Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

IE keeps redirecting


  • This topic is locked This topic is locked
11 replies to this topic

#1 jameseng

jameseng

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:27 AM

Posted 18 July 2010 - 11:32 AM

I run Spy Bot Search and Destroy on my computer. About 4 days ago a window popped up and asked if I wanted to install a security program - I closed everything and now I am having problems. When I run google search it will redirect the webpage. If I click on the cached link then I get the correct webpage. I have run Spy Bot and Norton AV. The AV found a couple of files that it fixed. The scan is clean now. However - I still get redirects. Spy Bot reports clean as well.

I also tried to restore to an earlier date but that did not work either.

Here are the file outputs as outlined in the preparation guide.

Thanks for any help I can get on this!

DDS and GMER log below. Attached is the attach file.

I have run defogger and disabled the CD emulation.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 19:20:40.10 on Sat 07/17/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1246.496 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\BLOCKB~1\BLOCKB~1\MovielinkCore.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Blockbuster\BLOCKBUSTERMovielink\Movielink User.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com/
mDefault_Search_URL = hxxp://www.google.com/
mSearch Page = hxxp://www.google.com/
mSearchAssistant = hxxp://www.google.com/
mCustomizeSearch = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [LoadMSvcmm] "c:\program files\blockbuster\blockbustermovielink\Movielink User.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-28 102448]
R3 Mach3;Mach3 Pulseing Service;c:\windows\system32\drivers\Mach3.sys [2007-10-11 106176]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100714.002\naveng.sys [2010-7-14 85424]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100714.002\navex15.sys [2010-7-14 1362608]
S2 Seagate Sync Service;Seagate Sync Service;"c:\program files\seagate\sync\seasyncservices.exe" --> c:\program files\seagate\sync\SeaSyncServices.exe [?]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 EraserUtilDrv10910;EraserUtilDrv10910;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv10910.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv10910.sys [?]
S3 EraserUtilDrvI9;EraserUtilDrvI9;\??\c:\program files\common files\symantec shared\eengine\eraserutildrvi9.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrvI9.sys [?]
S3 GT680xNT;Visioneer OneTouch 7300 Driver;c:\windows\system32\drivers\Gt680x.sys [2007-9-16 17376]
S3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [2010-1-24 76416]
S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2010-1-31 7548]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [2010-6-26 57856]

=============== Created Last 30 ================

2010-07-18 01:17:47 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-07-17 20:08:07 0 d-----w- c:\program files\Wise Registry Cleaner 3
2010-07-17 18:25:25 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-07-17 18:25:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-17 18:25:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-17 18:25:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-17 18:25:14 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-17 17:30:48 0 d-----w- c:\program files\Trend Micro
2010-07-14 23:44:59 38480 ------w- c:\windows\system32\IJRMF.exe
2010-07-14 23:25:22 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-14 23:24:20 0 d-----w- c:\program files\NCH Swift Sound
2010-07-14 23:24:19 0 d-----w- c:\program files\Softonic-Eng7
2010-07-14 23:24:12 0 d-----w- c:\program files\Conduit
2010-07-12 01:59:24 120 ----a-w- c:\windows\Bxisuwaq.dat
2010-07-12 01:59:24 0 ----a-w- c:\windows\Hzixanejobecebep.bin
2010-06-27 01:57:11 0 d-----w- c:\docume~1\owner\applic~1\PureEdge
2010-06-27 01:56:07 0 d-----w- c:\program files\IBM
2010-06-27 01:56:07 0 d-----w- c:\docume~1\alluse~1\applic~1\PureEdge
2010-06-27 01:32:01 68224 ----a-w- c:\temp\S3XXx64.sys
2010-06-27 01:32:01 57856 ----a-w- c:\windows\system32\drivers\SCR3XX2K.sys
2010-06-27 01:32:01 57856 ----a-w- c:\temp\SCR3XX2K.sys
2010-06-27 01:29:06 7680 ----a-r- c:\temp\STCFUx32.sys
2010-06-27 01:29:06 45056 ----a-w- c:\temp\Sx33XRES.dll
2010-06-27 01:29:06 32768 ----a-w- c:\temp\SCR3310S_V526.bin
2010-06-27 01:29:06 245760 ----a-w- c:\temp\FwUpdate.exe
2010-06-27 01:29:06 155648 ----a-w- c:\temp\FIOSx33x.dll
2010-06-27 01:29:06 106496 ----a-w- c:\temp\FwResorc.dll
2010-06-27 01:29:06 10240 ----a-r- c:\temp\STCFUx64.sys
2010-06-25 22:19:51 0 d-----w- c:\program files\EA Games
2010-06-21 00:46:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Movielink
2010-06-21 00:45:53 0 d-----w- c:\program files\Blockbuster

