Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Browser redirect - Backdoor.Tdss.565

  • Please log in to reply
5 replies to this topic

#1 annmeris


  • Members
  • 40 posts
  • Local time:07:55 AM

Posted 14 July 2010 - 11:40 PM

This is my last computer that I'm working on. I've gone a lttle far based on what I learned with the other 2 computers.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Compaq_Administrator at 12:09:04.73 on Wed 07/14/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.406 [GMT -7:00]

AV: Webroot Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.3\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe

============== Pseudo HJT Report ===============

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Page = hxxp://www.msn.com
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {00000000-0000-0000-0000-000000000000} - No File
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
uRun: [PhotoshopElementsSyncAgent] "c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsSyncAgent.exe"
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1217270550218
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-11-6 29808]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-6-24 214664]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-6-24 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-6-24 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-6-24 144704]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.3\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-11-6 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2010-6-24 1201640]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-6-24 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-6-24 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-6-24 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-6-24 40552]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-6 135664]
S3 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2009-2-24 81920]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-6-24 34248]
S3 RemoteControl-USBLAN;RemoteControl-USBLAN;c:\windows\system32\drivers\rcblan.sys [2009-8-28 39704]

=============== Created Last 30 ================

2010-07-14 19:01:22 0 d-----w- C:\malwarefold
2010-07-14 17:15:38 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-14 16:06:47 0 d-sha-r- C:\cmdcons
2010-07-14 16:02:43 98816 ----a-w- c:\windows\sed.exe
2010-07-14 16:02:43 77312 ----a-w- c:\windows\MBR.exe
2010-07-14 16:02:43 256512 ----a-w- c:\windows\PEV.exe
2010-07-14 16:02:43 161792 ----a-w- c:\windows\SWREG.exe
2010-07-13 05:38:13 0 d-----w- c:\docume~1\compaq~1\applic~1\AVS4YOU
2010-07-13 05:33:52 0 d-----w- c:\program files\common files\AVSMedia
2010-07-13 05:25:09 24576 ----a-w- c:\windows\system32\msxml3a.dll
2010-07-13 05:25:05 0 d-----w- c:\program files\AVS4YOU
2010-07-13 05:25:05 0 d-----w- c:\docume~1\alluse~1\applic~1\AVS4YOU
2010-07-05 21:17:58 0 ----a-w- c:\documents and settings\compaq_administrator\defogger_reenable
2010-07-05 20:23:36 0 d-----w- c:\program files\Runtime Software
2010-06-30 21:12:31 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-27 01:56:58 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-06-27 01:56:57 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-06-27 01:56:56 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-06-27 01:56:56 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-06-27 01:56:50 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-06-27 01:56:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software
2010-06-25 05:36:11 1563008 ----a-w- c:\windows\WRSetup.dll
2010-06-25 05:36:11 0 d-----w- c:\program files\Webroot
2010-06-25 05:36:11 0 d-----w- c:\docume~1\compaq~1\applic~1\Webroot
2010-06-25 05:36:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Webroot
2010-06-25 05:32:14 164 ----a-w- c:\windows\install.dat
2010-06-25 04:30:07 0 d-----w- c:\docume~1\compaq~1\applic~1\Registry Mechanic
2010-06-18 17:07:25 224 ----a-w- c:\windows\system32\9B13A86D.plf
2010-06-18 17:07:00 0 d-----w- c:\docume~1\compaq~1\applic~1\ParetoLogic
2010-06-18 17:04:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Cached Installations
2010-06-18 16:38:59 0 d-----w- c:\docume~1\alluse~1\applic~1\RegCure

==================== Find3M ====================

2010-07-14 17:58:52 2516 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-05-05 13:30:57 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2008-07-29 20:37:32 64850917 ----a-w- c:\program files\Intuit.zip
2007-01-22 05:32:34 3570688 --sha-r- c:\program files\ehthumbs.db
2006-09-10 20:18:16 22 --sha-w- c:\windows\sminst\HPCD.sys
2009-04-23 15:51:04 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 12:10:42.29 ===============

I've uploaded Attach

Gmer was a disaster below is scan1 of Gmer

GMER - http://www.gmer.net
Rootkit quick scan 2010-07-14 13:35:47
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\fxldypob.sys

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF1CC3788]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF1CC37C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF1CC3710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF1CC3724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF1CC379C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF1CC37DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF1CC37B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Ip 85D20D18

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Tcp 85D20D18

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Udp 85D20D18

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\RawIp 85D20D18

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

I've uploaded Tddskiller log

I've uploaded Hijack this log

I've uploaded combofix log

The rootrepeal log is following; There are things in there I know need to be fixed. How??? Thanks

ROOTREPEAL © AD, 2007-2009
Scan Start Time: 2010/07/14 19:57
Program Version: Version
Windows Version: Windows XP Media Center Edition SP3

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF1B9F000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BA0000 Size: 8192 File Visible: No Signed: -
Status: -

