Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware - misdirection, blocking, pop-ups etc


  • Please log in to reply
9 replies to this topic

#1 worths

worths

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:31 AM

Posted 07 September 2010 - 10:40 PM

Hi there,

I hope you're well, and that you don't mind me asking for some help. Sorry for the blah Topic Title - I'm afraid I didn't know what to put. I'll give the best account of my woes thus far, and hope you can join the dots!

I'm a Mozilla Firefox user on Windows XP with AVG Anti-Virus Free, and started getting the odd pop-up a couple of weeks ago - but didn't think too much of it until Google started wildly misdirecting a few days back. Now, whenever I click on a search result, I am sent to the wrong site (if at all). Quite often no page loads, and there is a message saying 'Transferring from surveys.cnet.com' (or, occasionally, 'google-analytics.com'). I have found, however, that if I quickly double-click on the hit, I'm sometimes taken to the right page.

Next I noticed certain sites were plain inaccessible. The Guardian website (www.guardian.co.uk) was the first to go - and the most recent development is Gmail and Hotmail (which is making things particularly difficult).

When websites started being blocked, I decided to download Malwarebytes' Anti-Malware - but I can't open it. When this happened, I searched for other users with similar problems on Google, and (someone's got a sense of irony here) found that I couldn't open those pages. BleepingComputer was, mercifully, not one of them. (I've already fallen in love with this site, for what it's worth.)

Today, sadly, has been a real nosedive. I'm getting (what I assume are) spurious security messages in a speech bubble from an angry red circle with a white cross in my main toolbar. The message, which pops up every 45 seconds or so, reads:

"Click here to protect your computer from spyware!

Your computer is infected! Windows has detected an infection of spyware! It is recommended to use special antispyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you."

(Surely no-one uses that many exclamation marks?)

Then my computer started freezing, so I had to force a reboot. To my boundless joy, I was greeted with the following warm welcome:

"Windows Security Alert

Securuty Warning!

Worm.Win32.NetSky detected on your machine.
This virus is distributed via the Internet throught e-mail and Active-x objects. The worm has its own SMTP engine which means it gathers e-mails from your local computer and re-distributes itself.
In worst cases worm can allow attachers to access your computer, stealing passwords and personal data.
Viruses can damage your confidential data and work on your computer.
Continue without unprotected mode is very dangerous.

Type: Virus
System Affected: Windows 2000, NT, ME, XP, Vista, 7
Security Risk (0-5): 5
Recomendations: It is necessary to perform a full system scan."

(The spelling mistakes, I feel pained to point out, are not my own. I particularly like 'Securuty'.)

Next up was a change of background - gone was my usual picture, replaced with a dark blue screen and a particularly aggressive message:

"YOUR SYSTEM IS INFECTED!

System has been stopped due to a serious malfunction. Spyware activity has been detected.

It is recommended to use spyware removal tool to prevent data loss. Do not run any application before all spyware removed."

For good measure, there's the odd error message about my 'Spooler Sub System'. I'm afraid I don't know what that is. Is it related? (If not, I'm sorry - and I apologise too for my utter lack of techno-savvy. I am, in at least one sense of the phrase, a total user.)

I have followed all the steps I can from your Preparation Guide. The DDS reports were no problem. Please find the attached part attached and the report part reported at the bottom of this message.

GMER, on the other hand, has been very sticky indeed. The first time I ran it, my computer froze within about five minutes. After another forced reboot and another GMER attempt (which seemed to throw up loads of logs - including some, from what I could tell, involving 'iexplorer'), everything froze again. This time, though, a very long DOS-style message came up (white text on dark blue) - but disappeared within a second or so. It was too fleeting for me to catch what it said.

I tried a third time, sitting through the entire thing to make sure I was watching closely (and to prevent screensavers or such things throwing any further spanners in the works). It took comfortably more than two hours, but seemed to finish successfully. I clicked 'Save' and everything froze. I tried to take down the details, but was thwarted once more ('Print Screen' was useless, and the window itself was then blanked out).

