Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google redirect virus, frequent pop ups, etc.


  • This topic is locked This topic is locked
15 replies to this topic

#1 imagica

imagica

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:43 AM

Posted 08 June 2010 - 04:01 PM

It started out with a simple occasional page redirect when I clicked on a link that led to an advertisement or a page warning me that the link I was clicking on could potentiall harm my computer, even if it was just a website like Huffington Post or photobucket. Now I think when I enter google it opens a fake google that overlays the real google. Then when I click on anything in the search it redirects me. It's impossible to reach a web page unless I type out the full url instead of using a search engine. I've tried different malware removers such as malwarebites but half of them require payment to remove the virus or they just don't detect it at all. I've tried restoring the system to before the virus. That didn't work. Hopefully posting here helps

Thank you in advance.

Attached Files


Edited by imagica, 08 June 2010 - 04:02 PM.


BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:43 PM

Posted 11 June 2010 - 05:32 PM

Hi imagica,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes.
  1. Run GMER, uncheck all boxes except the box next to Sections (C drive should remain checked), click Scan.
    When it finished press Save to save the log and post it to your reply. It will not take more than a minute.

  2. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

    Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

    CODE
    @echo off
    if exist mbr.log del mbr.log
    mbr.exe -t
    ping 1.1.1.1 -n 1 -w 1000 >nul
    start mbr.log

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Double-click to run it.
    • A notepad opens, copy and paste the content (log.txt) to your reply.

  3. Please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt


#3 imagica

imagica
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:43 AM

Posted 11 June 2010 - 06:24 PM

When I clicked the look.bat icon a black box came up that said "'mbr.exe' is not recoginized as an internal or external command, operable program or batch file." and another box came up that says "Windows cannot find 'mbr.log' Make sure you typed the name correctly, and then try again. To search for file, click the start button, then click the Start button, then click Search."

I'm pretty sure sure I followed the steps correctly. However, here are the other logs.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-11 16:05:03
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Alyson\LOCALS~1\Temp\kwdcyaog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2738 80501628 4 Bytes JMP 79F8A82F

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[808] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C7000A
.text C:\WINDOWS\Explorer.EXE[808] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CD000A
.text C:\WINDOWS\Explorer.EXE[808] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C6000C
.text C:\WINDOWS\System32\svchost.exe[1360] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007D000A
.text C:\WINDOWS\System32\svchost.exe[1360] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007E000A
.text C:\WINDOWS\System32\svchost.exe[1360] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007C000C
.text C:\WINDOWS\System32\svchost.exe[1360] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 010F000A
.text C:\WINDOWS\System32\svchost.exe[1360] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 0101000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1924] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1924] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1924] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B2000C
.text C:\Program Files\Internet Explorer\iexplore.exe[1924] USER32.dll!UnhookWindowsHookEx 7E41F21E 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1924] USER32.dll!CallNextHookEx 7E41F85B 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1924] USER32.dll!CreateWindowExW 7E41FC25 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1924] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1924] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1924] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1924] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1924] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1924] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1924] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1924] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1924] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1924] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1924] ole32.dll!OleLoadFromStream 7752A257 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2360] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2360] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2360] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B2000C
.text C:\Program Files\Internet Explorer\iexplore.exe[2360] USER32.dll!UnhookWindowsHookEx 7E41F21E 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2360] USER32.dll!CallNextHookEx 7E41F85B 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2360] USER32.dll!CreateWindowExW 7E41FC25 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2360] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2360] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2360] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2360] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2360] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2360] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2360] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2360] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2360] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2360] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2360] ole32.dll!OleLoadFromStream 7752A257 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3056] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3056] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3056] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B2000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3056] USER32.dll!CreateWindowExW 7E41FC25 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3056] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3056] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3056] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3056] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3056] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3056] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3056] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3056] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\system32\wuauclt.exe[61340] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\wuauclt.exe[61340] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BB000A
.text C:\WINDOWS\system32\wuauclt.exe[61340] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B9000C
.text C:\WINDOWS\system32\wuauclt.exe[62728] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\system32\wuauclt.exe[62728] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\wuauclt.exe[62728] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\Program Files\Internet Explorer\iexplore.exe[65336] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[65336] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[65336] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B2000C
.text C:\Program Files\Internet Explorer\iexplore.exe[65336] USER32.dll!UnhookWindowsHookEx 7E41F21E 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[65336] USER32.dll!CallNextHookEx 7E41F85B 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[65336] USER32.dll!CreateWindowExW 7E41FC25 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[65336] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[65336] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[65336] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[65336] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[65336] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[65336] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[65336] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[65336] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[65336] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[65336] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[65336] ole32.dll!OleLoadFromStream 7752A257 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----



I'm trying to post the DDS log, but when I do I get an "internet explorer can't display webpage"

Edited by imagica, 11 June 2010 - 06:33 PM.


