Google Re-Direct (I think)


  • This topic is locked
14 replies to this topic

#1 BigBledd

  • Members
  • 7 posts

Posted 23 July 2010 - 09:05 AM

Hello,

Some time ago the 'Security Threat Analysis' started to load up. I closed it via task manager and I thought it had been eradicated. I then started to be bounced to random sites when searching via my google web browser. Every time I clicked on a result it would bounce me to a series of sites like 'Ask Jeeves, News-11-today, Jiggle' just totally random stuff.

Intermittently the security threat analysis pops up and I close it via task manager.

I have attempted to initiate a system restore but it will not go back prior to June which I believe is part of the virus.

There is also a constant process running as the cursor flicks to an egg timer every couple of seconds and I can hear the computer running and working hard all the time.

I have followed the instructions but the GMER log ran right through then the pc automatically restarted and the log was lost.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Bleddyn at 13:25:41.29 on 23/07/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.990.124 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Bleddyn\Desktop\dds.scr

============== Running Processes ===============

C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Bleddyn\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sky.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File
BHO: {074C1DC5-9320-4A9A-947D-C042949C6216} - No File
BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File
BHO: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - No File
BHO: {AE7CD045-E861-484f-8273-0445EE161910} - No File
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
uRun: [sjhfgvek] c:\documents and settings\bleddyn\local settings\application data\payqxpjnq\ghtdbsjtssd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [{9A87C090-48AA-5DD5-59F6-FBA26DA91B34}] "c:\documents and settings\bleddyn\application data\ynidpi\ynypu.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [sjhfgvek] c:\documents and settings\bleddyn\local settings\application data\payqxpjnq\ghtdbsjtssd.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.co.uk/SnapfishUKActivia.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - No File
SEH: {1168FF97-E851-4661-9589-FF785012E0D9} - No File

Note: multiple IFEO entries found. Please refer to Attach.txt

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-4-28 214664]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-4-28 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-4-28 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-4-28 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-4-28 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-4-28 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-4-28 40552]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-4-28 34248]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-3-3 137344]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010-3-3 8320]

=============== Created Last 30 ================

2010-07-23 12:10:25 0 ----a-w- c:\documents and settings\bleddyn\defogger_reenable
2010-07-20 17:11:17 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-07-20 17:11:16 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-07-20 17:11:16 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2010-07-20 17:11:14 159232 ----a-w- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2010-06-08 15:32:34 23552 ----a-w- c:\windows\system32\wdmaud.drv
2010-06-08 15:32:34 23552 ----a-w- c:\windows\system32\dllcache\wdmaud.drv
2010-05-18 15:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 15:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-26 14:58:12 256512 ----a-w- c:\windows\PEV.exe
2009-04-30 19:09:29 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009043020090501\index.dat

============= FINISH: 13:28:31.31 ===============

Attach.txt is in the attachment.
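As an added example (not part of the thread, and not code from DDS or ComboFix): a small defender-side triage pass over the Run entries in the DDS "Pseudo HJT Report" above. The sample lines are copied from the posted log; the three scoring heuristics (profile-directory path, random-looking or GUID names, the same value planted in both HKCU and HKLM) are my own assumptions about what makes an autorun worth a second look.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the Run lines from the DDS log posted above.
# uRun = HKCU Run key, mRun = HKLM Run key, dRun = Default User Run key.
SAMPLE_DDS = r"""
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
uRun: [sjhfgvek] c:\documents and settings\bleddyn\local settings\application data\payqxpjnq\ghtdbsjtssd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [{9A87C090-48AA-5DD5-59F6-FBA26DA91B34}] "c:\documents and settings\bleddyn\application data\ynidpi\ynypu.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [sjhfgvek] c:\documents and settings\bleddyn\local settings\application data\payqxpjnq\ghtdbsjtssd.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
"""

RUN_LINE = re.compile(r"^([umd])Run: \[([^\]]+)\] (.+)$")
GUID = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
HIVE = {"u": "HKCU", "m": "HKLM", "d": "Default User"}


def parse_run_entries(text):
    """Return (hive, value_name, exe_path) tuples for every DDS Run line."""
    entries = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        hive, name, value = m.groups()
        if value.startswith('"'):                 # quoted path: up to the closing quote
            end = value.find('"', 1)
            exe = value[1:end] if end != -1 else value[1:]
        else:                                     # unquoted: path ends at the .exe token
            idx = value.lower().find(".exe")
            exe = value[: idx + 4] if idx != -1 else value.split(" ")[0]
        entries.append((HIVE[hive], name, exe.lower()))
    return entries


def looks_random(token):
    """A low vowel ratio over a run of letters suggests a generated name (heuristic)."""
    letters = [c for c in token.lower() if c.isalpha()]
    if len(letters) < 5:
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    return vowels / len(letters) < 0.25


def triage(text):
    """Score each Run entry; return {value_name: [reasons]} for entries worth a look."""
    entries = parse_run_entries(text)
    hives_by_name = defaultdict(set)
    for hive, name, _ in entries:
        hives_by_name[name.lower()].add(hive)

    findings = {}
    for hive, name, exe in entries:
        reasons = []
        # 1. Executable lives in the user's profile rather than Program Files / system32.
        if "\\documents and settings\\" in exe and (
                "\\application data\\" in exe or "\\local settings\\" in exe):
            reasons.append("runs from user profile data directory")
        # 2. Value name is a bare GUID, or value/folder/file names look generated.
        if GUID.match(name):
            reasons.append("GUID used as value name")
        parts = exe.rsplit("\\", 2)[-2:]          # parent folder and file name
        if (not GUID.match(name) and looks_random(name)) or \
                any(looks_random(p.split(".")[0]) for p in parts):
            reasons.append("random-looking name in value or path")
        # 3. Same value planted in both the per-user and the machine-wide Run key.
        if {"HKCU", "HKLM"} <= hives_by_name[name.lower()]:
            reasons.append("duplicated in HKCU and HKLM Run")
        if len(reasons) >= 2:                     # a single weak signal alone is noise
            findings.setdefault(name, reasons)
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_DDS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On the sample it flags exactly the two entries m0le later removes with the CFScript (the `sjhfgvek` pair and the GUID-named value under Application Data) and leaves the Adobe, Intel, Synaptics-style and ctfmon entries alone.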

#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 31 July 2010 - 07:07 AM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

m0le is a proud member of UNITE

#3 BigBledd
  • Topic Starter

  • Members
  • 7 posts

Posted 01 August 2010 - 02:49 PM

Hi Mole,

Yes I am here and I look forward to hearing from you.

Cheers

BigBledd

#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 01 August 2010 - 05:18 PM

There's some very recognisable malware on the logs. Before we go after that let's make sure that something else hasn't been done to the system.

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

#5 BigBledd
  • Topic Starter

  • Members
  • 7 posts

Posted 02 August 2010 - 02:09 PM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 141):

Processes (total 49):
0 System Idle Process
4 System
1036 C:\WINDOWS\system32\smss.exe
1148 csrss.exe
1172 C:\WINDOWS\system32\winlogon.exe
1220 C:\WINDOWS\system32\services.exe
1232 C:\WINDOWS\system32\lsass.exe
1384 C:\WINDOWS\system32\svchost.exe
1452 svchost.exe
1508 C:\WINDOWS\system32\svchost.exe
1612 C:\WINDOWS\system32\svchost.exe
1696 svchost.exe
1796 svchost.exe
2016 C:\WINDOWS\system32\spoolsv.exe
224 svchost.exe
260 C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
288 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
308 C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
332 C:\Program Files\Bonjour\mDNSResponder.exe
408 svchost.exe
532 C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
712 C:\Program Files\Common Files\Mcafee\SystemCore\mfevtps.exe
796 C:\Program Files\McAfee Online Backup\MOBKbackup.exe
992 C:\WINDOWS\system32\svchost.exe
1044 C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
1848 C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
3240 C:\WINDOWS\explorer.exe
3476 C:\WINDOWS\system32\igfxtray.exe
3504 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
3512 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
3532 C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe
3548 C:\WINDOWS\system32\rundll32.exe
3564 C:\Program Files\Real\RealPlayer\realplay.exe
3572 C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
3596 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
3768 C:\Program Files\McAfee.com\Agent\mcagent.exe
3800 C:\Program Files\iTunes\iTunesHelper.exe
3808 C:\WINDOWS\system32\ctfmon.exe
3840 C:\Program Files\FinePixViewer\QuickDCF.exe
3044 C:\WINDOWS\system32\vssvc.exe
3348 C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
2292 alg.exe
2168 C:\Program Files\iPod\bin\iPodService.exe
1568 C:\WINDOWS\system32\svchost.exe
3520 C:\Program Files\Internet Explorer\iexplore.exe
2440 C:\Program Files\Internet Explorer\iexplore.exe
2944 C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
3456 C:\Program Files\Internet Explorer\iexplore.exe
3776 C:\Documents and Settings\Bleddyn\Local Settings\Temporary Internet Files\Content.IE5\WU91N3K0\MBRCheck[1].exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: ST94019A, Rev: 5.11

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows 98 MBR code detected
SHA1: 48F01D7E76A0F3C038D08611E3FDC0EE4EF9FD3E


Done!

#6 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 02 August 2010 - 06:16 PM

No problem there.


Please run Combofix so we can remove the malware on your PC

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 BigBledd
  • Topic Starter

  • Members
  • 7 posts

Posted 03 August 2010 - 09:27 AM

Hiya,

Here is the log from Combofix.

Cheers!

BigBledd

Attached Files

  • log.txt


#8 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 August 2010 - 02:10 PM

TDSS rootkit and quite an unusual amount of system file infection.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

File::
c:\documents and settings\Default User\Start Menu\Programs\Startup\seuvl.exe

Folder::
c:\documents and settings\Bleddyn\Application Data\Upzi
c:\documents and settings\Bleddyn\Local Settings\Application Data\payqxpjnq

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sjhfgvek"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sjhfgvek"=-

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#9 BigBledd
  • Topic Starter

  • Members
  • 7 posts

Posted 04 August 2010 - 06:34 AM

Hi M0le,

All done, here's the log.

Cheers

BigBledd

Attached Files



#10 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 04 August 2010 - 05:24 PM

How are the redirections? Still getting them?

#11 BigBledd
  • Topic Starter

  • Members
  • 7 posts

Posted 05 August 2010 - 08:21 AM

Mr M0le,

They appear to have stopped!

Is that me clean of infections now?

If so, any advice on how to stay clean in the future?

Thank you so much

Bledd

#12 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 05 August 2010 - 08:41 AM

One more scan to remove remnants and then I will give you a whole heap of advice.
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

#13 BigBledd
  • Topic Starter

  • Members
  • 7 posts

Posted 07 August 2010 - 11:03 AM

Hi M0le,

Here is the ESET Scan.

Scary set of results!!!!!!

Cheers

Bledd

Attached Files



#14 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 07 August 2010 - 05:14 PM

Yes, it looks scary but it isn't.

The first three are in Combofix's quarantine and the remainder are sitting in the System Restore folder. Why? Because if you used the system restore (as is often touted as a solution) it would reinfect you all over again. ESET takes them out of most logs I work on.

In short,...

You're clean. Good stuff!

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


We Need to Clean Up our Mess
Our work on your machine has left considerable leftovers on your box. Let's clean those up real quick:
  1. Reopen on your desktop.
  2. Click on
  3. You will be prompted to reboot your system. Please do so.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.


Please download ATF Cleaner by Atribune.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main "Select Files to Delete" choose: Select All.
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

NB: If you are using Firefox and this has caused page loading problems then please clear your private data. To do this go to the Tools menu, select Clear Private Data, and then check Cache. Click Clear Private Data Now.

This could also be Clear Recent History or similar

Then close Firefox and then reopen it.


------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it BigBledd, happy surfing!

Cheers.

m0le

#15 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 11 August 2010 - 07:30 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.