I'm going to try running it once more unsupervised, because I am beginning to fear for my sanity and would prescribe myself at least a couple of hours' sleep - so if I get the log through, I'll post it here tomorrow morning. Is there anything just from the screen that I can note down which would be useful information for you? (Again, I'm sure, a dim question - but surely worth asking? Do let me know if I can add further pieces for the jigsaw.)

Any help you could offer would be so very appreciated. I'm in the middle of searching and applying for jobs, so being cut off from e-mails is without doubt the worst result of all these malware nasties. It would be so good if you could help me out soon - but I appreciate you must be mega-busy. And, most importantly, I've got nothing but respect and gratitude for people such as yourselves who help others out. So, thank you in advance. I really do hope you can help me, and I really do hope it's clear what a grateful chap I'll be.

Please do also let me know if there's any more information I should provide. If I've left anything stultifyingly obvious out, please excuse me (and give me a friendly shove in the right direction).

All the very best -
Shaun
---


DDS (Ver_10-03-17.01) - NTFSx86
Run by Shaun at 0:31:19.33 on 08/09/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.502.45 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\igfxext.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Shaun\My Documents\Downloads\dds(3).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Toshiba Hotkey Utility] "c:\program files\toshiba\windows utilities\Hotkey.exe" /lang en
mRun: [TPSMain] TPSMain.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
TCP: NameServer = 93.188.163.182,93.188.166.182
TCP: {BCF8A1C5-5C78-41EB-BFD4-1926CBC7394E} = 93.188.163.182,93.188.166.182
TCP: {C48598AC-0867-44BF-8E91-C30FFEE67C62} = 93.188.163.182,93.188.166.182
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shaun\applic~1\mozilla\firefox\profiles\1fp3prpr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-6 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-6 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-6 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-16 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]

=============== Created Last 30 ================

2010-09-07 22:56:55 0 ----a-w- c:\documents and settings\shaun\defogger_reenable
2010-09-01 00:09:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-01 00:09:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-01 00:09:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-01 00:09:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-27 23:57:28 0 d-----w- C:\spoolerlogs

==================== Find3M ====================

2010-07-16 10:41:34 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-16 10:41:31 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-16 10:40:20 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll

============= FINISH: 0:33:44.02 ===============

Sorry - one other thing I meant to point out was that when the GMER scan did run successfully, there appeared to be far fewer logged items (and none involving 'iexplorer'). I don't know if that's relevant.

Also, in case it wasn't clear what I meant about noting stuff down from the screen was - is there anything that's worth scribbling before I attempt a save again, just in case I lose it all afresh?

Right, I'm starting to see about three of everything now - so it must be time to disappear.

Cheers again -
SW

EDIT: Posts merged ~BP

Attached Files


Edited by Budapest, 07 September 2010 - 11:13 PM.


BC AdBot (Login to Remove)

 


#2 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:05:31 AM

Posted 13 September 2010 - 03:45 PM

hi worths,

Sorry for the delay, no shortage of posters. Your log is a few days old, If you still need help simply post back.

How Can I Reduce My Risk to Malware?


#3 worths

worths
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:31 AM

Posted 14 September 2010 - 04:16 AM

Hi there,

Thanks for getting back to me - and no worries about the delay. I understand how busy you guys must be!

Yes please - would still fully appreciate any help you can offer. Oddly, some of the symptoms have abated (I can get on Gmail again, and some of the spoof warning bubbles have stopped popping up), but there's still wild misdirection and general foul play.

What's the next step?

Cheers -
Shaun

#4 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:05:31 AM

Posted 14 September 2010 - 04:00 PM

Hi,

ok. We will get a download to use first. Its called combofix. After it is finished running try installing, updating and scanning with malwarebytes.

Combofix requires that you read through a guide first. Read the guide then apply the directions on your own machine. post the combofix log

Guide to using Combofix


Next:

Please download Malwarebytes to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.


How Can I Reduce My Risk to Malware?


