Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Another Redirect victim


  • This topic is locked This topic is locked
11 replies to this topic

#1 IHatehacks

IHatehacks

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:38 AM

Posted 16 April 2010 - 12:11 AM

It seems I have gotten the redirect, rootkit w.e it is so heres the basics. Thanks for any help provided.

DDS:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Derek at 0:48:05.75 on Fri 04/16/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.459 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Derek\My Documents\Downloads\OTL.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Derek\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mirostart.com/?cfg=2-73-0-MqD8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_02\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MRT] "c:\windows\system32\MRT.exe" /R
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aticat~1.lnk - c:\program files\ati technologies\ati.ace\CLI.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\derek\applic~1\mozilla\firefox\profiles\o1y3da43.default\
FF - prefs.js: browser.startup.homepage - aol.com
FF - plugin: c:\documents and settings\derek\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation

foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-26 64288]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1228208]

=============== Created Last 30 ================

2010-04-15 01:18:00 204 ----a-w- c:\windows\system32\MRT.INI
2010-04-13 19:42:26 0 d-----w- c:\program files\Trend Micro
2010-04-08 03:13:49 0 d-----w- c:\docume~1\derek\applic~1\PCF-VLC
2010-04-08 01:43:05 0 d-----w- c:\docume~1\derek\applic~1\Participatory Culture Foundation
2010-04-08 01:42:23 0 d-----w- c:\program files\Search Toolbar
2010-04-08 01:42:21 0 d-----w- c:\program files\Miro
2010-04-08 01:41:05 0 d-----w- c:\program files\Participatory Culture Foundation
2010-04-05 05:54:37 0 d-----w- c:\program files\PokerStars
2010-03-26 06:01:54 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-26 05:16:47 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-03-26 05:16:16 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-26 05:15:53 0 d-----w- c:\program files\Lavasoft

==================== Find3M ====================

2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 05:21:20 1506304 ----a-w- c:\windows\system32\SET486.tmp
2010-03-10 05:21:13 1023488 ----a-w- c:\windows\system32\SET493.tmp
2010-02-26 06:12:23 662016 ----a-w- c:\windows\system32\SET482.tmp
2010-02-26 06:12:23 624640 ----a-w- c:\windows\system32\SET483.tmp
2010-02-26 06:12:22 474112 ----a-w- c:\windows\system32\SET485.tmp
2010-02-26 06:12:20 3065344 ----a-w- c:\windows\system32\SET48B.tmp
2010-02-26 06:12:17 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-25 11:01:00 352768 ----a-w- c:\windows\system32\SET495.tmp
2010-02-24 12:31:30 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\SET50E.tmp

============= FINISH: 0:48:22.09 ===============


I have an OTL log as well as a GMER but I think I have to redo the GMER because i didnt uncheck iat/eat unless thats ok.

Attached Files



BC AdBot (Login to Remove)

 


#2 IHatehacks

IHatehacks
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:38 AM

Posted 16 April 2010 - 08:02 PM

any help ? or do you need more information?

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our MRT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the MRT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 17 April 2010 - 11:14 PM.


#3 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:07:38 AM

Posted 19 April 2010 - 11:21 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#4 IHatehacks

IHatehacks
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:38 AM

Posted 19 April 2010 - 02:45 PM

Hi, thank you for the help and reply.
As for more specifics, I have been getting redirected on all search engine sites with a few popups and have experienced a slower pc and slower internet especially videos.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Derek at 14:55:13.89 on Mon 04/19/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.424 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Derek\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mirostart.com/?cfg=2-73-0-MqD8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_02\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aticat~1.lnk - c:\program files\ati technologies\ati.ace\CLI.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\derek\applic~1\mozilla\firefox\profiles\o1y3da43.default\
FF - prefs.js: browser.startup.homepage - aol.com
FF - plugin: c:\documents and settings\derek\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-26 64288]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1265264]

=============== Created Last 30 ================

2010-04-19 05:21:15 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-15 01:18:00 204 ----a-w- c:\windows\system32\MRT.INI
2010-04-13 19:42:26 0 d-----w- c:\program files\Trend Micro
2010-04-08 03:13:49 0 d-----w- c:\docume~1\derek\applic~1\PCF-VLC
2010-04-08 01:43:05 0 d-----w- c:\docume~1\derek\applic~1\Participatory Culture Foundation
2010-04-08 01:42:23 0 d-----w- c:\program files\Search Toolbar
2010-04-08 01:42:21 0 d-----w- c:\program files\Miro
2010-04-08 01:41:05 0 d-----w- c:\program files\Participatory Culture Foundation
2010-04-05 05:54:37 0 d-----w- c:\program files\PokerStars
2010-03-26 06:01:54 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-26 05:16:47 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-03-26 05:16:16 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-26 05:15:53 0 d-----w- c:\program files\Lavasoft