==================== Find3M ====================

2010-06-03 02:41:44 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-02-11 03:19:49 150 -c--a-w- c:\program files\MacHbkVersionsInfo.txt
2008-08-29 00:58:00 117901 -c--a-w- c:\program files\jerry182985.bbcd
2003-08-29 19:12:00 61440 -c--a-w- c:\windows\inf\i386\Viz7300.dll
2003-08-29 19:12:00 17376 -c--a-w- c:\windows\inf\i386\Gt680x.sys
2009-02-13 03:11:00 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009021220090213\index.dat

============= FINISH: 19:22:37.02 ===============



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-18 10:14:52
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\uxtdapow.sys


---- System - GMER 1.0.15 ----

SSDT 89C7E0E8 ZwAlertResumeThread
SSDT 89C7E0B0 ZwAlertThread
SSDT 89DC2758 ZwAllocateVirtualMemory
SSDT 89D58EF0 ZwConnectPort
SSDT 89C7FB08 ZwCreateMutant
SSDT 89D50E88 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA5721350]
SSDT 89C74858 ZwFreeVirtualMemory
SSDT 89C7FA30 ZwImpersonateAnonymousToken
SSDT 89C7E490 ZwImpersonateThread
SSDT 89C87490 ZwMapViewOfSection
SSDT 89C840A0 ZwOpenEvent
SSDT 89C749E0 ZwOpenProcessToken
SSDT 89C7D5F0 ZwOpenThreadToken
SSDT 89CB96F0 ZwQueryValueKey
SSDT 89C79E48 ZwResumeThread
SSDT 89C7D768 ZwSetContextThread
SSDT 89C74560 ZwSetInformationProcess
SSDT 89C7D8E0 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA5721580]
SSDT 89C85268 ZwSuspendProcess
SSDT 89C7DBD0 ZwSuspendThread
SSDT 89C750C0 ZwTerminateProcess
SSDT 89C7DA58 ZwTerminateThread
SSDT 89C746E8 ZwUnmapViewOfSection
SSDT 89D930A8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 239C 80501BD4 8 Bytes CALL 30D9E3B9
.text ntkrnlpa.exe!ZwCallbackReturn + 2798 80501FD0 4 Bytes CALL 3CD9E71B
.rsrc C:\WINDOWS\system32\drivers\pcmcia.sys entry point in ".rsrc" section [0xB9F65614]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[1304] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\system32\svchost.exe[1304] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\svchost.exe[1304] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\WINDOWS\system32\svchost.exe[1304] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0069000A
.text C:\WINDOWS\system32\svchost.exe[1304] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E3000A
.text C:\WINDOWS\Explorer.EXE[1440] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1440] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1440] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3408] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A4000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3408] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D6000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3408] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A3000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3408] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3408] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E35203E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3408] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351FBF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3408] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E352003 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3408] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351F4B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3408] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351F85 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3408] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352079 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3408] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E20176A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3408] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E35223B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 89EC3EC5

