Unidentified malware hijacks browser SSL session


  • This topic is locked
24 replies to this topic

#1 MiEggy

MiEggy

  • Members
  • 11 posts

Posted 15 June 2010 - 09:11 PM

On this Windows XP Pro PC, a hijack takes over after entering erroneous logon credentials on secure (bank) web sites; a phishing attempt prompts the user to enter sensitive data (account number, SSN, and more). A picture is worth 1000+ of my words, so for a thorough description see this brief video (30 seconds) showing two cases: hxxp://www.youtube.com/watch?v=MKoRz6jnr2I

The PC initially was heavily infected, with several viruses. They've been removed, and now there are very few symptoms of any problem -- just the phishing hijack. Two potential symptoms are: on boot-up, the PC always wants to run CHKDSK; after Windows starts up, it persistently wants to run SFC (which I intended to run just once, of course). I've scanned with several (six or so) reliable AV programs, but none detect any malware. Details available on request.


What is this type of attack called?

What is the name of the malware?

How can I remove it? (!)

DDS.TXT is enclosed below; ATTACH.TXT and ARK.TXT are attached. Let me know what other info you need / questions you have.

Thanks in advance for your help!

Eggy

+++Begin DDS.TXT+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 12:37:52.03 on Tue 06/15/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.534 [GMT -4:00]

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\firebird\firebird_1_5\bin\fbguard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\firebird\firebird_1_5\bin\fbserver.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uURLSearchHooks: H - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D64CF6D4-45DF-4D8F-9F14-E65FADF2777C} - hxxp://www.dvrstation.com/pdvratl.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {C1EAE66C-8126-4171-91DC-A90AEB70B996} = 8.8.8.8,8.8.4.4
Notify: LMIinit - LMIinit.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\z9j82dqo.default\
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\firebird\firebird_1_5\bin\fbguard.exe [2004-12-13 65536]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-5-17 47640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-23 24652]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\firebird\firebird_1_5\bin\fbserver.exe [2004-12-13 1527893]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6.tmp --> c:\windows\system32\6.tmp [?]
S3 VVRUSB;VVRUSB Device;c:\windows\system32\drivers\vvrusb.sys --> c:\windows\system32\drivers\VVRUSB.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 NAVAP;NAVAP;\??\c:\program files\navnt\navap.sys --> c:\program files\navnt\NAVAP.sys [?]

=============== Created Last 30 ================

2010-06-15 16:36:43 0 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-06-15 16:18:08 116224 ----a-w- c:\windows\system32\dllcache\OLDE7C.tmp
2010-06-15 16:18:07 23040 ----a-w- c:\windows\system32\dllcache\OLDE78.tmp
2010-06-15 16:18:03 18944 ----a-w- c:\windows\system32\dllcache\OLDE74.tmp
2010-06-15 16:18:02 27648 ----a-w- c:\windows\system32\dllcache\OLDE70.tmp
2010-06-15 16:16:59 23615 ----a-w- c:\windows\system32\dllcache\OLDE19.tmp
2010-06-15 16:15:59 794399 ----a-w- c:\windows\system32\dllcache\OLDDA3.tmp
2010-06-15 16:14:58 159232 ----a-w- c:\windows\system32\dllcache\OLDD3F.tmp
2010-06-15 16:13:59 36640 ----a-w- c:\windows\system32\dllcache\OLDCD8.tmp
2010-06-15 16:12:57 37040 ----a-w- c:\windows\system32\dllcache\OLDC79.tmp
2010-06-15 16:11:58 94698 ----a-w- c:\windows\system32\dllcache\OLDBC9.tmp
2010-06-15 16:10:57 16640 ----a-w- c:\windows\system32\dllcache\OLDB67.tmp
2010-06-15 16:09:57 30720 ----a-w- c:\windows\system32\dllcache\OLDAFC.tmp
2010-06-15 16:08:59 83748 ----a-w- c:\windows\system32\dllcache\OLDA8C.tmp
2010-06-15 16:07:57 39424 ----a-w- c:\windows\system32\dllcache\OLD9F1.tmp
2010-06-15 16:06:59 32840 ----a-w- c:\windows\system32\dllcache\OLD993.tmp
2010-06-15 16:05:59 12416 ----a-w- c:\windows\system32\dllcache\OLD92A.tmp
2010-06-15 16:04:59 20864 ----a-w- c:\windows\system32\dllcache\OLD8B4.tmp
2010-06-15 16:03:59 9216 ----a-w- c:\windows\system32\dllcache\OLD7BA.tmp
2010-06-15 16:02:59 9216 ----a-w- c:\windows\system32\dllcache\OLD6E0.tmp
2010-06-15 16:01:59 68608 ----a-w- c:\windows\system32\dllcache\OLD66E.tmp
2010-06-15 16:00:58 34173 ----a-w- c:\windows\system32\dllcache\OLD5D1.tmp
2010-06-15 15:59:59 19996 ----a-w- c:\windows\system32\dllcache\OLD526.tmp
2010-06-15 15:58:58 419357 ----a-w- c:\windows\system32\dllcache\OLD454.tmp
2010-06-15 15:57:59 27164 ----a-w- c:\windows\system32\dllcache\OLD339.tmp
2010-06-15 15:56:59 49920 ----a-w- c:\windows\system32\dllcache\OLD177.tmp
2010-06-15 15:55:55 2189952 ----a-w- c:\windows\system32\dllcache\OLD80.tmp
2010-06-12 00:24:48 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-06-12 00:24:44 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-06-12 00:24:19 19200 ----a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-06-12 00:24:17 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll
2010-06-12 00:24:08 8832 ----a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-06-12 00:22:57 53760 ----a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2010-06-12 00:22:28 26112 ----a-w- c:\windows\system32\dllcache\usbser.sys
2010-06-12 00:22:27 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2010-06-12 00:22:26 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys
2010-06-12 00:22:25 17152 ----a-w- c:\windows\system32\dllcache\usbohci.sys
2010-06-12 00:22:24 60032 ----a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-06-12 00:21:18 82944 ----a-w- c:\windows\system32\dllcache\tp4mon.exe
2010-06-12 00:20:53 149376 ----a-w- c:\windows\system32\dllcache\tffsport.sys
2010-06-12 00:20:10 15232 ----a-w- c:\windows\system32\dllcache\streamip.sys
2010-06-12 00:19:25 7552 ----a-w- c:\windows\system32\dllcache\sonyait.sys
2010-06-12 00:18:59 6912 ----a-w- c:\windows\system32\dllcache\smbclass.sys
2010-06-12 00:18:59 16000 ----a-w- c:\windows\system32\dllcache\smbbatt.sys
2010-06-12 00:18:43 11136 ----a-w- c:\windows\system32\dllcache\slip.sys
2010-06-12 00:17:43 11520 ----a-w- c:\windows\system32\dllcache\scsiscan.sys
2010-06-12 00:17:27 43904 ----a-w- c:\windows\system32\dllcache\sbp2port.sys
2010-06-12 00:16:43 29696 ----a-w- c:\windows\system32\dllcache\rw450ext.dll
2010-06-12 00:16:42 27648 ----a-w- c:\windows\system32\dllcache\rw430ext.dll
2010-06-12 00:16:27 79104 ----a-w- c:\windows\system32\dllcache\rocket.sys
2010-06-11 22:27:39 6016 ----a-w- c:\windows\system32\dllcache\qic157.sys
2010-06-11 22:27:21 159232 ----a-w- c:\windows\system32\dllcache\ptpusd.dll
2010-06-11 22:27:15 33280 ----a-w- c:\windows\system32\dllcache\psisrndr.ax
2010-06-11 22:27:08 363520 ----a-w- c:\windows\system32\dllcache\psisdecd.dll
2010-06-11 22:27:00 17664 ----a-w- c:\windows\system32\dllcache\ppa3.sys
2010-06-11 22:26:53 8832 ----a-w- c:\windows\system32\dllcache\powerfil.sys
2010-06-11 22:26:06 259328 ----a-w- c:\windows\system32\dllcache\perm3dd.dll
2010-06-11 22:26:05 28032 ----a-w- c:\windows\system32\dllcache\perm3.sys
2010-06-11 22:26:04 211584 ----a-w- c:\windows\system32\dllcache\perm2dll.dll
2010-06-11 22:26:02 27904 ----a-w- c:\windows\system32\dllcache\perm2.sys
2010-06-11 22:24:28 61696 ----a-w- c:\windows\system32\dllcache\ohci1394.sys
2010-06-11 22:24:08 28672 ----a-w- c:\windows\system32\dllcache\nscirda.sys
2010-06-11 22:23:45 10880 ----a-w- c:\windows\system32\dllcache\ndisip.sys
2010-06-11 22:23:44 85248 ----a-w- c:\windows\system32\dllcache\nabtsfec.sys
2010-06-11 22:22:57 5504 ----a-w- c:\windows\system32\dllcache\mstee.sys
2010-06-11 22:22:56 49024 ----a-w- c:\windows\system32\dllcache\mstape.sys
2010-06-11 22:22:45 22016 ----a-w- c:\windows\system32\dllcache\msircomm.sys
2010-06-11 22:22:35 56832 ----a-w- c:\windows\system32\dllcache\msdvbnp.ax
2010-06-11 22:22:35 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys
2010-06-11 22:22:25 15232 ----a-w- c:\windows\system32\dllcache\mpe.sys
2010-06-11 22:22:07 26112 ----a-w- c:\windows\system32\dllcache\memstpci.sys
2010-06-11 22:21:38 7040 ----a-w- c:\windows\system32\dllcache\ltotape.sys
2010-06-11 22:21:17 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-06-11 22:21:11 91136 ----a-w- c:\windows\system32\dllcache\kswdmcap.ax
2010-06-11 22:21:11 43008 ----a-w- c:\windows\system32\dllcache\ksxbar.ax
2010-06-11 22:21:10 61952 ----a-w- c:\windows\system32\dllcache\kstvtune.ax
2010-06-11 22:21:06 253952 ----a-w- c:\windows\system32\dllcache\kdsusd.dll
2010-06-11 22:21:05 48640 ----a-w- c:\windows\system32\dllcache\kdsui.dll
2010-06-11 22:20:48 6144 ----a-w- c:\windows\system32\dllcache\kbd106.dll
2010-06-11 22:20:33 28160 ----a-w- c:\windows\system32\dllcache\irmon.dll
2010-06-11 22:20:31 151552 ----a-w- c:\windows\system32\dllcache\irftp.exe
2010-06-11 22:20:30 88192 ----a-w- c:\windows\system32\dllcache\irda.sys
2010-06-11 22:20:29 16384 ----a-w- c:\windows\system32\dllcache\ipsink.ax
2010-06-11 22:19:29 702845 ----a-w- c:\windows\system32\dllcache\i81xdnt5.dll
2010-06-11 22:17:54 20352 ----a-w- c:\windows\system32\dllcache\hidbatt.sys
2010-06-11 22:17:49 28288 ----a-w- c:\windows\system32\dllcache\grserial.sys
2010-06-11 22:17:43 59136 ----a-w- c:\windows\system32\dllcache\gckernel.sys
2010-06-11 22:17:43 10624 ----a-w- c:\windows\system32\dllcache\gameenum.sys
2010-06-11 22:15:06 20992 ----a-w- c:\windows\system32\dllcache\dshowext.ax
2010-06-11 22:14:58 206976 ----a-w- c:\windows\system32\dllcache\dot4.sys
2010-06-11 22:14:53 8320 ----a-w- c:\windows\system32\dllcache\dlttape.sys
2010-06-11 22:13:48 249856 ----a-w- c:\windows\system32\dllcache\ctmasetp.dll
2010-06-11 22:13:35 10240 ----a-w- c:\windows\system32\dllcache\compbatt.sys
2010-06-11 22:13:31 13952 ----a-w- c:\windows\system32\dllcache\cmbatt.sys
2010-06-11 22:13:21 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-06-11 22:13:16 17024 ----a-w- c:\windows\system32\dllcache\ccdecode.sys
2010-06-11 22:13:10 121856 ----a-w- c:\windows\system32\dllcache\camext30.dll
2010-06-11 22:12:29 18432 ----a-w- c:\windows\system32\dllcache\bdaplgin.ax
2010-06-11 22:12:29 11776 ----a-w- c:\windows\system32\dllcache\bdasup.sys
2010-06-11 22:12:26 14208 ----a-w- c:\windows\system32\dllcache\battc.sys
2010-06-11 22:12:21 13696 ----a-w- c:\windows\system32\dllcache\avcstrm.sys
2010-06-11 22:12:20 38912 ----a-w- c:\windows\system32\dllcache\avc.sys
2010-06-11 22:11:47 48128 ----a-w- c:\windows\system32\dllcache\61883.sys
2010-06-11 22:11:47 12288 ----a-w- c:\windows\system32\dllcache\4mmdat.sys
2010-06-11 22:11:45 53376 ----a-w- c:\windows\system32\dllcache\1394bus.sys
2010-06-11 21:10:00 0 d-----w- c:\program files\Windows Installer Clean Up
2010-06-09 15:52:36 0 d-----w- c:\program files\SIW
2010-06-09 11:21:15 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-08 13:37:29 0 d-----w- C:\ComboFix
2010-06-08 12:47:28 0 d-----w- c:\program files\Trend Micro
2010-06-07 19:51:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-07 16:39:20 0 d-----w- c:\program files\UVsoftium
2010-06-07 16:12:33 0 d-sh--w- c:\documents and settings\administrator\IECompatCache
2010-06-04 15:33:51 0 d-----w- c:\docume~1\admini~1\applic~1\MSNInstaller
2010-06-03 15:12:49 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-03 15:10:53 0 d-----w- c:\program files\Microsoft Security Essentials
2010-06-03 14:50:25 0 d-sh--w- c:\documents and settings\administrator\PrivacIE
2010-06-03 12:45:26 0 d-sh--w- c:\documents and settings\administrator\IETldCache
2010-05-18 20:04:16 0 d-----w- c:\program files\Sophos
2010-05-18 19:40:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software
2010-05-18 19:01:24 389120 ----a-w- c:\windows\system32\CF19661.exe
2010-05-18 18:05:32 0 d-sha-r- C:\cmdcons
2010-05-18 17:57:29 77312 ----a-w- c:\windows\MBR.exe
2010-05-18 17:57:29 256512 ----a-w- c:\windows\PEV.exe
2010-05-18 17:57:29 161792 ----a-w- c:\windows\SWREG.exe
2010-05-18 17:57:28 98816 ----a-w- c:\windows\sed.exe
2010-05-18 14:21:20 0 d-----w- c:\windows\system32\scripting
2010-05-18 14:21:20 0 d-----w- c:\windows\l2schemas
2010-05-18 14:21:19 0 d-----w- c:\windows\system32\en
2010-05-18 14:21:19 0 d-----w- c:\windows\system32\bits
2010-05-18 14:16:20 0 d-----w- c:\windows\network diagnostic
2010-05-18 13:34:28 0 d-----w- c:\program files\NirSoft
2010-05-17 18:32:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2010-05-17 18:14:45 69 ----a-w- C:\Failsafe_AutoRestart_5_Min.bat
2010-05-17 17:56:17 0 d-----w- C:\25ef07623efa06cb208256be55e7
2010-05-17 16:44:59 70 ----a-w- C:\Failsafe_AutoRestart.bat
2010-05-17 16:36:33 0 d-----w- c:\docume~1\alluse~1\applic~1\LogMeIn
2010-05-17 16:36:28 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-05-17 16:36:28 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2010-05-17 16:36:28 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
2010-05-17 16:36:28 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-05-17 16:36:23 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-05-17 16:36:23 87352 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
2010-05-17 16:36:11 0 d-----w- c:\program files\LogMeIn
2010-05-17 12:01:49 0 ----a-w- C:\t19s.1

==================== Find3M ====================

2010-05-05 13:30:57 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\dllcache\win32k.sys
2010-04-26 15:30:22 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\dllcache\atmfd.dll
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 11:43:30 41984 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-04-03 07:33:56 2365288 ----a-w- c:\windows\system32\dllcache\wmvcore.dll
2007-04-17 14:42:38 190 ----a-w- c:\program files\common files\psasetup.log

============= FINISH: 12:38:33.43 ===============

+++End DDS.TXT+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Edited by Orange Blossom, 16 June 2010 - 06:54 PM.
Deactivate link. ~ OB
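A DDS log like the one above is normally read by eye. As an added example (not part of this post, of the DDS tool, or of BleepingComputer's procedure), the Python helper below splits a DDS report into its `===== TITLE =====` sections and lists the entries a reviewer would want to look at first: service/driver lines whose image is a `.tmp` file, has no path, or carries no date/size stamp, and files created directly in the drive root. The sample excerpt is copied from the SERVICES / DRIVERS and Created Last 30 blocks posted above; reading `[x]` as "no image path recorded" and `[?]` as "no date/size recorded" is my interpretation of what appears in the log, not DDS documentation.

```python
"""Triage helper for a DDS log such as the one posted above.

Added example: not part of the original post, of the DDS tool, or of
BleepingComputer's procedure. It splits a DDS report into its
'===== TITLE =====' sections, then lists service/driver entries and
recently created files that a reviewer would want to look at first.
"""
import re

# Constructed sample: an excerpt of the DDS output posted in this thread.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-5-17 47640]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6.tmp --> c:\windows\system32\6.tmp [?]
S3 VVRUSB;VVRUSB Device;c:\windows\system32\drivers\vvrusb.sys --> c:\windows\system32\drivers\VVRUSB.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 NAVAP;NAVAP;\??\c:\program files\navnt\navap.sys --> c:\program files\navnt\NAVAP.sys [?]

=============== Created Last 30 ================

2010-06-08 13:37:29 0 d-----w- C:\ComboFix
2010-05-18 17:57:29 77312 ----a-w- c:\windows\MBR.exe
2010-05-17 17:56:17 0 d-----w- C:\25ef07623efa06cb208256be55e7
2010-05-17 12:01:49 0 ----a-w- C:\t19s.1

============= FINISH: 12:38:33.43 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(?P<title>[^=]+?)\s*=+$")
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
CREATED_RE = re.compile(r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<size>\d+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$")
# A path with a drive letter and exactly one component: something dropped in the root.
ROOT_PATH_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.IGNORECASE)


def split_sections(text):
    """Return {section_title: [non-blank lines]} for each '==== TITLE ====' block."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group("title")
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def parse_service(line):
    """Parse one SERVICES / DRIVERS line into a dict; None if it is not one."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest").strip()
    entry = {"state": m.group("state"), "name": m.group("name"),
             "display": m.group("display"), "image": None,
             "resolved": None, "status": None}
    # Trailing marker: '[date size]' when DDS stamped the file,
    # '[?]' with no stamp, '[x]' when no image path is given (my reading of the log).
    status = re.search(r"\[([^\]]*)\]\s*$", rest)
    if status:
        entry["status"] = status.group(1)
        rest = rest[:status.start()].strip()
    if "-->" in rest:
        # 'registry path --> path DDS resolved on disk'
        entry["image"], entry["resolved"] = (p.strip() for p in rest.split("-->", 1))
    elif rest:
        entry["image"] = rest
    return entry


def triage(text):
    """Return [(name_or_path, reason)] for entries worth a second look."""
    sections = split_sections(text)
    findings = []
    for line in sections.get("SERVICES / DRIVERS", []):
        e = parse_service(line)
        if e is None:
            continue
        if e["status"] == "x":
            findings.append((e["name"], "no image path recorded"))
            continue
        path = (e["resolved"] or e["image"] or "").lower()
        if path.endswith(".tmp"):
            findings.append((e["name"], "driver image is a .tmp file"))
        if e["status"] == "?":
            findings.append((e["name"], "no date/size recorded for the image file"))
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if m and ROOT_PATH_RE.match(m.group("path")):
            findings.append((m.group("path"), "created directly in the drive root"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_LOG):
        print(f"{name:45s} {reason}")
```

Everything it flags is a lead, not a verdict: on this log it lists the `6.tmp` driver, the three entries DDS could not stamp, and the root-level `C:\ComboFix`, `C:\25ef07623efa06cb208256be55e7` and `C:\t19s.1`, two of which are simply leftovers of the tools the poster already ran.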




#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 21 June 2010 - 02:13 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 MiEggy

MiEggy
  • Topic Starter

  • Members
  • 11 posts

Posted 21 June 2010 - 02:57 PM

Will comply as soon as I'm able, but won't be before June 28.


#4 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 23 June 2010 - 03:59 PM

Ok :)
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#5 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 27 June 2010 - 03:33 AM

Bump for myself :)
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#6 MiEggy

MiEggy
  • Topic Starter

  • Members
  • 11 posts

Posted 29 June 2010 - 08:19 PM

Hi Schrauber,

Thanks for your help. The requested info is enclosed. Let me also note a couple of points that may be pertinent:

1. Regarding GMER, the "Preparation Guide..." gives explicit instructions about de-selecting some specific settings ("We now need to configure GMER to not use some settings...."). Your latest request does not include those instructions, so I have not applied them; the enclosed (attached) results were made using GMER's default settings.

2. I had quite a challenge getting the PC to run GMER. It would run for quite a time (several minutes, even hours), producing results on the screen, but then the screen would become static. At that point I'd check the PC's status and find it frozen up, or performing erratically (be assured: all 'real-time active protection' was disabled). Ultimately I ran GMER in Safe Mode, with success. NOTE, however, that the results produced under Safe Mode (based on the on-screen display) were much lower in volume than the prior, failed attempts. I fear that the log file will provide little help.

3. The "Prep Guide..." cautions against use of ComboFix until instructed. Sorry, I already used it well before consulting BleepingComputer. I hope that doesn't throw a wrench in the works.

4. DDS and GMER data was provided previously, but all within this posting is UPDATED data -- new program downloads; new runs/scans; new results.

Thanks Again,
Pete

=================
Following is DDS.TXT data
=================

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 15:49:01.45 on Sun 06/27/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.343 [GMT -4:00]

AV: Microsoft Security Essentials *On-access scanning disabled* (Outdated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\firebird\firebird_1_5\bin\fbguard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\firebird\firebird_1_5\bin\fbserver.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds (1).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uURLSearchHooks: H - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D64CF6D4-45DF-4D8F-9F14-E65FADF2777C} - hxxp://www.dvrstation.com/pdvratl.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {C1EAE66C-8126-4171-91DC-A90AEB70B996} = 8.8.8.8,8.8.4.4
Notify: LMIinit - LMIinit.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\z9j82dqo.default\
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\firebird\firebird_1_5\bin\fbguard.exe [2004-12-13 65536]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-5-17 47640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-23 24652]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\firebird\firebird_1_5\bin\fbserver.exe [2004-12-13 1527893]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6.tmp --> c:\windows\system32\6.tmp [?]
S3 VVRUSB;VVRUSB Device;c:\windows\system32\drivers\vvrusb.sys --> c:\windows\system32\drivers\VVRUSB.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 NAVAP;NAVAP;\??\c:\program files\navnt\navap.sys --> c:\program files\navnt\NAVAP.sys [?]

=============== Created Last 30 ================

2010-06-15 16:36:43 0 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-06-12 00:24:48 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-06-12 00:24:44 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-06-12 00:24:19 19200 ----a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-06-12 00:24:17 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll
2010-06-12 00:24:08 8832 ----a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-06-12 00:22:57 53760 ----a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2010-06-12 00:22:28 26112 ----a-w- c:\windows\system32\dllcache\usbser.sys
2010-06-12 00:22:27 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2010-06-12 00:22:26 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys
2010-06-12 00:22:25 17152 ----a-w- c:\windows\system32\dllcache\usbohci.sys
2010-06-12 00:22:24 60032 ----a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-06-12 00:21:18 82944 ----a-w- c:\windows\system32\dllcache\tp4mon.exe
2010-06-12 00:20:53 149376 ----a-w- c:\windows\system32\dllcache\tffsport.sys
2010-06-12 00:20:10 15232 ----a-w- c:\windows\system32\dllcache\streamip.sys
2010-06-12 00:19:25 7552 ----a-w- c:\windows\system32\dllcache\sonyait.sys
2010-06-12 00:18:59 6912 ----a-w- c:\windows\system32\dllcache\smbclass.sys
2010-06-12 00:18:59 16000 ----a-w- c:\windows\system32\dllcache\smbbatt.sys
2010-06-12 00:18:43 11136 ----a-w- c:\windows\system32\dllcache\slip.sys
2010-06-12 00:17:43 11520 ----a-w- c:\windows\system32\dllcache\scsiscan.sys
2010-06-12 00:17:27 43904 ----a-w- c:\windows\system32\dllcache\sbp2port.sys
2010-06-12 00:16:43 29696 ----a-w- c:\windows\system32\dllcache\rw450ext.dll
2010-06-12 00:16:42 27648 ----a-w- c:\windows\system32\dllcache\rw430ext.dll
2010-06-12 00:16:27 79104 ----a-w- c:\windows\system32\dllcache\rocket.sys
2010-06-11 22:27:39 6016 ----a-w- c:\windows\system32\dllcache\qic157.sys
2010-06-11 22:27:21 159232 ----a-w- c:\windows\system32\dllcache\ptpusd.dll
2010-06-11 22:27:15 33280 ----a-w- c:\windows\system32\dllcache\psisrndr.ax
2010-06-11 22:27:08 363520 ----a-w- c:\windows\system32\dllcache\psisdecd.dll
2010-06-11 22:27:00 17664 ----a-w- c:\windows\system32\dllcache\ppa3.sys
2010-06-11 22:26:53 8832 ----a-w- c:\windows\system32\dllcache\powerfil.sys
2010-06-11 22:26:06 259328 ----a-w- c:\windows\system32\dllcache\perm3dd.dll
2010-06-11 22:26:05 28032 ----a-w- c:\windows\system32\dllcache\perm3.sys
2010-06-11 22:26:04 211584 ----a-w- c:\windows\system32\dllcache\perm2dll.dll
2010-06-11 22:26:02 27904 ----a-w- c:\windows\system32\dllcache\perm2.sys
2010-06-11 22:24:28 61696 ----a-w- c:\windows\system32\dllcache\ohci1394.sys
2010-06-11 22:24:08 28672 ----a-w- c:\windows\system32\dllcache\nscirda.sys
2010-06-11 22:23:45 10880 ----a-w- c:\windows\system32\dllcache\ndisip.sys
2010-06-11 22:23:44 85248 ----a-w- c:\windows\system32\dllcache\nabtsfec.sys
2010-06-11 22:22:57 5504 ----a-w- c:\windows\system32\dllcache\mstee.sys
2010-06-11 22:22:56 49024 ----a-w- c:\windows\system32\dllcache\mstape.sys
2010-06-11 22:22:45 22016 ----a-w- c:\windows\system32\dllcache\msircomm.sys
2010-06-11 22:22:35 56832 ----a-w- c:\windows\system32\dllcache\msdvbnp.ax
2010-06-11 22:22:35 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys
2010-06-11 22:22:25 15232 ----a-w- c:\windows\system32\dllcache\mpe.sys
2010-06-11 22:22:07 26112 ----a-w- c:\windows\system32\dllcache\memstpci.sys
2010-06-11 22:21:38 7040 ----a-w- c:\windows\system32\dllcache\ltotape.sys
2010-06-11 22:21:17 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-06-11 22:21:11 91136 ----a-w- c:\windows\system32\dllcache\kswdmcap.ax
2010-06-11 22:21:11 43008 ----a-w- c:\windows\system32\dllcache\ksxbar.ax
2010-06-11 22:21:10 61952 ----a-w- c:\windows\system32\dllcache\kstvtune.ax
2010-06-11 22:21:06 253952 ----a-w- c:\windows\system32\dllcache\kdsusd.dll
2010-06-11 22:21:05 48640 ----a-w- c:\windows\system32\dllcache\kdsui.dll
2010-06-11 22:20:48 6144 ----a-w- c:\windows\system32\dllcache\kbd106.dll
2010-06-11 22:20:33 28160 ----a-w- c:\windows\system32\dllcache\irmon.dll
2010-06-11 22:20:31 151552 ----a-w- c:\windows\system32\dllcache\irftp.exe
2010-06-11 22:20:30 88192 ----a-w- c:\windows\system32\dllcache\irda.sys
2010-06-11 22:20:29 16384 ----a-w- c:\windows\system32\dllcache\ipsink.ax
2010-06-11 22:19:29 702845 ----a-w- c:\windows\system32\dllcache\i81xdnt5.dll
2010-06-11 22:17:54 20352 ----a-w- c:\windows\system32\dllcache\hidbatt.sys
2010-06-11 22:17:49 28288 ----a-w- c:\windows\system32\dllcache\grserial.sys
2010-06-11 22:17:43 59136 ----a-w- c:\windows\system32\dllcache\gckernel.sys
2010-06-11 22:17:43 10624 ----a-w- c:\windows\system32\dllcache\gameenum.sys
2010-06-11 22:15:06 20992 ----a-w- c:\windows\system32\dllcache\dshowext.ax
2010-06-11 22:14:58 206976 ----a-w- c:\windows\system32\dllcache\dot4.sys
2010-06-11 22:14:53 8320 ----a-w- c:\windows\system32\dllcache\dlttape.sys
2010-06-11 22:13:48 249856 ----a-w- c:\windows\system32\dllcache\ctmasetp.dll
2010-06-11 22:13:35 10240 ----a-w- c:\windows\system32\dllcache\compbatt.sys
2010-06-11 22:13:31 13952 ----a-w- c:\windows\system32\dllcache\cmbatt.sys
2010-06-11 22:13:21 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-06-11 22:13:16 17024 ----a-w- c:\windows\system32\dllcache\ccdecode.sys
2010-06-11 22:13:10 121856 ----a-w- c:\windows\system32\dllcache\camext30.dll
2010-06-11 22:12:29 18432 ----a-w- c:\windows\system32\dllcache\bdaplgin.ax
2010-06-11 22:12:29 11776 ----a-w- c:\windows\system32\dllcache\bdasup.sys
2010-06-11 22:12:26 14208 ----a-w- c:\windows\system32\dllcache\battc.sys
2010-06-11 22:12:21 13696 ----a-w- c:\windows\system32\dllcache\avcstrm.sys
2010-06-11 22:12:20 38912 ----a-w- c:\windows\system32\dllcache\avc.sys
2010-06-11 22:11:47 48128 ----a-w- c:\windows\system32\dllcache\61883.sys
2010-06-11 22:11:47 12288 ----a-w- c:\windows\system32\dllcache\4mmdat.sys
2010-06-11 22:11:45 53376 ----a-w- c:\windows\system32\dllcache\1394bus.sys
2010-06-11 21:10:00 0 d-----w- c:\program files\Windows Installer Clean Up
2010-06-09 15:52:36 0 d-----w- c:\program files\SIW
2010-06-09 11:21:15 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-08 13:37:29 0 d-----w- C:\ComboFix
2010-06-08 12:47:28 0 d-----w- c:\program files\Trend Micro
2010-06-07 19:51:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-07 16:39:20 0 d-----w- c:\program files\UVsoftium
2010-06-07 16:12:33 0 d-sh--w- c:\documents and settings\administrator\IECompatCache
2010-06-04 15:33:51 0 d-----w- c:\docume~1\admini~1\applic~1\MSNInstaller
2010-06-03 15:12:49 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-03 15:10:53 0 d-----w- c:\program files\Microsoft Security Essentials
2010-06-03 14:50:25 0 d-sh--w- c:\documents and settings\administrator\PrivacIE
2010-06-03 12:45:26 0 d-sh--w- c:\documents and settings\administrator\IETldCache

==================== Find3M ====================

2010-06-11 16:34:25 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-06-11 16:34:23 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-06-11 16:34:23 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-05-18 19:01:13 389120 ----a-w- c:\windows\system32\CF19661.exe
2010-05-17 18:14:45 69 ----a-w- C:\Failsafe_AutoRestart_5_Min.bat
2010-05-17 16:44:59 70 ----a-w- C:\Failsafe_AutoRestart.bat
2010-05-05 13:30:57 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\dllcache\win32k.sys
2010-04-26 19:58:12 256512 ----a-w- c:\windows\PEV.exe
2010-04-26 15:30:22 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\dllcache\atmfd.dll
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 11:43:30 41984 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-04-03 07:33:56 2365288 ----a-w- c:\windows\system32\dllcache\wmvcore.dll
2007-04-17 14:42:38 190 ----a-w- c:\program files\common files\psasetup.log

============= FINISH: 15:50:05.71 ===============


=================
Following is GMER.log data
=================
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-29 17:55:41
Windows 5.1.2600 Service Pack 3
Running: rjjood4e.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwtdipog.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat F65BED20

---- Threads - GMER 1.0.15 ----

Thread System [4:224] 867A1641

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\AutoConvertTo@ {00020803-0000-0000-C000-000000000046}

---- EOF - GMER 1.0.15 ----


Edited by MiEggy, 29 June 2010 - 08:28 PM.


#7 MiEggy
  • Topic Starter
  • Members

Posted 30 June 2010 - 05:47 AM

Hi Schrauber,

Here is the new GMER log data. After I wrote my previous post I re-checked the status of 'real-time active protection'. Checking the processes, I found msmpeng.exe to still be running [Windows Defender / Security Essentials]. I stopped the process and was able to run GMER successfully outside of Safe Mode. Results are enclosed below.

Thanks,
Pete

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-30 06:37:44
Windows 5.1.2600 Service Pack 3
Running: rjjood4e.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwtdipog.sys


---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF5E83F80]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\firebird\firebird_1_5\bin\fbserver.exe[392] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0117B8F9
.text C:\Program Files\firebird\firebird_1_5\bin\fbserver.exe[392] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0117B485
.text C:\Program Files\firebird\firebird_1_5\bin\fbserver.exe[392] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0117B7AA
.text C:\Program Files\firebird\firebird_1_5\bin\fbserver.exe[392] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0117B564
.text C:\Program Files\firebird\firebird_1_5\bin\fbserver.exe[392] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0117B637
.text C:\WINDOWS\System32\alg.exe[452] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C9B8F9
.text C:\WINDOWS\System32\alg.exe[452] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C9B485
.text C:\WINDOWS\System32\alg.exe[452] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C9B7AA
.text C:\WINDOWS\System32\alg.exe[452] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C9B564
.text C:\WINDOWS\System32\alg.exe[452] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C9B637
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1560] WS2_32.dll!closesocket 00D03E2B 5 Bytes JMP 0E76B8F9
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1560] WS2_32.dll!send 00D04C27 5 Bytes JMP 0E76B485
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1560] WS2_32.dll!WSARecv 00D04CB5 5 Bytes JMP 0E76B7AA
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1560] WS2_32.dll!recv 00D0676F 5 Bytes JMP 0E76B564
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1560] WS2_32.dll!WSASend 00D068FA 5 Bytes JMP 0E76B637
.text C:\WINDOWS\system32\wdfmgr.exe[1696] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00A2B8F9
.text C:\WINDOWS\system32\wdfmgr.exe[1696] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00A2B485
.text C:\WINDOWS\system32\wdfmgr.exe[1696] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00A2B7AA
.text C:\WINDOWS\system32\wdfmgr.exe[1696] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00A2B564
.text C:\WINDOWS\system32\wdfmgr.exe[1696] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00A2B637
.text C:\WINDOWS\system32\wuauclt.exe[1880] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 029BB8F9
.text C:\WINDOWS\system32\wuauclt.exe[1880] WS2_32.dll!send 71AB4C27 5 Bytes JMP 029BB485
.text C:\WINDOWS\system32\wuauclt.exe[1880] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 029BB7AA
.text C:\WINDOWS\system32\wuauclt.exe[1880] WS2_32.dll!recv 71AB676F 5 Bytes JMP 029BB564
.text C:\WINDOWS\system32\wuauclt.exe[1880] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 029BB637
.text C:\WINDOWS\Explorer.EXE[2132] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0186B8F9
.text C:\WINDOWS\Explorer.EXE[2132] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0186B485
.text C:\WINDOWS\Explorer.EXE[2132] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0186B7AA
.text C:\WINDOWS\Explorer.EXE[2132] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0186B564
.text C:\WINDOWS\Explorer.EXE[2132] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0186B637

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\AutoConvertTo@ {00020803-0000-0000-C000-000000000046}

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

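The "User code sections" lines in the GMER log above have a fixed shape, and a pattern in them is easy to miss when read by hand. The script below is an added example (not part of this thread and not GMER's own code): it parses those lines, reports the processes in which the whole Winsock send/recv family is detoured, and checks whether every JMP lands in the same injected image. The sample input is excerpted from the log above; the WINSOCK_FAMILY set and the 64 KiB base-alignment heuristic are my own assumptions.

```python
"""Triage helper for GMER "User code sections" output (added example,
not part of the original thread or of GMER)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# One GMER user-mode hook line, for example:
# .text C:\WINDOWS\Explorer.EXE[2132] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0186B485
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s*$"
)

# Assumption: the Winsock exports whose wholesale hooking is worth flagging.
WINSOCK_FAMILY = frozenset({"send", "recv", "WSASend", "WSARecv", "closesocket"})

# Excerpt of the GMER log posted above (two of the six processes) plus a
# kernel-section line and a device line, to show that non-hook lines are skipped.
SAMPLE_LOG = r"""
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF5E83F80]
.text C:\Program Files\firebird\firebird_1_5\bin\fbserver.exe[392] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0117B8F9
.text C:\Program Files\firebird\firebird_1_5\bin\fbserver.exe[392] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0117B485
.text C:\Program Files\firebird\firebird_1_5\bin\fbserver.exe[392] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0117B7AA
.text C:\Program Files\firebird\firebird_1_5\bin\fbserver.exe[392] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0117B564
.text C:\Program Files\firebird\firebird_1_5\bin\fbserver.exe[392] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0117B637
.text C:\WINDOWS\System32\alg.exe[452] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C9B8F9
.text C:\WINDOWS\System32\alg.exe[452] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C9B485
.text C:\WINDOWS\System32\alg.exe[452] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C9B7AA
.text C:\WINDOWS\System32\alg.exe[452] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C9B564
.text C:\WINDOWS\System32\alg.exe[452] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C9B637
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
"""


@dataclass(frozen=True)
class Hook:
    image: str
    pid: int
    module: str
    func: str
    addr: int     # address of the hooked export inside this process
    size: int     # bytes overwritten by the detour
    target: int   # where the JMP lands


def parse_hooks(text):
    """Return the Hook records found in a GMER log; all other lines are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(Hook(m["image"], int(m["pid"]), m["module"], m["func"],
                              int(m["addr"], 16), int(m["size"]), int(m["target"], 16)))
    return hooks


def hooks_by_process(hooks):
    """Map (image, pid) -> {"module!func": jmp_target}."""
    out = defaultdict(dict)
    for h in hooks:
        out[(h.image, h.pid)][f"{h.module}!{h.func}"] = h.target
    return dict(out)


def processes_with_winsock_hooks(hooks):
    """Processes in which every function in WINSOCK_FAMILY is detoured."""
    wanted = {f"WS2_32.dll!{f}" for f in WINSOCK_FAMILY}
    return sorted(proc for proc, funcs in hooks_by_process(hooks).items()
                  if wanted <= set(funcs))


def stub_offsets(hooks):
    """Low 16 bits of the JMP target for each hooked Winsock function.

    Windows maps images at 64 KiB-aligned bases, so if one injected DLL is
    loaded into every process, a given function's trampoline keeps the same
    low 16 bits everywhere even though the DLL's base differs per process.
    """
    offs = defaultdict(set)
    for h in hooks:
        if h.module.lower() == "ws2_32.dll":
            offs[h.func].add(h.target & 0xFFFF)
    return dict(offs)


def shared_injected_image(hooks):
    """True when all Winsock hooks are consistent with one injected image."""
    offs = stub_offsets(hooks)
    return bool(offs) and all(len(s) == 1 for s in offs.values())


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    for image, pid in processes_with_winsock_hooks(hooks):
        print(f"Winsock family detoured in {image} [pid {pid}]")
    print("all hooks point into one injected image:", shared_injected_image(hooks))
```

Run against the full log above, the same check holds for all six processes, which is the signature of one module injected system-wide rather than a per-application hook.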

#8 schrauber
    Mr.Mechanic
  • Malware Response Team
  • Location:Munich,Germany

Posted 03 July 2010 - 02:21 AM

Hello, MiEggy
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 4-5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.





Please go here and have a look at how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#9 MiEggy
  • Topic Starter
  • Members

Posted 06 July 2010 - 08:20 AM

Hello Tom,

Thanks for your help. Attached is C:\ComboFix.txt.

I look forward to your reply, and hearing what you learn from this info!

Thanks Again,
Pete



#10 schrauber
    Mr.Mechanic
  • Malware Response Team
  • Location:Munich,Germany

Posted 10 July 2010 - 05:17 AM

Hi,

Please don't attach the logfiles, just post them here in the thread.



Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
regards,
schrauber


#11 MiEggy
  • Topic Starter
  • Members

Posted 12 July 2010 - 10:27 AM

Hi Tom,

Thanks for your help. A bit of a twist in this update. HelpAsst did not report MBR infection, but did report other issues ("termsrv32.dll present! ~ attempting to remove"). Before proceeding with the next step you described ("*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter. mbr -f"), I would like to get your reaffirmation that that action is indeed appropriate. Please let me know.

HelpAsst.Log is enclosed below. It is the log file created after running HelpAsst -mbrt (step 5 below). I retained the original log file, created after the initial run of HelpAsst (step 1 below), and will provide it at your request.

In case it is helpful, here is the exact sequence I executed:
1. Run HelpAsst as described (observed no indication of MBR infection)
2. Reboot; Wait 5 minutes.
3. Test for hijack - confirmed to still exist.
4. Make backup copy of HelpAsst.log file.
5. Run HelpAsst -mbrt
6. Reboot; Wait 5 minutes
7. Test for hijack - confirmed to still exist.


Please let me know if you have questions or need more info. I look forward to your response.

Thanks,
Pete

PS - My prior attempt to 'enclose' the 232KB log file from ComboFix was rejected by the BleepingComputer web site due to its large size, forcing me to use 'attach'. I will continue to 'enclose' future versions when possible.


C:\Documents and Settings\Administrator\My Documents\Downloads\HelpAsst_mebroot_fix.exe
Mon 07/12/2010 at 10:25:55.90

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"3635:TCP"=-
"5770:TCP"=-
"3389:TCP"=-
"7367:TCP"=-
"7368:TCP"=-
"9476:TCP"=-
"9477:TCP"=-
"8866:TCP"=-
"8867:TCP"=-
"1753:TCP"=-
"2006:TCP"=-
"4506:TCP"=-
"7512:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"3635:TCP"=-
"5770:TCP"=-
"3389:TCP"=-
"7367:TCP"=-
"7368:TCP"=-
"9476:TCP"=-
"9477:TCP"=-
"8866:TCP"=-
"8867:TCP"=-
"1753:TCP"=-
"2006:TCP"=-
"4506:TCP"=-
"7512:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-2062763002-2612141192-3955493945-1006
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Mon 07/12/2010 at 10:59:49.93

Account active Yes
Local Group Memberships *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85B3D78A]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking profile list ~~

S-1-5-21-2062763002-2612141192-3955493945-1006
%SystemDrive%\Documents and Settings\HelpAssistant

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"7512:TCP"=7512:TCP:*:Enabled:Services
"4506:TCP"=4506:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"7512:TCP"=7512:TCP:*:Enabled:Services
"4506:TCP"=4506:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop


~~ EOF ~~
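As an added example (not code from the thread or from the HelpAsst tool), a small Python script that reads the status-check section of a log like the one above and flags the two indicators it reports: enabled GloballyOpenPorts entries outside an assumed allowlist, and a Terminal Services ServiceDll pointing anywhere other than the stock termsrv.dll. The sample log text and the allowlist are constructed for this example.

```python
import re
# Allowlist of ports a stock XP firewall profile may legitimately open
# (assumption for this example; only Remote Desktop is kept).
EXPECTED_PORTS = {"3389:TCP"}
LEGIT_TERMSRV = "termsrv.dll"  # stock XP DLL; termsrv32.dll is the rogue copy
# One GloballyOpenPorts value line: "port:proto"=port:proto:scope:state:name
PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"=\d+:(?:TCP|UDP):[^:]*:(Enabled|Disabled):(.*)$')
SERVICEDLL_RE = re.compile(r'^ServiceDll\s+REG_EXPAND_SZ\s+(\S+)', re.I | re.M)

# Constructed sample mirroring the status-check section posted above.
SAMPLE_LOG = r"""HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"7512:TCP"=7512:TCP:*:Enabled:Services
"4506:TCP"=4506:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"""

def parse_open_ports(log_text):
    """Return {profile_key: [(port, enabled, name), ...]} per GloballyOpenPorts section."""
    profiles, current = {}, None
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.lower().endswith("globallyopenports\\list]"):
            current = line[1:-1]          # registry key without the brackets
            profiles[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            profiles[current].append((m.group(1), m.group(2) == "Enabled", m.group(3)))
    return profiles

def rogue_ports(profiles, expected=EXPECTED_PORTS):
    """Enabled entries outside the allowlist, keyed by profile registry path."""
    return {p: [e for e in entries if e[1] and e[0] not in expected]
            for p, entries in profiles.items()}

def termsrv_hijacked(log_text):
    """Basename of the Terminal Services ServiceDll when it is not the stock one, else None."""
    m = SERVICEDLL_RE.search(log_text)
    if not m:
        return None
    dll = m.group(1).rsplit("\\", 1)[-1].lower()
    return dll if dll != LEGIT_TERMSRV else None
```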


#12 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:44 AM

Posted 14 July 2010 - 01:13 PM

Hi,



You must first verify that you can logon to the Windows Recovery Console.
To do so, you must have the Recovery Console installed or use the Windows XP installation cd.

How to install and use the Windows XP Recovery Console


Restart the computer and logon to the Recovery Console.
Execute the following command at the x:\windows> prompt <--- the x represents your operating system drive letter, usually C

fixmbr

type exit and hit enter, boot back into normal windows.



Please run the complete mebroot fix instructions again and post back with the logfile.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#13 MiEggy

MiEggy
  • Topic Starter

  • Members
  • 11 posts
  • Local time:02:44 AM

Posted 14 July 2010 - 04:20 PM

Recovery Console is installed. I used it recently, before beginning work with BleepingComputer. Now, however, when I try to boot to Recovery Console the system goes to BSoD.

Advise, please.

Thanks!
Pete

#14 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:44 AM

Posted 16 July 2010 - 12:42 PM

Please try it with this CD:


You can also go here and create a Recovery Console CD. Just click the link provided there to download the recovery_console_cd.zip and unzip that to your desktop.

Then, inside the recovery_console_cd folder that was created, locate and click on the IE icon titled Readme. This will open a webpage, which will provide the simple steps you will need to follow, as well as a clickable link to go to the MS download page where you can select the BootDisk file download appropriate for your operating system. For example, for an XP SP2 Home Edition you would be downloading WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe.
regards,
schrauber


#15 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:44 AM

Posted 19 July 2010 - 10:55 AM

Still with me?
regards,
schrauber