#5 worths

worths
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:31 AM

Posted 17 September 2010 - 01:08 PM

Hi there,

Sorry for the delay in getting back to you. I've downloaded ComboFix as instructed - and followed the guide as best I can (i.e. turned my AVG Anti-Virus 9.0.851 off, and disabled firewall through Microsoft Security Centre). But it won't run at all - in much the same way as nothing happened when I first tried to use Malwarebytes' Anti-Malware.

I hope I'm not being stupid and missing something crucial out. Hope you can help, and thanks again -
Shaun

#6 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:05:31 AM

Posted 17 September 2010 - 08:09 PM

ok you can try running combofix in safe mode, we will also get another download. To reach safe mode you would tap the f8 key during a computer restart, chose the first option from the list; safe mode. once at the safe mode desktop try running combofix. after combofix runs (or it dosnt) you can get the other download to use:
Its called TDSSkiller;

Please download TDSS Killer.exe and save it to your desktop
Double click to launch the utility. After it initializes click the start scan button.

Once the scan completes you can click the continue button.

"The utility will automatically select an action (Cure or Delete) for known malcious objects. A suspicious object will be skipped by default."

"After clicking Next, the utility applies selected actions and outputs the result."

"A reboot might require after disinfection."

A report will be found in your Root drive Local Disk (C:) as TDSSKiller.2.4.2.1_09.08.2010_17.32.21_log.txt (name, version, date, time)
Please post the log report

How Can I Reduce My Risk to Malware?


#7 worths

worths
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:31 AM

Posted 18 September 2010 - 09:06 AM

Cool, cheers for that. I ran ComboFix in safe mode (meaning I couldn't download the recovery console - do I need to download that, and then run ComboFix again?).

After, I ran TDSS Killer in normal mode, then MBAM for good measure. Please find the logs below:

ComboFix:

ComboFix 10-09-16.07 - Shaun 18/09/2010 13:34:23.1.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.502.367 [GMT 1:00]
Running from: c:\documents and settings\Shaun\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\.wtav

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_USERINIT
-------\Service_userinit


((((((((((((((((((((((((( Files Created from 2010-08-18 to 2010-09-18 )))))))))))))))))))))))))))))))
.

2010-09-27 23:41 . 2010-09-27 23:41 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-09-07 23:20 . 2010-09-07 23:20 -------- d-----w- c:\documents and settings\Shaun\Local Settings\Application Data\WinZip
2010-09-07 22:26 . 2010-09-07 22:26 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-09-01 00:09 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-01 00:09 . 2010-09-01 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-01 00:09 . 2010-09-01 00:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-01 00:09 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-27 23:57 . 2010-08-27 23:57 -------- d-----w- C:\spoolerlogs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-14 23:01 . 2010-03-06 10:02 1 ----a-w- c:\documents and settings\Shaun\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-09-07 23:20 . 2010-03-18 19:29 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-08-25 12:23 . 2010-03-20 09:56 -------- d-----w- c:\documents and settings\Shaun\Application Data\Apple Computer
2010-08-04 22:33 . 2010-08-04 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-08-04 13:29 . 2010-08-04 13:29 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-07-16 10:41 . 2010-03-06 10:03 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-16 10:41 . 2010-07-16 10:41 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-16 10:40 . 2010-03-06 10:02 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-30 12:31 . 2006-02-15 09:34 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2006-02-15 09:34 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2006-02-15 09:34 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2006-02-15 09:34 354304 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2005-12-29 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2006-01-28 1589248]
"TPSMain"="TPSMain.exe" [2006-02-08 266240]
"NDSTray.exe"="NDSTray.exe" [BU]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-21 1077330]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-16 2065760]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-16 10:41 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [06/03/2010 11:02 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [06/03/2010 11:03 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [16/07/2010 11:40 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [16/07/2010 11:41 308136]
.
Contents of the 'Scheduled Tasks' folder

