
Infected with Google redirect virus


This topic is locked
18 replies to this topic

#1 lemmingpolka
  • Members

Posted 15 May 2010 - 10:06 AM

Here is a link to my original post:

http://www.bleepingcomputer.com/forums/t/316613/complete-alureonh-removal/

I was experiencing problems when Google links were redirecting to dodgy virus-ridden sites. Microsoft Malicious Software Removal said that it had partially removed the Alureon.h virus. Malwarebytes located and removed browser hijacker.exe, but Google pages are still redirecting :-(

I had to run Gmer in safe mode due to constant crashes. The virus is also making my PC very slow and unstable.

I would be ever so grateful for your help.

Attached Files




#2 Farbar
  • Security Developer
  • Location: The Netherlands

Posted 15 May 2010 - 06:52 PM

Hi lemmingpolka,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  1. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

  2. Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.
      Right-click TDLfix.exe and select "run as administrator", type the following in the command window and press Enter:

      mbr

      A log file opens up. Please post its content in your reply.

Edited by farbar, 15 May 2010 - 06:55 PM.


#3 lemmingpolka
  • Topic Starter
  • Members

Posted 15 May 2010 - 08:01 PM

Hi Farbar,

Thank you very much for your help - it is greatly appreciated. :-)

Here are the results of the scan:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x863C7EE4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8520d1f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

Many thanks,

Lemmingpolka

#4 Farbar
  • Security Developer
  • Location: The Netherlands

Posted 15 May 2010 - 08:29 PM

Besides a TDSS/TDL rootkit infection, which we are sure of, the log shows a possible MBR infection.

Before taking any action we want to make sure of the possibility.
  1. Please uninstall Daemon Tools, as it interferes with our tools and leads to false positives. You may install it later on when we are done.

  2. Reboot the computer.

  3. Then run TDLfix.exe as Admin and make a fresh mbr log by typing mbr and pressing Enter. Please post the log.

  4. Tell me if you have the Windows Vista installation DVD in case we need it.


#5 lemmingpolka
  • Topic Starter
  • Members

Posted 16 May 2010 - 07:59 AM

I have completed the steps below....

1. Done

2. Done

3. Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x86427EE4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8520c1f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

4. I have an Acer laptop which did not come with the Vista installation CD or recovery disc :-(

Thanks again for your assistance.
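
The two mbr.exe logs in posts #3 and #5 share a fixed format, and the helper's question is whether the finding survives a reboot. As an added example that is not part of the thread and not GMER's code, the script below parses that format, pulls out the unknown module in the disk I/O path and the hooked driver objects, and compares two runs by driver name rather than by kernel address, since kernel addresses are reallocated on every boot. The sample logs are constructed from the two posted above plus a clean run I made up; the verdict strings in `assess` are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed samples: the two runs posted in this thread (before and after the
# requested reboot) and a made-up clean run for contrast.
LOG_RUN1 = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x863C7EE4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8520d1f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
"""
LOG_RUN2 = LOG_RUN1.replace("0x863C7EE4", "0x86427EE4").replace("0x8520d1f8", "0x8520c1f8")
LOG_CLEAN = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll
kernel: MBR read successfully
user & kernel MBR OK
"""

HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s*->\s*(0x[0-9A-Fa-f]+)")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


@dataclass
class MbrReport:
    user_mbr_read: bool = False       # MBR read via the user-mode path
    kernel_mbr_read: bool = False     # MBR read via the kernel path
    mbr_sectors_ok: bool = False      # "user & kernel MBR OK": both reads agree
    warning: bool = False             # tool printed its rootkit warning
    unknown_modules: list = field(default_factory=list)  # unknown code in the disk stack
    hooks: dict = field(default_factory=dict)            # driver object -> hook address


def parse_mbr_log(text):
    """Parse one mbr.exe log into an MbrReport; addresses are normalised to lowercase."""
    rep = MbrReport()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("user: MBR read successfully"):
            rep.user_mbr_read = True
        elif line.startswith("kernel: MBR read successfully"):
            rep.kernel_mbr_read = True
        elif line.startswith("called modules:"):
            rep.unknown_modules = [a.lower() for a in UNKNOWN_RE.findall(line)]
        elif line.startswith("Warning: possible MBR rootkit infection"):
            rep.warning = True
        elif line.startswith("user & kernel MBR OK"):
            rep.mbr_sectors_ok = True
        else:
            m = HOOK_RE.match(line)
            if m:
                rep.hooks[m.group(1)] = m.group(2).lower()
    return rep


def assess(rep):
    """One-line verdict: a hook or unknown module is a finding even when the MBR sectors read OK."""
    findings = [f"unknown code in the disk I/O path at {a}" for a in rep.unknown_modules]
    findings += [f"{drv} hooked at {addr}" for drv, addr in rep.hooks.items()]
    if not findings and rep.mbr_sectors_ok:
        return "clean: MBR readable from user and kernel, no hooks reported"
    return "suspect: " + "; ".join(findings)


def compare_runs(first, second):
    """Did the finding persist across a reboot? Compare hooked driver names, not addresses."""
    return {
        "persistent": first.warning and second.warning,
        "hooked_drivers_match": set(first.hooks) == set(second.hooks),
        "addresses_changed": first.hooks != second.hooks
        or first.unknown_modules != second.unknown_modules,
    }
```

In the thread the addresses shifted between runs (0x8520d1f8 to 0x8520c1f8) while the hooked driver stayed `\Driver\atapi`, which is exactly the persistent pattern this comparison reports.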

#6 Farbar
  • Security Developer
  • Location: The Netherlands

Posted 16 May 2010 - 11:04 AM

We need to make a Boot CD to be able to handle the MBR rootkit, unless you have another computer we can make the Boot CD later on.
  1. We need to create a Boot CD
  2. Download BurnCDCC
  3. To test if the Boot CD works, insert the CD-ROM into the CD-ROM drive, and then restart the computer.
    • Please be patient as "Windows" loads.
    • Your system should now display a REATOGO-X-PE desktop.
      Note: In case you did not get this screen, your computer is not set to boot from CD-ROM and you should change the BIOS setup as described in How to Set BIOS to Boot from CDROM
    • If you get to the Desktop shut down the computer, remove the CD and let the computer boot. Tell me if this is done.


#7 lemmingpolka
  • Topic Starter
  • Members

Posted 16 May 2010 - 02:51 PM

Thanks for your reply Farbar.

Quick question... do you recommend making the boot CD from this infected laptop - I am asking this as I have another laptop that I could make the boot CD from but it is running Windows 7, not sure if that makes a difference?

#8 Farbar
  • Security Developer
  • Location: The Netherlands

Posted 16 May 2010 - 04:13 PM

It is preferred to make it on the other laptop. Select the lowest speed when making it.

#9 lemmingpolka
  • Topic Starter
  • Members

Posted 16 May 2010 - 05:07 PM

All done.

#10 Farbar
  • Security Developer
  • Location: The Netherlands

Posted 16 May 2010 - 05:10 PM

Just to make sure, did you check to see if the Boot CD could boot?

#11 lemmingpolka
  • Topic Starter
  • Members

Posted 17 May 2010 - 01:29 PM

I have tested the boot CD and the computer sounds as though it is booting from the CD-ROM drive as I can hear it trying to load from the drive about three times - it then makes a lot of noise (sounds like a motorbike starting up) and Windows starts loading. However, the REATOGO-X-PE desktop is not displayed on the desktop... does this mean that it didn't work?

#12 Farbar
  • Security Developer
  • Location: The Netherlands

Posted 17 May 2010 - 04:28 PM

Either the computer is not booting from CD or the CD is not readable. With the sound you hear I fear the latter. If the CD is readable you can open it when Windows is booted and see its content.

Anyway, I was looking for something to add to the CD (as it is a Windows XP boot CD) to do the task we want. We can do many things with the Boot CD, but we cannot run the FixMBR command we need to run.

Let's now take care of the other rootkit then think of something else:

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#13 lemmingpolka
  • Topic Starter
  • Members

Posted 18 May 2010 - 10:12 AM

Hi Farbar,

Please find attached the Combofix log, as requested.

Lemmingpolka

Attached Files



#14 lemmingpolka
  • Topic Starter
  • Members

Posted 18 May 2010 - 10:13 AM

Just noticed that you asked for me to copy/paste the log...

ComboFix 10-05-16.05 - Acer 18/05/2010 15:48:24.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2038.851 [GMT 1:00]
Running from: c:\users\Acer\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Acer\AppData\Local\Microsoft\Windows\Temporary Internet Files\lJLmj6.jpg
c:\users\Acer\AppData\Local\Microsoft\Windows\Temporary Internet Files\maK5j0b.jpg
c:\users\Acer\AppData\Local\Microsoft\Windows\Temporary Internet Files\pMYM0.jpg
c:\users\Acer\AppData\Local\Microsoft\Windows\Temporary Internet Files\pXb88yMXo.jpg
c:\users\Acer\AppData\Roaming\Microsoft\Windows\Recent\All you need for a good idea is to open the shower door.docx
c:\users\Acer\AppData\Roaming\Microsoft\Windows\Recent\Bathroom Cabinets.docx
c:\users\Acer\AppData\Roaming\Microsoft\Windows\Recent\Shower your world.docx
c:\users\Acer\lame_enc_en.dll
c:\users\Acer\lametritonus_en.dll
c:\windows\system32\install.exe
c:\windows\Temp\log.txt

Infected copy of c:\windows\system32\drivers\termdd.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-04-18 to 2010-05-18 )))))))))))))))))))))))))))))))
.

2010-05-18 15:00 . 2010-05-18 15:00 -------- d-----w- c:\users\Acer\AppData\Local\temp
2010-05-18 15:00 . 2010-05-18 15:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-17 13:40 . 2010-05-17 18:10 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-14 22:14 . 2010-01-29 16:21 738304 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-13 16:19 . 2010-05-13 16:31 -------- d-----w- c:\programdata\Hitman Pro
2010-05-09 17:28 . 2010-05-09 17:28 680 ----a-w- c:\users\Acer\AppData\Local\d3d9caps.dat
2010-05-05 20:39 . 2010-05-05 20:39 -------- d-----w- c:\programdata\Lencom
2010-05-05 20:39 . 2010-05-05 20:39 -------- d-----w- c:\users\Acer\AppData\Local\Xenocode
2010-05-05 20:35 . 2010-05-12 21:47 -------- d-----w- c:\users\Acer\AppData\Roaming\Lencom
2010-05-05 20:35 . 2010-05-05 20:36 -------- d-----w- c:\program files\Common Files\LencomShare
2010-05-05 20:35 . 2010-05-05 20:35 -------- d-----w- c:\program files\Lencom Software Inc
2010-05-05 15:51 . 2010-02-03 17:07 2337199 ----a-w- c:\programdata\{8B34E60E-B920-4842-A8F3-147D22CE2F96}\email-extractor-setup.exe
2010-05-05 15:51 . 2010-05-14 21:28 -------- d-----w- c:\program files\WebPro Email Extractor
2010-05-05 15:51 . 2010-05-05 15:51 -------- d--h--w- c:\programdata\{8B34E60E-B920-4842-A8F3-147D22CE2F96}
2010-05-05 15:51 . 2010-02-03 17:05 203264 ----a-w- c:\programdata\{8B34E60E-B920-4842-A8F3-147D22CE2F96}\offline\226C5B69\F6AD8F6F\EmailExtractor.exe
2010-05-05 15:51 . 2005-07-03 02:11 45056 ----a-w- c:\programdata\{8B34E60E-B920-4842-A8F3-147D22CE2F96}\offline\E89DE15C\F6AD8F6F\AxInterop.SHDocVw.dll
2010-05-05 15:51 . 2005-07-03 01:11 126976 ----a-w- c:\programdata\{8B34E60E-B920-4842-A8F3-147D22CE2F96}\offline\F86DCD7F\302B7A71\Interop.SHDocVw.dll
2010-04-27 13:28 . 2010-04-27 13:28 -------- d-----w- c:\users\Acer\AppData\Local\Yahoo
2010-04-27 13:25 . 2010-03-19 16:46 607544 ----a-w- c:\programdata\Yahoo!\YUpdater\yupdater.exe
2010-04-27 00:19 . 2010-04-27 00:19 56 ---ha-w- c:\windows\system32\ezsidmv.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-18 14:35 . 2008-10-31 22:28 -------- d-----w- c:\users\Acer\AppData\Roaming\DNA
2010-05-18 14:22 . 2008-10-31 22:28 -------- d-----w- c:\program files\DNA
2010-05-17 03:33 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-17 03:32 . 2008-02-09 06:05 -------- d-----w- c:\programdata\Microsoft Help
2010-05-16 20:34 . 2008-10-31 22:28 -------- d-----w- c:\users\Acer\AppData\Roaming\BitTorrent
2010-05-14 21:28 . 2010-01-30 02:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-05 20:39 . 2009-11-30 14:20 99231 ----a-w- c:\program files\Common Files\Engines.lnl
2010-04-28 01:34 . 2008-09-20 10:55 -------- d-----w- c:\users\Acer\AppData\Roaming\Skype
2010-04-27 23:04 . 2008-09-20 10:57 -------- d-----w- c:\users\Acer\AppData\Roaming\skypePM
2010-04-27 13:28 . 2008-09-15 12:40 -------- d-----w- c:\users\Acer\AppData\Roaming\Yahoo!
2010-04-27 13:25 . 2008-09-12 20:16 -------- d-----w- c:\programdata\Yahoo!
2010-04-16 17:10 . 2010-04-16 17:10 -------- d-----w- c:\program files\Mind Pioneer
2010-04-13 18:28 . 2010-04-13 18:27 -------- d-----w- c:\program files\The Rosetta Stone
2010-04-13 18:26 . 2010-04-13 17:22 -------- d-----w- c:\users\Acer\AppData\Roaming\DAEMON Tools Lite
2010-04-13 17:46 . 2010-04-13 17:46 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-04-13 17:22 . 2010-04-13 17:22 -------- d-----w- c:\programdata\DAEMON Tools Lite
2010-04-07 14:06 . 2010-04-07 14:06 -------- d-----w- c:\program files\oDesk
2010-04-02 12:06 . 2009-06-21 14:16 -------- d-----w- c:\program files\McAfee
2010-03-31 14:53 . 2010-03-31 14:53 1925088 ----a-w- c:\users\Acer\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2010-03-27 15:50 . 2010-03-26 21:19 -------- d-----w- c:\users\Acer\AppData\Roaming\YouSendIt
2010-03-26 21:18 . 2008-02-09 05:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-26 21:17 . 2010-03-26 21:17 -------- d-----w- c:\program files\YouSendIt
2010-03-26 09:33 . 2010-04-14 22:29 1496064 ----a-w- c:\users\Acer\AppData\Roaming\Mozilla\Firefox\Profiles\7q57zinw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-26 09:33 . 2010-04-14 22:29 43008 ----a-w- c:\users\Acer\AppData\Roaming\Mozilla\Firefox\Profiles\7q57zinw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-26 09:33 . 2010-04-14 22:29 339456 ----a-w- c:\users\Acer\AppData\Roaming\Mozilla\Firefox\Profiles\7q57zinw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-26 09:32 . 2010-04-14 22:29 346112 ----a-w- c:\users\Acer\AppData\Roaming\Mozilla\Firefox\Profiles\7q57zinw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-03-22 21:07 . 2010-03-22 21:07 -------- d-----w- c:\program files\AMS Beauty Studio
2010-03-05 14:01 . 2010-04-14 18:48 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 13:37 . 2008-08-23 21:22 124768 ----a-w- c:\users\Acer\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 11:00 . 2008-12-11 00:46 2724 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-02-23 11:32 . 2010-04-14 18:49 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-23 11:32 . 2010-04-14 18:49 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-23 11:32 . 2010-04-14 18:49 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 06:39 . 2010-03-31 12:28 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 12:28 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-31 12:28 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-31 12:28 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:39 . 2010-03-13 03:43 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:37 . 2010-03-13 03:43 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 21:18 . 2010-03-13 03:43 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-18 14:49 . 2010-04-14 18:48 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-18 14:49 . 2010-04-14 18:48 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-18 14:49 . 2010-04-14 18:48 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-18 14:11 . 2010-04-14 18:48 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-02-18 11:52 . 2010-04-14 18:48 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2002-04-16 10:27 . 2002-04-16 10:27 5 --sha-w- c:\windows\System32\CdI5T.drv
2008-12-17 13:47 . 2008-12-11 00:46 88 --sh--r- c:\windows\System32\E91484E061.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 10:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-23 39408]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2010-03-12 323392]
"Google Update"="c:\users\Acer\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-12-31 133104]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-12-03 160592]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-03-19 5248312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-08 4853760]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-01-03 521776]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-01-07 858632]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-06 57344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2007-11-01 1475072]
"btbb_wcm_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe" [2007-11-29 1474048]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"NapsterShell"="c:\program files\Napster\napster.exe" [2009-09-30 323280]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 01:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2007-08-16 12:00 531272 ----a-w- c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-04-02 15:11 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 15:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2008-01-22 22:23 81920 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2008-08-12 17:19 21741864 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-04-05 21:07 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 135664]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-04-13 691696]
S0 AFS;AFS; [x]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-12-08 93320]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-07-22 180736]
S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2008-01-09 27632]

.
Contents of the 'Scheduled Tasks' folder

2010-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 23:39]

2010-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 23:39]

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3054311125-3726314797-1804928617-1003Core.job
- c:\users\Acer\AppData\Local\Google\Update\GoogleUpdate.exe [2008-12-31 01:00]

2010-05-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3054311125-3726314797-1804928617-1003UA.job
- c:\users\Acer\AppData\Local\Google\Update\GoogleUpdate.exe [2008-12-31 01:00]

2010-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]

2010-05-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
FF - ProfilePath - c:\users\Acer\AppData\Roaming\Mozilla\Firefox\Profiles\7q57zinw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - component: c:\users\Acer\AppData\Roaming\Mozilla\Firefox\Profiles\7q57zinw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\kSolo\npAVX.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Acer\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\Acer\AppData\Local\Yahoo!\BrowserPlus\2.7.1\Plugins\npybrowserplus_2.7.1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-eRecoveryService - (no file)
MSConfigStartUp-Nitro PDF Printer Monitor - c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
AddRemove-LiveUpdate - c:\program files\Symantec\LiveUpdate\LSETUP.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-18 16:00
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-05-18 16:03:28
ComboFix-quarantined-files.txt 2010-05-18 15:03

Pre-Run: 57,944,535,040 bytes free
Post-Run: 57,996,193,792 bytes free

- - End Of File - - 1BF0AF47CB44BCBE2F9F950509003DB0
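
A ComboFix log like the one above is read by eye in this thread. As an added example that is not part of the thread and not ComboFix's code, the script below does a first-pass triage of the same line formats: it records files ComboFix reports as disinfected, lists hidden+system files under the Windows directory for review (the licensing-related .sys/.drv files above are a common benign source of such hits, so this is a review list, not a verdict), and flags registry values that weaken protection (EnableLUA=0 turns UAC off; DisableMonitoring=1 under Security Center silences AV/firewall status). The sample is an excerpt constructed from the posted log.

```python
import re

# Constructed excerpt of the ComboFix log posted above, trimmed to the line
# types this triage looks at.
SAMPLE = r"""Infected copy of c:\windows\system32\drivers\termdd.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
2010-05-13 16:19 . 2010-05-13 16:31 -------- d-----w- c:\programdata\Hitman Pro
2010-04-13 17:46 . 2010-04-13 17:46 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-02-24 11:00 . 2008-12-11 00:46 2724 --sha-w- c:\windows\system32\KGyGaAvL.sys
2002-04-16 10:27 . 2002-04-16 10:27 5 --sha-w- c:\windows\System32\CdI5T.drv
2008-12-17 13:47 . 2008-12-11 00:46 88 --sh--r- c:\windows\System32\E91484E061.sys
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

# "created . modified size attrs path"; attrs is an 8-char flag field (d,s,h,a,r,w or -)
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+(?:\d+|-+)\s+([dsharw-]{8})\s+(.+)$"
)
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
DISINFECT_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected")


def triage_combofix(text):
    """Return disinfected files, hidden+system files under c:\\windows, and weakened settings."""
    report = {"disinfected": [], "hidden_system_files": [], "weakened_settings": []}
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = DISINFECT_RE.match(line)
        if m:
            report["disinfected"].append(m.group(1).lower())
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.groups()
            # files (not directories) carrying both system and hidden attributes in the Windows dir
            if (not attrs.startswith("d") and "s" in attrs and "h" in attrs
                    and path.lower().startswith(r"c:\windows")):
                report["hidden_system_files"].append(path)
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()   # registry values below belong to this key
            continue
        m = VALUE_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            if current_key.endswith(r"policies\system") and name == "EnableLUA" and value.startswith("0"):
                report["weakened_settings"].append("UAC disabled (EnableLUA=0)")
            elif (r"security center\monitoring" in current_key and name == "DisableMonitoring"
                    and value.lower() == "dword:00000001"):
                report["weakened_settings"].append(f"Security Center monitoring disabled under {current_key}")
    return report
```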


#15 Farbar
  • Security Developer
  • Location: The Netherlands

Posted 18 May 2010 - 02:00 PM

The ComboFix log looks good. The rootkit is taken care of.
  1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 20 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

  2. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  3. Let's see if mbr.exe shows the possible MBR rootkit again.

    Run TDLfix, type mbr and press Enter. Please post the log.

  4. Tell me also how your computer is running.