#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:43 PM

Posted 11 June 2010 - 06:37 PM

I see the type of infection. But I would like you to be more precise to avoid redoing or doing harm. Open Windows directory and you will see mbr.exe is not there. Have you used Firefox to download mbr.exe? Then it probably set to its default "Downloads" older.

In order to have the option to change the download location run Firefox:
Under Tools menu select Options... under download section check:
    Show the Downloads window when downloading a file.
    Always ask me where to save files.
Click OK

Now download mbr.exe again and save it to C:\Windows directory and run the batch file again.

#5 imagica

imagica
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:43 AM

Posted 11 June 2010 - 06:53 PM

Alright, that worked:


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89FB7CEC]<<
kernel: MBR read successfully
user & kernel MBR OK


#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:43 PM

Posted 11 June 2010 - 07:01 PM

We are going to run this special tool.
  • Please download TDSSKiller.exe and save it to your desktop.
  • Run TDSSKiller.exe.
  • When it finished press any key to continue.
  • Let reboot if needed and tell me if it needed a reboot.
  • Also it makes a txt file on the C:\ directory (like TDSSKiller.2.3.2.0_Date_Time_log.txt). Please attach it to your replay.


#7 imagica

imagica
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:43 AM

Posted 11 June 2010 - 08:11 PM

It did require me to reboot.

Attached Files



#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:43 PM

Posted 11 June 2010 - 08:17 PM

The tool found and disinfected the rootkit. thumbup2.gif
  1. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


  2. Please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt


#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:43 PM

Posted 11 June 2010 - 09:04 PM

Please don't miss my previous post.

Please do this also before making a fresh DDS.txt, you do it before or after running the updated Malwarebytes:

Download HostsXpert.zip
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click "Restore Microsoft's Hosts file" and then click "OK".
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


#10 imagica

imagica
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:43 AM

Posted 11 June 2010 - 09:06 PM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4190

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

6/11/2010 6:51:59 PM
mbam-log-2010-06-11 (18-51-59).txt

Scan type: Quick scan
Objects scanned: 165727
Time elapsed: 20 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\RelatedPageInstall (Adware.Mirar) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\PlayAllDVD (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alyson\Start Menu\Programs\PlayAllDVD (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Alyson\Application Data\c370c8a2-836b-4541-85e2-d4f6e510e19d_32.avi (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alyson\Local Settings\temp\0.015002559274838734.exe (Trojan.Scar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alyson\Local Settings\temp\a.exe (Trojan.Scar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alyson\Local Settings\temp\ins1E8.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alyson\Local Settings\temp\ins1EB.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\PlayAllDVD\Uninstall.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alyson\Start Menu\Programs\PlayAllDVD\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ESQULzcounter (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Alyson at 19:05:13.88 on Fri 06/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1270.716 [GMT -7:00]

AV: Bitdefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Bitdefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\F5D8053\v6\WifiSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\WINDOWS\System32\svchost.exe -kbdx
C:\Program Files\Belkin\F5D8053\v6\BelkinWCUI.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alyson\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2008\IEToolbar.dll
TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll
TB: {61539ECD-CC67-4437-A03C-9AACCBD14326} - No File
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [PRONoMgrWired] c:\program files\intel\prosetwired\ncs\proset\PRONoMgr.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2008\IEShow.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f5d8053\v6\BelkinWCUI.exe
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Alice's%20Magical%20Mahjong/Images/stg_drm.ocx
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205107098997
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Alice's%20Magical%20Mahjong/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 84.16.244.15 www.google.com
Hosts: 84.16.244.15 us.search.yahoo.com
Hosts: 84.16.244.15 uk.search.yahoo.com
Hosts: 84.16.244.15 search.yahoo.com
Hosts: 84.16.244.15 www.google.com.br