2010-09-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Shaun\Application Data\Mozilla\Firefox\Profiles\1fp3prpr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-18 13:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82138ECC]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf870df28
\Driver\ACPI -> ACPI.sys @ 0xf8680cb8
\Driver\atapi -> atapi.sys @ 0xf85f4852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: Intel® PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf84eabb0
PacketIndicateHandler -> NDIS.sys @ 0xf84f7a21
SendHandler -> NDIS.sys @ 0xf84d587b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1747573646-2887068797-1277232210-1005\Software\SecuROM\License information*]
"datasecu"=hex:6f,a8,11,e6,29,6f,40,1d,e9,07,ea,74,fc,de,c3,a1,f2,86,4b,51,13,
fd,3e,ce,fb,b7,14,03,37,d6,6b,82,7c,78,29,d9,40,d5,87,40,4d,c5,a0,55,b2,dc,\
"rkeysecu"=hex:63,9a,8e,98,b4,e5,38,3d,21,c6,59,d0,c7,fa,87,20
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\windows\system32\wininet.dll

- - - - - - - > 'lsass.exe'(896)
c:\windows\system32\wininet.dll

- - - - - - - > 'explorer.exe'(3456)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\TPSMain.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\system32\igfxext.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\system32\TPSBattM.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-09-18 13:53:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-18 12:53

Pre-Run: 22,002,880,512 bytes free
Post-Run: 22,259,167,232 bytes free

- - End Of File - - E2D37A5F0269F20EAC4CB2C16CFA85C5


TDSS Killer:

