 13 April 2010 - 01:21 AM

Removed those two programs, ran Combofix once more. Sadly it looks like it's still present, but I've included the Combofix and DDS logs.

Attached Files



#5 Blade81 (Bleepin' Rocker)

  • Malware Response Team
  • 6,465 posts
  • Gender: Male
  • Location: Finland

Posted 13 April 2010 - 10:27 AM

Please post dds.txt part too.



#6 lpjunior (Topic Starter)

  • Members
  • 11 posts

Posted 13 April 2010 - 11:28 AM

D'oh, my bad.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Kyle at 1:13:28.00 on Tue 04/13/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1402 [GMT -5:00]

AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\system32\ZPOINT32.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Kyle\Desktop\World Peace\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell.com
mWinlogon: UIHost=c:\windows\system32\logonui.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 12\pccguide.exe"
mRun: [ECenter] "c:\dell\e-center\gtb.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Acecad.Wtxpload] c:\windows\acecad\Wtxpload.exe Acecad
mRun: [ZPOINT32] c:\windows\system32\ZPOINT32.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
StartupFolder: c:\docume~1\kyle\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - res://c:\program files\flashcapture\fciext.dll/FCIEXT.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: musicmatch.com\online
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
TCP: {ADBF6325-2452-48AD-BD26-5383565A85B6} = 205.171.3.65,205.171.2.65
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kyle\applic~1\mozilla\firefox\profiles\8jjit1oq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50-ff-shoutcast-chromesbox-en-us&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://www.google.co.in/search?btnG=Google+Search&q=
FF - plugin: c:\program files\mozilla firefox\plugins\npdrmv2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwmsdrm.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.sessionstore.resume_from_crash - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-8-30 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2005-8-30 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2005-8-30 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-8-30 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2005-8-30 262215]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-11 24652]
S0 amcou;amcou;c:\windows\system32\drivers\txrmws.sys --> c:\windows\system32\drivers\txrmws.sys [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [2008-5-5 29184]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-12-13 42112]
S3 MR97310_VGA_DUAL_CAMERA;Digital Camera;c:\windows\system32\drivers\mr97310v.sys --> c:\windows\system32\drivers\mr97310v.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

=============== Created Last 30 ================

2010-04-12 01:13:03 0 d-----w- C:\Combo-Fix
2010-04-12 01:07:39 98816 ----a-w- c:\windows\sed.exe
2010-04-12 01:07:39 77312 ----a-w- c:\windows\MBR.exe
2010-04-12 01:07:39 261632 ----a-w- c:\windows\PEV.exe
2010-04-12 01:07:39 161792 ----a-w- c:\windows\SWREG.exe
2010-04-10 00:53:58 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-10 00:45:43 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-10 00:45:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-10 00:45:19 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-09 05:39:33 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-09 05:38:43 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-09 05:38:43 0 d-----w- c:\docume~1\kyle\applic~1\SUPERAntiSpyware.com
2010-04-09 05:38:10 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-08 18:28:08 0 d-sha-r- C:\cmdcons
2010-04-08 16:49:35 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-08 08:15:42 0 d-----w- C:\32788R22FWJFW(2)
2010-04-08 05:31:24 0 d---a-w- C:\cmdcons(2)

==================== Find3M ====================

2010-04-12 05:27:13 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-04-10 01:23:06 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-30 05:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-03 19:24:10 23084 ----a-w- c:\windows\hpqins15.dat

============= FINISH: 1:13:58.44 ===============


#7 Blade81 (Malware Response Team)

Posted 13 April 2010 - 11:36 AM

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    atapi.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#8 lpjunior (Topic Starter)

Posted 13 April 2010 - 11:49 AM

Successfully ran and posting:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 11:45 on 13/04/2010 by Kyle (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\i386\atapi.sys --a--c 95360 bytes [14:16 22/04/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [01:51 20/09/2008] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [01:56 21/02/2010] [01:23 10/04/2010] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys -----c 96512 bytes [02:27 30/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--- 96512 bytes [03:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [03:59 04/08/2004] [01:23 10/04/2010] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys --a--c 95360 bytes [14:35 12/04/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-
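What the helper is checking with that filefind output: whether the live atapi.sys carries the same MD5 as the pristine copies Windows File Protection keeps (dllcache, ServicePackFiles), and whether its timestamps line up with them. The parser and comparison below are an added example written for this thread, not SystemLook's own code; the sample input is a constructed copy of the log lines above, and the choice of reference directories is an assumption. One caveat worth keeping in mind: a matching hash is necessary but not sufficient, because a kernel-mode rootkit that intercepts disk reads can hand user-mode tools a clean-looking copy, so an in-memory view (as TDSSKiller gives) is still needed.

```python
import re
from datetime import datetime

# Constructed sample: the "filefind" section of the SystemLook log posted above.
SYSTEMLOOK_LOG = r"""
Searching for "atapi.sys"
C:\i386\atapi.sys --a--c 95360 bytes [14:16 22/04/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [01:51 20/09/2008] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [01:56 21/02/2010] [01:23 10/04/2010] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys -----c 96512 bytes [02:27 30/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--- 96512 bytes [03:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [03:59 04/08/2004] [01:23 10/04/2010] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys --a--c 95360 bytes [14:35 12/04/2006] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
"""

# One SystemLook result line: path, attribute flags, size, [created] [modified], MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-F]{32})$"
)
TIME_FMT = "%H:%M %d/%m/%Y"

# Assumption: Windows File Protection copies are the comparison baseline (lower-case prefixes).
REFERENCE_DIRS = (r"c:\windows\system32\dllcache", r"c:\windows\servicepackfiles\i386")


def parse_filefind(log: str) -> list[dict]:
    """Turn the filefind section into a list of records; header/blank lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["size"] = int(rec["size"])
        rec["created"] = datetime.strptime(rec["created"], TIME_FMT)
        rec["modified"] = datetime.strptime(rec["modified"], TIME_FMT)
        entries.append(rec)
    return entries


def group_by_md5(entries: list[dict]) -> dict[str, list[str]]:
    """Which copies share a hash; distinct groups usually mean distinct file versions."""
    groups: dict[str, list[str]] = {}
    for e in entries:
        groups.setdefault(e["md5"], []).append(e["path"])
    return groups


def check_live_driver(entries: list[dict],
                      live_path: str = r"C:\WINDOWS\system32\drivers\atapi.sys") -> dict:
    """Compare the in-use driver against the protected reference copies."""
    live = next(e for e in entries if e["path"].lower() == live_path.lower())
    refs = [e for e in entries
            if any(e["path"].lower().startswith(d) for d in REFERENCE_DIRS)]
    if not refs:
        raise ValueError("no reference copy of the driver in the log")
    ref_md5s = {e["md5"] for e in refs}
    latest_ref_mtime = max(e["modified"] for e in refs)
    return {
        "live_md5": live["md5"],
        # the two reference copies should agree with each other ...
        "reference_consistent": len(ref_md5s) == 1,
        # ... and the live file should carry that same hash
        "hash_matches_reference": live["md5"] in ref_md5s,
        # a live file rewritten long after the references were laid down is worth a look,
        # even when the hash matches (here: restored on 10/04/2010 vs. references from 2008)
        "rewritten_after_reference": live["modified"] > latest_ref_mtime,
    }


if __name__ == "__main__":
    found = parse_filefind(SYSTEMLOOK_LOG)
    for md5, paths in group_by_md5(found).items():
        print(md5, len(paths), "copies")
    print(check_live_driver(found))
```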

#9 Blade81 (Malware Response Team)

Posted 13 April 2010 - 11:58 AM

Hi,

1. Download TDSSKiller and extract its contents into a folder in a desired location (i.e. c:\tdsskiller).
2. Execute the file TDSSKiller.exe and wait for the process to finish.
3. Post back the contents of the log file in the c: drive root (the name should be in UtilityName.Version_Date_Time_log.txt format).



#10 lpjunior (Topic Starter)

Posted 13 April 2010 - 12:17 PM

Ran successfully, says it found my atapi.sys was infected with a rootkit. EDIT: Should mention the redirects are still happening.

12:10:16:093 1752 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
12:10:16:093 1752 ================================================================================
12:10:16:093 1752 SystemInfo:

12:10:16:093 1752 OS Version: 5.1.2600 ServicePack: 3.0
12:10:16:093 1752 Product type: Workstation
12:10:16:093 1752 ComputerName: ELVIS
12:10:16:109 1752 UserName: Kyle
12:10:16:109 1752 Windows directory: C:\WINDOWS
12:10:16:109 1752 Processor architecture: Intel x86
12:10:16:109 1752 Number of processors: 2
12:10:16:109 1752 Page size: 0x1000
12:10:16:109 1752 Boot type: Normal boot
12:10:16:109 1752 ================================================================================
12:10:16:140 1752 UnloadDriverW: NtUnloadDriver error 2
12:10:16:140 1752 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
12:10:16:234 1752 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
12:10:16:234 1752 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:10:16:234 1752 wfopen_ex: Trying to KLMD file open
12:10:16:234 1752 wfopen_ex: File opened ok (Flags 2)
12:10:16:234 1752 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
12:10:16:234 1752 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:10:16:234 1752 wfopen_ex: Trying to KLMD file open
12:10:16:234 1752 wfopen_ex: File opened ok (Flags 2)
12:10:16:234 1752 Initialize success
12:10:16:234 1752
12:10:16:234 1752 Scanning Services ...
12:10:16:875 1752 Raw services enum returned 420 services
12:10:16:890 1752
12:10:16:890 1752 Scanning Kernel memory ...
12:10:16:890 1752 Devices to scan: 4
12:10:16:890 1752
12:10:16:890 1752 Driver Name: Disk
12:10:16:890 1752 IRP_MJ_CREATE : BA0EEBB0
12:10:16:890 1752 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
12:10:16:890 1752 IRP_MJ_CLOSE : BA0EEBB0
12:10:16:890 1752 IRP_MJ_READ : BA0E8D1F
12:10:16:890 1752 IRP_MJ_WRITE : BA0E8D1F
12:10:16:890 1752 IRP_MJ_QUERY_INFORMATION : 804F4562
12:10:16:890 1752 IRP_MJ_SET_INFORMATION : 804F4562
12:10:16:890 1752 IRP_MJ_QUERY_EA : 804F4562
12:10:16:890 1752 IRP_MJ_SET_EA : 804F4562
12:10:16:890 1752 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
12:10:16:890 1752 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
12:10:16:890 1752 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
12:10:16:890 1752 IRP_MJ_DIRECTORY_CONTROL : 804F4562
12:10:16:890 1752 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
12:10:16:890 1752 IRP_MJ_DEVICE_CONTROL : BA0E93BB
12:10:16:890 1752 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
12:10:16:890 1752 IRP_MJ_SHUTDOWN : BA0E92E2
12:10:16:890 1752 IRP_MJ_LOCK_CONTROL : 804F4562
12:10:16:890 1752 IRP_MJ_CLEANUP : 804F4562
12:10:16:890 1752 IRP_MJ_CREATE_MAILSLOT : 804F4562
12:10:16:890 1752 IRP_MJ_QUERY_SECURITY : 804F4562
12:10:16:890 1752 IRP_MJ_SET_SECURITY : 804F4562
12:10:16:890 1752 IRP_MJ_POWER : BA0EAC82
12:10:16:890 1752 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
12:10:16:890 1752 IRP_MJ_DEVICE_CHANGE : 804F4562
12:10:16:890 1752 IRP_MJ_QUERY_QUOTA : 804F4562
12:10:16:890 1752 IRP_MJ_SET_QUOTA : 804F4562
12:10:16:937 1752 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:10:16:937 1752
12:10:16:937 1752 Driver Name: Disk
12:10:16:937 1752 IRP_MJ_CREATE : BA0EEBB0
12:10:16:937 1752 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
12:10:16:937 1752 IRP_MJ_CLOSE : BA0EEBB0
12:10:16:937 1752 IRP_MJ_READ : BA0E8D1F
12:10:16:937 1752 IRP_MJ_WRITE : BA0E8D1F
12:10:16:937 1752 IRP_MJ_QUERY_INFORMATION : 804F4562
12:10:16:937 1752 IRP_MJ_SET_INFORMATION : 804F4562
12:10:16:937 1752 IRP_MJ_QUERY_EA : 804F4562
12:10:16:953 1752 IRP_MJ_SET_EA : 804F4562
12:10:16:953 1752 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
12:10:16:953 1752 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
12:10:16:953 1752 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
12:10:16:953 1752 IRP_MJ_DIRECTORY_CONTROL : 804F4562
12:10:16:953 1752 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
12:10:16:953 1752 IRP_MJ_DEVICE_CONTROL : BA0E93BB
12:10:16:953 1752 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
12:10:16:953 1752 IRP_MJ_SHUTDOWN : BA0E92E2
12:10:16:953 1752 IRP_MJ_LOCK_CONTROL : 804F4562
12:10:16:953 1752 IRP_MJ_CLEANUP : 804F4562
12:10:16:953 1752 IRP_MJ_CREATE_MAILSLOT : 804F4562
12:10:16:953 1752 IRP_MJ_QUERY_SECURITY : 804F4562
12:10:16:953 1752 IRP_MJ_SET_SECURITY : 804F4562
12:10:16:953 1752 IRP_MJ_POWER : BA0EAC82
12:10:16:953 1752 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
12:10:16:953 1752 IRP_MJ_DEVICE_CHANGE : 804F4562
12:10:16:953 1752 IRP_MJ_QUERY_QUOTA : 804F4562
12:10:16:953 1752 IRP_MJ_SET_QUOTA : 804F4562
12:10:16:953 1752 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:10:16:953 1752
12:10:16:953 1752 Driver Name: Disk
12:10:16:953 1752 IRP_MJ_CREATE : BA0EEBB0
12:10:16:953 1752 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
12:10:16:953 1752 IRP_MJ_CLOSE : BA0EEBB0
12:10:16:953 1752 IRP_MJ_READ : BA0E8D1F
12:10:16:953 1752 IRP_MJ_WRITE : BA0E8D1F
12:10:16:953 1752 IRP_MJ_QUERY_INFORMATION : 804F4562
12:10:16:953 1752 IRP_MJ_SET_INFORMATION : 804F4562
12:10:16:953 1752 IRP_MJ_QUERY_EA : 804F4562
12:10:16:953 1752 IRP_MJ_SET_EA : 804F4562
12:10:16:953 1752 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
12:10:16:953 1752 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
12:10:16:953 1752 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
12:10:16:953 1752 IRP_MJ_DIRECTORY_CONTROL : 804F4562
12:10:16:953 1752 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
12:10:16:953 1752 IRP_MJ_DEVICE_CONTROL : BA0E93BB
12:10:16:953 1752 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
12:10:16:953 1752 IRP_MJ_SHUTDOWN : BA0E92E2
12:10:16:953 1752 IRP_MJ_LOCK_CONTROL : 804F4562
12:10:16:953 1752 IRP_MJ_CLEANUP : 804F4562
12:10:16:953 1752 IRP_MJ_CREATE_MAILSLOT : 804F4562
12:10:16:953 1752 IRP_MJ_QUERY_SECURITY : 804F4562
12:10:16:953 1752 IRP_MJ_SET_SECURITY : 804F4562
12:10:16:953 1752 IRP_MJ_POWER : BA0EAC82
12:10:16:953 1752 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
12:10:16:953 1752 IRP_MJ_DEVICE_CHANGE : 804F4562
12:10:16:953 1752 IRP_MJ_QUERY_QUOTA : 804F4562
12:10:16:953 1752 IRP_MJ_SET_QUOTA : 804F4562
12:10:16:953 1752 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:10:16:953 1752
12:10:16:953 1752 Driver Name: atapi
12:10:16:953 1752 IRP_MJ_CREATE : 8A637AC8
12:10:16:953 1752 IRP_MJ_CREATE_NAMED_PIPE : 8A637AC8
12:10:16:953 1752 IRP_MJ_CLOSE : 8A637AC8
12:10:16:953 1752 IRP_MJ_READ : 8A637AC8
12:10:16:953 1752 IRP_MJ_WRITE : 8A637AC8
12:10:16:953 1752 IRP_MJ_QUERY_INFORMATION : 8A637AC8
12:10:16:953 1752 IRP_MJ_SET_INFORMATION : 8A637AC8
12:10:16:953 1752 IRP_MJ_QUERY_EA : 8A637AC8
12:10:16:953 1752 IRP_MJ_SET_EA : 8A637AC8
12:10:16:953 1752 IRP_MJ_FLUSH_BUFFERS : 8A637AC8
12:10:16:953 1752 IRP_MJ_QUERY_VOLUME_INFORMATION : 8A637AC8
12:10:16:953 1752 IRP_MJ_SET_VOLUME_INFORMATION : 8A637AC8
12:10:16:953 1752 IRP_MJ_DIRECTORY_CONTROL : 8A637AC8
12:10:16:953 1752 IRP_MJ_FILE_SYSTEM_CONTROL : 8A637AC8
12:10:16:953 1752 IRP_MJ_DEVICE_CONTROL : 8A637AC8
12:10:16:953 1752 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A637AC8
12:10:16:953 1752 IRP_MJ_SHUTDOWN : 8A637AC8
12:10:16:953 1752 IRP_MJ_LOCK_CONTROL : 8A637AC8
12:10:16:953 1752 IRP_MJ_CLEANUP : 8A637AC8
12:10:16:953 1752 IRP_MJ_CREATE_MAILSLOT : 8A637AC8
12:10:16:953 1752 IRP_MJ_QUERY_SECURITY : 8A637AC8
12:10:16:953 1752 IRP_MJ_SET_SECURITY : 8A637AC8
12:10:16:953 1752 IRP_MJ_POWER : 8A637AC8
12:10:16:953 1752 IRP_MJ_SYSTEM_CONTROL : 8A637AC8
12:10:16:953 1752 IRP_MJ_DEVICE_CHANGE : 8A637AC8
12:10:16:953 1752 IRP_MJ_QUERY_QUOTA : 8A637AC8
12:10:16:953 1752 IRP_MJ_SET_QUOTA : 8A637AC8
12:10:16:953 1752 Driver "atapi" infected by TDSS rootkit!
12:10:17:015 1752 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
12:10:17:015 1752 File "C:\WINDOWS\system32\drivers\atapi.sys" infected by TDSS rootkit ...
12:10:17:015 1752 Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
12:10:17:015 1752 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
12:10:17:343 1752 vfvi6
12:10:17:453 1752 !dsvbh1
12:10:18:890 1752 dsvbh2
12:10:18:890 1752 fdfb2
12:10:18:890 1752 Backup copy found, using it..
12:10:18:890 1752 will be cured on next reboot
12:10:18:890 1752 Reboot required for cure complete..
12:10:18:968 1752 Cure on reboot scheduled successfully
12:10:18:968 1752
12:10:18:968 1752 Completed
12:10:18:968 1752
12:10:18:968 1752 Results:
12:10:18:968 1752 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
12:10:18:968 1752 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:10:18:968 1752 File objects infected / cured / cured on reboot: 1 / 0 / 1
12:10:18:968 1752
12:10:18:968 1752 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
12:10:18:968 1752 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
12:10:18:968 1752 UnloadDriverW: NtUnloadDriver error 1
12:10:18:968 1752 KLMD(ARK) unloaded successfully

Edited by lpjunior, 13 April 2010 - 12:30 PM.
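How to read the "Scanning Kernel memory" part of that log: a healthy driver such as disk.sys points the majors it actually serves (read, write, device control) at its own code and leaves the majors it has no business with (named pipes, mailslots, quotas) on the kernel's shared default handler (the repeated 804F4562), whereas every one of atapi's entries resolves to the single address 8A637AC8. The script below is an added example for this thread, not TDSSKiller's code; it parses a constructed excerpt of the log above and flags that pattern with two heuristics (the statement about how the kernel fills unimplemented majors is general driver-model behaviour, not something the log itself asserts).

```python
import re

# Constructed sample: an excerpt of the TDSSKiller kernel-memory section above,
# one disk.sys table and the atapi table, trimmed to a few IRP majors each.
TDSSKILLER_LOG = r"""
12:10:16:890 1752 Driver Name: Disk
12:10:16:890 1752 IRP_MJ_CREATE : BA0EEBB0
12:10:16:890 1752 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
12:10:16:890 1752 IRP_MJ_READ : BA0E8D1F
12:10:16:890 1752 IRP_MJ_WRITE : BA0E8D1F
12:10:16:890 1752 IRP_MJ_DEVICE_CONTROL : BA0E93BB
12:10:16:890 1752 IRP_MJ_QUERY_QUOTA : 804F4562
12:10:16:937 1752 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:10:16:937 1752
12:10:16:953 1752 Driver Name: atapi
12:10:16:953 1752 IRP_MJ_CREATE : 8A637AC8
12:10:16:953 1752 IRP_MJ_CREATE_NAMED_PIPE : 8A637AC8
12:10:16:953 1752 IRP_MJ_READ : 8A637AC8
12:10:16:953 1752 IRP_MJ_WRITE : 8A637AC8
12:10:16:953 1752 IRP_MJ_DEVICE_CONTROL : 8A637AC8
12:10:16:953 1752 IRP_MJ_QUERY_QUOTA : 8A637AC8
12:10:16:953 1752 Driver "atapi" infected by TDSS rootkit!
"""

DRIVER_RE = re.compile(r"^\S+ \d+ Driver Name: (\S+)$")
IRP_RE = re.compile(r"^\S+ \d+ (IRP_MJ_\w+) : ([0-9A-Fa-f]{8})$")

# Majors only a file system services; a storage driver leaves these on the kernel's
# default handler, so they should never share an address with its real entry points.
FS_ONLY_MAJORS = {"IRP_MJ_CREATE_NAMED_PIPE", "IRP_MJ_CREATE_MAILSLOT",
                  "IRP_MJ_QUERY_QUOTA", "IRP_MJ_SET_QUOTA"}
# Majors a disk/port driver must implement itself.
CORE_MAJORS = {"IRP_MJ_READ", "IRP_MJ_WRITE", "IRP_MJ_DEVICE_CONTROL"}


def parse_dispatch_tables(log: str) -> list[tuple[str, dict[str, str]]]:
    """Return (driver name, {major: handler address}) in log order; a driver that
    the tool reports several times (Disk above) yields one table per report."""
    tables: list[tuple[str, dict[str, str]]] = []
    current: dict[str, str] | None = None
    for line in log.splitlines():
        m = DRIVER_RE.match(line)
        if m:
            current = {}
            tables.append((m.group(1), current))
            continue
        m = IRP_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).upper()
    return tables


def table_findings(table: dict[str, str]) -> list[str]:
    """Heuristics for a hijacked dispatch table; an empty list means nothing odd."""
    findings = []
    if len(table) >= 2 and len(set(table.values())) == 1:
        findings.append("every major points at one handler")
    core = {table[m] for m in CORE_MAJORS if m in table}
    fs_only = {table[m] for m in FS_ONLY_MAJORS if m in table}
    if core and fs_only and fs_only <= core:
        findings.append("file-system-only majors share the driver's I/O handler")
    return findings


def suspicious_drivers(log: str) -> dict[str, list[str]]:
    """Driver name -> findings, for drivers with at least one finding."""
    out: dict[str, list[str]] = {}
    for name, table in parse_dispatch_tables(log):
        for f in table_findings(table):
            if f not in out.setdefault(name, []):
                out[name].append(f)
    return {k: v for k, v in out.items() if v}


if __name__ == "__main__":
    for name, findings in suspicious_drivers(TDSSKILLER_LOG).items():
        print(name, "->", "; ".join(findings))
```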


#11 Blade81 (Malware Response Team)

Posted 13 April 2010 - 02:48 PM

Let's see a few more steps


Uninstall old Adobe Reader versions and get the latest one (9.3 + update 9.3.1) here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.

Uninstall your current Macromedia Shockwave Player and get the fresh one here if needed.

Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following the instructions here. A fresh version can be obtained here.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 19.
  • Click the Download button to the right.
  • Select Windows on the platform combobox and check the box that says: Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u19-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report & a fresh dds.txt log.

Edited by Blade81, 13 April 2010 - 02:48 PM.



#12 lpjunior (Topic Starter)

Posted 14 April 2010 - 12:04 PM

Alright, updated Java and Shockwave, ran ATF Cleaner. I scanned about 80% of My Computer with Kaspersky but had to cut it short as it was getting to be about 4 in the AM. I'll do a full one if necessary, but it did find some things.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, April 14, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, April 14, 2010 03:49:35
Records in database: 3941388
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 65154
Threats found: 4
Infected objects found: 6
Suspicious objects found: 0
Scan duration: 01:49:09


File name / Threat / Threats count
C:\Program Files\DVDFab Platinum 4\DVDFabPlatinum.exe Infected: Trojan.Win32.Agent.cucn 1
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\1.tmp Infected: EICAR-Test-File 1
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\40.tmp Infected: EICAR-Test-File 1
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\F.tmp Infected: EICAR-Test-File 1
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe.vir Infected: Packed.Win32.Katusha.j 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.Tdss.ai 1

Scanning stopped by the user.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Kyle at 3:53:43.85 on Wed 04/14/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1342 [GMT -5:00]

AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\Wintab32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\system32\ZPOINT32.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\igfxsrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\dell\E-center\gtb2.exe
c:\dell\E-center\gtb.exe
c:\dell\E-center\gtb2.exe
C:\Documents and Settings\Kyle\Desktop\World Peace\dds.scr
c:\dell\E-center\gtb.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell.com
mWinlogon: UIHost=c:\windows\system32\logonui.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 12\pccguide.exe"
mRun: [ECenter] "c:\dell\e-center\gtb.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Acecad.Wtxpload] c:\windows\acecad\Wtxpload.exe Acecad
mRun: [ZPOINT32] c:\windows\system32\ZPOINT32.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\kyle\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - res://c:\program files\flashcapture\fciext.dll/FCIEXT.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: musicmatch.com\online
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
TCP: {ADBF6325-2452-48AD-BD26-5383565A85B6} = 205.171.3.65,205.171.2.65
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kyle\applic~1\mozilla\firefox\profiles\8jjit1oq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50-ff-shoutcast-chromesbox-en-us&query=
FF - prefs.js: browser.search.selectedEngine - IMDB
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://www.google.co.in/search?btnG=Google+Search&q=
FF - plugin: c:\program files\mozilla firefox\plugins\npdrmv2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwmsdrm.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.sessionstore.resume_from_crash - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-8-30 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2005-8-30 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2005-8-30 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-8-30 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2005-8-30 262215]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-11 24652]
S0 amcou;amcou;c:\windows\system32\drivers\txrmws.sys --> c:\windows\system32\drivers\txrmws.sys [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [2008-5-5 29184]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-12-13 42112]
S3 MR97310_VGA_DUAL_CAMERA;Digital Camera;c:\windows\system32\drivers\mr97310v.sys --> c:\windows\system32\drivers\mr97310v.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

=============== Created Last 30 ================

2010-04-14 06:36:40 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-12 01:13:03 0 d-----w- C:\Combo-Fix
2010-04-12 01:07:39 98816 ----a-w- c:\windows\sed.exe
2010-04-12 01:07:39 77312 ----a-w- c:\windows\MBR.exe
2010-04-12 01:07:39 261632 ----a-w- c:\windows\PEV.exe
2010-04-12 01:07:39 161792 ----a-w- c:\windows\SWREG.exe
2010-04-10 00:53:58 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-10 00:45:43 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-10 00:45:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-10 00:45:19 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-09 05:39:33 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-09 05:38:43 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-09 05:38:43 0 d-----w- c:\docume~1\kyle\applic~1\SUPERAntiSpyware.com
2010-04-09 05:38:10 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-08 18:28:08 0 d-sha-r- C:\cmdcons
2010-04-08 16:49:35 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-08 08:15:42 0 d-----w- C:\32788R22FWJFW(2)
2010-04-08 05:31:24 0 d---a-w- C:\cmdcons(2)

==================== Find3M ====================

2010-04-14 06:36:20 411368 -c--a-w- c:\windows\system32\deploytk.dll
2010-04-13 17:12:02 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-12 05:27:13 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-30 05:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-03 19:24:10 23084 ----a-w- c:\windows\hpqins15.dat

============= FINISH: 3:55:00.45 ===============


#13 Blade81 (Malware Response Team, Finland)

Posted 14 April 2010 - 12:11 PM

Hi,

It would be recommended to run a complete scan to see if there are other items found there.

Also, please run GMER again and post back its report.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#14 lpjunior (Topic Starter)

Posted 15 April 2010 - 03:06 AM

Full scans run and attached.

Attached Files

  • gmer.log (7.16KB)
  • KAR.txt (1.41KB)


#15 Blade81 (Malware Response Team, Finland)

Posted 15 April 2010 - 10:53 AM

Hi,

Please run GMER again, making sure that only the "Sections" checkbox is checked.