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alyson\applic~1\mozilla\firefox\profiles\9elnczcu.default\
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://aimzones.aol.com/homepage
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?invocationType=bu10aiminstabie7&sredir=2706&query=
FF - plugin: c:\documents and settings\alyson\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 Belkin Wifi Service;Belkin Wifi Service;c:\program files\belkin\f5d8053\v6\WifiSvc.exe [2010-3-14 274432]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-7-25 24652]
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [2010-3-14 584832]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-29 135664]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-4-23 224896]
S4 XoftSpyService;XoftSpyService;c:\program files\common files\xoftspyse\6\xoftspyservice.exe [2009-10-23 582424]

=============== Created Last 30 ================

2010-06-11 23:53:00 77312 ----a-w- c:\windows\mbr.exe
2010-06-08 05:10:41 0 ----a-w- c:\documents and settings\alyson\defogger_reenable
2010-06-08 02:56:26 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-08 02:43:44 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-08 02:42:29 0 d-----w- c:\docume~1\alyson\applic~1\Malwarebytes
2010-06-08 00:12:40 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2010-06-08 00:12:38 0 d-----w- c:\program files\common files\ParetoLogic
2010-06-08 00:12:23 0 d-----w- c:\program files\common files\XoftSpySE
2010-06-08 00:12:20 0 d-----w- c:\docume~1\alluse~1\applic~1\XoftSpySE
2010-06-08 00:12:01 0 d-----w- c:\program files\XoftSpySE6
2010-06-07 23:43:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-07 23:43:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-07 23:43:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-07 23:43:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-07 23:34:07 0 d-----w- c:\program files\ReviverSoft
2010-06-07 23:33:43 0 d-----w- c:\docume~1\alluse~1\applic~1\ReviverSoft
2010-05-21 04:51:59 939509 ----a-w- c:\documents and settings\alyson\.recently-used.xbel

==================== Find3M ====================

2010-06-12 01:54:34 81984 ----a-w- c:\windows\system32\bdod.bin
2010-06-12 00:40:03 5376 ----a-w- c:\windows\system32\drivers\viaide.sys
2010-05-23 03:57:09 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-04-27 18:40:40 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-04-27 18:40:40 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2010-04-27 18:40:40 45648 ------w- c:\windows\system32\drivers\PxHelp20.sys
2010-04-27 18:40:40 133616 ------w- c:\windows\system32\pxafs.dll
2010-04-27 18:40:40 126448 ------w- c:\windows\system32\pxinsi64.exe
2010-04-27 18:40:40 123888 ------w- c:\windows\system32\pxcpyi64.exe
2007-04-23 22:21:16 269824 ----a-w- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-04-23 22:11:54 224896 ----a-w- c:\windows\inf\wg111v3\wg111v3.sys
2006-12-15 19:30:36 98304 ----a-w- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 19:30:36 66048 ----a-w- c:\windows\inf\wg111v3\EAPPkt.sys
2006-12-15 19:30:36 315392 ----a-w- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 19:30:36 28672 ----a-w- c:\windows\inf\wg111v3\SetDrv.exe
2006-12-15 19:30:36 212992 ----a-w- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 19:30:36 20480 ----a-w- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 19:30:36 19968 ----a-w- c:\windows\inf\wg111v3\RTWREFU.EXE
2009-07-21 09:29:04 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009072120090722\index.dat

============= FINISH: 19:06:03.34 ===============


#11 imagica

imagica
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:43 AM

Posted 11 June 2010 - 09:10 PM

Sorry, I didn't see your new post yet. Here's the newest DDS log.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Alyson at 19:09:33.13 on Fri 06/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1270.780 [GMT -7:00]

AV: Bitdefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Bitdefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\F5D8053\v6\WifiSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\WINDOWS\System32\svchost.exe -kbdx
C:\Program Files\Belkin\F5D8053\v6\BelkinWCUI.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alyson\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2008\IEToolbar.dll
TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll
TB: {61539ECD-CC67-4437-A03C-9AACCBD14326} - No File
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [PRONoMgrWired] c:\program files\intel\prosetwired\ncs\proset\PRONoMgr.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2008\IEShow.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f5d8053\v6\BelkinWCUI.exe
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Alice's%20Magical%20Mahjong/Images/stg_drm.ocx
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205107098997
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Alice's%20Magical%20Mahjong/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alyson\applic~1\mozilla\firefox\profiles\9elnczcu.default\
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://aimzones.aol.com/homepage
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?invocationType=bu10aiminstabie7&sredir=2706&query=
FF - plugin: c:\documents and settings\alyson\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 Belkin Wifi Service;Belkin Wifi Service;c:\program files\belkin\f5d8053\v6\WifiSvc.exe [2010-3-14 274432]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-7-25 24652]
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [2010-3-14 584832]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-29 135664]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-4-23 224896]
S4 XoftSpyService;XoftSpyService;c:\program files\common files\xoftspyse\6\xoftspyservice.exe [2009-10-23 582424]