2010/09/18 14:05:24.0875 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44
2010/09/18 14:05:24.0875 ================================================================================
2010/09/18 14:05:24.0875 SystemInfo:
2010/09/18 14:05:24.0875
2010/09/18 14:05:24.0875 OS Version: 5.1.2600 ServicePack: 3.0
2010/09/18 14:05:24.0875 Product type: Workstation
2010/09/18 14:05:24.0875 ComputerName: YOUR-8515743F73
2010/09/18 14:05:24.0875 UserName: Shaun
2010/09/18 14:05:24.0875 Windows directory: C:\WINDOWS
2010/09/18 14:05:24.0875 System windows directory: C:\WINDOWS
2010/09/18 14:05:24.0875 Processor architecture: Intel x86
2010/09/18 14:05:24.0875 Number of processors: 2
2010/09/18 14:05:24.0875 Page size: 0x1000
2010/09/18 14:05:24.0875 Boot type: Normal boot
2010/09/18 14:05:24.0875 ================================================================================
2010/09/18 14:05:25.0125 Initialize success
2010/09/18 14:06:40.0765 ================================================================================
2010/09/18 14:06:40.0765 Scan started
2010/09/18 14:06:40.0765 Mode: Manual;
2010/09/18 14:06:40.0765 ================================================================================
2010/09/18 14:06:42.0078 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/09/18 14:06:42.0109 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2010/09/18 14:06:42.0156 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/09/18 14:06:42.0218 AegisP (12dafd934641dcf61e446313bc261ec2) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2010/09/18 14:06:42.0296 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/09/18 14:06:42.0562 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/09/18 14:06:42.0640 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/09/18 14:06:42.0718 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/09/18 14:06:42.0765 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/09/18 14:06:42.0859 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\System32\Drivers\avgldx86.sys
2010/09/18 14:06:42.0906 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\System32\Drivers\avgmfx86.sys
2010/09/18 14:06:43.0015 AvgTdiX (22e3b793c3e61720f03d3a22351af410) C:\WINDOWS\System32\Drivers\avgtdix.sys
2010/09/18 14:06:43.0078 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/09/18 14:06:43.0156 BoiHwsetup (141befbd4f2a84a66e2f54b9e32e40d1) C:\WINDOWS\system32\drivers\BoiHwSetup.sys
2010/09/18 14:06:43.0218 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/09/18 14:06:43.0265 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/09/18 14:06:43.0296 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/09/18 14:06:43.0343 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/09/18 14:06:43.0421 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/09/18 14:06:43.0500 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/09/18 14:06:43.0625 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/09/18 14:06:43.0671 DLABOIOM (ee4325becef51b8c32b4329097e4f301) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
2010/09/18 14:06:43.0718 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
2010/09/18 14:06:43.0765 DLADResN (1e6c6597833a04c2157be7b39ea92ce1) C:\WINDOWS\system32\DLA\DLADResN.SYS
2010/09/18 14:06:43.0828 DLAIFS_M (752376e109a090970bfa9722f0f40b03) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
2010/09/18 14:06:43.0859 DLAOPIOM (62ee7902e74b90bf1ccc4643fc6c07a7) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
2010/09/18 14:06:43.0875 DLAPoolM (5c220124c5afeaee84a9bb89d685c17b) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
2010/09/18 14:06:43.0906 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
2010/09/18 14:06:43.0921 DLAUDFAM (4ebb78d9bbf072119363b35b9b3e518f) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
2010/09/18 14:06:43.0953 DLAUDF_M (333b770e52d2cea7bd86391120466e43) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
2010/09/18 14:06:44.0031 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/09/18 14:06:44.0109 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/09/18 14:06:44.0140 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/09/18 14:06:44.0171 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/09/18 14:06:44.0265 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/09/18 14:06:44.0328 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
2010/09/18 14:06:44.0343 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
2010/09/18 14:06:44.0421 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/09/18 14:06:44.0468 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/09/18 14:06:44.0500 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/09/18 14:06:44.0515 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/09/18 14:06:44.0578 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/09/18 14:06:44.0640 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/09/18 14:06:44.0687 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/09/18 14:06:44.0734 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/09/18 14:06:44.0812 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/09/18 14:06:44.0906 HdAudAddService (a8bccb6ab8e43c39f4ef1bc4db8d6165) C:\WINDOWS\system32\drivers\CHDAud.sys
2010/09/18 14:06:44.0984 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/09/18 14:06:45.0109 HSFHWAZL (a30d7011c1b80a0bc16602d99218d522) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2010/09/18 14:06:45.0187 HSF_DPV (5a5a7721d9c62d77fc0faba9b2cf5be9) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2010/09/18 14:06:45.0343 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/09/18 14:06:45.0453 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/09/18 14:06:45.0593 ialm (bc1f1ff8d5800398937966cdb0a97fdc) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2010/09/18 14:06:45.0750 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/09/18 14:06:45.0875 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/09/18 14:06:45.0937 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/09/18 14:06:45.0984 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/09/18 14:06:46.0031 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/09/18 14:06:46.0062 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/09/18 14:06:46.0187 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/09/18 14:06:46.0234 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/09/18 14:06:46.0281 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/09/18 14:06:46.0343 Iviaspi (f59c3569a2f2c464bb78cb1bdcdca55e) C:\WINDOWS\system32\drivers\iviaspi.sys
