Infected with an unknown Google link Re-director


This topic is locked
8 replies to this topic

#1 raymondcarter
  • Members
  • 16 posts

Posted 15 May 2010 - 09:54 AM

Hello all;

So my problems started fairly suddenly. Last week my computer was getting the blue screen of death and would reset immediately after. I wasn't sure what was causing it and couldn't note any of the messages that showed up because the system would shut down so quickly.

At the same time I was having issues with various processes still running on my computer while shutting down. They are different each time.

Approximately 3-4 days ago my links in Google started being redirected. These go to sites like other search engines, instant prize sites, those random hub link sites, etc. Occasionally new tabs open on their own to those pages. Along with this the Just-In-Time debugger keeps popping up constantly and I have no idea how to shut it off. Windows Update is also blocked on my computer now. I've run multiple spyware checks (including in safe mode) and nothing seems to help. Any ideas would be appreciated!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 9:41:32.10 on Sat 05/15/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.943 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\WINDOWS\system32\TpScrLk.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com?o=15438&l=dis
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\smax4.exe" /tray
mRun: [TPKBDLED] c:\windows\system32\TpScrLk.exe
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [BLOG] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [TheLaptopLock] c:\program files\the laptoplock\LaptopLock.exe /startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\office~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\office~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\cm889gj7.default\
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-14 11608]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-3-3 225344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-3-3 25240]
R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [2010-5-3 9600]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 68168]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2006-11-15 16384]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-14 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-14 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-3-14 56816]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\comodo\comodo livepcsupport\CLPSLS.exe [2010-2-12 148744]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-3-3 1769216]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-28 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-3-14 38224]

=============== Created Last 30 ================

2010-05-15 02:01:43 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-05-15 02:01:43 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-14 13:34:59 0 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-05-13 21:28:58 13160 ----a-w- c:\windows\system32\Upgrd.exe
2010-05-13 05:19:52 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-13 05:19:21 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-13 05:19:21 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-05-13 05:09:44 54156 ---ha-w- c:\windows\QTFont.qfn
2010-05-13 05:09:44 1409 ----a-w- c:\windows\QTFont.for
2010-05-13 04:50:53 0 d-----w- c:\program files\Trend Micro
2010-05-12 03:25:36 0 d-----w- c:\windows\system32\MpEngineStore
2010-05-12 03:12:36 171 ----a-w- c:\windows\system32\MRT.INI
2010-05-08 00:58:55 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2010-05-08 00:58:55 22016 ----a-w- c:\windows\system32\drivers\MSIRCOMM.sys
2010-05-07 04:52:02 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-05-07 04:40:35 0 d-----w- c:\program files\Rockstar Games
2010-05-05 15:31:30 0 d-----w- c:\program files\common files\xing shared
2010-05-05 15:30:51 0 d-----w- c:\program files\common files\Real
2010-05-05 00:27:47 0 d-----w- c:\docume~1\admini~1\applic~1\DeLorme
2010-05-05 00:20:49 0 d-----w- c:\program files\common files\DeLorme
2010-05-05 00:20:36 0 d-----w- c:\program files\DeLorme
2010-05-05 00:20:36 0 d-----w- C:\DeLorme Docs
2010-05-05 00:17:58 0 d-----w- c:\windows\system32\URTTEMP
2010-05-04 00:44:05 0 d-----w- C:\Stone
2010-05-04 00:26:32 9600 ----a-w- c:\windows\system32\drivers\ISODisk.sys
2010-05-04 00:26:32 0 d-----w- c:\program files\ISODisk
2010-05-02 22:28:52 0 d-----w- c:\program files\Nero
2010-05-02 22:28:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Nero
2010-05-02 00:23:28 0 d-----w- c:\program files\common files\EZB Systems
2010-05-02 00:23:27 0 d-----w- c:\program files\UltraISO
2010-04-22 03:39:50 223744 ----a-w- c:\windows\system32\CNMLM97.DLL
2010-04-16 17:04:56 0 d-----w- c:\program files\common files\L&H
2010-04-16 17:04:30 0 d-----w- c:\program files\Microsoft ActiveSync
2010-04-16 17:02:18 0 d-----w- c:\program files\Office 2003
2010-04-15 21:45:22 37376 ----a-w- c:\windows\system32\hpz3l3xu.dll
2010-04-15 21:44:46 94208 ----a-w- c:\windows\system32\HPZipt12.dll
2010-04-15 21:44:46 69632 ----a-w- c:\windows\system32\HPZipm12.exe
2010-04-15 21:44:46 61440 ----a-w- c:\windows\system32\HPZinw12.exe
2010-04-15 21:44:46 57344 ----a-w- c:\windows\system32\HPZisn12.dll
2010-04-15 21:44:46 278584 ----a-w- c:\windows\system32\HPZidr12.dll
2010-04-15 21:44:46 204800 ----a-w- c:\windows\system32\HPZipr12.dll
2010-04-15 21:44:16 0 d-----w- c:\program files\HP
2010-04-15 21:43:38 79357 ----a-w- c:\windows\hpfins05.dat
2010-04-15 21:43:38 1350 ------w- c:\windows\hpfmdl05.dat
2010-04-15 21:43:32 51120 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2010-04-15 21:43:32 21744 ----a-w- c:\windows\system32\drivers\HPZius12.sys
2010-04-15 21:43:32 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2010-04-15 21:43:00 77824 ----a-w- c:\windows\system32\hpzids01.dll
2010-04-15 21:43:00 372736 ----a-w- c:\windows\system32\hpzidi01.dll
2010-04-15 21:43:00 274432 ----a-w- c:\windows\system32\HPZc3212.dll

==================== Find3M ====================

2010-05-15 14:20:42 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2010-05-14 06:40:31 57752 ----a-w- c:\windows\system32\rpcnet.dll
2010-05-13 21:28:58 57752 ------w- c:\windows\system32\rpcnet.exe
2010-05-13 21:24:07 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2010-05-11 19:02:37 277240 ----a-w- c:\windows\system32\guard32.dll
2010-05-11 19:02:29 25240 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-05-11 19:02:22 15464 ----a-w- c:\windows\system32\drivers\cmderd.sys
2010-05-11 19:02:19 225344 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-03 21:24:36 11973 ----a-w- c:\windows\system32\drivers\secdrv.sys
2010-03-18 15:39:44 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-17 14:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 9:42:43.46 ===============
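As an added triage example (not part of the original post and not DDS's own code), here is a small Python reader for the "Created Last 30" / "Find3M" entry format in the log above. The sample lines are copied from that log; the parser groups files written in the same second and lists system32 files stamped on or after an assumed cut-off date, which is how a helper usually pivots through such a log by hand.

```python
import re
from collections import OrderedDict
from dataclasses import dataclass
from datetime import datetime

# DDS entry line: "<date> <time> <size> <attribute flags> <path>", one per line as in the log above
ENTRY_RE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) (?P<attrs>\S+) (?P<path>.+)$"
)


@dataclass
class DdsEntry:
    when: datetime
    size: int
    attrs: str
    path: str

    @property
    def is_dir(self):
        # DDS prints a leading 'd' in the attribute column for directories (e.g. "d-----w-")
        return self.attrs.startswith("d")


def parse_dds_entries(text):
    """Parse the file lines of the 'Created Last 30' and 'Find3M' sections; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(DdsEntry(datetime.strptime(m["when"], "%Y-%m-%d %H:%M:%S"),
                                int(m["size"]), m["attrs"], m["path"]))
    return out


def file_clusters(entries, min_size=2):
    """Files (not directories) sharing an exact timestamp, in first-seen order.
    Several files landing in the same second usually came from one installer or one dropper,
    which is a useful pivot; by itself it says nothing about whether they are malicious."""
    groups = OrderedDict()
    for e in entries:
        if not e.is_dir:
            groups.setdefault(e.when.strftime("%Y-%m-%d %H:%M:%S"), []).append(e.path)
    return OrderedDict((k, v) for k, v in groups.items() if len(v) >= min_size)


def recent_system_files(entries, since):
    """Non-directory entries under system32 stamped on or after `since` (an ISO date string)."""
    cutoff = datetime.fromisoformat(since)
    return [e for e in entries
            if not e.is_dir and e.when >= cutoff and "\\windows\\system32\\" in e.path.lower()]


# Constructed sample: six lines copied from the DDS log in this thread (creation times from
# "Created Last 30", modification times from "Find3M"; DDS prints both in the same format).
SAMPLE = r"""
2010-05-13 21:28:58 13160 ----a-w- c:\windows\system32\Upgrd.exe
2010-05-13 05:19:21 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-13 05:19:21 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-05-12 03:12:36 171 ----a-w- c:\windows\system32\MRT.INI
2010-05-15 14:20:42 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2010-05-13 21:28:58 57752 ------w- c:\windows\system32\rpcnet.exe
"""

if __name__ == "__main__":
    entries = parse_dds_entries(SAMPLE)
    for when, paths in file_clusters(entries).items():
        print(when, "->", ", ".join(paths))
    # 2010-05-11 is an assumed cut-off (a couple of days before the reported symptoms)
    for e in recent_system_files(entries, "2010-05-11"):
        print(e.when, e.size, e.path)
```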


#2 Farbar
  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands

Posted 15 May 2010 - 07:04 PM

Hi raymondcarter,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  1. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

  2. Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.

    Double-click to run TDLfix.exe, type the following in the command window and press Enter:

    mbr

    A log file opens up. Please post its content in your reply.


#3 raymondcarter
  • Topic Starter

  • Members
  • 16 posts

Posted 16 May 2010 - 09:01 AM

Hi Farbar;

Thank you for your help. I agree not to make any system changes during this period. Here is the output from TDLFix:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89886EE4]<<
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 61 !
copy of MBR has been found in sector 62 !


#4 Farbar
  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands

Posted 16 May 2010 - 11:10 AM

  1. Close all the open windows.
    • Double-click TDLfix.exe to run the tool, a command window opens.
    • Type the following in the command window and press Enter:

      afd
    • The application will restart the computer immediately and run after the restart.
    • In this case it reboots the computer once more. Please be patient and let the tool do the job.
    • Tell me if the computer rebooted twice and ran to completion.

  2. After the tool has finished the second reboot, run TDLfix.exe, type the following in the open window and press Enter:

    mbr

    A log file opens up. Please post its content in your reply.


#5 raymondcarter
  • Topic Starter

  • Members
  • 16 posts

Posted 17 May 2010 - 04:56 AM

Hi Farbar;

I entered the AFD command. The computer reset and the tool started up and ran for a few seconds. It did not reset the computer a second time. I tried this again with the same results. Here is the output from the MBR command:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 61 !
copy of MBR has been found in sector 62 !
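An added example, not part of the thread and not GMER's own code: a Python reader for the detector output quoted in posts #3 and #5. It isolates the "called modules" chain, flags the unnamed `>>UNKNOWN [...]<<` entry that sat in the disk I/O path in the first run, and diffs the two runs, which makes the change after the fix explicit: the named storage drivers atapi.sys, pciide.sys and PCIIDEX.SYS appear where the unknown address was. The verdict labels are this example's own.

```python
import re
from dataclasses import dataclass, field

# Tool format as quoted above: the driver chain the detector walked to reach the disk,
# with any address it cannot map to a named module printed as ">>UNKNOWN [0x...]<<".
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
SECTOR_RE = re.compile(r"copy of MBR has been found in sector (\d+)")


@dataclass
class MbrReport:
    modules: list = field(default_factory=list)     # named modules in the disk I/O path
    unknown: list = field(default_factory=list)     # addresses the tool could not name
    mbr_ok: bool = False                            # "user & kernel MBR OK" was printed
    mbr_copies: list = field(default_factory=list)  # sectors holding a copy of the MBR


def parse_mbr_log(text):
    rep = MbrReport()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("called modules:"):
            chain = line[len("called modules:"):]
            rep.unknown = UNKNOWN_RE.findall(chain)
            rep.modules = UNKNOWN_RE.sub(" ", chain).split()
        elif line == "user & kernel MBR OK":
            rep.mbr_ok = True
        else:
            m = SECTOR_RE.match(line)
            if m:
                rep.mbr_copies.append(int(m.group(1)))
    return rep


def assess(rep):
    """A disk I/O path the detector cannot fully attribute to named drivers is the finding
    to act on. The MBR copies in spare sectors are recorded but not judged here, since the
    same two lines appear in the clean run as well."""
    if not rep.mbr_ok:
        return "mbr_modified"
    if rep.unknown:
        return "unnamed_module_in_disk_path"
    return "clean"


def diff_chains(before, after):
    """(modules gone, modules new) between two runs, e.g. before and after a fix."""
    b, a = set(before.modules), set(after.modules)
    return sorted(b - a), sorted(a - b)


# The two detector outputs quoted in this thread (post #3 before the fix, post #5 after).
BEFORE_LOG = """
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89886EE4]<<
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 61 !
copy of MBR has been found in sector 62 !
"""
AFTER_LOG = """
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 61 !
copy of MBR has been found in sector 62 !
"""

if __name__ == "__main__":
    before, after = parse_mbr_log(BEFORE_LOG), parse_mbr_log(AFTER_LOG)
    print("before:", assess(before), before.unknown)
    print("after: ", assess(after))
    print("chain diff (gone, new):", diff_chains(before, after))
```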


#6 Farbar
  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands

Posted 17 May 2010 - 05:07 AM

The rootkit is taken care of.

Yes, I had made some changes and the tool didn't need to boot twice in Windows XP.
  1. Open your Malwarebytes' Anti-Malware.
    • First update it: under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  2. See if you can update Windows now and tell me about it.



#7 raymondcarter
  • Topic Starter

  • Members
  • 16 posts

Posted 17 May 2010 - 11:05 AM

Farbar;

Brilliance. Absolute brilliance. Thank you so much for your help, I'm not sure how you know what to go to so quickly but everything is running perfectly now. I just went through and installed every Windows update available along with updates for all of my running security software.

Here is the Malwarebytes log, let me know if I need to take any other action. Thank you again for your time and assistance.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4109

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

5/17/2010 9:31:32 AM
mbam-log-2010-05-17 (09-31-32).txt

Scan type: Quick scan
Objects scanned: 130182
Time elapsed: 7 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#8 Farbar
  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands

Posted 17 May 2010 - 11:47 AM

You are most welcome raymondcarter.

It looks good.
  1. To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

    Your Emulation drivers are now re-enabled.

  2. Run TDLfix.exe, type del and press Enter. It will delete the quarantined infected file and the tool itself.

  3. Run CCleaner (make sure that under the Windows tab all the boxes for Internet Explorer and Windows Explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under the Application tab all the boxes should be checked). Then click Run Cleaner.

  4. First Set a New Restore Point then Remove the Old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.


Happy Surfing.


#9 Farbar
  • Security Developer
  • 21,707 posts
  • Gender:Male
  • Location:The Netherlands

Posted 22 May 2010 - 06:56 PM


This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