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\90403E1900063D11C8EF10054038389C\Usage@OutlookMAPI2 1022428673
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\90403E1900063D11C8EF10054038389C\Usage@OUTLOOKFiles 1022432902
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\90403E1900063D11C8EF10054038389C\Usage@ProductFiles 1022428742
Reg HKLM\SOFTWARE\Classes\CLSID\{0F0E99F5-154F-CD2E-C8DA-C9C7F4E6DEA7}\InProcServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{0F0E99F5-154F-CD2E-C8DA-C9C7F4E6DEA7}\InProcServer32@iajcpchpnknpcbbckm 0x61 0x61 0x00 0x00
Reg HKLM\SOFTWARE\Classes\CLSID\{0F0E99F5-154F-CD2E-C8DA-C9C7F4E6DEA7}\InProcServer32@iajcpchpnkhjefjogg 0x61 0x61 0x00 0x00
Reg HKLM\SOFTWARE\Classes\CLSID\{0F0E99F5-154F-CD2E-C8DA-C9C7F4E6DEA7}\InProcServer32@jajcdoemcbhebjkheaai 0x6A 0x61 0x65 0x70 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{0F0E99F5-154F-CD2E-C8DA-C9C7F4E6DEA7}\InProcServer32@iajcnngkmknlcfgcmi 0x6A 0x61 0x65 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0F0E99F5-154F-CD2E-C8DA-C9C7F4E6DEA7}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0F0E99F5-154F-CD2E-C8DA-C9C7F4E6DEA7}@hahdipfebddjdbbc 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0F0E99F5-154F-CD2E-C8DA-C9C7F4E6DEA7}@hahdipfepbffdjjg 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0F0E99F5-154F-CD2E-C8DA-C9C7F4E6DEA7}@iadkkgpfboonmfaipp 0x6A 0x61 0x65 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0F0E99F5-154F-CD2E-C8DA-C9C7F4E6DEA7}@hancmfenibegkffp 0x6A 0x61 0x65 0x70 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\pcmcia.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Attached Files



BC AdBot (Login to Remove)

 


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:27 PM

Posted 18 July 2010 - 02:49 PM

Good evening. smile.gif

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop - this is important.
  • You will then need to extract the file(s) from the zipped folder.

  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish


  • Close all open programs as a reboot may be required.
  • Go to Start > Run, copy and paste the following into the text box and hit OK:

    "%userprofile%\desktop\tdsskiller\TDSSKiller.exe" -l report.txt

  • A Command Window will open and the tool will scan and produce a log called report.txt that can be found in the TDSSKiller folder that you unzipped.
  • If the tool prompts for a reboot, please allow it to do so; if it fails to reboot after prompting, reboot manually
Please post the contents of the log, report.txt, in your next reply and let me know if the PC is still misbehaving.

So long, and thanks for all the fish.

 

 


#3 jameseng

jameseng
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:27 AM

Posted 18 July 2010 - 06:54 PM

Noviciate,

Thank you for the reply. I downloaded TDSSKiller and ran it - by double clicking instead of using the command prompt (run) - I know RTFI! Sorry about that. It did find a rootkit(?) and it did fix it but I don't have the report. The redirect has stopped though and IE seems to be running correctly. Should I run anything else - and this time I will RTFI :-)

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:27 PM

Posted 19 July 2010 - 02:56 PM

Good evening. smile.gif

ARGGHHHHHHH!!!!! ohmy.gif Your PC may very well self-destruct in the next ten seconds - or then again it may not. dance.gif

The run command just put the log somewhere easy to access, but running the file as you did still creates a log. If you look at the root of your hard drive, you'll find a file similarly named to this: C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt. I'll take the contents in your next reply if I may.

So long, and thanks for all the fish.

 

 


#5 jameseng

jameseng
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:27 AM

Posted 19 July 2010 - 06:20 PM

Found it - thanks!

Good thing programmers account for ID ten T errors :-)

17:40:52:723 2064 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
17:40:52:723 2064 ================================================================================
17:40:52:723 2064 SystemInfo:

