Google redirect, fake virus warnings, Antivirus Plus popup, XP Security Center and other assorted issues


  • This topic is locked
16 replies to this topic

#1 hawk17
  • Members
  • 10 posts

Posted 14 April 2010 - 07:57 PM

Hi, I am having some major problems with my laptop and I figure I'd give this a try before wiping the drive clean. I've never seen anything like this.

Here are the problems:

First, when using Google, everything works fine until... I try clicking through the search results screen and onto one of the results. Some of them work and some of them don't. If I Google search the word "malware" for example, the search results will work normally. However, when I try to click one of the links -- say from malwarebytes for example -- I am redirected into a variety of sites including:

hxxp://76v84nks81.cc/JKA18q2P705y8ju6f6a27e01a816b90e7f4f47eb4fc3b2e907k (I broke up the link with dashes, I don't want anyone clicking it. Deactivated link and dashes removed. ~ OB) -- when trying to redirect me, SpySweeper said that it blocked a connection to www.malwaremovalbot. com

theclocktower. net is another site I am redirected to.

there are a bunch of them.. I can experiment and list more if needed.

Interestingly, if I right click on one of the search results and tell it to open in a new tab, it works successfully without redirect.

Next problem -- Google Chrome does not work at all. Chrome was my primary web browser, and now it simply won't work. When I try to search using it, nothing would happen. It would just lock up endlessly. I ended up uninstalling it and have not reinstalled it since.

Also, Firefox would not work either. I ended up uninstalling that too, and have not reinstalled it since.

I should add that when I was trying to fix this problem on my own, I uninstalled and reinstalled both Firefox and Chrome a few times before giving up, realizing that there was something seriously wrong and that merely reinstalling the programs would not fix it.

Internet Explorer works except for the Google redirect issue. However, it is ridiculously slow. Like almost unusably slow. Even typing this post out, it is taking a second or two before the words are even showing up on my screen.

Yet another problem... I am now getting the fake popups saying I have a problem. Here is a screenshot of one of the messages I am receiving about Antivirus Plus.



Also, I previously received a warning about XP Security Center. I have not seen that one come back in a while.

I don't know if this is one virus, or if I am getting hit with 1000 all at once. It's getting ridiculous.

My primary antivirus software is Webroot Spy Sweeper. I've used it for years and never had a problem with it until now. I believe this started when I went to mp3raid.com. I didn't even download anything, but my computer locked up and has since had the problems as mentioned above.

I have tried using Hitman 3.5, Spy Sweeper, Malwarebytes and Spybot. Nothing works. Malwarebytes at least detected a bunch of problems, but it apparently never successfully removed any of them. The other programs did not even detect a problem.

Thanks for any help you can provide.

Here is the dds log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Gary at 20:15:17.70 on Tue 04/13/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.267 [GMT -4:00]

AV: Webroot AntiVirus with Spy Sweeper *On-access scanning enabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

============== Running Processes ===============

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Gary\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cnn.com/
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CatcherBHO Class: {9b4df450-dcc7-4b07-935d-0cd757a64583} - c:\program files\moyea\youtube flv downloader\MoyeaCatcher.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [igfxtray] "c:\windows\system32\igfxtray.exe"
mRun: [igfxhkcmd] "c:\windows\system32\hkcmd.exe"
mRun: [igfxpers] "c:\windows\system32\igfxpers.exe"
mRun: [<NO NAME>]
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SigmatelSysTrayApp] "c:\windows\stsystra.exe"
mRun: [Dell QuickSet] "c:\program files\dell\quickset\quickset.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] "c:\windows\system32\dla\tfswctrl.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MimBoot] "c:\progra~1\musicm~1\musicm~3\mimboot.exe"
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [BlackBerryAutoUpdate] "c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe" /background
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Conime] %windir%\system32\conime.exe
mRun: [EKIJ5000StatusMonitor] "c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe"
mRun: [KernelFaultCheck] "%systemroot%\system32\dumprep" 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: imageservr.com\locator.cdn
Trusted Zone: kodakgallery.com\www
Trusted Zone: musicmatch.com\online
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/OneClickFix/tgctlsr.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
R2 AnonMgmtSvc;Anonymizer Management Service;c:\program files\anonymizer\anonymizer software\common\AnonMgmtSvc.exe [2008-11-17 37560]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\ekdiscovery.exe [2009-8-5 284016]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2009-11-6 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2008-12-7 1201640]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-3-6 278384]

=============== Created Last 30 ================

2010-04-12 23:37:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-12 23:37:04 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-12 23:16:59 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-12 23:14:39 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-12 23:14:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-12 04:01:42 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-12 02:02:56 0 d-----w- c:\docume~1\gary\applic~1\Malwarebytes
2010-04-12 02:02:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-12 02:02:30 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-12 01:29:32 0 d-----w- c:\program files\Lavasoft
2010-03-28 14:33:39 150548 ----a-w- C:\ScooterNeverForget.jpg
2010-03-28 02:22:54 43810 ----a-w- C:\Scooter.jpg
2010-03-15 03:48:52 230732 ----a-w- C:\lgwc.gif

==================== Find3M ====================

2010-02-25 15:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2006-11-12 01:02:50 1534404 --sh--w- c:\windows\config\astnu.bak1
2006-11-12 15:18:39 1536401 --sh--w- c:\windows\config\astnu.bak2
2006-12-17 02:22:02 1579686 --sh--w- c:\windows\config\astnu.ini2
2007-04-21 04:44:32 56 --sh--r- c:\windows\system32\E1A991EAC7.sys
2007-04-21 04:44:33 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-09-21 00:39:03 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092020080921\index.dat

============= FINISH: 20:17:28.37 ===============

Edited by Orange Blossom, 18 April 2010 - 09:10 AM.



#2 m0le
  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 18 April 2010 - 01:25 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 hawk17
  • Topic Starter
  • Members
  • 10 posts

Posted 18 April 2010 - 05:51 PM

QUOTE(m0le @ Apr 18 2010, 02:25 PM)

thanks m0le, I'm still here and ready to follow your instructions.

thanks again for your help

#4 m0le
  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 18 April 2010 - 06:52 PM

This is the TDL3 rootkit. We can deal with this but there may be more malware under the surface.


Please search for another copy of the infected file, isapnp.sys

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    isapnp.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#5 hawk17
  • Topic Starter
  • Members
  • 10 posts

Posted 18 April 2010 - 07:09 PM

QUOTE(m0le @ Apr 18 2010, 07:52 PM)


Done, here is the log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 20:04 on 18/04/2010 by Gary (Administrator - Elevation successful)

========== filefind ==========

Searching for "isapnp.sys"
C:\i386\isapnp.sys --a--- 35840 bytes [15:24 10/12/2005] [19:58 17/08/2001] E504F706CCB699C2596E9A3DA1596E87
C:\WINDOWS\$NtServicePackUninstall$\isapnp.sys -----c 35840 bytes [23:21 20/09/2008] [19:58 17/08/2001] E504F706CCB699C2596E9A3DA1596E87
C:\WINDOWS\ServicePackFiles\i386\isapnp.sys ------ 37248 bytes [22:08 04/09/2008] [18:36 13/04/2008] 05A299EC56E52649B1CF2FC52D20F2D7
C:\WINDOWS\system32\drivers\isapnp.sys --a--- 37248 bytes [19:58 17/08/2001] [18:36 13/04/2008] 05A299EC56E52649B1CF2FC52D20F2D7
C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\isapnp.sys --a--- 35840 bytes [04:10 17/11/2005] [19:58 17/08/2001] E504F706CCB699C2596E9A3DA1596E87

-=End Of File=-

#6 m0le
  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 19 April 2010 - 11:02 AM

Okay, now we remove the infected file in three steps

We need to replace the infected file in the Recovery Environment


First we need to copy a clean file to replace the infected one.

Please do this:
  • Click on the Start button, then click on Run...

  • In the empty "Open:" box provided, type cmd and press Enter This will launch a Command Prompt window (looks like DOS).

  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

    copy C:\WINDOWS\ServicePackFiles\i386\isapnp.sys C:\ /y

  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.

  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
  • Exit the Command Prompt window.
Now we need to boot into the Recovery Environment:

Reboot your computer. Combofix should have installed the recovery console so this should already be available.

Follow the instructions here to start it

Next

Type cd system32\drivers and press Enter.
Type ren isapnp.sys isapnp.vir and press Enter.
Then type copy C:\isapnp.sys isapnp.sys and press Enter.
Now type exit and press Enter to reboot your computer into normal mode.


Please run Gmer and post the log.

Thanks
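
The SystemLook listing and the Recovery Console procedure above do two things by hand: find every copy of isapnp.sys with its MD5, then swap the live driver for the ServicePackFiles copy from outside the running OS. The script below is an added example, not code from the thread or from SystemLook: it parses the :filefind listing hawk17 posted (embedded as sample input), groups the copies by hash, reports whether the copy Windows loads from system32\drivers agrees with the ServicePackFiles copy the fix restores from, and includes an MD5 routine for checking the driver again after the replacement. The column order (path, attribute flags, size, creation time, last-write time, MD5) is read off the listing above; the split into "live" and "reference" paths is this script's own convention. Note what the listing already shows: the live file carries the same MD5 as the clean SP3 copy, yet the helper treats it as infected. That is consistent with TDL3's known behaviour of filtering disk reads so the patched driver looks clean from inside the running system, and it is why the replacement is done from the Recovery Console rather than from Windows. A hash match obtained from inside the infected OS is not evidence of a clean file; the same comparison from an offline boot is.

```python
"""Triage a SystemLook ':filefind' listing: group every copy of a driver by
MD5, find the copy Windows actually loads (system32\\drivers) and compare it
with the ServicePackFiles copy that the Recovery Console fix restores from.

Added example; not part of the thread or of SystemLook. The path split into
"live" and "reference" copies is this script's own convention.
"""
import hashlib
import re
from collections import defaultdict

# Sample input: the filefind block hawk17 posted, embedded so this runs offline.
SAMPLE = r"""
Searching for "isapnp.sys"
C:\i386\isapnp.sys --a--- 35840 bytes [15:24 10/12/2005] [19:58 17/08/2001] E504F706CCB699C2596E9A3DA1596E87
C:\WINDOWS\$NtServicePackUninstall$\isapnp.sys -----c 35840 bytes [23:21 20/09/2008] [19:58 17/08/2001] E504F706CCB699C2596E9A3DA1596E87
C:\WINDOWS\ServicePackFiles\i386\isapnp.sys ------ 37248 bytes [22:08 04/09/2008] [18:36 13/04/2008] 05A299EC56E52649B1CF2FC52D20F2D7
C:\WINDOWS\system32\drivers\isapnp.sys --a--- 37248 bytes [19:58 17/08/2001] [18:36 13/04/2008] 05A299EC56E52649B1CF2FC52D20F2D7
C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\isapnp.sys --a--- 35840 bytes [04:10 17/11/2005] [19:58 17/08/2001] E504F706CCB699C2596E9A3DA1596E87
"""

# One result line: path, six attribute flags, size, [created] [last-write], MD5.
# Column order is read off the listing above (every SP3 copy shares the
# 13/04/2008 second timestamp, so that bracket is the last-write time).
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-zA-Z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

LIVE_MARKER = "\\system32\\drivers\\"            # the copy the kernel loads
REFERENCE_MARKER = "\\ServicePackFiles\\i386\\"  # the copy the fix copies in


def parse_filefind(text):
    """Return one dict per result line, in listing order; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def group_by_hash(entries):
    """Map MD5 -> list of paths carrying that hash."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def compare_live_to_reference(entries):
    """Compare the live driver with the ServicePackFiles copy.

    Returns which two paths were compared and whether size and MD5 agree.
    Caveat: agreement observed from inside the running OS proves nothing
    against a rootkit that filters disk reads of the file it patched (TDL3's
    known trick); the decisive comparison is the same one made from an
    offline boot, which is what the Recovery Console step above provides.
    """
    live = [e for e in entries if LIVE_MARKER.lower() in e["path"].lower()]
    ref = [e for e in entries if REFERENCE_MARKER.lower() in e["path"].lower()]
    if not live or not ref:
        return {"live": None, "reference": None, "hash_match": None, "size_match": None}
    l, r = live[0], ref[0]
    return {
        "live": l["path"],
        "reference": r["path"],
        "hash_match": l["md5"] == r["md5"],
        "size_match": l["size"] == r["size"],
    }


def md5_of_file(path, chunk=1 << 20):
    """Upper-case MD5 of a file, for re-checking the driver after replacement.

    MD5 is adequate as a fingerprint against a known-good copy you hold;
    it is not a defence against someone who controls both files.
    """
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


if __name__ == "__main__":
    found = parse_filefind(SAMPLE)
    for digest, paths in group_by_hash(found).items():
        print(digest)
        for p in paths:
            print("   ", p)
    print(compare_live_to_reference(found))
```

Run it against a listing pasted from SystemLook.txt, or point md5_of_file at the driver after the reboot; either way the check only means something when the bytes were read by a system the rootkit is not running on.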

#7 hawk17
  • Topic Starter
  • Members
  • 10 posts

Posted 20 April 2010 - 11:33 AM

QUOTE(m0le @ Apr 19 2010, 12:02 PM)

Hi, I did not have combofix downloaded, but your post made it seem like I should so that I could access the recovery console. Anyway, I downloaded it, ran the recovery console and made the changes you instructed.

Here is the GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-20 12:28:12
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Gary\LOCALS~1\Temp\uxtdapow.sys


---- System - GMER 1.0.15 ----

SSDT 86CFBF30 ZwAllocateVirtualMemory
SSDT 86DAF9F0 ZwCreateKey
SSDT 86DAF198 ZwCreateProcess
SSDT 86D8D2C8 ZwCreateProcessEx
SSDT 86DA5190 ZwCreateThread
SSDT 86D74020 ZwDeleteKey
SSDT 86D5F9C8 ZwDeleteValueKey
SSDT 86CFBFA8 ZwQueueApcThread
SSDT 86CFBE40 ZwReadVirtualMemory
SSDT 86DE1178 ZwRenameKey
SSDT 86D47498 ZwSetContextThread
SSDT 86DA92C8 ZwSetInformationKey
SSDT 86DA4020 ZwSetInformationProcess
SSDT 86D47510 ZwSetInformationThread
SSDT 86DCB3B8 ZwSetValueKey
SSDT 86DA5208 ZwSuspendProcess
SSDT 86CFB020 ZwSuspendThread
SSDT 86D88898 ZwTerminateProcess
SSDT 86D47588 ZwTerminateThread
SSDT 86CFBEB8 ZwWriteVirtualMemory

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[508] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe[1108] KERNEL32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10005230 C:\Program Files\Anonymizer\Anonymizer Software\Common\Anx.System.dll (rscoree/Remotesoft, Inc.)
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2688] ntdll.dll!KiUserExceptionDispatcher + 9 7C90E485 5 Bytes JMP 00017DB0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2688] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00016000 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2688] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 000169B0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2688] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00016000 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2688] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00016960 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2688] kernel32.dll!VirtualFree 7C809B84 5 Bytes JMP 00016990 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[2700] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 00450771 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe (Spy Sweeper Client Executable/Webroot Software, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))

Device \Driver\Tcpip \Device\Ip 86AC0300

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\Tcpip \Device\Tcp 86AC0300
Device \Driver\Tcpip \Device\Udp 86AC0300
Device \Driver\Tcpip \Device\RawIp 86AC0300
Device \Driver\Tcpip \Device\IPMULTICAST 86AC0300
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device \FileSystem\Fastfat \Fat A7AACD20

AttachedDevice \FileSystem\Fastfat \Fat ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----
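
As an added example for reading the GMER log above (not code from the thread or from GMER): the script below parses the three line shapes that appear in it, SSDT entries, .text inline hooks in user processes, and Device/AttachedDevice lines, and sorts them into hooks GMER attributed to a module on disk (grouped by the vendor string in the trailing parentheses) and hooks it could not attribute. The regexes are written against exactly these line shapes, not GMER's complete output grammar; lines such as the Device mrxsmb.sys entry that fit neither pattern are skipped, and the sample input is a subset of the posted log. An unattributed entry is a starting point for a second look, not a verdict: a resident security product that hooks the SSDT produces the same shape, and Webroot's own filter driver (ssfs0bbc.sys) shows what an attributed entry looks like.

```python
"""Triage a GMER log: pull out SSDT hooks, user-mode inline hooks and device
attachments, group them by the module GMER attributed them to, and list the
entries GMER could not tie to any module at all.

Added example; not part of the thread or of GMER. The patterns cover only the
line shapes seen in the log above.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the GMER log posted above.
SAMPLE = r"""
---- System - GMER 1.0.15 ----

SSDT 86CFBF30 ZwAllocateVirtualMemory
SSDT 86DAF9F0 ZwCreateKey
SSDT 86D88898 ZwTerminateProcess

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[508] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe[1108] KERNEL32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10005230 C:\Program Files\Anonymizer\Anonymizer Software\Common\Anx.System.dll (rscoree/Remotesoft, Inc.)
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2688] ntdll.dll!KiUserExceptionDispatcher + 9 7C90E485 5 Bytes JMP 00017DB0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[2700] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 00450771 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe (Spy Sweeper Client Executable/Webroot Software, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
Device \Driver\Tcpip \Device\Ip 86AC0300
Device \Driver\Tcpip \Device\Tcp 86AC0300
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
"""

# "SSDT <hook address> <Zw function>"; in this log no module follows, so the
# owner group is optional and stays None.
SSDT_RE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-F]{8})\s+(?P<func>\w+)(?:\s+(?P<owner>\S.*))?$")

# ".text <process>[pid] <module!export[ + offset]> <addr> <n> Bytes JMP|CALL <dest> <owner> (<desc>)"
TEXT_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<target>\S+!\S+(?:\s\+\s[0-9A-F]+)?)"
    r"\s+(?P<addr>[0-9A-F]{8})\s+(?P<nbytes>\d+) Bytes\s+(?P<kind>JMP|CALL)\s+(?P<dest>[0-9A-F]{8})"
    r"\s+(?P<owner>.+?)\s+\((?P<desc>.*)\)$"
)

# "Device|AttachedDevice <driver object> <device object> <addr | module (desc)>"
DEV_RE = re.compile(
    r"^(?P<kind>Device|AttachedDevice)\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+"
    r"(?:(?P<addr>[0-9A-F]{8})|(?P<owner>\S+)\s+\((?P<desc>.*)\))$"
)


def vendor_of(desc):
    """GMER prints '(description/Vendor)'; keep the vendor half."""
    return desc.split("/", 1)[1] if "/" in desc else desc


def parse_gmer(text):
    """Return one record per recognised line; everything else is skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            records.append({"kind": "SSDT", "what": m["func"], "addr": m["addr"],
                            "owner": m["owner"], "vendor": None})
            continue
        m = TEXT_RE.match(line)
        if m:
            records.append({"kind": "inline",
                            "what": f'{m["proc"]}[{m["pid"]}] {m["target"]}',
                            "addr": m["addr"], "owner": m["owner"],
                            "vendor": vendor_of(m["desc"])})
            continue
        m = DEV_RE.match(line)
        if m:
            records.append({"kind": m["kind"], "what": f'{m["driver"]} {m["device"]}',
                            "addr": m["addr"], "owner": m["owner"],
                            "vendor": vendor_of(m["desc"]) if m["desc"] else None})
    return records


def unattributed(records):
    """Hooks and device objects GMER could not tie to a module on disk.

    Worth a second look, but not proof of anything by themselves: security
    software that hooks the SSDT shows up the same way.
    """
    return [r for r in records if not r["owner"]]


def by_vendor(records):
    """Count attributed hooks per vendor string."""
    counts = defaultdict(int)
    for r in records:
        if r["owner"]:
            counts[r["vendor"]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_gmer(SAMPLE)
    for vendor, n in sorted(by_vendor(recs).items()):
        print(f"{n:3d}  {vendor}")
    print("unattributed:")
    for r in unattributed(recs):
        print(f"  {r['kind']:15s} {r['addr']}  {r['what']}")
```

Feed it the whole log rather than the subset and compare the unattributed list before and after a fix; on a machine like this one the list should shrink to whatever the installed security product is known to hook.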

#8 m0le
  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 20 April 2010 - 03:46 PM

That's a better Gmer log. Yes, I should have asked you to download Combofix first.

Please now run Combofix as below:
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#9 hawk17
  • Topic Starter
  • Members
  • 10 posts

Posted 20 April 2010 - 05:56 PM

Ok, I ran Combofix. Here's the log it generated:

ComboFix 10-04-19.08 - Gary 04/20/2010 18:17:19.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.481 [GMT -4:00]
Running from: c:\documents and settings\Gary\Desktop\ComboFix.exe
AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Config\astnu.bak1
c:\windows\Config\astnu.bak2
c:\windows\Config\astnu.ini
c:\windows\Config\astnu.ini2
c:\windows\Config\astnu.tmp
c:\windows\system32\bszip.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NDISRD


((((((((((((((((((((((((( Files Created from 2010-03-20 to 2010-04-20 )))))))))))))))))))))))))))))))
.

2010-04-20 00:37 . 2010-04-20 00:37 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-20 00:34 . 2010-04-20 00:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-19 23:58 . 2008-04-13 18:36 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys
2010-04-19 23:58 . 2008-04-13 18:36 37248 ----a-w- C:\isapnp.sys
2010-04-19 02:51 . 2010-04-19 02:51 -------- d-----w- c:\documents and settings\Gary\Application Data\MSNInstaller
2010-04-13 01:11 . 2010-04-13 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-12 23:37 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-12 23:37 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-12 23:16 . 2010-04-12 23:16 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-12 23:14 . 2010-04-12 23:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-12 23:14 . 2010-04-12 23:14 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-12 04:01 . 2010-04-12 04:01 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-12 02:02 . 2010-04-12 02:02 -------- d-----w- c:\documents and settings\Gary\Application Data\Malwarebytes
2010-04-12 02:02 . 2010-04-12 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-12 02:02 . 2010-04-12 23:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-12 01:29 . 2010-04-13 01:44 -------- d-----w- c:\program files\Lavasoft
2010-04-12 00:22 . 2010-04-12 00:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-20 22:33 . 2008-12-13 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-04-13 03:46 . 2006-04-19 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-13 03:21 . 2006-04-19 02:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-13 01:50 . 2008-08-04 22:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-12 01:29 . 2006-04-16 17:58 -------- d-----w- c:\documents and settings\Gary\Application Data\Lavasoft
2010-04-11 12:56 . 2009-02-18 01:48 256 ----a-w- c:\windows\system32\pool.bin
2010-04-11 12:50 . 2005-12-21 22:36 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-29 02:38 . 2006-10-16 00:15 -------- d-----w- c:\program files\Full Tilt Poker
2010-03-12 02:16 . 2009-11-28 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-05 04:24 . 2010-03-05 04:22 -------- d-----w- c:\documents and settings\Gary\Application Data\U3
2010-03-04 02:22 . 2010-03-04 02:22 -------- d-----w- c:\program files\Microsoft
2010-03-04 02:22 . 2010-03-04 02:20 -------- d-----w- c:\program files\Windows Live
2010-03-04 02:21 . 2010-03-04 02:21 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-03-04 02:17 . 2010-03-04 02:17 -------- d-----w- c:\program files\Common Files\Windows Live
2010-02-25 06:24 . 2004-08-11 23:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-21 18:01 . 2005-11-17 04:21 -------- d-----w- c:\program files\Common Files\Java
2010-02-21 18:01 . 2010-02-21 18:01 348160 ----a-w- c:\documents and settings\Gary\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-44e771b2-n\msvcr71.dll
2010-02-21 18:01 . 2010-02-21 18:00 503808 ----a-w- c:\documents and settings\Gary\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-44e771b2-n\msvcp71.dll
2010-02-21 18:00 . 2010-02-21 18:00 61440 ----a-w- c:\documents and settings\Gary\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7b1ce68a-n\decora-sse.dll
2010-02-21 18:00 . 2010-02-21 18:00 499712 ----a-w- c:\documents and settings\Gary\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-44e771b2-n\jmc.dll
2010-02-21 18:00 . 2010-02-21 18:00 12800 ----a-w- c:\documents and settings\Gary\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7b1ce68a-n\decora-d3d.dll
2010-02-21 17:59 . 2005-11-17 04:21 -------- d-----w- c:\program files\Java
2010-02-10 06:46 . 2010-02-10 06:46 152576 ----a-w- c:\documents and settings\Gary\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-10 06:46 . 2010-02-10 06:46 79488 ----a-w- c:\documents and settings\Gary\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2006-04-10 00:42 . 2006-04-10 00:35 506156 --sh--w- c:\windows\system32\cdeeg.tmp
2007-04-21 04:44 . 2006-01-17 01:07 56 --sh--r- c:\windows\system32\E1A991EAC7.sys
2007-04-21 04:44 . 2006-01-17 01:07 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-05-13 19:34 238968 ----a-w- c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2007-08-30 205480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"SigmatelSysTrayApp"="c:\windows\stsystra.exe" [2005-06-21 393216]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-08-01 610304]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2007-08-28 73728]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-09 110592]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-10-31 623960]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-04-10 37888]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-08-03 1626112]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-11-06 6515784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2008-3-6 1421328]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Anonymizer\\Anonymizer Software\\Common\\AnonProxy.exe"=
"c:\\Program Files\\Anonymizer\\Anonymizer Software\\Anonymizer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:*:Disabled:MioNet Remote Drive Access
"1641:TCP"= 1641:TCP:*:Disabled:MioNet Remote Drive Verification
"1647:TCP"= 1647:TCP:*:Disabled:MioNet Storage Device Configuration
"5432:UDP"= 5432:UDP:*:Disabled:MioNet Storage Device Discovery
"9322:TCP"= 9322:TCP:EKDiscovery

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/12/2008 5:02 PM 29808]
R2 AnonMgmtSvc;Anonymizer Management Service;c:\program files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe [11/17/2008 4:58 PM 37560]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [8/5/2009 1:49 PM 284016]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [12/7/2008 2:22 AM 1201640]
.
Contents of the 'Scheduled Tasks' folder

2010-02-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: imageservr.com\locator.cdn
Trusted Zone: kodakgallery.com\www
Trusted Zone: musicmatch.com\online
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Dell Game Console - c:\program files\WildTangent\Apps\Dell Game Console\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-20 18:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1500)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(1968)
c:\windows\system32\WININET.dll
c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\windows\system32\SearchProtocolHost.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Webroot\Spy Sweeper\SSU.EXE
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-04-20 18:48:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-20 22:47

Pre-Run: 771,293,184 bytes free
Post-Run: 1,818,578,944 bytes free

- - End Of File - - 3088B33BB39FCB2022D35BC016AC9D4E

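The ComboFix log above is the kind of artifact a responder normally reads by eye. As an added example (not code from this thread, from m0le, or from the ComboFix tool), the Python script below parses file lines in the shape of ComboFix's "Files Created" and "Find3M" sections and flags two patterns that are visible in Gary's log: files carrying both the system and hidden attributes under system32, and a driver that also exists with the same name and size outside system32\drivers (here C:\isapnp.sys sitting beside the real driver). The sample lines embedded in the script are constructed from this log so it runs offline; the rule names, the `Entry` fields and the two-timestamp handling are the example's own assumptions, not ComboFix's documented format. A flag is a prompt to review, not a verdict: the ESET scan later in this thread confirms cdeeg.tmp as Virtumonde, but legitimately hidden system files produce exactly the same line in a listing.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a few lines copied in the shape of the "Files Created"
# and "Find3M" sections of the ComboFix log posted in this thread. They are
# here only so the script runs offline; feed parse_combofix() the text of a
# real C:\ComboFix.txt for actual triage.
SAMPLE_LOG = r"""
2010-04-19 23:58 . 2008-04-13 18:36 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys
2010-04-19 23:58 . 2008-04-13 18:36 37248 ----a-w- C:\isapnp.sys
2010-04-12 23:37 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-12 02:02 . 2010-04-12 02:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-25 06:24 . 2004-08-11 23:00 916480 ----a-w- c:\windows\system32\wininet.dll
2006-04-10 00:42 . 2006-04-10 00:35 506156 --sh--w- c:\windows\system32\cdeeg.tmp
2007-04-21 04:44 . 2006-01-17 01:07 56 --sh--r- c:\windows\system32\E1A991EAC7.sys
2007-04-21 04:44 . 2006-01-17 01:07 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
"""

# One file line: two timestamps separated by " . ", a size (or dashes for a
# directory), an 8-character attribute field, then the path (may contain spaces).
LINE_RE = re.compile(
    r"^(?P<ts_a>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ts_b>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) "
    r"(?P<attrs>[a-z-]{8}) "
    r"(?P<path>.+)$"
)

SYSTEM32_DIR = "\\windows\\system32\\"
DRIVERS_DIR = "\\windows\\system32\\drivers\\"


@dataclass
class Entry:
    ts_a: str             # first timestamp as printed (ComboFix's sort column)
    ts_b: str             # second timestamp as printed; kept, not interpreted
    size: Optional[int]   # None for directories, which ComboFix prints as dashes
    attrs: str            # e.g. "--sh--w-": 'd' directory, 's' system, 'h' hidden
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden_system(self) -> bool:
        # Assumption: the attribute field uses 's' and 'h' only for the
        # system and hidden bits, so membership tests are enough.
        return "s" in self.attrs and "h" in self.attrs


def parse_combofix(text: str) -> List[Entry]:
    """Return every file/directory line found in a ComboFix log body."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # section banners, lone dots, registry lines, etc.
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["ts_a"], m["ts_b"], size, m["attrs"], m["path"]))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Flag entries worth a human look. Each finding is (reason, path)."""
    findings = []
    by_name_size = defaultdict(list)

    for e in entries:
        if e.is_dir:
            continue
        low = e.path.lower()
        by_name_size[(low.rsplit("\\", 1)[-1], e.size)].append(e)
        # Hidden+system files under system32 are rare enough to review by hand.
        if e.hidden_system and SYSTEM32_DIR in low:
            findings.append(("hidden_system_file", e.path))

    # A driver that also exists, same name and size, outside system32\drivers.
    for group in by_name_size.values():
        in_drivers = any(DRIVERS_DIR in e.path.lower() for e in group)
        strays = [e for e in group if DRIVERS_DIR not in e.path.lower()]
        if in_drivers and strays:
            findings.extend(("driver_copy_outside_drivers_dir", e.path) for e in strays)
    return findings


if __name__ == "__main__":
    for reason, path in triage(parse_combofix(SAMPLE_LOG)):
        print(f"{reason:32} {path}")
```

Run against the constructed sample it reports the three hidden system files in system32 and the stray C:\isapnp.sys; against a full ComboFix.txt it simply skips every line that is not a file listing, so the registry and process sections do not need to be cut out first.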

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:51 PM

Posted 20 April 2010 - 06:07 PM

Please run ESET's online scanner to clear any remnants.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found there will be no option to export the text file as no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#11 hawk17

hawk17
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:51 PM

Posted 21 April 2010 - 06:17 AM

QUOTE(m0le @ Apr 20 2010, 07:07 PM)
Please run ESET's online scanner to clear any remnants.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found there will be no option to export the text file as no log will be produced. Let me know if this is the case.


I did not ask ESET Scanner to remove any threats. If I should have done that, let me know and I'll run it again. Anyway, here is the log. Thanks.

C:\Documents and Settings\Gary\Application Data\Sun\Java\Deployment\cache\6.0\47\4934abef-32ffd5b4 a variant of Java/TrojanDownloader.Agent.NAC trojan
C:\Qoobox\Quarantine\C\WINDOWS\Config\astnu.bak1.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\Config\astnu.bak2.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\Config\astnu.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\Config\astnu.ini2.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\Config\astnu.tmp.vir Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\cdeeg.tmp Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\system32\drivers\isapnp.vir Win32/Olmarik.XG trojan


#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:51 PM

Posted 21 April 2010 - 02:05 PM

Yes, run it again and remove anything found.
m0le is a proud member of UNITE

#13 hawk17

hawk17
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:51 PM

Posted 21 April 2010 - 10:16 PM

QUOTE(m0le @ Apr 21 2010, 03:05 PM)
Yes, run it again and remove anything found.


Yeah, I should have figured that. I ran it again; here's the log:

C:\Documents and Settings\Gary\Application Data\Sun\Java\Deployment\cache\6.0\1\d86bd01-6c8c94ba Java/TrojanDownloader.Agent.NAM trojan deleted - quarantined
C:\Documents and Settings\Gary\Application Data\Sun\Java\Deployment\cache\6.0\47\4934abef-32ffd5b4 a variant of Java/TrojanDownloader.Agent.NAC trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\Config\astnu.bak1.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\Config\astnu.bak2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\Config\astnu.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\Config\astnu.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\Config\astnu.tmp.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\cdeeg.tmp Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\isapnp.vir Win32/Olmarik.XG trojan cleaned - quarantined


#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:51 PM

Posted 22 April 2010 - 06:29 PM

That looks good.

How is the PC now?
m0le is a proud member of UNITE

#15 hawk17

hawk17
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:51 PM

Posted 22 April 2010 - 06:45 PM

QUOTE(m0le @ Apr 22 2010, 07:29 PM)
That looks good.

How is the PC now?


Amazing. Firefox is now working perfectly, and there appears to be zero Google redirecting. Everything's running quickly.

Thanks for all of your help! I was seriously going to erase the drive but it now looks like I don't need to after all.

Edited by hawk17, 22 April 2010 - 06:45 PM.