==================== Find3M ====================

2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:12:23 662016 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:12:17 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 12:31:30 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 14:55:42.51 ===============

Attached Files



#5 IHatehacks

IHatehacks
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:38 AM

Posted 25 April 2010 - 06:17 PM

Hi I know im not supposed to bump but it has been a week I was wondering if anyone has had a chance to look at my logs. Thanks

#6 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:06:38 AM

Posted 26 April 2010 - 09:36 PM

Hi IHatehacks,



Welcome to BleepingComputer Virus, Trojan, Spyware, and Malware Removal Logs Forum. welcome.gif
My name is sundavis, I will be helping you to deal with your Malware problems today.

Step1
  1. Go to this thread and Download TDSSKiller.zip to your Desktop.
  2. Extract its contents to your desktop and drag TDSSKiller.exe on the desktop, not in the folder.
  3. Start > Run and copy/paste the following bolded command into run box and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  4. If TDSSKiller alerts you that the system needs to reboot, please consent.
  5. When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

Step2
  1. If you already have Combofix, please delete that copy and download it again as it's being updated regularly.
  2. Please visit this webpage for download links, and instructions for running the tool:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  3. Note: CombFix has recently been updated to include the option for installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  4. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  5. Click Yes to allow Combofix to continue scanning for malware.
  6. When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.
  7. Do not mouse click on Combofix while it is running. That may cause it to stall.

In your next reply, please post back:

1.TDSSKiller.txt
2.ComboFix log

Let me know if you have any remaining issues on your pc.

#7 IHatehacks

IHatehacks
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:38 AM

Posted 26 April 2010 - 10:42 PM

1. Tdss log

23:03:11:171 1260 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
23:03:11:171 1260 ================================================================================
23:03:11:171 1260 SystemInfo:

23:03:11:171 1260 OS Version: 5.1.2600 ServicePack: 2.0
23:03:11:171 1260 Product type: Workstation
23:03:11:171 1260 ComputerName: MY-01CF75F15D39
23:03:11:171 1260 UserName: Derek
23:03:11:171 1260 Windows directory: C:\WINDOWS
23:03:11:171 1260 Processor architecture: Intel x86
23:03:11:171 1260 Number of processors: 1
23:03:11:171 1260 Page size: 0x1000
23:03:11:171 1260 Boot type: Normal boot
23:03:11:171 1260 ================================================================================
23:03:11:171 1260 UnloadDriverW: NtUnloadDriver error 2
23:03:11:171 1260 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
23:03:11:187 1260 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
23:03:11:187 1260 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:03:11:187 1260 wfopen_ex: Trying to KLMD file open
23:03:11:187 1260 wfopen_ex: File opened ok (Flags 2)
23:03:11:187 1260 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
23:03:11:187 1260 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:03:11:187 1260 wfopen_ex: Trying to KLMD file open
23:03:11:187 1260 wfopen_ex: File opened ok (Flags 2)
23:03:11:187 1260 Initialize success
23:03:11:187 1260
23:03:11:187 1260 Scanning Services ...
23:03:12:000 1260 Raw services enum returned 317 services
23:03:12:015 1260
23:03:12:015 1260 Scanning Kernel memory ...
23:03:12:015 1260 Devices to scan: 2
23:03:12:015 1260
23:03:12:015 1260 Driver Name: Disk
23:03:12:015 1260 IRP_MJ_CREATE : F7642C30
23:03:12:015 1260 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
23:03:12:015 1260 IRP_MJ_CLOSE : F7642C30
23:03:12:015 1260 IRP_MJ_READ : F763CD9B
23:03:12:015 1260 IRP_MJ_WRITE : F763CD9B
23:03:12:015 1260 IRP_MJ_QUERY_INFORMATION : 804F3418
23:03:12:015 1260 IRP_MJ_SET_INFORMATION : 804F3418
23:03:12:015 1260 IRP_MJ_QUERY_EA : 804F3418
23:03:12:015 1260 IRP_MJ_SET_EA : 804F3418
23:03:12:015 1260 IRP_MJ_FLUSH_BUFFERS : F763D366
23:03:12:015 1260 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
23:03:12:015 1260 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
23:03:12:015 1260 IRP_MJ_DIRECTORY_CONTROL : 804F3418
23:03:12:015 1260 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
23:03:12:015 1260 IRP_MJ_DEVICE_CONTROL : F763D44D
23:03:12:015 1260 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7640FC3
23:03:12:015 1260 IRP_MJ_SHUTDOWN : F763D366
23:03:12:015 1260 IRP_MJ_LOCK_CONTROL : 804F3418
23:03:12:015 1260 IRP_MJ_CLEANUP : 804F3418
23:03:12:015 1260 IRP_MJ_CREATE_MAILSLOT : 804F3418
23:03:12:015 1260 IRP_MJ_QUERY_SECURITY : 804F3418
23:03:12:015 1260 IRP_MJ_SET_SECURITY : 804F3418
23:03:12:015 1260 IRP_MJ_POWER : F763EEF3
23:03:12:015 1260 IRP_MJ_SYSTEM_CONTROL : F7643A24
23:03:12:015 1260 IRP_MJ_DEVICE_CHANGE : 804F3418
23:03:12:015 1260 IRP_MJ_QUERY_QUOTA : 804F3418
23:03:12:015 1260 IRP_MJ_SET_QUOTA : 804F3418
23:03:12:046 1260 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
23:03:12:046 1260
23:03:12:046 1260 Driver Name: atapi
23:03:12:046 1260 IRP_MJ_CREATE : F7449572
23:03:12:046 1260 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
23:03:12:046 1260 IRP_MJ_CLOSE : F7449572
23:03:12:046 1260 IRP_MJ_READ : 804F3418
23:03:12:046 1260 IRP_MJ_WRITE : 804F3418
23:03:12:046 1260 IRP_MJ_QUERY_INFORMATION : 804F3418
23:03:12:046 1260 IRP_MJ_SET_INFORMATION : 804F3418
23:03:12:046 1260 IRP_MJ_QUERY_EA : 804F3418
23:03:12:046 1260 IRP_MJ_SET_EA : 804F3418
23:03:12:046 1260 IRP_MJ_FLUSH_BUFFERS : 804F3418
23:03:12:046 1260 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
23:03:12:046 1260 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
23:03:12:046 1260 IRP_MJ_DIRECTORY_CONTROL : 804F3418
23:03:12:046 1260 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
23:03:12:046 1260 IRP_MJ_DEVICE_CONTROL : F7449592
23:03:12:046 1260 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74457B4
23:03:12:046 1260 IRP_MJ_SHUTDOWN : 804F3418
23:03:12:046 1260 IRP_MJ_LOCK_CONTROL : 804F3418
23:03:12:046 1260 IRP_MJ_CLEANUP : 804F3418
23:03:12:046 1260 IRP_MJ_CREATE_MAILSLOT : 804F3418
23:03:12:046 1260 IRP_MJ_QUERY_SECURITY : 804F3418
23:03:12:046 1260 IRP_MJ_SET_SECURITY : 804F3418
23:03:12:046 1260 IRP_MJ_POWER : F74495BC
23:03:12:046 1260 IRP_MJ_SYSTEM_CONTROL : F7450164
23:03:12:046 1260 IRP_MJ_DEVICE_CHANGE : 804F3418
23:03:12:046 1260 IRP_MJ_QUERY_QUOTA : 804F3418
23:03:12:046 1260 IRP_MJ_SET_QUOTA : 804F3418
23:03:12:078 1260 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
23:03:12:078 1260
23:03:12:078 1260 Completed
23:03:12:078 1260
23:03:12:078 1260 Results:
23:03:12:078 1260 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
23:03:12:078 1260 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
23:03:12:078 1260 File objects infected / cured / cured on reboot: 0 / 0 / 0
23:03:12:078 1260
23:03:12:078 1260 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
23:03:12:078 1260 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
23:03:12:078 1260 KLMD(ARK) unloaded successfully



2. combofix log:

ComboFix 10-04-26.02 - Derek 04/26/2010 23:29:02.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.415 [GMT -5:00]
Running from: c:\documents and settings\Derek\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\windows\system32\spool\prtprocs\w32x86\000029b6.tmp

.
((((((((((((((((((((((((( Files Created from 2010-03-27 to 2010-04-27 )))))))))))))))))))))))))))))))
.