17:40:52:723 2064 OS Version: 5.1.2600 ServicePack: 3.0
17:40:52:723 2064 Product type: Workstation
17:40:52:723 2064 ComputerName: LAPTOP
17:40:52:723 2064 UserName: Owner
17:40:52:723 2064 Windows directory: C:\WINDOWS
17:40:52:723 2064 System windows directory: C:\WINDOWS
17:40:52:723 2064 Processor architecture: Intel x86
17:40:52:723 2064 Number of processors: 1
17:40:52:723 2064 Page size: 0x1000
17:40:52:723 2064 Boot type: Normal boot
17:40:52:723 2064 ================================================================================
17:40:53:174 2064 Initialize success
17:40:53:184 2064
17:40:53:184 2064 Scanning Services ...
17:40:53:735 2064 Raw services enum returned 386 services
17:40:53:745 2064
17:40:53:745 2064 Scanning Drivers ...
17:40:55:447 2064 61883 (914a9709fc3bf419ad2f85547f2a4832) C:\WINDOWS\system32\DRIVERS\61883.sys
17:40:55:497 2064 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
17:40:55:557 2064 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
17:40:55:567 2064 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
17:40:55:607 2064 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
17:40:55:648 2064 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
17:40:55:688 2064 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
17:40:55:718 2064 Afc (fe3ea6e9afc1a78e6edca121e006afb7) C:\WINDOWS\system32\drivers\Afc.sys
17:40:55:798 2064 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
17:40:55:868 2064 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
17:40:55:908 2064 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
17:40:55:938 2064 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
17:40:55:958 2064 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
17:40:56:018 2064 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
17:40:56:058 2064 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
17:40:56:078 2064 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
17:40:56:108 2064 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
17:40:56:138 2064 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
17:40:56:178 2064 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
17:40:56:208 2064 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
17:40:56:238 2064 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
17:40:56:258 2064 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
17:40:56:308 2064 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
17:40:56:359 2064 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
17:40:56:459 2064 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
17:40:56:529 2064 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
17:40:56:559 2064 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
17:40:56:609 2064 Avc (f8e6956a614f15a0860474c5e2a7de6b) C:\WINDOWS\system32\DRIVERS\avc.sys
17:40:56:649 2064 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
17:40:56:669 2064 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
17:40:56:709 2064 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
17:40:56:739 2064 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
17:40:56:799 2064 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
17:40:56:819 2064 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
17:40:56:859 2064 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
17:40:56:899 2064 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
17:40:56:939 2064 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
17:40:56:969 2064 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
17:40:56:989 2064 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
17:40:57:019 2064 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
17:40:57:100 2064 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys
17:40:57:240 2064 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
17:40:57:280 2064 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
17:40:57:320 2064 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
17:40:57:420 2064 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
17:40:57:500 2064 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
17:40:57:560 2064 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
17:40:57:600 2064 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
17:40:57:630 2064 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
17:40:57:670 2064 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
17:40:57:791 2064 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
17:40:58:171 2064 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
17:40:58:482 2064 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
17:40:58:552 2064 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
17:40:58:582 2064 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
17:40:58:632 2064 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
17:40:58:662 2064 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
17:40:58:732 2064 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
17:40:58:762 2064 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
17:40:58:802 2064 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
17:40:58:872 2064 GT680xNT (39272946cc027ee9717166876f913f51) C:\WINDOWS\system32\drivers\gt680x.sys
17:40:58:922 2064 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
17:40:58:952 2064 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
17:40:59:012 2064 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
17:40:59:092 2064 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
17:40:59:143 2064 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
17:40:59:243 2064 HSFHWICH (68329f53ebfd34abf268c42d98c830f3) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
17:40:59:313 2064 HSF_DP (7bbc0d5900a1fc9f69fa0950a149a1c6) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
17:40:59:433 2064 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
17:40:59:463 2064 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
17:40:59:503 2064 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
17:40:59:533 2064 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