=============== Created Last 30 ================

2010-06-12 02:08:01 0 d-----w- C:\HostsXpert
2010-06-11 23:53:00 77312 ----a-w- c:\windows\mbr.exe
2010-06-08 05:10:41 0 ----a-w- c:\documents and settings\alyson\defogger_reenable
2010-06-08 02:56:26 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-08 02:43:44 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-08 02:42:29 0 d-----w- c:\docume~1\alyson\applic~1\Malwarebytes
2010-06-08 00:12:40 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2010-06-08 00:12:38 0 d-----w- c:\program files\common files\ParetoLogic
2010-06-08 00:12:23 0 d-----w- c:\program files\common files\XoftSpySE
2010-06-08 00:12:20 0 d-----w- c:\docume~1\alluse~1\applic~1\XoftSpySE
2010-06-08 00:12:01 0 d-----w- c:\program files\XoftSpySE6
2010-06-07 23:43:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-07 23:43:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-07 23:43:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-07 23:43:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-07 23:34:07 0 d-----w- c:\program files\ReviverSoft
2010-06-07 23:33:43 0 d-----w- c:\docume~1\alluse~1\applic~1\ReviverSoft
2010-05-21 04:51:59 939509 ----a-w- c:\documents and settings\alyson\.recently-used.xbel

==================== Find3M ====================

2010-06-12 01:54:34 81984 ----a-w- c:\windows\system32\bdod.bin
2010-06-12 00:40:03 5376 ----a-w- c:\windows\system32\drivers\viaide.sys
2010-05-23 03:57:09 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-04-27 18:40:40 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-04-27 18:40:40 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2010-04-27 18:40:40 45648 ------w- c:\windows\system32\drivers\PxHelp20.sys
2010-04-27 18:40:40 133616 ------w- c:\windows\system32\pxafs.dll
2010-04-27 18:40:40 126448 ------w- c:\windows\system32\pxinsi64.exe
2010-04-27 18:40:40 123888 ------w- c:\windows\system32\pxcpyi64.exe
2007-04-23 22:21:16 269824 ----a-w- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-04-23 22:11:54 224896 ----a-w- c:\windows\inf\wg111v3\wg111v3.sys
2006-12-15 19:30:36 98304 ----a-w- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 19:30:36 66048 ----a-w- c:\windows\inf\wg111v3\EAPPkt.sys
2006-12-15 19:30:36 315392 ----a-w- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 19:30:36 28672 ----a-w- c:\windows\inf\wg111v3\SetDrv.exe
2006-12-15 19:30:36 212992 ----a-w- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 19:30:36 20480 ----a-w- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 19:30:36 19968 ----a-w- c:\windows\inf\wg111v3\RTWREFU.EXE
2009-07-21 09:29:04 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009072120090722\index.dat

============= FINISH: 19:09:43.68 ===============


#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:43 PM

Posted 11 June 2010 - 09:39 PM

We have taken care of the active infection. Due to the multiple infection I would like to make sure nothing is left behind. I'll see the log tomorrow as it is too late here and I need to sleep before fainting. smile.gif
  1. Please download OTC and save it to Desktop.
    • Make sure you have internet connection.
    • Double-click OTC. In Windows Vista right-click to run it as administrator.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.

