
Eset blocking web sites possible malware?


  • This topic is locked
21 replies to this topic

#1 !Potter!

!Potter!

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:42 PM

Posted 23 July 2010 - 04:05 PM

Hi,

I think I have got an infection on my PC and I can't get rid of it. I have been running ESET for some time now and haven't had any problems so far.

I logged on to the computer yesterday and started getting messages saying ESET had blocked access to web pages and IP addresses, very similar to a previous post (http://www.bleepingcomputer.com/forums/topic330759.html), except it's blocking websites like lkolha71gg.cc 213.163.89.106:80 and a74232357.cn 213.1163.89.107:80

ESET found 8 files on a full system scan that have been moved to quarantine; they were found in documents and settings\dean\application data\sun\java\deployment\cache\6.0\ (in various folders).

I have run Malwarebytes Anti-Malware and ESET again and no threats have been found, despite the computer still blocking various websites.

I have put the DDS log on here, but when I run the GMER file, after about an hour and a half the computer crashes and boots back to the Windows welcome logon screen, so I can't attach that log. I feel like I'm stuck.

Any help would be great and really appreciated.

Thanks in advance



DDS (Ver_10-03-17.01) - NTFSx86
Run by Dean at 17:45:18.00 on 23/07/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1983.1434 [GMT 1:00]

AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\dllhost.exe
svchost.exe
C:\WINDOWS\system32\lxcdcoms.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Documents and Settings\Dean\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
uSearch Bar = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
mWinlogon: UIHost=c:\windows\system32\logonui.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {0cb59d0c-4a96-4fc5-b8bd-29af4a0ee3e2} - Internet Explorer Plugin
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [LXCDCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCDtime.dll,_RunDLLEntry@16
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [<NO NAME>]
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_11\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: adobe.com\www
Trusted Zone: microsoft.com\www.update
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} - hxxp://download.yahoo.com/dl/installs/bt/yregucfg.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
DPF: {55027008-315F-4F45-BBC3-8BE119764741} - hxxp://www.slide.com/uploader/SlideImageUploader.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163077641682
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {3C4FFAAE-04BA-494A-9099-D1C744272AAD} - rundll32 bilmux2.dll,laspi

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-11-16 108792]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-11-16 735960]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2010-2-25 1047880]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2010-2-25 10064]
S2 FlexService;Remote Connections Service;"c:\program files\rapidbit\cisvc.exe" --> c:\program files\rapidbit\cisvc.exe [?]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-6-6 61952]
S3 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-13 136176]
S3 miniusb;FrameManager Display Adapter;c:\windows\system32\drivers\sam_miniusb.sys --> c:\windows\system32\drivers\sam_miniusb.sys [?]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-4-14 14424]
S3 SODI;SODI;c:\windows\system32\drivers\sam_miniport.sys --> c:\windows\system32\drivers\sam_miniport.sys [?]
S3 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-5-7 92008]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-1-14 11520]
S3 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-10-14 98304]
S3 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-9-1 1251720]

=============== Created Last 30 ================

2010-07-23 15:21:10 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
2010-07-23 07:31:16 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-21 10:42:33 0 d-----w- C:\UP!
2010-07-21 10:16:54 0 d-----w- c:\docume~1\dean\applic~1\BEC7B8CB8076D584F2DF604FB1848D84
2010-07-14 09:23:45 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-30 08:39:38 0 d-----w- c:\docume~1\dean\applic~1\AVS4YOU
2010-06-30 08:37:23 0 d-----w- c:\program files\common files\AVSMedia
2010-06-30 08:36:27 974848 ----a-w- c:\windows\system32\mfc70.dll
2010-06-30 08:36:27 0 d-----w- c:\program files\AVS4YOU
2010-06-30 08:36:27 0 d-----w- c:\docume~1\alluse~1\applic~1\AVS4YOU

==================== Find3M ====================

2010-06-17 18:48:45 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-05-05 13:30:57 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2006-11-11 11:40:20 22 -csha-w- c:\windows\sminst\HPCD.sys
2010-02-09 23:00:42 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010020920100210\index.dat

============= FINISH: 17:47:01.87 ===============



#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:10:42 AM

Posted 31 July 2010 - 09:14 AM

Hello !Potter!

Welcome to BleepingComputer
==========================
Download the following GMER Rootkit Scanner from Here
  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically only C:\ should be checked)
  • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#3 !Potter!

!Potter!
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:42 PM

Posted 03 August 2010 - 02:12 AM

Hi Kahdah,

Thanks for getting back to me. Firstly, I had a friend who ran the program "TDSSKiller" on this laptop. Many apologies for him jumping the gun, but I have included the log file as an attachment; it did find one file infected and cleaned it in 'cdrom.sys', but I'm not sure if the computer is fully clean.

I re-downloaded GMER and ran it without it crashing the computer this time. I have attached the log.

The computer is now not trying to redirect to other web pages, and because ESET had become corrupt I have reinstalled over the original installation to ensure this is working correctly.

Thanks again.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-02 22:05:01
Windows 5.1.2600 Service Pack 3
Running: ftpd.exe; Driver: C:\DOCUME~1\Dean\LOCALS~1\Temp\uxtdapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xF6763610]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF7354112]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF73332D6]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF73334C8]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0xF6763C10]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF7354900]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF7354BB4]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDuplicateObject [0xF6763730]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF7352E12]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xF67634B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenThread [0xF6763570]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0xF67636D0]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF7355020]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0xF6763690]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xF6763650]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xF67637D0]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF73543D2]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xF6763510]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xF6763590]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF7332F44]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateThread [0xF67635D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xF6763750]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF581D360, 0x225D9D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[604] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device \FileSystem\Cdfs \Cdfs B8BC9400

---- EOF - GMER 1.0.15 ----
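
A small triage script for the SSDT section of a GMER log like the one above, added here as an example; it is not part of the original thread and not GMER's own code. It parses each SSDT hook line, groups the hooks by the vendor string GMER took from the driver's version info (in this log, ESET and PC Tools), and lists any hook that cannot be attributed to a vendor you expect on the box, which is the first thing to look at when deciding whether an entry is the kind of false positive the instructions warn about. The sample input is constructed: three lines copied from the log above plus one made-up line for a hypothetical xyz.sys with no version info; the trusted-vendor list and the function names are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: three lines copied from the GMER log in this thread plus one
# made-up line (xyz.sys, hypothetical) to exercise the "no version info" path.
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xF6763610]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF7354112]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xF67634B0]
SSDT \??\C:\WINDOWS\system32\drivers\xyz.sys ZwQueryDirectoryFile [0xF7001234]

---- Kernel code sections - GMER 1.0.15 ----
"""

SSDT_LINE = re.compile(
    r"^SSDT\s+(?P<module>\S+)"          # driver path or bare file name
    r"(?:\s+\((?P<desc>[^)]*)\))?"      # optional "(description/vendor)" from version info
    r"\s+(?P<func>Zw\w+)"               # hooked native service
    r"\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]\s*$"
)

# Assumption: vendors whose SSDT hooks are expected on this machine (both products
# in the log ship kernel self-protection drivers); anything else is surfaced for review.
TRUSTED_VENDORS = {"ESET", "PC Tools"}


def parse_ssdt(text):
    """Return one dict per SSDT hook line: module file name, vendor, hooked function, address."""
    hooks = []
    for line in text.splitlines():
        m = SSDT_LINE.match(line.strip())
        if not m:
            continue
        desc = m.group("desc")
        vendor = desc.rsplit("/", 1)[-1].strip() if desc and "/" in desc else None
        hooks.append({
            "module": m.group("module").rsplit("\\", 1)[-1].lower(),
            "vendor": vendor,
            "function": m.group("func"),
            "address": int(m.group("addr"), 16),
        })
    return hooks


def hooks_by_vendor(hooks):
    """Group hooked function names by vendor; hooks without version info get their own bucket."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[h["vendor"] or "(no version info)"].append(h["function"])
    return {v: sorted(f) for v, f in grouped.items()}


def unattributed_hooks(hooks, trusted=TRUSTED_VENDORS):
    """Hooks not from a trusted vendor: these are the entries worth a closer look.
    A hook from a known AV vendor is the expected kind of GMER false positive."""
    return [h for h in hooks if h["vendor"] not in trusted]


if __name__ == "__main__":
    hooks = parse_ssdt(SAMPLE_GMER)
    for vendor, funcs in hooks_by_vendor(hooks).items():
        print("%s: %d hooks -> %s" % (vendor, len(funcs), ", ".join(funcs)))
    for h in unattributed_hooks(hooks):
        print("REVIEW: %s hooks %s at 0x%08X" % (h["module"], h["function"], h["address"]))
```

Paste a whole ark.txt into SAMPLE_GMER (or read it from disk) and the non-SSDT sections are simply ignored by the regex; the vendor grouping makes it obvious when every hook on the box belongs to the installed security products.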


#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:10:42 AM

Posted 03 August 2010 - 06:14 AM

Ok.
  1. Please download mbrcheck from Here
  2. Save that file to your desktop and double click on it to run it.
  3. It will show a Black screen with some data on it then hit any key to continue.
  4. Once it finishes there will be a log produced on your desktop that is labeled mbrcheck*.txt (where the * is date)
  5. Please post the contents of that log in your next reply.


#5 !Potter!

!Potter!
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:42 PM

Posted 03 August 2010 - 06:47 AM

Hi,

Thanks for the speedy reply.

I downloaded the program and the log is as follows:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 157):
0x804D7000 \WINDOWS\system32\TUKERNEL.EXE
0x80721000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF7446000 fltmgr.sys
0xF7418000 ACPI.sys
0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7407000 pci.sys
0xF7487000 isapnp.sys
0xF7497000 ohci1394.sys
0xF74A7000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF789B000 compbatt.sys
0xF789F000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF798B000 intelide.sys
0xF798D000 viaide.sys
0xF798F000 aliide.sys
0xF73E9000 pcmcia.sys
0xF74B7000 MountMgr.sys
0xF73CA000 ftdisk.sys
0xF7991000 dmload.sys
0xF73A4000 dmio.sys
0xF78A3000 ACPIEC.sys
0xF7A50000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF770F000 PartMgr.sys
0xF74C7000 VolSnap.sys
0xF738C000 atapi.sys
0xF7373000 nvata.sys
0xF74D7000 disk.sys
0xF74E7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7361000 sr.sys
0xF7328000 PCTCore.sys
0xF74F7000 PxHelp20.sys
0xF7311000 KSecDD.sys
0xF72FE000 WudfPf.sys
0xF7271000 Ntfs.sys
0xF7244000 NDIS.sys
0xF7507000 Serial.sys
0xF722A000 Mup.sys
0xF6A78000 \SystemRoot\system32\DRIVERS\AmdK8.sys
0xF7933000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF7937000 \SystemRoot\system32\DRIVERS\cpqbttn.sys
0xF6A68000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF7827000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF793B000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF5B7F000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xF57FA000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xF57E6000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF794F000 \SystemRoot\system32\DRIVERS\nvsmu.sys
0xF782F000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF57C2000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7837000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF6A58000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF57AA000 \SystemRoot\System32\Drivers\AnyDVD.sys
0xF6A48000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF6A38000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF5787000 \SystemRoot\system32\DRIVERS\ks.sys
0xF783F000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF575F000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF7957000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
0xF5714000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
0xF56DD000 \SystemRoot\system32\DRIVERS\NVSNPU.SYS
0xF6A28000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7847000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF56AD000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF79E5000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF784F000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF6A18000 \SystemRoot\system32\DRIVERS\Epfwndis.sys
0xF7B9B000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF5C18000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF797B000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF5328000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF5C08000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF5BF8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7717000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF5317000 \SystemRoot\system32\DRIVERS\psched.sys
0xF5BE8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF772F000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7737000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF52E7000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7687000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF79EF000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF5261000 \SystemRoot\system32\DRIVERS\update.sys
0xF71F2000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7617000 \SystemRoot\system32\DRIVERS\zebrceb.sys
0xF79F1000 \SystemRoot\system32\DRIVERS\zebrwh.sys
0xF71EA000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF7697000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7527000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF21FB000 \SystemRoot\system32\drivers\CHDAud.sys
0xF21D7000 \SystemRoot\system32\drivers\portcls.sys
0xF7587000 \SystemRoot\system32\drivers\drmk.sys
0xF1EFA000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
0xF1E08000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xF1D56000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF779F000 \SystemRoot\System32\Drivers\Modem.SYS
0xEFD7E000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF7A3D000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xEF3F1000 \SystemRoot\System32\Drivers\Null.SYS
0xF0ABF000 \SystemRoot\System32\Drivers\Beep.SYS
0xED337000 \SystemRoot\system32\DRIVERS\ehdrv.sys
0xEF29F000 \SystemRoot\System32\drivers\vga.sys
0xF096B000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF0969000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xEF297000 \SystemRoot\System32\Drivers\Msfs.SYS
0xEF28F000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF0967000 \SystemRoot\system32\drivers\XTVFSRec.sys
0xEFD6A000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xED01B000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xECFC2000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xECFB0000 \SystemRoot\system32\DRIVERS\epfwtdi.sys
0xEC1A3000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xED0DC000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xEF664000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xEC24F000 \SystemRoot\system32\DRIVERS\netbt.sys
0xEC22D000 \SystemRoot\System32\drivers\afd.sys
0xED0CC000 \SystemRoot\system32\DRIVERS\netbios.sys
0xEF69E000 \SystemRoot\system32\DRIVERS\eabfiltr.sys
0xEF65C000 \SystemRoot\System32\Drivers\SCDEmu.SYS
0xEC202000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xEC435000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xED0BC000 \SystemRoot\System32\Drivers\Fips.SYS
0xECFA8000 \SystemRoot\system32\DRIVERS\HPZius12.sys
0xEC948000 \SystemRoot\system32\drivers\hpfxbulk.sys
0xECFA0000 \SystemRoot\system32\drivers\HPFXGEN.SYS
0xED06C000 \SystemRoot\system32\DRIVERS\HPZid412.sys
0xEC944000 \SystemRoot\system32\DRIVERS\Dot4Scan.sys
0xEC940000 \SystemRoot\system32\DRIVERS\HPZipr12.sys
0xECF98000 \SystemRoot\System32\Drivers\ElbyCDIO.sys
0xEBAF4000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xEBADB000 \SystemRoot\System32\Drivers\dump_nvata.sys
0xF79C7000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xEFD6E000 \SystemRoot\System32\drivers\Dxapi.sys
0xEFE06000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF1907000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB91ED000 \SystemRoot\system32\DRIVERS\eamon.sys
0xB91CB000 \SystemRoot\system32\DRIVERS\epfw.sys
0xED295000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB918E000 \SystemRoot\system32\drivers\wdmaud.sys
0xF1983000 \SystemRoot\system32\drivers\sysaudio.sys
0xB90E4000 \SystemRoot\System32\drivers\aspi32.sys
0xB8F1F000 \SystemRoot\System32\Drivers\HTTP.sys
0xB8EA0000 \SystemRoot\system32\DRIVERS\srv.sys
0xB8F0B000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xB8CD1000 \??\C:\WINDOWS\system32\drivers\mqac.sys
0xB8C9F000 \??\C:\WINDOWS\system32\drivers\RMCast.sys
0xF7A9B000 \??\C:\WINDOWS\system32\STEC3.sys
0xF0859000 \??\C:\WINDOWS\system32\drivers\symlcbrd.sys
0xF7B57000 \??\C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys
0xB883F000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
0xF7867000 \??\C:\Program Files\peerblock\pbfilter.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 53):
0 System Idle Process
4 System
1536 C:\WINDOWS\system32\smss.exe
1728 csrss.exe
1760 C:\WINDOWS\system32\winlogon.exe
1872 C:\WINDOWS\system32\services.exe
1884 C:\WINDOWS\system32\lsass.exe
228 C:\WINDOWS\system32\svchost.exe
356 svchost.exe
396 C:\WINDOWS\system32\svchost.exe
436 C:\WINDOWS\system32\svchost.exe
704 svchost.exe
728 svchost.exe
1120 C:\WINDOWS\system32\spoolsv.exe
500 C:\WINDOWS\explorer.exe
936 C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
944 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
1008 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
1020 C:\Program Files\HP\QuickPlay\QPService.exe
1208 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1216 C:\Program Files\ESET\ESET Smart Security\egui.exe
1224 C:\Program Files\peerblock\peerblock.exe
1236 C:\WINDOWS\system32\ctfmon.exe
1640 C:\Program Files\Outlook Express\msimn.exe
280 msdtc.exe
1072 C:\Program Files\Bonjour\mDNSResponder.exe
1200 C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
1028 C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
1608 C:\WINDOWS\ehome\ehrecvr.exe
1700 C:\WINDOWS\ehome\ehSched.exe
1716 C:\Program Files\ESET\ESET Smart Security\ekrn.exe
2004 C:\Program Files\Java\jre6\bin\jqs.exe
224 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
1592 C:\WINDOWS\system32\nvsvc32.exe
2000 C:\WINDOWS\system32\hpzipm12.exe
2064 svchost.exe
2088 C:\WINDOWS\system32\svchost.exe
2164 C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
2268 C:\WINDOWS\system32\TUProgSt.exe
2320 C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
2400 McrdSvc.exe
2440 C:\WINDOWS\system32\mqsvc.exe
2536 C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
2932 C:\WINDOWS\system32\mqtgsvc.exe
3012 C:\WINDOWS\system32\lxcdcoms.exe
3312 C:\WINDOWS\system32\dllhost.exe
3400 wmiprvse.exe
4060 C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
1364 alg.exe
3560 C:\WINDOWS\system32\svchost.exe
1832 C:\WINDOWS\system32\wuauclt.exe
2996 C:\Program Files\Opera\opera.exe
632 C:\Documents and Settings\Dean\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000014`b345f200 (FAT32)

PhysicalDrive0 Model Number: FUJITSUMHV2100BHPL, Rev: 892C

Size Device Name MBR Status
--------------------------------------------
93 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: F19F100B4DC860880BDC331CC9D56B1C13F605D5


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:

#6 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:10:42 AM

Posted 03 August 2010 - 06:55 AM

You are welcome.

Please do the following: run the mbrcheck program once more and this time type in Y when prompted and the number 1 at the next prompt.
When prompted to save the file as something, type in smbr then hit Enter.
This will produce a file called smbr on your desktop.
Then please submit the following file to one of these online file scanners.
(All you have to do is copy and paste the file path into the box when you click on Browse then once you have done that click on the open button then submit)

C:\Documents and Settings\Dean\Desktop\smbr

This will produce a report after the scan is complete, please copy and paste those results in your next post.


#7 !Potter!

!Potter!
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:42 PM

Posted 03 August 2010 - 07:31 AM

Hi,

Yep, done that, but before mbrcheck.exe can go further its next option is:

"enter the physical disk number to dump (0-99, -1 to exit):"

What should I put here?



#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:42 AM

Posted 03 August 2010 - 08:06 AM

Sorry, type in the number 0 then hit Enter.

#9 !Potter!

!Potter!
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:42 PM

Posted 03 August 2010 - 08:10 AM

Yeah, sorry as well, I just looked above it - it was fairly obvious! Doh!

This is what the online scan produced:

Jotti's malware scan
Filename: smbr
Status: Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Tue 3 Aug 2010 15:05:50 (CET)

File size: 512 bytes
Filetype: x86 boot sector
MD5: 72013315a6d922e6d429ba4dd44201f3
SHA1: 2eee12dd1e1c32d24b566619c9fc4c0c4d7a633a
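For readers following the dump-and-hash step above: the file MBRCheck writes is the raw 512-byte sector 0 (boot code, the four-entry partition table and the 0x55AA signature), which is why Jotti reports 512 bytes / x86 boot sector. The script below is an added example, not part of this thread or of MBRCheck, that reads such a dump, prints the same MD5/SHA1 that the online scanners compute, decodes the partition table, and runs a few structural checks. The built-in sample MBR is constructed for the example: its two entries are laid out so their byte offsets match the 0x7e00 (NTFS) and 0x14b345f200 (FAT32) volume offsets MBRCheck printed earlier in the thread, but the boot code, partition sizes and the `known_good_boot_sha1` allow-list are placeholders, not data from the poster's disk.

```python
"""Parse and triage a 512-byte MBR dump (e.g. the 'smbr' file MBRCheck writes)."""
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"

# Small subset of the public MBR partition-type ids, enough for this thread's disk.
PART_TYPES = {0x00: "empty", 0x05: "Extended", 0x07: "NTFS", 0x0B: "FAT32 (CHS)",
              0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)"}


def build_sample_mbr():
    """CONSTRUCTED sample, not a real dump: placeholder boot code plus a partition
    table laid out to match the two volume offsets MBRCheck printed in the thread
    (NTFS at 0x7e00 = sector 63, FAT32 at 0x14b345f200 = sector 173646585)."""
    boot_code = b"CONSTRUCTED BOOT CODE (not real)".ljust(PART_TABLE_OFFSET, b"\x00")
    entries = [  # (status, type, start LBA, size in sectors); sizes are assumptions
        (0x80, 0x07, 63, 173646585 - 63),
        (0x00, 0x0C, 173646585, 21_000_000),
    ]
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, size)
        for status, ptype, start, size in entries
    ).ljust(4 * PART_ENTRY_LEN, b"\x00")
    return boot_code + table + BOOT_SIGNATURE


def parse_mbr(data):
    """Return hashes, boot-signature status and the non-empty partition entries."""
    if len(data) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(data)}")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        # skip the two 3-byte CHS fields; Windows and modern tools use the LBA fields
        status, ptype, start, size = struct.unpack_from("<B3xB3xII", data, off)
        if ptype == 0:
            continue
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, "unknown"),
                      "start_lba": start, "sectors": size,
                      "byte_offset": start * SECTOR,
                      "size_gb": round(size * SECTOR / 1e9, 2)})
    return {
        "signature_ok": data[510:512] == BOOT_SIGNATURE,
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "boot_code_sha1": hashlib.sha1(data[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": parts,
    }


def triage(info, known_good_boot_sha1=frozenset()):
    """Structural sanity checks; an empty list means nothing obviously wrong.
    known_good_boot_sha1 is an allow-list the caller supplies (hypothetical here);
    a boot-code hash missing from it is the situation MBRCheck labels 'Unknown MBR code'."""
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if sum(p["active"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one active (bootable) partition")
    by_start = sorted(info["partitions"], key=lambda p: p["start_lba"])
    for a, b in zip(by_start, by_start[1:]):
        if a["start_lba"] + a["sectors"] > b["start_lba"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    if known_good_boot_sha1 and info["boot_code_sha1"] not in known_good_boot_sha1:
        findings.append("boot code hash not in known-good list")
    return findings


if __name__ == "__main__":
    import sys
    # usage: python mbr_triage.py smbr   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(data)
    print("MD5 :", info["md5"])
    print("SHA1:", info["sha1"])
    for p in info["partitions"]:
        print(f"  part {p['index']}: {p['type_name']:12} start=0x{p['byte_offset']:x} "
              f"({p['size_gb']} GB){' active' if p['active'] else ''}")
    print("findings:", triage(info) or "none")
```

Run it against the real `smbr` file to see the same MD5/SHA1 the scanner reported plus the decoded partition layout; a hash match across scanners tells you the file was uploaded intact, and the partition offsets should line up with the volume offsets MBRCheck listed. Note that a clean hash-lookup result on a 512-byte sector (0 of 19 here) only means no scanner recognised that exact boot code, not that the boot code is standard, which is why the helper asked to see the file himself.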


#10 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:42 AM

Posted 03 August 2010 - 12:45 PM

OK I would like to have a look at the file myself please.
Click Here to upload the file please.

#11 !Potter!

!Potter!
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:42 PM

Posted 04 August 2010 - 01:59 AM

Hi,

Sorry for the delayed reply, I left this computer at work. I have submitted the file, although it said "mysql server has gone away" and to notify you it has been sent. Any problems, let me know and I'll resend.

Thanks

Dean

#12 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:42 AM

Posted 04 August 2010 - 06:20 AM

Hmm, I did not get it that time, can you please resend it.
Thank you.

#13 !Potter!

!Potter!
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:42 PM

Posted 04 August 2010 - 06:31 AM

Hey,

Tried again, seemed to send better this time.

Let me know if there are any problems receiving it.



#14 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:42 AM

Posted 04 August 2010 - 06:36 AM

Got it that time. Do you know if there is a recovery partition on the computer?
All the MBR dump says is MBR error.

Still no redirects or blocked sites?

#15 !Potter!

!Potter!
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:42 PM

Posted 04 August 2010 - 06:48 AM

Hi,

Yeah, this is an HP dv6116; they come with a recovery partition in case of corruption in Windows etc. It was like it when I got it and it has about 10GB of the total hard disk.

No, since TDSSKiller was run there have been no further redirects or blocked sites on this computer, and ESET seems to be working fine now it has been re-installed.

Before I reinstalled it, ESET had stopped showing on the task bar and kept coming up with Windows errors every time I logged on saying ESET wasn't enabled and my computer was at risk, but when I clicked on ESET from the start menu it said it was working fine.

Does this mean things are OK now, or is there anything else to try?

thanks again.

Dean