Name: root1repeal.sys
Image Path: C:\WINDOWS\system32\drivers\root1repeal.sys
Address: 0xEDF98000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\sqlite_gyq9bm9hu6kkwnf
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_zfuqcy7js5donjx
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcafee_jfla3gofw3plaij
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_51fqihymaorcp7q
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_97sydjhwkr6zswm
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\program files\microsoft sql server\mssql.3\mssql\log\log_762.trc
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\all users\application data\microsoft\search\data\applications\windows\gatherlogs\systemindex\systemindex.16.crwl
Status: Allocation size mismatch (API: 8192, Raw: 4096)

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x86183be8

#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0x861e0360

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x86115248

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x861151d0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x86183eb8

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x861c6080

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0x861152c0

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "<unknown>" at address 0x86183c60

#: 186 Function Name: NtReadVirtualMemory
Status: Hooked by "<unknown>" at address 0x86183af8

#: 192 Function Name: NtRenameKey
Status: Hooked by "<unknown>" at address 0x861ca208

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x86183d50

#: 226 Function Name: NtSetInformationKey
Status: Hooked by "<unknown>" at address 0x86189d10

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x86183fa8

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x86183dc8

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0x861670a8

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x86183f30

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x86183cd8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x86115158

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x86183e40

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x86183b70

Stealth Objects
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x85d50a68 Size: 1437

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x85d50708 Size: 2301

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
Process: System Address: 0x85d50690 Size: 2421

Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x85d50618 Size: 2541

Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x85d4ea88 Size: 287

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85d4ea10 Size: 407

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x85d4e998 Size: 527

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
Process: System Address: 0x85d4e638 Size: 171

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
Process: System Address: 0x85d4e5c0 Size: 291

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x85d4e548 Size: 411

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85d4dd18 Size: 744

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x85d4dca0 Size: 864

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85d4dc28 Size: 984

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x85d4d8c8 Size: 1848

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85d4d850 Size: 1968

Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85d4d7d8 Size: 2088

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85d4d478 Size: 2952

Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85d4d400 Size: 3072

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
Process: System Address: 0x85d4d388 Size: 3192

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x85d4cfa8 Size: 93

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x85d4cf30 Size: 213

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
Process: System Address: 0x85d4ceb8 Size: 333

Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
Process: System Address: 0x85d4b970 Size: 265

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85d4b8f8 Size: 385

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x85d4b880 Size: 505

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x85d4b4d0 Size: 1449

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
Process: System Address: 0x85d4b458 Size: 1569

Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
Process: System Address: 0x85d4b3e0 Size: 1689

Shadow SSDT
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x85913798

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x8603a570

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x859c8830

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x85d7be38

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x85cc80c0

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x85f420c0

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x8604fb38

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x85db1870

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x85a7a0c0


I know this is a lot, but I really need to get this done.... crazy.gif

BC AdBot (Login to Remove)


#2 shelf life

shelf life

  • Malware Response Team
  • 2,675 posts
  • Gender:Male
  • Location:@localhost
  • Local time:08:55 AM

Posted 15 July 2010 - 07:31 PM

Hi again,

Those logs look ok. Looks like it the 3rd time you ran combofix. Root kit utilities can show lots of normal processes. TDSSkiller didnt remove anything. You can download and run Malwarebytes:

Please download Malwarebytes to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

How Can I Reduce My Risk to Malware?

#3 annmeris

  • Topic Starter

  • Members
  • 40 posts
  • Local time:07:55 AM

Posted 16 July 2010 - 09:21 AM

Here's computer 3's Malwarebytes log:

Malwarebytes' Anti-Malware 1.46

Database version: 4314

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/16/2010 3:14:48 AM
mbam-log-2010-07-16 (03-14-48).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 341879
Time elapsed: 2 hour(s), 38 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

What next? maybe I should guess.

#4 shelf life

shelf life

  • Malware Response Team
  • 2,675 posts
  • Gender:Male
  • Location:@localhost
  • Local time:08:55 AM

Posted 16 July 2010 - 08:11 PM

What next?

Hows the re-direction?

How Can I Reduce My Risk to Malware?

#5 annmeris

  • Topic Starter

  • Members
  • 40 posts
  • Local time:07:55 AM

Posted 16 July 2010 - 11:25 PM

no redirects. I ran Eset, there were 4 infections.

Eset log

C:\Documents and Settings\All Users\Documents\SmitfraudFix\restart.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined
C:\Program Files\Registry Well\RegistryWell.exe probably a variant of Win32/Adware.RegistryEasy application cleaned by deleting - quarantined
D:\i386\APPS\APP16427\src\CompaqPresario_Spring06.exe a variant of Win32/AdInstaller application deleted - quarantined
D:\i386\APPS\APP16427\src\HPPavillion_Spring06.exe a variant of Win32/AdInstaller application deleted - quarantined


The D drive is HP's partition for restoring the computer to it's orginal configuration (recovery).

Your thoughts please.

#6 shelf life

shelf life

  • Malware Response Team
  • 2,675 posts
  • Gender:Male
  • Location:@localhost
  • Local time:08:55 AM

Posted 18 July 2010 - 09:22 AM

Those two files in your D drive may be false positives. It looks like they are from HP and part of the original installation files. In any case it looks like Eset deleted or quarantined them.
The SmitfraudFix is a legit tool you must have used at one time. Some AV may flag the utilities in some tools as " a risk or hack tool" when they are not.
Looks like we are making progress.

How Can I Reduce My Risk to Malware?

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users