  2. I'd like us to scan your machine with ESET OnlineScan
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • Click the button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      • Click on to download the ESET Smart Installer. Save it to your desktop.
      • Double click on the icon on your desktop.
    • Check
    • Click the button.
    • Accept any security warnings from your browser.
    • Check
    • Push the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push
    • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the button.
    • Push

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

#13 imagica

imagica
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:43 AM

Posted 12 June 2010 - 12:20 AM

C:\Documents and Settings\Alyson\Application Data\Sun\Java\Deployment\cache\6.0\35\e1d9b63-27b4d2c4 Java/TrojanDownloader.Agent.NAG trojan deleted - quarantined
C:\Documents and Settings\Alyson\Application Data\Sun\Java\Deployment\cache\6.0\52\34086e34-71933c87 multiple threats deleted - quarantined
C:\Documents and Settings\Alyson\Application Data\WinPatrol\HOSTS Win32/Qhost trojan cleaned by deleting - quarantined
C:\Documents and Settings\Alyson\Desktop\New Folder\New Folder\New Folder\The White Stripes - Fell In Love with a Girl.wma probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\Documents and Settings\Alyson\Local Settings\temp\jar_cache7505629351572259271.tmp a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantined
C:\Documents and Settings\Alyson\My Documents\LimeWire\Saved\06 The Fray - Heaven Forbid.wma WMA/TrojanDownloader.Wimad.NAD trojan cleaned by deleting - quarantined
C:\Documents and Settings\Alyson\My Documents\LimeWire\Saved\R.E.M. - The One I love.wma probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\Documents and Settings\Alyson\My Documents\LimeWire\Saved\The Birthday Massacre - 03 - Falling Down.wma WMA/TrojanDownloader.Wimad.NAG trojan cleaned by deleting - quarantined
C:\Documents and Settings\Alyson\My Documents\LimeWire\Saved\The Birthday Massacre - 04 - Unfamiliar.wma WMA/TrojanDownloader.Wimad.NAA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Alyson\My Documents\LimeWire\Saved\Wumpscut - The March Of The Dead.wma probably a variant of Win32/Agent trojan cleaned by deleting - quarantined


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=1fea132ad0a64f4199271b593040c8bc
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-12 05:15:29
# local_time=2010-06-11 10:15:29 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=2048 16777175 100 0 63973397 63973397 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=149354
# found=10
# cleaned=10
# scan_time=5527
C:\Documents and Settings\Alyson\Application Data\Sun\Java\Deployment\cache\6.0\35\e1d9b63-27b4d2c4 Java/TrojanDownloader.Agent.NAG trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Alyson\Application Data\Sun\Java\Deployment\cache\6.0\52\34086e34-71933c87 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Alyson\Application Data\WinPatrol\HOSTS Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Alyson\Desktop\New Folder\New Folder\New Folder\The White Stripes - Fell In Love with a Girl.wma probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Alyson\Local Settings\temp\jar_cache7505629351572259271.tmp a variant of Java/TrojanDownloader.Agent.NAN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Alyson\My Documents\LimeWire\Saved\06 The Fray - Heaven Forbid.wma WMA/TrojanDownloader.Wimad.NAD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Alyson\My Documents\LimeWire\Saved\R.E.M. - The One I love.wma probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Alyson\My Documents\LimeWire\Saved\The Birthday Massacre - 03 - Falling Down.wma WMA/TrojanDownloader.Wimad.NAG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Alyson\My Documents\LimeWire\Saved\The Birthday Massacre - 04 - Unfamiliar.wma WMA/TrojanDownloader.Wimad.NAA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Alyson\My Documents\LimeWire\Saved\Wumpscut - The March Of The Dead.wma probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Attached Files



#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:43 PM

Posted 12 June 2010 - 06:06 AM

It looks good. thumbup2.gif
  1. You may delete the any tool or log we used from your computer.

  2. First Set a New Restore Point then Remove the Old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.

Recommendations:
  1. Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office.
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it to that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC. Windows XP Service Pack 2 is now outdated. Microsoft has released Service Pack 3 which has more features and is more secure than Service Pack 2.

    In order to update Windows go to Start -> All Programs -> Windows Update wait the page to be loaded, then press Custom button. Windows searches your computer and gives you possible updates.

    Prior to installing SP3 it is better to disable your antivirus and enable it after SP3 is installed.

  2. I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.

  3. I recommend installing this small application for safe surfing: Javacoolsİ SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
    • Download and install it.
    • Update it manually by clicking on Updates in the left pane and then Check for Updates.
    • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
    • The free version doesn't have an automatic update. Update it once in two or three weeks and enable all protection again.


Happy Surfing imagica. smile.gif

#15 imagica

imagica
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:43 AM

Posted 12 June 2010 - 07:23 PM

Thank you so much for your help!

It all works fine!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users