17:40:59:623 2064 ialm (da58a8be6a445835f603720c4bc8837e) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
17:40:59:783 2064 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
17:40:59:824 2064 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
17:40:59:854 2064 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
17:40:59:894 2064 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
17:40:59:924 2064 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
17:40:59:984 2064 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
17:41:00:014 2064 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
17:41:00:064 2064 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
17:41:00:094 2064 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
17:41:00:134 2064 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
17:41:00:174 2064 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
17:41:00:204 2064 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
17:41:00:264 2064 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
17:41:00:334 2064 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\WINDOWS\system32\drivers\klmd.sys
17:41:00:404 2064 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
17:41:00:504 2064 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
17:41:00:575 2064 Mach3 (f072f46087476f7fbaa7d5638ff4581c) C:\WINDOWS\system32\Drivers\Mach3.sys
17:41:00:655 2064 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
17:41:00:705 2064 mf (a7da20ab18a1bdae28b0f349e57da0d1) C:\WINDOWS\system32\DRIVERS\mf.sys
17:41:00:755 2064 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
17:41:00:825 2064 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
17:41:00:855 2064 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
17:41:00:905 2064 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
17:41:00:945 2064 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
17:41:00:965 2064 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
17:41:01:005 2064 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
17:41:01:105 2064 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
17:41:01:236 2064 MSDV (1477849772712bac69c144dcf2c9ce81) C:\WINDOWS\system32\DRIVERS\msdv.sys
17:41:01:276 2064 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
17:41:01:316 2064 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
17:41:01:356 2064 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
17:41:01:406 2064 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
17:41:01:456 2064 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
17:41:01:466 2064 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
17:41:01:506 2064 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
17:41:01:556 2064 mxnic (e1cdf20697d992cf83ff86dd04df1285) C:\WINDOWS\system32\DRIVERS\mxnic.sys
17:41:01:596 2064 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
17:41:01:756 2064 NAVENG (0953bb24c1e70a99c315f44f15993c17) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100714.002\naveng.sys
17:41:01:896 2064 NAVEX15 (3ddb0bef60b65df6b110c23e17cd67dc) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100714.002\navex15.sys
17:41:02:057 2064 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
17:41:02:107 2064 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
17:41:02:137 2064 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
17:41:02:167 2064 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
17:41:02:217 2064 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
17:41:02:257 2064 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
17:41:02:287 2064 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
17:41:02:347 2064 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
17:41:02:387 2064 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
17:41:02:417 2064 NmPar (79ea5a1b343db2f5187758e00195d9bd) C:\WINDOWS\system32\DRIVERS\NmPar.sys
17:41:02:467 2064 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
17:41:02:527 2064 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
17:41:02:698 2064 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
17:41:02:848 2064 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
17:41:02:938 2064 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
17:41:02:968 2064 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
17:41:03:008 2064 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
17:41:03:028 2064 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
17:41:03:098 2064 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
17:41:03:118 2064 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
17:41:03:168 2064 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
17:41:03:228 2064 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
17:41:03:399 2064 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
17:41:03:429 2064 Pcmcia (05c64396faeeac84a6527790ee8ee135) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
17:41:03:429 2064 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pcmcia.sys. Real md5: 05c64396faeeac84a6527790ee8ee135, Fake md5: 9e89ef60e9ee05e3f2eef2da7397f1c1
17:41:03:429 2064 File "C:\WINDOWS\system32\DRIVERS\pcmcia.sys" infected by TDSS rootkit ... 17:41:07:815 2064 Backup copy found, using it..
17:41:07:855 2064 will be cured on next reboot
17:41:08:055 2064 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
17:41:08:085 2064 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
17:41:08:125 2064 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
17:41:08:155 2064 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
17:41:08:206 2064 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
17:41:08:246 2064 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
17:41:08:266 2064 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
17:41:08:306 2064 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
17:41:08:336 2064 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
17:41:08:366 2064 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
17:41:08:396 2064 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