2010-04-19 05:21 . 2010-04-19 05:21 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-19 05:21 . 2010-04-19 05:21 95024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2010-04-19 05:21 . 2010-04-19 05:21 598368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-04-19 05:21 . 2010-04-19 05:21 885736 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-04-19 05:21 . 2010-04-19 05:21 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2010-04-19 05:21 . 2010-04-19 05:21 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-04-19 05:21 . 2010-04-19 05:21 210552 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-04-19 05:21 . 2010-04-19 05:21 393896 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-04-13 19:42 . 2010-04-13 19:42 -------- d-----w- c:\program files\Trend Micro
2010-04-08 03:13 . 2010-04-08 03:13 -------- d-----w- c:\documents and settings\Derek\Application Data\PCF-VLC
2010-04-08 01:43 . 2010-04-08 01:43 -------- d-----w- c:\documents and settings\Derek\Application Data\Participatory Culture Foundation
2010-04-08 01:42 . 2010-04-08 01:42 -------- d-----w- c:\program files\Miro
2010-04-08 01:41 . 2010-04-08 01:41 -------- d-----w- c:\program files\Participatory Culture Foundation
2010-04-05 05:54 . 2010-04-25 02:05 -------- d-----w- c:\program files\PokerStars

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-27 04:28 . 2009-08-26 03:07 -------- d-----w- c:\program files\Full Tilt Poker
2010-04-27 03:54 . 2006-03-15 12:00 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-15 01:18 . 2009-10-27 00:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-07 05:32 . 2007-08-22 20:13 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-04-05 22:07 . 2009-08-26 01:38 -------- d-----w- c:\program files\PokerStars.NET
2010-03-30 22:17 . 2007-01-05 22:15 -------- d-----w- c:\program files\EA SPORTS
2010-03-26 05:16 . 2010-03-26 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-04 15:52 . 2010-03-26 06:01 15880 ----a-w- c:\windows\system32\lsdelete.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"SMSERIAL"="sm56hlpr.exe" [2005-05-26 544768]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-03-18 98393]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-03-18 688217]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-2-11 113664]
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2005-8-12 45056]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/26/2010 12:16 AM 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1265264]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmd21
*Deregistered* - klmdb
.
Contents of the 'Scheduled Tasks' folder

2010-04-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 05:20]

2009-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mirostart.com/?cfg=2-73-0-MqD8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
FF - ProfilePath - c:\documents and settings\Derek\Application Data\Mozilla\Firefox\Profiles\o1y3da43.default\
FF - prefs.js: browser.startup.homepage - aol.com
FF - plugin: c:\documents and settings\Derek\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{9D425283-D487-4337-BAB6-AB8354A81457} - (no file)
SafeBoot-klmdb.sys
AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-26 23:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(464)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-04-26 23:33:46
ComboFix-quarantined-files.txt 2010-04-27 04:33

Pre-Run: 58,666,676,224 bytes free
Post-Run: 58,754,899,968 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - DED6A359290EDD5D0307A492A5FA96F8


#8 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:06:38 AM

Posted 27 April 2010 - 12:15 AM

Hi IHatehacks,



I notice there are some unwanted program installed in your system. Those unwanted programs sometimes are malware related or potential hazard to your security. You're well advised to remove them.

Click Start > Settings > Control Panel.
In Control Panel, double-click Add or Remove Programs.
In Add or Remove Programs, highlight

Full Tilt Poker
PokerStars
PokerStars.net
Search Toolbar

and click on Change/Remove to remove it.

Step1

Please download Malwarebytes' Anti-Malware from Here or Here
  1. Double Click mbam-setup.exe to install the application.
  2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  3. If an update is found, it will download and install the latest version.
  4. Once the program has loaded, select "Perform Quick Scan", then click Scan.
  5. The scan may take some time to finish,so please be patient.
  6. When the scan is complete, click OK, then Show Results to view the results.
  7. Make sure that everything is checked, and click Remove Selected.
  8. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  9. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.or you can find from here:
  10. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  11. You can refer to this tutorial

Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


Step2

Older versions Java have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  1. Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  2. Look for "JDK 6 Update 20 (JDK or JRE)".
  3. Click the "Download JRE" button to the right.
  4. Select your Platform: "Windows".
  5. Select your Language: "Multi-language".
  6. Read the License Agreement, and then check the box that says: "Accept License Agreement".
  7. Click Continue and the page will refresh.
  8. Click on the link to download Windows Offline Installation and save the file to your desktop.
  9. Close any programs you may have running - especially your web browser.
  10. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  11. Check (highlight) the following Java Runtime Environment (JRE or J2SE) in the name, and the following update:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 9
    Java™ 6 Update 2

  12. Click the Remove or Change/Remove button.
  13. Repeat as many times as necessary to remove each Java versions.
  14. Reboot your computer once all Java components are removed.
  15. Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  16. After that, please clear your java cache as instructed in this thread .


