
Antimalware doctor, Performance Platform Voguecash, and google browser search hijacking (2)


13 replies to this topic

#1 moshekim79


Posted 06 June 2010 - 12:26 AM

Exactly same problem as: http://www.bleepingcomputer.com/forums/t/320762/antimalware-doctor-and-browser-search-hijacking/

Briefly, infected with "Antimalware Doctor". Removed with Malwarebytes Anti-Malware.
Noticed "Performance Platform Voguecash" in Add/Remove Programs. Google search is being hijacked.


I've attached DDS file. Any help is appreciated.

CODE
DDS (Ver_10-03-17.01) - NTFSx86  
Run by Andrew at  1:15:51.60 on Sun 06/06/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.5.0_09
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1023.606 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Andrew\Desktop\SystemLook.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Andrew\Desktop\dds.scr

============== Pseudo HJT Report ===============

uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_09\bin\jusched.exe"
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\andrew\startm~1\programs\startup\anapod~1.lnk - c:\program files\red chair software\anapod explorer\anamgr.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andrew\applic~1\mozilla\firefox\profiles\9u6rkp2r.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - component: c:\documents and settings\andrew\application data\mozilla\firefox\profiles\9u6rkp2r.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\andrew\application data\mozilla\firefox\profiles\9u6rkp2r.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.00.13c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2010-4-7 14976]
R3 vuhub;Virtual Usb Hub;c:\windows\system32\drivers\vuhub.sys [2010-4-12 66432]
R3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;c:\windows\system32\drivers\wbsd.sys [2006-10-6 26240]
S2 UsbService;Eltima Usb to Ethernet Connector;c:\program files\asus\printer utilities\usbservice.exe --> c:\program files\asus\printer utilities\UsbService.exe [?]

=============== Created Last 30 ================

2010-06-06 05:15:00    0    ----a-w-    c:\documents and settings\andrew\defogger_reenable
2010-06-06 03:45:16    0    d-sha-r-    C:\cmdcons
2010-06-06 03:40:40    98816    ----a-w-    c:\windows\sed.exe
2010-06-06 03:40:40    77312    ----a-w-    c:\windows\MBR.exe
2010-06-06 03:40:40    256512    ----a-w-    c:\windows\PEV.exe
2010-06-06 03:40:40    161792    ----a-w-    c:\windows\SWREG.exe
2010-06-06 03:18:34    264    ----a-w-    c:\windows\_delis32.ini
2010-06-06 03:17:49    49265    ----a-w-    c:\windows\system32\jpicpl32.cpl
2010-06-05 14:42:42    0    d-----w-    c:\windows\SxsCaPendDel
2010-06-05 14:03:42    0    d-----w-    c:\program files\Trend Micro
2010-06-04 23:55:16    0    d-----w-    c:\docume~1\andrew\applic~1\Malwarebytes
2010-06-04 23:53:47    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-04 23:53:45    0    d-----w-    c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-04 23:53:35    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-06-04 23:53:35    0    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-06-04 02:11:59    2762    ----a-w-    c:\windows\lsrslt.ini
2010-06-04 01:59:17    0    d-----w-    c:\docume~1\andrew\applic~1\Sky-Banners
2010-06-04 01:59:16    0    d-----w-    c:\docume~1\andrew\applic~1\Street-Ads
2010-06-04 01:43:57    50981    ----a-w-    c:\windows\system32\bwqzvmaxmyswowpzv.exe
2010-05-25 05:38:04    309248    ----a-w-    c:\windows\system32\nmzgaafc.dll

==================== Find3M  ====================

2010-03-11 12:38:54    832512    ----a-w-    c:\windows\system32\wininet.dll
2010-03-11 12:38:52    78336    ----a-w-    c:\windows\system32\ieencode.dll
2010-03-11 12:38:51    17408    ----a-w-    c:\windows\system32\corpol.dll
2010-03-09 11:09:18    430080    ----a-w-    c:\windows\system32\vbscript.dll

============= FINISH:  1:17:00.16 ===============

Attached Files

  • Attached File  DDS.txt   10.11KB   3 downloads

Edited by moshekim79, 06 June 2010 - 12:28 AM.


#2 moshekim79


Posted 06 June 2010 - 12:59 AM

Combofix output:

CODE
ComboFix 10-06-05.01 - Andrew 06/06/2010   1:40.3.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1023.788 [GMT -4:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\RasAcd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
(((((((((((((((((((((((((   Files Created from 2010-05-06 to 2010-06-06  )))))))))))))))))))))))))))))))
.

2010-06-06 01:03 . 2010-06-06 01:03    --------    d-----w-    c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-06-05 14:42 . 2010-06-05 14:53    --------    d-----w-    c:\windows\SxsCaPendDel
2010-06-05 14:03 . 2010-06-05 14:03    --------    d-----w-    c:\program files\Trend Micro
2010-06-05 05:09 . 2010-06-05 13:42    --------    d-----w-    c:\documents and settings\NetworkService\Local Settings\Application Data\leuxktjso
2010-06-05 05:06 . 2010-06-06 01:02    --------    d-----w-    c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-04 23:55 . 2010-06-04 23:55    --------    d-----w-    c:\documents and settings\Andrew\Application Data\Malwarebytes
2010-06-04 23:53 . 2010-04-29 19:39    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-04 23:53 . 2010-06-04 23:53    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-04 23:53 . 2010-06-04 23:54    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-06-04 23:53 . 2010-04-29 19:39    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-06-04 02:36 . 2010-06-05 14:12    --------    d---a-w-    c:\documents and settings\All Users\Application Data\TEMP
2010-06-04 01:59 . 2010-06-04 01:59    --------    d-----w-    c:\documents and settings\Andrew\Application Data\Sky-Banners
2010-06-04 01:59 . 2010-06-05 14:47    --------    d-----w-    c:\documents and settings\Andrew\Application Data\Street-Ads
2010-06-04 01:43 . 2010-06-04 01:43    50981    ----a-w-    c:\windows\system32\bwqzvmaxmyswowpzv.exe
2010-05-25 05:38 . 2010-05-25 05:38    309248    ----a-w-    c:\windows\system32\nmzgaafc.dll
2010-05-23 04:05 . 2010-05-23 04:05    503808    ----a-w-    c:\documents and settings\Andrew\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6a641370-n\msvcp71.dll
2010-05-23 04:05 . 2010-05-23 04:05    499712    ----a-w-    c:\documents and settings\Andrew\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6a641370-n\jmc.dll
2010-05-23 04:05 . 2010-05-23 04:05    348160    ----a-w-    c:\documents and settings\Andrew\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6a641370-n\msvcr71.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-06 03:50 . 2006-10-11 05:40    --------    d-----w-    c:\program files\Common Files\Logitech
2010-06-06 03:18 . 2006-11-06 00:21    --------    d-----w-    c:\program files\Java
2010-06-06 03:16 . 2006-10-06 04:54    --------    d--h--w-    c:\program files\InstallShield Installation Information
2010-06-05 14:37 . 2006-10-08 19:35    --------    d-----w-    c:\documents and settings\Andrew\Application Data\Lavasoft
2010-06-05 14:34 . 2009-11-12 23:22    --------    d-----w-    c:\documents and settings\Andrew\Application Data\Microsoft Games
2010-04-18 17:07 . 2010-01-27 01:02    1    ----a-w-    c:\documents and settings\Andrew\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-03-13 00:00 . 2010-03-12 23:53    1084227584    ---ha-w-    C:\san_test.tmp
2010-03-12 23:47 . 2010-03-12 23:47    2316    ----a-w-    c:\documents and settings\All Users\Application Data\xml73.tmp
2010-03-12 23:47 . 2010-03-12 23:47    13443    ----a-w-    c:\documents and settings\All Users\Application Data\xml72.tmp
2010-03-12 23:47 . 2010-03-12 23:47    8274    ----a-w-    c:\documents and settings\All Users\Application Data\xml71.tmp
2010-03-12 22:32 . 2010-03-12 22:32    0    ----a-w-    c:\windows\system32\cd.dat
2010-03-11 12:38 . 2006-06-23 18:33    832512    ----a-w-    c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 07:56    78336    ----a-w-    c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2002-08-29 20:00    17408    ----a-w-    c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2002-08-29 20:00    430080    ----a-w-    c:\windows\system32\vbscript.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]

c:\documents and settings\Andrew\Start Menu\Programs\Startup\
Anapod Manager.lnk - c:\program files\Red Chair Software\Anapod Explorer\anamgr.exe [2008-6-7 1076276]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Andrew^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Andrew\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Andrew^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Andrew\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
2002-08-28 22:17    28672    ------w-    c:\windows\system32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTCheck]
2007-11-06 15:08    397312    ------w-    c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-04-02 20:11    342312    ----a-w-    c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50    155648    ------w-    c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 21:18    413696    ----a-w-    c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-01-15 22:54    37376    -c--a-w-    c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Andrew\\Desktop\\utorrent.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [4/7/2010 10:54 PM 14976]
R3 vuhub;Virtual Usb Hub;c:\windows\system32\drivers\vuhub.sys [4/12/2010 9:59 PM 66432]
R3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;c:\windows\system32\drivers\wbsd.sys [10/6/2006 12:54 AM 26240]
S2 UsbService;Eltima Usb to Ethernet Connector;c:\program files\ASUS\Printer Utilities\UsbService.exe --> c:\program files\ASUS\Printer Utilities\UsbService.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-06-06 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 02:18]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\9u6rkp2r.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - component: c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\9u6rkp2r.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\9u6rkp2r.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.00.13c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-06 01:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x869A6EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76d1fc3
\Driver\ACPI -> ACPI.sys @ 0xf7624cb8
\Driver\atapi -> atapi.sys @ 0xf75987b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a18f6
ParseProcedure -> ntoskrnl.exe @ 0x8056f26d
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a18f6
ParseProcedure -> ntoskrnl.exe @ 0x8056f26d
NDIS: Intel(R) PRO/Wireless LAN 2100 3B Mini PCI Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7491ba0
PacketIndicateHandler -> NDIS.sys @ 0xf749eb21
SendHandler -> NDIS.sys @ 0xf747c87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1048)
c:\windows\system32\WININET.dll
.
Completion time: 2010-06-06  01:57:36
ComboFix-quarantined-files.txt  2010-06-06 05:57
ComboFix2.txt  2010-06-06 04:50
ComboFix3.txt  2010-06-06 04:13

Pre-Run: 20,262,047,744 bytes free
Post-Run: 20,221,407,232 bytes free

- - End Of File - - DD15E107898FE0CA681A9734B2B928A9


#3 moshekim79


Posted 06 June 2010 - 01:39 AM

Combofix with CFScript

Followed directions from: http://www.bleepingcomputer.com/forums/t/320762/antimalware-doctor-and-browser-search-hijacking/

Briefly,

QUOTE
We will run ComboFix again. This time, the instructions are slightly different.

* Close any open browsers.
* Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
* Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
CODE
      TDL::
      C:\WINDOWS\system32\DRIVERS\kbdhid.sys

Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.


Output from Combofix+CFScript:

CODE
ComboFix 10-06-05.01 - Andrew 06/06/2010   2:15.4.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1023.789 [GMT -4:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Andrew\Desktop\CFScript.txt
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\DRIVERS\kbdhid.sys was found and disinfected
Restored copy from - Kitty had a snack :P
Infected copy of c:\windows\system32\drivers\RasAcd.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
(((((((((((((((((((((((((   Files Created from 2010-05-06 to 2010-06-06  )))))))))))))))))))))))))))))))
.

2010-06-06 01:03 . 2010-06-06 01:03    --------    d-----w-    c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-06-05 14:42 . 2010-06-05 14:53    --------    d-----w-    c:\windows\SxsCaPendDel
2010-06-05 14:03 . 2010-06-05 14:03    --------    d-----w-    c:\program files\Trend Micro
2010-06-05 05:09 . 2010-06-05 13:42    --------    d-----w-    c:\documents and settings\NetworkService\Local Settings\Application Data\leuxktjso
2010-06-05 05:06 . 2010-06-06 01:02    --------    d-----w-    c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-04 23:55 . 2010-06-04 23:55    --------    d-----w-    c:\documents and settings\Andrew\Application Data\Malwarebytes
2010-06-04 23:53 . 2010-04-29 19:39    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-04 23:53 . 2010-06-04 23:53    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-04 23:53 . 2010-06-04 23:54    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-06-04 23:53 . 2010-04-29 19:39    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-06-04 02:36 . 2010-06-05 14:12    --------    d---a-w-    c:\documents and settings\All Users\Application Data\TEMP
2010-06-04 01:59 . 2010-06-04 01:59    --------    d-----w-    c:\documents and settings\Andrew\Application Data\Sky-Banners
2010-06-04 01:59 . 2010-06-05 14:47    --------    d-----w-    c:\documents and settings\Andrew\Application Data\Street-Ads
2010-06-04 01:43 . 2010-06-04 01:43    50981    ----a-w-    c:\windows\system32\bwqzvmaxmyswowpzv.exe
2010-05-25 05:38 . 2010-05-25 05:38    309248    ----a-w-    c:\windows\system32\nmzgaafc.dll
2010-05-23 04:05 . 2010-05-23 04:05    503808    ----a-w-    c:\documents and settings\Andrew\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6a641370-n\msvcp71.dll
2010-05-23 04:05 . 2010-05-23 04:05    499712    ----a-w-    c:\documents and settings\Andrew\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6a641370-n\jmc.dll
2010-05-23 04:05 . 2010-05-23 04:05    348160    ----a-w-    c:\documents and settings\Andrew\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6a641370-n\msvcr71.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-06 03:50 . 2006-10-11 05:40    --------    d-----w-    c:\program files\Common Files\Logitech
2010-06-06 03:18 . 2006-11-06 00:21    --------    d-----w-    c:\program files\Java
2010-06-06 03:16 . 2006-10-06 04:54    --------    d--h--w-    c:\program files\InstallShield Installation Information
2010-06-05 14:37 . 2006-10-08 19:35    --------    d-----w-    c:\documents and settings\Andrew\Application Data\Lavasoft
2010-06-05 14:34 . 2009-11-12 23:22    --------    d-----w-    c:\documents and settings\Andrew\Application Data\Microsoft Games
2010-04-18 17:07 . 2010-01-27 01:02    1    ----a-w-    c:\documents and settings\Andrew\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-03-13 00:00 . 2010-03-12 23:53    1084227584    ---ha-w-    C:\san_test.tmp
2010-03-12 23:47 . 2010-03-12 23:47    2316    ----a-w-    c:\documents and settings\All Users\Application Data\xml73.tmp
2010-03-12 23:47 . 2010-03-12 23:47    13443    ----a-w-    c:\documents and settings\All Users\Application Data\xml72.tmp
2010-03-12 23:47 . 2010-03-12 23:47    8274    ----a-w-    c:\documents and settings\All Users\Application Data\xml71.tmp
2010-03-12 22:32 . 2010-03-12 22:32    0    ----a-w-    c:\windows\system32\cd.dat
2010-03-11 12:38 . 2006-06-23 18:33    832512    ----a-w-    c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 07:56    78336    ----a-w-    c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2002-08-29 20:00    17408    ----a-w-    c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2002-08-29 20:00    430080    ----a-w-    c:\windows\system32\vbscript.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]

c:\documents and settings\Andrew\Start Menu\Programs\Startup\
Anapod Manager.lnk - c:\program files\Red Chair Software\Anapod Explorer\anamgr.exe [2008-6-7 1076276]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Andrew^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Andrew\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Andrew^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Andrew\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
2002-08-28 22:17    28672    ------w-    c:\windows\system32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTCheck]
2007-11-06 15:08    397312    ------w-    c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-04-02 20:11    342312    ----a-w-    c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50    155648    ------w-    c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 21:18    413696    ----a-w-    c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-01-15 22:54    37376    -c--a-w-    c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Andrew\\Desktop\\utorrent.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [4/7/2010 10:54 PM 14976]
R3 vuhub;Virtual Usb Hub;c:\windows\system32\drivers\vuhub.sys [4/12/2010 9:59 PM 66432]
R3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;c:\windows\system32\drivers\wbsd.sys [10/6/2006 12:54 AM 26240]
S2 UsbService;Eltima Usb to Ethernet Connector;c:\program files\ASUS\Printer Utilities\UsbService.exe --> c:\program files\ASUS\Printer Utilities\UsbService.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-06-06 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 02:18]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\9u6rkp2r.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - component: c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\9u6rkp2r.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\9u6rkp2r.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.00.13
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-06 02:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x869A6EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76d1fc3
\Driver\ACPI -> ACPI.sys @ 0xf7624cb8
\Driver\atapi -> atapi.sys @ 0xf75987b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a18f6
ParseProcedure -> ntoskrnl.exe @ 0x8056f26d
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a18f6
ParseProcedure -> ntoskrnl.exe @ 0x8056f26d
NDIS: Intel® PRO/Wireless LAN 2100 3B Mini PCI Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7491ba0
PacketIndicateHandler -> NDIS.sys @ 0xf749eb21
SendHandler -> NDIS.sys @ 0xf747c87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1040)
c:\windows\system32\WININET.dll
.
Completion time: 2010-06-06  02:32:07
ComboFix-quarantined-files.txt  2010-06-06 06:31
ComboFix2.txt  2010-06-06 05:57
ComboFix3.txt  2010-06-06 04:50
ComboFix4.txt  2010-06-06 04:13

Pre-Run: 20,231,487,488 bytes free
Post-Run: 20,190,896,128 bytes free

- - End Of File - - 71B1BE4A8F9EB1E3FC9E5AAEDCF17DEA


#4 moshekim79 (Topic Starter, Members, 9 posts)

Posted 06 June 2010 - 01:43 AM

SystemLook

Followed advice from: http://www.bleepingcomputer.com/forums/t/320762/antimalware-doctor-and-browser-search-hijacking/

QUOTE
Doesn't appear to have been removed. We need to look for a replacement copy now to replace that.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

* Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select Run as administrator.)
* A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
* Copy and Paste the content of the following codebox into the main textfield under "File":
CODE
      :filefind
      kbdhid.*

* Please confirm everything is copied and pasted as I have provided above.
* Click the Look button to start the scan.
* When finished, a notepad window will open with the results of the scan.
* Please post this log in your next reply.

Note: The log can also be found on your Desktop, entitled SystemLook.txt.
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.


SystemLook output

CODE
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 02:41 on 06/06/2010 by Andrew (Administrator - Elevation successful)

========== filefind ==========

Searching for "kbdhid.*"
C:\cmdcons\KBDHID.SY_    --a--- 7921 bytes    [02:58 04/08/2004]    [02:58 04/08/2004] 78EED0258A4173E317E098C024275CD2
C:\WINDOWS\ServicePackFiles\i386\kbdhid.sys    -----c 14848 bytes    [05:58 04/08/2004]    [05:58 04/08/2004] E182FA8E49E8EE41B4ADC53093F3C7E6
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\kbdhid.sys    --a--c 14592 bytes    [01:35 30/08/2008]    [18:39 13/04/2008] 9EF487A186DEA361AA06913A75B3FA99

-=End Of File=-
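The point of the filefind run above is to locate a clean copy of the removed driver before ComboFix is told, via the TDL:: script in the next post, to restore it. As an added example (not from this thread, SystemLook or ComboFix), the Python below parses the filefind output, reports that the live copy under system32\drivers is absent, ranks the uncompressed copies by source, and checks the restored file's size against the ComboFix SnapShot "+" line; the source ranking and the regexes are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the three filefind hits from the SystemLook log
# posted in this thread, reproduced verbatim.
SYSTEMLOOK_OUTPUT = r"""
========== filefind ==========

Searching for "kbdhid.*"
C:\cmdcons\KBDHID.SY_    --a--- 7921 bytes    [02:58 04/08/2004]    [02:58 04/08/2004] 78EED0258A4173E317E098C024275CD2
C:\WINDOWS\ServicePackFiles\i386\kbdhid.sys    -----c 14848 bytes    [05:58 04/08/2004]    [05:58 04/08/2004] E182FA8E49E8EE41B4ADC53093F3C7E6
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\kbdhid.sys    --a--c 14592 bytes    [01:35 30/08/2008]    [18:39 13/04/2008] 9EF487A186DEA361AA06913A75B3FA99

-=End Of File=-
"""

# The "+" line ComboFix printed in its SnapShot section after the TDL:: script
# restored the driver (also taken from this thread).
SNAPSHOT_LINE = r"+ 2004-08-04 05:58 . 2004-08-04 05:58    14848              c:\windows\system32\drivers\kbdhid.sys"

# One filefind hit: <path>  <attrs> <size> bytes  [stamp]  [stamp] <MD5>
# (regex is an assumption of this example, fitted to the lines above)
HIT_RE = re.compile(
    r"^(?P<path>.+?)\s{2,}(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
# ComboFix SnapShot line: "+ <date> <time> . <date> <time>   <size>   <path>"
SNAP_RE = re.compile(r"^\+\s+\S+ \S+ \. \S+ \S+\s+(?P<size>\d+)\s+(?P<path>\S.*?)\s*$")

LIVE_DRIVER_DIR = r"c:\windows\system32\drivers"


@dataclass
class FileHit:
    path: str
    attrs: str
    size: int
    ts1: str   # first bracketed timestamp, in the order SystemLook prints them
    ts2: str   # second bracketed timestamp
    md5: str


def parse_filefind(text: str) -> List[FileHit]:
    """Extract every hit line from a SystemLook filefind section."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if m:
            hits.append(FileHit(m["path"], m["attrs"], int(m["size"]),
                                m["ts1"], m["ts2"], m["md5"].upper()))
    return hits


def live_copy(hits: List[FileHit], name: str = "kbdhid.sys") -> Optional[FileHit]:
    """The copy Windows actually loads, or None if the scan did not list it
    (the situation in this thread: the infected driver had been removed)."""
    wanted = LIVE_DRIVER_DIR + "\\" + name
    for h in hits:
        if h.path.lower() == wanted:
            return h
    return None


def replacement_candidates(hits: List[FileHit], name: str = "kbdhid.sys") -> List[FileHit]:
    """Uncompressed copies of the driver, most trustworthy source first.

    The ranking is an assumption of this example: Service Pack file cache
    before the Windows Update download cache, anything else last. The
    cmdcons copy is cab-compressed (hence its smaller size and .SY_ name)
    and is excluded because its name does not end in .sys.
    """
    rank = [("\\servicepackfiles\\", 0), ("\\softwaredistribution\\", 1)]

    def source_rank(h: FileHit) -> int:
        p = h.path.lower()
        return next((r for token, r in rank if token in p), len(rank))

    cands = [h for h in hits if h.path.lower().endswith("\\" + name)]
    return sorted(cands, key=source_rank)


def restored_matches(snapshot_line: str, candidate: FileHit) -> bool:
    """True if the ComboFix SnapShot '+' line shows a file with the same name
    and size as the candidate that was handed to the TDL:: directive."""
    m = SNAP_RE.match(snapshot_line)
    if not m:
        return False
    base = candidate.path.split("\\")[-1].lower()
    return m["path"].lower().endswith("\\" + base) and int(m["size"]) == candidate.size


if __name__ == "__main__":
    found = parse_filefind(SYSTEMLOOK_OUTPUT)
    print("live driver present:", live_copy(found) is not None)
    cands = replacement_candidates(found)
    for c in cands:
        print(f"candidate {c.path} size={c.size} md5={c.md5}")
    print("restore matched best candidate:", restored_matches(SNAPSHOT_LINE, cands[0]))
```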


#5 moshekim79 (Topic Starter, Members, 9 posts)

Posted 06 June 2010 - 02:19 AM

Combofix+CFScript2


-open notebook.
-type the following:
CODE
TDL::
C:\WINDOWS\ServicePackFiles\i386\kbdhid.sys

-save as CFScript2.txt
-drag and drop onto 'Combofix'


Combofix+CFScript2:
CODE
ComboFix 10-06-05.01 - Andrew 06/06/2010   2:59.5.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1023.789 [GMT -4:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Andrew\Desktop\CFScript2.txt
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\RasAcd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
(((((((((((((((((((((((((   Files Created from 2010-05-06 to 2010-06-06  )))))))))))))))))))))))))))))))
.

2010-06-06 01:03 . 2010-06-06 01:03    --------    d-----w-    c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-06-05 14:42 . 2010-06-05 14:53    --------    d-----w-    c:\windows\SxsCaPendDel
2010-06-05 14:03 . 2010-06-05 14:03    --------    d-----w-    c:\program files\Trend Micro
2010-06-05 05:09 . 2010-06-05 13:42    --------    d-----w-    c:\documents and settings\NetworkService\Local Settings\Application Data\leuxktjso
2010-06-05 05:06 . 2010-06-06 01:02    --------    d-----w-    c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-04 23:55 . 2010-06-04 23:55    --------    d-----w-    c:\documents and settings\Andrew\Application Data\Malwarebytes
2010-06-04 23:53 . 2010-04-29 19:39    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-04 23:53 . 2010-06-04 23:53    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-04 23:53 . 2010-06-04 23:54    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-06-04 23:53 . 2010-04-29 19:39    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-06-04 02:36 . 2010-06-05 14:12    --------    d---a-w-    c:\documents and settings\All Users\Application Data\TEMP
2010-06-04 01:59 . 2010-06-04 01:59    --------    d-----w-    c:\documents and settings\Andrew\Application Data\Sky-Banners
2010-06-04 01:59 . 2010-06-05 14:47    --------    d-----w-    c:\documents and settings\Andrew\Application Data\Street-Ads
2010-06-04 01:43 . 2010-06-04 01:43    50981    ----a-w-    c:\windows\system32\bwqzvmaxmyswowpzv.exe
2010-05-25 05:38 . 2010-05-25 05:38    309248    ----a-w-    c:\windows\system32\nmzgaafc.dll
2010-05-23 04:05 . 2010-05-23 04:05    503808    ----a-w-    c:\documents and settings\Andrew\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6a641370-n\msvcp71.dll
2010-05-23 04:05 . 2010-05-23 04:05    499712    ----a-w-    c:\documents and settings\Andrew\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6a641370-n\jmc.dll
2010-05-23 04:05 . 2010-05-23 04:05    348160    ----a-w-    c:\documents and settings\Andrew\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6a641370-n\msvcr71.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-06 03:50 . 2006-10-11 05:40    --------    d-----w-    c:\program files\Common Files\Logitech
2010-06-06 03:18 . 2006-11-06 00:21    --------    d-----w-    c:\program files\Java
2010-06-06 03:16 . 2006-10-06 04:54    --------    d--h--w-    c:\program files\InstallShield Installation Information
2010-06-05 14:37 . 2006-10-08 19:35    --------    d-----w-    c:\documents and settings\Andrew\Application Data\Lavasoft
2010-06-05 14:34 . 2009-11-12 23:22    --------    d-----w-    c:\documents and settings\Andrew\Application Data\Microsoft Games
2010-04-18 17:07 . 2010-01-27 01:02    1    ----a-w-    c:\documents and settings\Andrew\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-03-13 00:00 . 2010-03-12 23:53    1084227584    ---ha-w-    C:\san_test.tmp
2010-03-12 23:47 . 2010-03-12 23:47    2316    ----a-w-    c:\documents and settings\All Users\Application Data\xml73.tmp
2010-03-12 23:47 . 2010-03-12 23:47    13443    ----a-w-    c:\documents and settings\All Users\Application Data\xml72.tmp
2010-03-12 23:47 . 2010-03-12 23:47    8274    ----a-w-    c:\documents and settings\All Users\Application Data\xml71.tmp
2010-03-12 22:32 . 2010-03-12 22:32    0    ----a-w-    c:\windows\system32\cd.dat
2010-03-11 12:38 . 2006-06-23 18:33    832512    ----a-w-    c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 07:56    78336    ----a-w-    c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2002-08-29 20:00    17408    ----a-w-    c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2002-08-29 20:00    430080    ----a-w-    c:\windows\system32\vbscript.dll
.

(((((((((((((((((((((((((((((   SnapShot@2010-06-06_04.07.39   )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 05:58 . 2004-08-04 05:58    14848              c:\windows\system32\drivers\kbdhid.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]

c:\documents and settings\Andrew\Start Menu\Programs\Startup\
Anapod Manager.lnk - c:\program files\Red Chair Software\Anapod Explorer\anamgr.exe [2008-6-7 1076276]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Andrew^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Andrew\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Andrew^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Andrew\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
2002-08-28 22:17    28672    ------w-    c:\windows\system32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTCheck]
2007-11-06 15:08    397312    ------w-    c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-04-02 20:11    342312    ----a-w-    c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50    155648    ------w-    c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 21:18    413696    ----a-w-    c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-01-15 22:54    37376    -c--a-w-    c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Andrew\\Desktop\\utorrent.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [4/7/2010 10:54 PM 14976]
R3 vuhub;Virtual Usb Hub;c:\windows\system32\drivers\vuhub.sys [4/12/2010 9:59 PM 66432]
R3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;c:\windows\system32\drivers\wbsd.sys [10/6/2006 12:54 AM 26240]
S2 UsbService;Eltima Usb to Ethernet Connector;c:\program files\ASUS\Printer Utilities\UsbService.exe --> c:\program files\ASUS\Printer Utilities\UsbService.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-06-06 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 02:18]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\9u6rkp2r.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - component: c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\9u6rkp2r.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\9u6rkp2r.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.00.13
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-06 03:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x869A4EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76d1fc3
\Driver\ACPI -> ACPI.sys @ 0xf7624cb8
\Driver\atapi -> atapi.sys @ 0xf75987b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a18f6
ParseProcedure -> ntoskrnl.exe @ 0x8056f26d
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a18f6
ParseProcedure -> ntoskrnl.exe @ 0x8056f26d
NDIS: Intel(R) PRO/Wireless LAN 2100 3B Mini PCI Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7491ba0
PacketIndicateHandler -> NDIS.sys @ 0xf749eb21
SendHandler -> NDIS.sys @ 0xf747c87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(996)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1056)
c:\windows\system32\WININET.dll
.
Completion time: 2010-06-06  03:16:01
ComboFix-quarantined-files.txt  2010-06-06 07:15
ComboFix2.txt  2010-06-06 06:32
ComboFix3.txt  2010-06-06 05:57
ComboFix4.txt  2010-06-06 04:50
ComboFix5.txt  2010-06-06 06:50

Pre-Run: 20,196,745,216 bytes free
Post-Run: 20,160,475,136 bytes free

- - End Of File - - FA8E3DC84A85A2C62FC4D2174B5F3A1E


#6 Farbar, Just Curious (Security Developer, 21,688 posts, Location: The Netherlands)

Posted 08 June 2010 - 04:17 PM

Hi moshekim79,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

If the issue is not solved, please do the following:

Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.

Double-click to run TDLfix.exe, type the following in the command window and press Enter:

mbr

A log file opens up. Please post its content in your reply.

#7 moshekim79 (Topic Starter, Members, 9 posts)

Posted 09 June 2010 - 07:13 AM

Okay, I agree.
Right now, I don't have access to the malware-infected cpu.
Will run program at 5pm EST.

Thanks for your help!

#8 Farbar, Just Curious (Security Developer, 21,688 posts, Location: The Netherlands)

Posted 09 June 2010 - 07:35 AM

That sounds good. Please also attach the last ComboFix log that is on the root of C: drive (C:\Combofix.txt).

#9 moshekim79 (Topic Starter, Members, 9 posts)

Posted 09 June 2010 - 05:34 PM

TDLfix output:

CODE
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x869A4EC5]<<
kernel: MBR read successfully
user & kernel MBR OK


Combofix output:

CODE
ComboFix 10-06-05.01 - Andrew 06/06/2010   2:59.5.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1023.789 [GMT -4:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Andrew\Desktop\CFScript2.txt
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\RasAcd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
(((((((((((((((((((((((((   Files Created from 2010-05-06 to 2010-06-06  )))))))))))))))))))))))))))))))
.

2010-06-06 01:03 . 2010-06-06 01:03    --------    d-----w-    c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-06-05 14:42 . 2010-06-05 14:53    --------    d-----w-    c:\windows\SxsCaPendDel
2010-06-05 14:03 . 2010-06-05 14:03    --------    d-----w-    c:\program files\Trend Micro
2010-06-05 05:09 . 2010-06-05 13:42    --------    d-----w-    c:\documents and settings\NetworkService\Local Settings\Application Data\leuxktjso
2010-06-05 05:06 . 2010-06-06 01:02    --------    d-----w-    c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-04 23:55 . 2010-06-04 23:55    --------    d-----w-    c:\documents and settings\Andrew\Application Data\Malwarebytes
2010-06-04 23:53 . 2010-04-29 19:39    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-04 23:53 . 2010-06-04 23:53    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-04 23:53 . 2010-06-04 23:54    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-06-04 23:53 . 2010-04-29 19:39    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-06-04 02:36 . 2010-06-05 14:12    --------    d---a-w-    c:\documents and settings\All Users\Application Data\TEMP
2010-06-04 01:59 . 2010-06-04 01:59    --------    d-----w-    c:\documents and settings\Andrew\Application Data\Sky-Banners
2010-06-04 01:59 . 2010-06-05 14:47    --------    d-----w-    c:\documents and settings\Andrew\Application Data\Street-Ads
2010-06-04 01:43 . 2010-06-04 01:43    50981    ----a-w-    c:\windows\system32\bwqzvmaxmyswowpzv.exe
2010-05-25 05:38 . 2010-05-25 05:38    309248    ----a-w-    c:\windows\system32\nmzgaafc.dll
2010-05-23 04:05 . 2010-05-23 04:05    503808    ----a-w-    c:\documents and settings\Andrew\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6a641370-n\msvcp71.dll
2010-05-23 04:05 . 2010-05-23 04:05    499712    ----a-w-    c:\documents and settings\Andrew\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6a641370-n\jmc.dll
2010-05-23 04:05 . 2010-05-23 04:05    348160    ----a-w-    c:\documents and settings\Andrew\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6a641370-n\msvcr71.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-06 03:50 . 2006-10-11 05:40    --------    d-----w-    c:\program files\Common Files\Logitech
2010-06-06 03:18 . 2006-11-06 00:21    --------    d-----w-    c:\program files\Java
2010-06-06 03:16 . 2006-10-06 04:54    --------    d--h--w-    c:\program files\InstallShield Installation Information
2010-06-05 14:37 . 2006-10-08 19:35    --------    d-----w-    c:\documents and settings\Andrew\Application Data\Lavasoft
2010-06-05 14:34 . 2009-11-12 23:22    --------    d-----w-    c:\documents and settings\Andrew\Application Data\Microsoft Games
2010-04-18 17:07 . 2010-01-27 01:02    1    ----a-w-    c:\documents and settings\Andrew\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-03-13 00:00 . 2010-03-12 23:53    1084227584    ---ha-w-    C:\san_test.tmp
2010-03-12 23:47 . 2010-03-12 23:47    2316    ----a-w-    c:\documents and settings\All Users\Application Data\xml73.tmp
2010-03-12 23:47 . 2010-03-12 23:47    13443    ----a-w-    c:\documents and settings\All Users\Application Data\xml72.tmp
2010-03-12 23:47 . 2010-03-12 23:47    8274    ----a-w-    c:\documents and settings\All Users\Application Data\xml71.tmp
2010-03-12 22:32 . 2010-03-12 22:32    0    ----a-w-    c:\windows\system32\cd.dat
2010-03-11 12:38 . 2006-06-23 18:33    832512    ----a-w-    c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 07:56    78336    ----a-w-    c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2002-08-29 20:00    17408    ----a-w-    c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2002-08-29 20:00    430080    ----a-w-    c:\windows\system32\vbscript.dll
.

(((((((((((((((((((((((((((((   SnapShot@2010-06-06_04.07.39   )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 05:58 . 2004-08-04 05:58    14848              c:\windows\system32\drivers\kbdhid.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]

c:\documents and settings\Andrew\Start Menu\Programs\Startup\
Anapod Manager.lnk - c:\program files\Red Chair Software\Anapod Explorer\anamgr.exe [2008-6-7 1076276]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Andrew^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Andrew\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Andrew^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Andrew\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
2002-08-28 22:17    28672    ------w-    c:\windows\system32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTCheck]
2007-11-06 15:08    397312    ------w-    c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-04-02 20:11    342312    ----a-w-    c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50    155648    ------w-    c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 21:18    413696    ----a-w-    c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-01-15 22:54    37376    -c--a-w-    c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Andrew\\Desktop\\utorrent.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [4/7/2010 10:54 PM 14976]
R3 vuhub;Virtual Usb Hub;c:\windows\system32\drivers\vuhub.sys [4/12/2010 9:59 PM 66432]
R3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;c:\windows\system32\drivers\wbsd.sys [10/6/2006 12:54 AM 26240]
S2 UsbService;Eltima Usb to Ethernet Connector;c:\program files\ASUS\Printer Utilities\UsbService.exe --> c:\program files\ASUS\Printer Utilities\UsbService.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-06-06 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 02:18]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\9u6rkp2r.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - component: c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\9u6rkp2r.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\9u6rkp2r.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.00.13
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-06 03:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x869A4EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76d1fc3
\Driver\ACPI -> ACPI.sys @ 0xf7624cb8
\Driver\atapi -> atapi.sys @ 0xf75987b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a18f6
ParseProcedure -> ntoskrnl.exe @ 0x8056f26d
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a18f6
ParseProcedure -> ntoskrnl.exe @ 0x8056f26d
NDIS: Intel(R) PRO/Wireless LAN 2100 3B Mini PCI Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7491ba0
PacketIndicateHandler -> NDIS.sys @ 0xf749eb21
SendHandler -> NDIS.sys @ 0xf747c87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(996)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1056)
c:\windows\system32\WININET.dll
.
Completion time: 2010-06-06  03:16:01
ComboFix-quarantined-files.txt  2010-06-06 07:15
ComboFix2.txt  2010-06-06 06:32
ComboFix3.txt  2010-06-06 05:57
ComboFix4.txt  2010-06-06 04:50
ComboFix5.txt  2010-06-06 06:50

Pre-Run: 20,196,745,216 bytes free
Post-Run: 20,160,475,136 bytes free

- - End Of File - - FA8E3DC84A85A2C62FC4D2174B5F3A1E


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:16 AM

Posted 09 June 2010 - 05:41 PM

Just a reminder: it is not advised to run ComboFix without supervision of a trained helper. And most definitely the fix of other logs should not be copied.

  1. Close all the open windows.
    • Disable real-time protection of your security software and make sure it will not run at startup after reboot. They may otherwise interfere with the tool. (Information on A/V control HERE)
    • Double-click TDLfix.exe to run the tool, a command window opens.
    • Type (or copy the following and right-click to paste) in the command window and press Enter:

      RasAcd

    • The application shall restart the computer immediately. It runs after restart briefly then closes.
    • Tell me if the computer rebooted and ran to completion.

  2. Reboot the computer once manually then run TDLFix again, type mbr and press Enter. Copy and paste the log it creates.


#11 moshekim79

moshekim79
  • Topic Starter

  • Members
  • 9 posts
  • Local time:12:16 AM

Posted 09 June 2010 - 06:05 PM

No antivirus program installed.... so no need to deactivate.

TDLfix.exe -> RasAcd
No problem with reboot.


TDLfix.exe -> MBR
Output for rebooted cpu:
CODE
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys
kernel: MBR read successfully
user & kernel MBR OK

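The two Stealth MBR detector outputs in this thread differ in the "called modules" line: the earlier ComboFix run lists a `>>UNKNOWN [0x869A4EC5]<<` module and a block of "detected MBR rootkit hooks", while the run above is clean, even though both end with "user & kernel MBR OK". As an added example that is not part of the original posts or of Gmer's tool, here is a small Python parser that pulls those fields out of such a log and flags a report whose disk path is not trustworthy; the two embedded logs are copied from the thread (the first trimmed to two hook lines).

```python
import re

# Two Gmer "Stealth MBR rootkit" detector outputs copied from this thread:
# the pre-fix one with the >>UNKNOWN<< module (trimmed) and the post-fix clean one.
BEFORE = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x869A4EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\\Driver\\Disk -> CLASSPNP.SYS @ 0xf76d1fc3
\\Driver\\atapi -> atapi.sys @ 0xf75987b4
user & kernel MBR OK
"""

AFTER = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys
kernel: MBR read successfully
user & kernel MBR OK
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^(\S.*?) -> (\S+) @ (0x[0-9a-fA-F]+)$")

def parse_mbr_report(text):
    """Extract the fields a helper looks at from a Gmer MBR detector log."""
    report = {"modules": [], "unknown": [], "hooks": [], "mbr_ok": False}
    in_hooks = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("called modules:"):
            body = line.split(":", 1)[1]
            report["unknown"] = UNKNOWN_RE.findall(body)          # unattributed code addresses
            report["modules"] = UNKNOWN_RE.sub("", body).split()  # named drivers in the disk path
        elif line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
        elif line.startswith("user & kernel MBR OK"):
            report["mbr_ok"] = True
            in_hooks = False
        elif in_hooks:
            m = HOOK_RE.match(line)
            if m:  # (hooked object, module owning the hook, address)
                report["hooks"].append((m.group(1), m.group(2), m.group(3)))
    return report

def suspicious(report):
    """A module the tool cannot attribute to a driver on disk, or any hooked
    disk-stack entry, means the MBR read cannot be trusted even when the
    user-mode and kernel-mode MBR copies compare OK."""
    return bool(report["unknown"] or report["hooks"])
```

Run over the two logs, the first report is flagged (mbr_ok is true but an unknown module and two hooks are present) and the second is not.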

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:16 AM

Posted 09 June 2010 - 06:14 PM

The log is clean and the rootkit is taken care of.

I strongly advise you to do all the following steps to avoid reinfection.
  1. Run TDLfix, type del and press Enter. This will delete the quarantined infected file and mbr.exe. Delete the tool from your desktop.

  2. You are missing one important program on that computer: An antivirus.
    This is somewhat suicidal in today's digital world.
    You need to install an antivirus program as soon as you can. I recommend this good free antivirus:

    Avira
    • Download the installer from softpedia.com link as it has a secure download mirror. Install and update it. Do other steps and come back and run a full system scan and let it remove what it finds.

  3. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 20 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

  4. Please download OTC and save it to Desktop.
    • Make sure you have internet connection.
    • Double-click OTC. In Windows Vista right-click to run it as administrator.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.

  5. It is important to uninstall ComboFix.

    Go to Start => Run => copy and paste the next command into the field, then hit Enter:

    ComboFix /Uninstall

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  6. You may delete all the logs or tools used from your computer.


Happy Surfing.

#13 moshekim79

moshekim79
  • Topic Starter

  • Members
  • 9 posts
  • Local time:12:16 AM

Posted 09 June 2010 - 06:28 PM

Farbar,

Thanks for all your help! It was quite painless, but more importantly, I'll do all the protective measures you've just outlined.
Thanks for taking time out of your schedule to help out a fellow surfer. Really appreciate it. Cheers!


#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:16 AM

Posted 09 June 2010 - 06:32 PM

You are most welcome, moshekim79.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