17:41:08:446 2064 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
17:41:08:466 2064 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
17:41:08:506 2064 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
17:41:08:536 2064 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
17:41:08:596 2064 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
17:41:08:636 2064 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
17:41:08:676 2064 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
17:41:08:726 2064 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
17:41:08:776 2064 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
17:41:08:846 2064 rmedia (2f94c9237cefa1305f0c3cd9bb2e803e) C:\WINDOWS\system32\DRIVERS\rmedia.sys
17:41:08:997 2064 RTL8023 (29f9879a1fd386f7251ae9fdadb2cbf1) C:\WINDOWS\system32\DRIVERS\Rtlnic51.sys
17:41:09:047 2064 samhid (e618ff4e0c5756e1ec9f8c22c2201e7f) C:\WINDOWS\system32\drivers\samhid.sys
17:41:09:147 2064 SAVRT (12b6e269ef8ac8ea36122544c8a1b6d8) C:\Program Files\Symantec AntiVirus\savrt.sys
17:41:09:177 2064 SAVRTPEL (97e5b6f3f95465e1f59360b59d8ec64e) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
17:41:09:227 2064 SCR3XX2K (b590c6b740a85130e88d35d007691eb4) C:\WINDOWS\system32\DRIVERS\SCR3XX2K.sys
17:41:09:287 2064 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
17:41:09:347 2064 Ser2pl (b490ad520257dda26c1d587a71e527b5) C:\WINDOWS\system32\DRIVERS\ser2pl.sys
17:41:09:397 2064 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
17:41:09:598 2064 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
17:41:09:648 2064 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
17:41:09:718 2064 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
17:41:09:758 2064 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
17:41:09:838 2064 smwdm (f41896d591106713649b7eba668324e6) C:\WINDOWS\system32\drivers\smwdm.sys
17:41:09:888 2064 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
17:41:10:008 2064 SPBBCDrv (677b10906838d3bfb1c07ac9087e4bf7) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
17:41:10:148 2064 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
17:41:10:178 2064 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
17:41:10:238 2064 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
17:41:10:299 2064 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
17:41:10:339 2064 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
17:41:10:369 2064 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
17:41:10:399 2064 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
17:41:10:429 2064 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
17:41:10:539 2064 SymEvent (de6d1102d55926354171ae4e73936725) C:\Program Files\Symantec\SYMEVENT.SYS
17:41:10:599 2064 SYMREDRV (6c0a85982f4e0d672b85a2bfb50a24b5) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
17:41:10:639 2064 SYMTDI (cdda3ba3f7d5b63ff9f85cb478c11473) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
17:41:10:769 2064 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
17:41:10:809 2064 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
17:41:10:869 2064 SynTP (b6396adc5b0aa50e20e7a7169843af59) C:\WINDOWS\system32\DRIVERS\SynTP.sys
17:41:10:919 2064 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
17:41:10:990 2064 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
17:41:11:050 2064 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
17:41:11:080 2064 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
17:41:11:120 2064 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
17:41:11:160 2064 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
17:41:11:180 2064 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
17:41:11:210 2064 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
17:41:11:290 2064 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
17:41:11:440 2064 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
17:41:11:480 2064 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
17:41:11:540 2064 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
17:41:11:570 2064 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
17:41:11:610 2064 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
17:41:11:641 2064 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
17:41:11:691 2064 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:41:11:731 2064 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
17:41:11:761 2064 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
17:41:11:781 2064 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
17:41:11:841 2064 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
17:41:11:861 2064 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
17:41:12:011 2064 VX3000 (bd32d7007cb505d3b1c29e3d0ef2a46a) C:\WINDOWS\system32\DRIVERS\VX3000.sys
17:41:12:251 2064 w22n51 (4c009d4352849d79bf347846b6e03bfd) C:\WINDOWS\system32\DRIVERS\w22n51.sys
17:41:12:472 2064 w29n51 (f0608f3b5b6d16f4870e867f9d069b6b) C:\WINDOWS\system32\DRIVERS\w29n51.sys
17:41:12:632 2064 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
17:41:12:752 2064 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
17:41:12:842 2064 winachsf (e010c2588ed1c0ad0e8188ec0f46ced6) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
17:41:13:143 2064 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
17:41:13:613 2064 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
17:41:13:804 2064 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
17:41:13:894 2064 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
17:41:13:934 2064 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
17:41:13:944 2064 Reboot required for cure complete..
17:41:14:495 2064 Cure on reboot scheduled successfully
17:41:14:495 2064
17:41:14:495 2064 Completed
17:41:14:495 2064
17:41:14:495 2064 Results:
17:41:14:495 2064 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:41:14:495 2064 File objects infected / cured / cured on reboot: 1 / 0 / 1
17:41:14:495 2064
17:41:14:495 2064 KLMD(ARK) unloaded successfully

