
Google redirect & Combofix crashing


29 replies to this topic

#1 ridhwhan


Posted 25 May 2010 - 04:27 AM

Hello. Let me thank whoever can help me in advance. I will start from the beginning.

I'm running XP home SP3. I have a google redirect virus on my laptop. It has somehow disabled some windows services as well. I have to start services like themes, RCP, and Windows Zero Config manually even though they are set to start automatically.

I've run SmitFraudFix several times in safe mode and normal. I've run Malwarebytes several times (although the first time I ran it, it found 40 different problems, and I presumed it removed them all). It hasn't found anything since the initial scan. And lastly, I've run ComboFix, which in normal mode crashes the computer every time. I was able to get Combofix to run in Safe Mode, but it didn't solve the problem. I still have the search redirect, and services not starting as they should.

Any guidance would be greatly appreciated.

Thank you again.

Edit:

Performed the preparation, and the computer crashed twice while scanning with GMER. Logs attached.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Daria at 4:10:08.26 on Tue 05/25/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.504 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\locator.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS\Eee Docking\Eee Docking.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Documents and Settings\Daria\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Eee Docking] c:\program files\asus\eee docking\Eee Docking.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {B3CCEB9B-2B56-4C79-B181-0157757F6856} = 192.168.1.254
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\daria\applic~1\mozilla\firefox\profiles\ynjoaplf.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://bing.zugotoolbar.com/s/?iesrc=IE-Address&site=Bing&q=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\daria\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\daria\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-8-11 55152]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-12-27 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-12-27 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-12-27 144704]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-4-27 38912]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-12-27 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-12-27 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-12-27 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-12-27 40552]
R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [2009-4-27 39040]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-11 1684736]
S3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\amustor.sys --> c:\windows\system32\drivers\AmUStor.SYS [?]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-12-27 34248]
S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2009-8-20 1015424]

=============== Created Last 30 ================

2010-05-25 09:07:08 0 d-----w- C:\Combo-Fix28669C
2010-05-25 08:35:29 0 d-----w- c:\program files\CCleaner
2010-05-25 08:04:18 0 d-----w- C:\Combo-Fix7275C
2010-05-25 07:23:56 0 d-----w- C:\Combo-Fix
2010-05-25 06:57:26 0 d-sha-r- C:\cmdcons
2010-05-25 05:41:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-25 05:40:57 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-25 05:40:57 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-25 04:49:29 98816 ----a-w- c:\windows\sed.exe
2010-05-25 04:49:29 77312 ----a-w- c:\windows\MBR.exe
2010-05-25 04:49:29 256512 ----a-w- c:\windows\PEV.exe
2010-05-25 04:49:29 161792 ----a-w- c:\windows\SWREG.exe
2010-05-24 01:39:19 0 d-----w- c:\documents and settings\daria\Tracing
2010-05-23 23:21:41 0 d-----w- c:\documents and settings\daria\SmitfraudFix
2010-05-23 07:30:16 0 d-----w- c:\docume~1\daria\applic~1\Malwarebytes
2010-05-23 07:29:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-23 05:38:09 0 d-----w- c:\docume~1\daria\applic~1\Asus
2010-05-23 00:51:19 0 d-----w- c:\docume~1\alluse~1\applic~1\RSMR
2010-05-23 00:51:19 0 d-----w- c:\docume~1\alluse~1\applic~1\EBI
2010-05-23 00:50:55 0 d-----w- c:\program files\EBI
2010-05-22 06:37:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-04-03 20:54:33 54436 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-11 20:00:47 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-08-20 12:12:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-12-26 05:51:17 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009122620091227\index.dat

============= FINISH: 4:12:35.87 ===============


Edited by ridhwhan, 25 May 2010 - 11:27 AM.
Moving from XP forum to a more appropriate place ~ Elise




#2 Farbar


Posted 25 May 2010 - 01:28 PM

Hi ridhwhan,

Welcome to VTSMR forum.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes.

Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.

Double-click to run TDLfix.exe, type the following in the command window and press Enter:

mbr

A log file opens up. Please post its content in your reply.

#3 ridhwhan


Posted 25 May 2010 - 01:49 PM

Thank you.

Here are the results.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85233D01]<<
kernel: MBR read successfully
user & kernel MBR OK


#4 Farbar


Posted 25 May 2010 - 01:54 PM

  1. Close all the open windows.
    • Disable real-time protection of your security software and make sure it will not run at startup after reboot. They may otherwise interfere with the tool. (Information on A/V control HERE)
    • Double-click TDLfix.exe to run the tool, a command window opens.
    • Type (or copy the following and right-click to paste) in the command window and press Enter:

      tcpip

    • The application will restart the computer immediately and run after the restart. In this case it will reboot the system once more.
    • Tell me if the computer rebooted and ran to completion.

  2. After the tool has finished, run TDLfix.exe, type the following in the open window and press Enter:

    mbr

    A log file opens up. Please post its content in your reply.


#5 ridhwhan


Posted 25 May 2010 - 02:20 PM

OK. Ran TDLfix, it rebooted, came up on restart, and rebooted again.

Here is the log after entering mbr.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85251D01]<<
kernel: MBR read successfully
user & kernel MBR OK


#6 Farbar


Posted 25 May 2010 - 02:36 PM

It did not work.

Did you do it in normal mode?
Was McAfee disabled and did not run at startup?
Did you have an internet connection when you ran it?

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    tcpip.sys*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


#7 ridhwhan


Posted 25 May 2010 - 02:47 PM

Thank you.

Yes, ran in normal mode. McAfee disabled. Yes, internet was working via wireless. After the 2nd restart, Windows Zero Config, Themes and Workstation services did not start up.

Results from SystemLook:


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 12:42 on 25/05/2010 by Daria (Administrator - Elevation successful)

========== filefind ==========

Searching for "tcpip.sys*"
C:\backup\tcpip.sys --a--- 361600 bytes [19:14 25/05/2010] [11:51 20/06/2008] 9AEFA14BD6B182D61E3119FA5F436D3D
C:\vir\tcpip.sys.old --a--- 361600 bytes [13:03 11/08/2009] [11:51 20/06/2008] ECABF70AD2C83190FFF378CAA063AEAC
C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys --a--- 361600 bytes [19:32 11/08/2009] [11:59 20/06/2008] AD978A1B783B5719720CFF204B666C8E
C:\WINDOWS\ERDNT\cache\tcpip.sys --a--- 361600 bytes [07:16 25/05/2010] [11:51 20/06/2008] 9AEFA14BD6B182D61E3119FA5F436D3D
C:\WINDOWS\system32\dllcache\tcpip.sys --a--c 361600 bytes [19:25 25/05/2010] [11:51 20/06/2008] 9AEFA14BD6B182D61E3119FA5F436D3D
C:\WINDOWS\system32\drivers\tcpip.sys --a--- 361600 bytes [19:25 25/05/2010] [11:51 20/06/2008] 9AEFA14BD6B182D61E3119FA5F436D3D

-=End Of File=-

Edited by ridhwhan, 25 May 2010 - 02:49 PM.
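The SystemLook output above lists every copy of tcpip.sys together with its MD5, and the check a responder wants from it is whether each copy matches the one Windows actually loads from system32\drivers. The following Python is an added example for this thread, not SystemLook's, TDLfix's or Farbar's code; the sample input is constructed from the six result lines posted above, and the function and pattern names are my own.

```python
"""Parse a SystemLook ':filefind' log and compare the MD5 of every copy of a
driver against the copy loaded from system32\\drivers.

Added example for this thread; not part of SystemLook or TDLfix. The sample
below is constructed from the six tcpip.sys lines posted in the thread.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample: the filefind section of the SystemLook log from post #7.
SAMPLE_LOG = r"""
SystemLook v1.0 by jpshortstuff (11.01.10)
========== filefind ==========

Searching for "tcpip.sys*"
C:\backup\tcpip.sys --a--- 361600 bytes [19:14 25/05/2010] [11:51 20/06/2008] 9AEFA14BD6B182D61E3119FA5F436D3D
C:\vir\tcpip.sys.old --a--- 361600 bytes [13:03 11/08/2009] [11:51 20/06/2008] ECABF70AD2C83190FFF378CAA063AEAC
C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys --a--- 361600 bytes [19:32 11/08/2009] [11:59 20/06/2008] AD978A1B783B5719720CFF204B666C8E
C:\WINDOWS\ERDNT\cache\tcpip.sys --a--- 361600 bytes [07:16 25/05/2010] [11:51 20/06/2008] 9AEFA14BD6B182D61E3119FA5F436D3D
C:\WINDOWS\system32\dllcache\tcpip.sys --a--c 361600 bytes [19:25 25/05/2010] [11:51 20/06/2008] 9AEFA14BD6B182D61E3119FA5F436D3D
C:\WINDOWS\system32\drivers\tcpip.sys --a--- 361600 bytes [19:25 25/05/2010] [11:51 20/06/2008] 9AEFA14BD6B182D61E3119FA5F436D3D

-=End Of File=-
"""

# One filefind result line: path, attribute flags, size, modified, created, MD5.
LINE_RE = re.compile(
    r"^(?P<path>\S.*?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Return one dict per result line; header and footer lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries


def active_driver(entries, name="tcpip.sys"):
    """The copy Windows loads is the one under system32\\drivers."""
    suffix = ("\\system32\\drivers\\" + name).lower()
    for e in entries:
        if e["path"].lower().endswith(suffix):
            return e
    return None


def group_by_hash(entries):
    """Map each MD5 to the list of paths carrying it, in log order."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def hash_mismatches(entries, name="tcpip.sys"):
    """Paths whose MD5 differs from the active driver's, in log order.

    A mismatch is a lead to verify, not a verdict: a hotfix staging copy
    (such as one under $hf_mig$) is legitimately a different build.
    """
    ref = active_driver(entries, name)
    if ref is None:
        raise ValueError("no active %s found in log" % name)
    return [e["path"] for e in entries if e["md5"] != ref["md5"]]


def md5_of_file(path):
    """MD5 of a file on disk, to check a copy against the value in the log."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


if __name__ == "__main__":
    ents = parse_filefind(SAMPLE_LOG)
    for digest, paths in group_by_hash(ents).items():
        print(digest, "-", len(paths), "copies")
    for p in hash_mismatches(ents):
        print("differs from active driver:", p)
```

On this log the copies under backup, ERDNT\cache, dllcache and drivers share one hash, while C:\vir\tcpip.sys.old and the $hf_mig$ staging copy differ. The $hf_mig$ copy is the hotfix installer's own copy of a different build, so a differing hash there is expected, which is why the function reports mismatches as leads rather than verdicts; md5_of_file lets you recompute a copy's hash directly if the log is in doubt.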


#8 Farbar


Posted 25 May 2010 - 03:11 PM

Thanks for the feedback. The tool partially succeeded.

We will give it another go with the updated version.

Please right-click TDLfix to delete it. Then download the updated copy from http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.

Then repeat the steps in Post 4 and copy the log. In case any service doesn't start later on, a reboot should take care of it.

#9 ridhwhan


Posted 25 May 2010 - 03:22 PM

OK. Same result. Services did not start up automatically. Here is the log.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85253D01]<<
kernel: MBR read successfully
user & kernel MBR OK

#10 Farbar


Posted 25 May 2010 - 03:43 PM

Okay, we need to make a batch file. Make it now so you have it ready, because at one stage you will lose your internet connection and need to have the batch file ready.
  1. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


    CODE
    @ECHO OFF
    del /a/f/q c:\windows\system32\drivers\tcpip.sys >log.txt 2>&1
    copy /v /y  C:\backup\tcpip.sys c:\windows\system32\drivers >>log.txt 2>&1
    sc config tcpip start= system >>log.txt 2>&1

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: step2.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad. Don't run the batch file now.

  2. Go to Start => Run, copy and paste the following in the Run box and click OK:

    QUOTE
    sc config tcpip start= disabled >log.txt 2>&1


    A window flashes; that is normal.

  3. Reboot the computer and run step2.bat after reboot.

  4. Reboot the computer again, run TDLfix, type mbr and press Enter to make the log, and post it here.


#11 ridhwhan


Posted 25 May 2010 - 03:53 PM

OK. Here we go.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8527BD01]<<
kernel: MBR read successfully
user & kernel MBR OK

#12 Farbar


Posted 25 May 2010 - 04:00 PM

It didn't work either and it might be something else.

Please run SystemLook once more with this script, press Look and post the log:

CODE
:filefind
tcpip.sys*


#13 ridhwhan


Posted 25 May 2010 - 04:11 PM

Here you go.

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 14:06 on 25/05/2010 by Daria (Administrator - Elevation successful)

========== filefind ==========

Searching for "tcpip.sys*"
C:\backup\tcpip.sys --a--- 361600 bytes [19:14 25/05/2010] [11:51 20/06/2008] 9AEFA14BD6B182D61E3119FA5F436D3D
C:\vir\tcpip.sys.old --a--- 361600 bytes [19:25 25/05/2010] [11:51 20/06/2008] ECABF70AD2C83190FFF378CAA063AEAC
C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys --a--- 361600 bytes [19:32 11/08/2009] [11:59 20/06/2008] AD978A1B783B5719720CFF204B666C8E
C:\WINDOWS\ERDNT\cache\tcpip.sys --a--- 361600 bytes [07:16 25/05/2010] [11:51 20/06/2008] 9AEFA14BD6B182D61E3119FA5F436D3D
C:\WINDOWS\system32\dllcache\tcpip.sys --a--c 361600 bytes [19:25 25/05/2010] [11:51 20/06/2008] 9AEFA14BD6B182D61E3119FA5F436D3D
C:\WINDOWS\system32\drivers\tcpip.sys --a--- 361600 bytes [19:25 25/05/2010] [11:51 20/06/2008] 9AEFA14BD6B182D61E3119FA5F436D3D

-=End Of File=-

#14 Farbar


Posted 25 May 2010 - 04:18 PM

Do you have another computer to communicate with? We need to disable tcpip, but you will lose your internet connection.

#15 ridhwhan


Posted 25 May 2010 - 04:23 PM

Yes. I have my desktop that I can use.