Step3

Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Step4

Please perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner.
  1. Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  2. Click Accept button on the "Requirements and limitations".
  3. When Java warning " The applcation digital signature has been verified. Do you want to run the application " appears, Click on "Run" button.
  4. It will be Downloading and installing the program and Updating the database.
  5. When Updating the database have finished, click on Settings.
  6. Make sure all boxes are checked. then click on the Save button.
  7. Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  8. Once the scan is completed, Click on View Scan Report.
  9. You may see a list of infected items over there. Click on Save Report As.
  10. Click "Desktop" , Name the file as "KAS", Change the Files of type to Text file (.txt) and Click on Save button.
  11. Please post the contents in your next reply.
  12. You can refer to this animation

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.



Please post back the logs in your next reply.


1.MBAM log
2.Kas Online Scan Report

Tell me if you have any remaining issues on your pc.


#9 IHatehacks

IHatehacks
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:38 AM

Posted 27 April 2010 - 09:39 PM

Thanks for the quick reply I just have one question as to why Fulltilt and pokerstars are recommended to be deleted? I play a lot of online poker and thought these were both safe reputable sites to play on.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4043

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

4/27/2010 7:26:28 PM
mbam-log-2010-04-27 (19-26-28).txt

Scan type: Quick scan
Objects scanned: 120921
Time elapsed: 11 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, April 27, 2010
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, April 27, 2010 22:09:30
Records in database: 3990595
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 56668
Threats found: 3
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 02:05:51


File name / Threat / Threats count
C:\Documents and Settings\Derek\Application Data\Sun\Java\Deployment\cache\6.0\14\731a3a4e-6f3e0d26 Infected: Trojan-Downloader.Java.Agent.aw 1
C:\Documents and Settings\Derek\Shared\06 Track 6 (dirty).wma Infected: Trojan-Downloader.WMA.Wimad.l 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\000029b6.tmp.vir Infected: Trojan.Win32.Agent.dnud 1

Selected area has been scanned.



#10 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:06:38 AM

Posted 27 April 2010 - 09:56 PM

Hi IHatehacks,



QUOTE
why Fulltilt and pokerstars are recommended to be deleted..

For more info: go to Here and Here .

Go to Start > Run and copy/paste the following bolded text into the Run box and click OK:

cmd /c del /a/f/q "C:\Documents and Settings\Derek\Application Data\Sun\Java\Deployment\cache\6.0\14\731a3a4e-6f3e0d26 "

A DOS window will open and close again, this is normal. Repeat for the following:

cmd /c del /a/f/q "C:\Documents and Settings\Derek\Shared\06 Track 6 (dirty).wma"

Other than that, your system appears to be clean now. thumbup.gif If you have no remaining concerns on your pc, let's do some tidy up and we can send you on your way.

Step1

Click START then RUN
Now copy/paste ComboFix /Uninstall in the runbox and click OK.
Note the space between the X and the /Uninstall, it needs to be there.



This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Step2

Download OTC by OldTimer and save it to your desktop.
  1. Double click OTC and let it run
  2. Then Click the Cleanup button.
  3. You will get a prompt saying "Being Cleanup Process". Please select Yes.
  4. Restart your computer when prompted.

Please delete all the tools and logs we have used. Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  2. Update all programs regularly - Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  3. Backup your valid registry -ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore if needed. Due to malware affects, a corrupt registry can prevent a system from booting. You're well advised to backup your valid registry while the system is clean now. For more info: Here and Here .


Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here how to prevent Malware.


Glad to be of help. Safe surfing!!

#11 IHatehacks

IHatehacks
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:38 AM

Posted 27 April 2010 - 10:10 PM

everything seems fine now thanks for the help

#12 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:06:38 AM

Posted 02 May 2010 - 02:02 AM

Since this issue appears resolved ... this Topic is closed.

Glad to have helped.

Everyone else please begin a New Topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users