#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:27 PM

Posted 20 July 2010 - 01:34 PM

Good evening. smile.gif

I think we'll have a little peek at the hard drive, just to make sure:

Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh DDS log AND a description of how your PC is behaving.

So long, and thanks for all the fish.

 

 


#7 jameseng

jameseng
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:27 AM

Posted 20 July 2010 - 08:50 PM

Here are the Malwarebytes and DDS logs. Malwarebytes found 4 infected files but I left them as is since they were in the system volume information\restore. The system seems to be running perfect - no redirects or anything. Thanks for taking the time to look at this!

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4322

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

7/20/2010 7:40:38 PM
mbam-log-2010-07-20 (19-40-38).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 246223
Time elapsed: 1 hour(s), 34 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP529\A0191850.rbf (Spyware.Passwords) -> No action taken.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP576\A0203031.exe (Trojan.Agent.Gen) -> No action taken.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP576\A0203166.dll (Trojan.Agent.Gen) -> No action taken.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP576\A0203167.exe (Trojan.FakeAlert) -> No action taken.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 19:44:32.98 on Tue 07/20/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1246.568 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\BLOCKB~1\BLOCKB~1\MovielinkCore.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Blockbuster\BLOCKBUSTERMovielink\Movielink User.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com/
mDefault_Search_URL = hxxp://www.google.com/
mSearch Page = hxxp://www.google.com/
mSearchAssistant = hxxp://www.google.com/
mCustomizeSearch = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [LoadMSvcmm] "c:\program files\blockbuster\blockbustermovielink\Movielink User.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-28 102448]
R3 Mach3;Mach3 Pulseing Service;c:\windows\system32\drivers\Mach3.sys [2007-10-11 106176]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100714.002\naveng.sys [2010-7-14 85424]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100714.002\navex15.sys [2010-7-14 1362608]
S2 Seagate Sync Service;Seagate Sync Service;"c:\program files\seagate\sync\seasyncservices.exe" --> c:\program files\seagate\sync\SeaSyncServices.exe [?]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 EraserUtilDrv10910;EraserUtilDrv10910;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv10910.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv10910.sys [?]
S3 EraserUtilDrvI9;EraserUtilDrvI9;\??\c:\program files\common files\symantec shared\eengine\eraserutildrvi9.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrvI9.sys [?]
S3 GT680xNT;Visioneer OneTouch 7300 Driver;c:\windows\system32\drivers\Gt680x.sys [2007-9-16 17376]
S3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [2010-1-24 76416]
S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2010-1-31 7548]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [2010-6-26 57856]

=============== Created Last 30 ================

2010-07-19 18:08:12 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-18 01:17:47 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-07-17 20:08:07 0 d-----w- c:\program files\Wise Registry Cleaner 3
2010-07-17 18:25:25 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-07-17 18:25:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-17 18:25:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-17 18:25:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-17 18:25:14 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-17 17:30:48 0 d-----w- c:\program files\Trend Micro
2010-07-14 23:44:59 38480 ------w- c:\windows\system32\IJRMF.exe
2010-07-14 23:25:22 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-14 23:24:20 0 d-----w- c:\program files\NCH Swift Sound
2010-07-14 23:24:19 0 d-----w- c:\program files\Softonic-Eng7
2010-07-14 23:24:12 0 d-----w- c:\program files\Conduit
2010-07-12 01:59:24 120 ----a-w- c:\windows\Bxisuwaq.dat
2010-07-12 01:59:24 0 ----a-w- c:\windows\Hzixanejobecebep.bin
2010-06-27 01:57:11 0 d-----w- c:\docume~1\owner\applic~1\PureEdge
2010-06-27 01:56:07 0 d-----w- c:\program files\IBM
2010-06-27 01:56:07 0 d-----w- c:\docume~1\alluse~1\applic~1\PureEdge
2010-06-27 01:32:01 68224 ----a-w- c:\temp\S3XXx64.sys
2010-06-27 01:32:01 57856 ----a-w- c:\windows\system32\drivers\SCR3XX2K.sys
2010-06-27 01:32:01 57856 ----a-w- c:\temp\SCR3XX2K.sys
2010-06-27 01:29:06 7680 ----a-r- c:\temp\STCFUx32.sys
2010-06-27 01:29:06 45056 ----a-w- c:\temp\Sx33XRES.dll
2010-06-27 01:29:06 32768 ----a-w- c:\temp\SCR3310S_V526.bin
2010-06-27 01:29:06 245760 ----a-w- c:\temp\FwUpdate.exe
2010-06-27 01:29:06 155648 ----a-w- c:\temp\FIOSx33x.dll
2010-06-27 01:29:06 106496 ----a-w- c:\temp\FwResorc.dll
2010-06-27 01:29:06 10240 ----a-r- c:\temp\STCFUx64.sys
2010-06-25 22:19:51 0 d-----w- c:\program files\EA Games

==================== Find3M ====================

2010-07-18 23:42:38 120192 ----a-w- c:\windows\system32\drivers\pcmcia.sys
2010-06-03 02:41:44 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-02-11 03:19:49 150 -c--a-w- c:\program files\MacHbkVersionsInfo.txt
2008-08-29 00:58:00 117901 -c--a-w- c:\program files\jerry182985.bbcd
2003-08-29 19:12:00 61440 -c--a-w- c:\windows\inf\i386\Viz7300.dll
2003-08-29 19:12:00 17376 -c--a-w- c:\windows\inf\i386\Gt680x.sys
2009-02-13 03:11:00 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009021220090213\index.dat

============= FINISH: 19:45:30.26 ===============




#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:27 PM

Posted 21 July 2010 - 03:05 PM

Good evening. smile.gif

You have a couple of entries in your log that point to files on your PC that I would like to have checked - if they are still present.

Please go to Jotti's and click on the Browse... button at the top and navigate to the following files in turn, and then click on Submit:

c:\windows\Bxisuwaq.dat
c:\windows\Hzixanejobecebep.bin


When all the scans have been completed, for each file in turn, please copy and paste the "Permalink" that you'll find in the "Jotti's malware scan" box in the upper left hand part of the page into your next reply.

If this site is busy, try VirusTotal: Click the Browse ... button, navigate to the file and double click it and then click the Send button.

You may need to set Windows to show All Hidden Files and Folders - Instructions can be found here.
* These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after you have done.
*

So long, and thanks for all the fish.

 

 


#9 jameseng

jameseng
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:27 AM

Posted 21 July 2010 - 09:18 PM

Hello again!

Below is the permalink for c:\windows\Bxisuwaq.dat:

http://virusscan.jotti.org/en/scanresult/1...d561c1e77bb2618

The other file reported zero bytes.

#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:27 PM

Posted 22 July 2010 - 02:14 PM

Good evening. smile.gif

I guess we'll trust the scanners and leave them alone. You're about done, apart from a little housekeeping:

Your version of Sun Java needs updating:

1) Go here and click on the Windows XP/Vista/2000/2003/2008 Offline link in the Windows section near the top and save it to your Desktop.

2) Download JavaRa from here and save it to your Desktop.
You will need to extract the file(s):
Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


***Please close any instances of Internet Explorer before continuing!***
  • Double-click JavaRa.exe to begin.
  • Pick your preferred language from the drop-down menu and click Select.
  • Click on Remove Older Versions to remove older version of Java - obvious really, isn't it!
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location, just in case you have any problems with Java afterwards.
3) Run the installer that you downloaded earlier.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your log doesn't appear to show a third-party software firewall installed - if you have one, and i've missed it, please ignore this.
If you are relying the firewall that comes with Service Pack 2, then you need to install one. While the SP2 firewall is better than nothing, it doesn't monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will.
If you are using a wireless router that comes with a NAT hardware firewall, this also doesn't monitor outgoing connections.

There are a few free firewalls available, of which the following are just three:

Comodo Firewall Pro, available here.
PC Tools Firewall Plus, available here.
Online Armor Free, available here.

It is important to note that you should only have one firewall installed at a time, but you can download them all to your Desktop and install each in turn to see which one you prefer.

Understanding and Using Firewalls: http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I see that you have a registry cleaner installed, Wise Registry Cleaner 3 Free 3.73, and have used another recently, Advanced Registry Optimizer 2010. Given the potential for disaster if things don't go according to plan in the registry, I tend to stay out unless I have a very good reason to play. The benefits don't ever justify the risks where reg cleaners are concerned, so i'd forget about them if I were you.

I once heard a doctor on the topic of cotton buds say that you should stick nothing smaller than your elbow in your ear, and the same sort of approach to registry cleaners is generally advisable.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Create a new Restore Point with a memorable name - this will give a clean one should you need it in the future. If you use a Restore Point from before this point you may reinstall any infection that was present at the time, so only do so if using this latest one doesn't solve any issues.
A tutorial for System Restore is available here.

As time goes on System Restore overwrites old Restore Points as it is allowed a limited amount of space to store them in. The detections that MBAM identified will eventually disappear, so unless you use an infected Restore Point from before the shiny new one you'll create shortly, they pose no risk.
As Restore Points works like a chain, removing an item may damage that chain and affect this handy safety net, so we like to leave things alone in there.

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet.

So long, and thanks for all the fish.

 

 


#11 jameseng

jameseng
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:27 AM

Posted 22 July 2010 - 06:24 PM

Noviciate,

Thanks a million for all the help. Looking at your name I wouldn't say your a novice or in the stage of the novitiate :-)

I ran java update, installed firewall and deleted the cotton buds. I created a restore point today and will do another one in a few days.

I'll also get smarter on keeping my computer SAFE! You never think it'll happen to you until one day - BAM!

Thanks again!

#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:27 PM

Posted 25 July 2010 - 02:41 PM

As this issue appears resolved this thread is now closed.

So long, and thanks for all the fish.

 

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users