2010/09/18 14:06:46.0375 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/09/18 14:06:46.0406 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/09/18 14:06:46.0453 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/09/18 14:06:46.0546 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/09/18 14:06:46.0578 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/09/18 14:06:46.0687 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/09/18 14:06:46.0812 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/09/18 14:06:46.0828 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/09/18 14:06:46.0890 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/09/18 14:06:46.0984 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/09/18 14:06:47.0031 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/09/18 14:06:47.0078 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/09/18 14:06:47.0109 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/09/18 14:06:47.0203 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/09/18 14:06:47.0250 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/09/18 14:06:47.0296 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/09/18 14:06:47.0390 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/09/18 14:06:47.0453 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/09/18 14:06:47.0484 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/09/18 14:06:47.0562 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/09/18 14:06:47.0640 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/09/18 14:06:47.0750 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/09/18 14:06:47.0828 NetBT (881596a01bed0a8a446a4349fdd8a620) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/09/18 14:06:47.0828 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbt.sys. Real md5: 881596a01bed0a8a446a4349fdd8a620, Fake md5: 74b2b2f5bea5e9a3dc021d685551bd3d
2010/09/18 14:06:47.0843 NetBT - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/09/18 14:06:47.0875 Netdevio (1265eb253ed4ebe4acb3bd5f548ff796) C:\WINDOWS\system32\DRIVERS\netdevio.sys
2010/09/18 14:06:47.0921 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/09/18 14:06:47.0984 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/09/18 14:06:48.0031 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/09/18 14:06:48.0093 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/09/18 14:06:48.0125 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/09/18 14:06:48.0187 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2010/09/18 14:06:48.0265 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/09/18 14:06:48.0296 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/09/18 14:06:48.0328 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/09/18 14:06:48.0390 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/09/18 14:06:48.0437 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2010/09/18 14:06:48.0625 Pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys
2010/09/18 14:06:48.0687 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/09/18 14:06:48.0718 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/09/18 14:06:48.0750 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/09/18 14:06:48.0765 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/09/18 14:06:48.0812 qkbfiltr (7dc7aca4e775e9d823f5773a2f47a2ac) C:\WINDOWS\system32\drivers\qkbfiltr.sys
2010/09/18 14:06:48.0937 qmofiltr (8652b9e134c3478be948bf089df8ed5e) C:\WINDOWS\system32\drivers\qmofiltr.sys
2010/09/18 14:06:48.0984 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/09/18 14:06:49.0062 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/09/18 14:06:49.0140 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/09/18 14:06:49.0156 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/09/18 14:06:49.0218 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/09/18 14:06:49.0234 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/09/18 14:06:49.0281 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/09/18 14:06:49.0343 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/09/18 14:06:49.0406 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/09/18 14:06:49.0531 RTL8023xp (cf84b1f0e8b14d4120aaf9cf35cbb265) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
2010/09/18 14:06:49.0593 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2010/09/18 14:06:49.0703 s24trans (1cc074e0d48383d4e9bffc6a26c2a58a) C:\WINDOWS\system32\DRIVERS\s24trans.sys
2010/09/18 14:06:49.0796 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/09/18 14:06:49.0843 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2010/09/18 14:06:49.0890 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/09/18 14:06:50.0000 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/09/18 14:06:50.0031 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/09/18 14:06:50.0125 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/09/18 14:06:50.0250 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/09/18 14:06:50.0328 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/09/18 14:06:50.0500 SynTP (e295fffff3aaf9a6a40b29497901908f) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2010/09/18 14:06:50.0546 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/09/18 14:06:50.0687 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/09/18 14:06:50.0734 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/09/18 14:06:50.0828 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/09/18 14:06:50.0890 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/09/18 14:06:50.0968 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/09/18 14:06:51.0140 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/09/18 14:06:51.0203 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/09/18 14:06:51.0328 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/09/18 14:06:51.0390 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/09/18 14:06:51.0468 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/09/18 14:06:51.0515 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/09/18 14:06:51.0531 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/09/18 14:06:51.0562 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/09/18 14:06:51.0625 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/09/18 14:06:51.0781 w39n51 (b1f126e7e28877106d60e6ff3998d033) C:\WINDOWS\system32\DRIVERS\w39n51.sys
2010/09/18 14:06:51.0984 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/09/18 14:06:52.0046 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/09/18 14:06:52.0125 winachsf (e0a00b06ea067c84e124b407dffa1af1) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/09/18 14:06:52.0265 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/09/18 14:06:52.0296 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/09/18 14:06:52.0359 ================================================================================
2010/09/18 14:06:52.0359 Scan finished
2010/09/18 14:06:52.0359 ================================================================================
2010/09/18 14:06:52.0375 Detected object count: 1
2010/09/18 14:06:58.0468 NetBT (881596a01bed0a8a446a4349fdd8a620) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/09/18 14:06:58.0468 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbt.sys. Real md5: 881596a01bed0a8a446a4349fdd8a620, Fake md5: 74b2b2f5bea5e9a3dc021d685551bd3d
2010/09/18 14:06:59.0640 Backup copy found, using it..
2010/09/18 14:06:59.0656 C:\WINDOWS\system32\DRIVERS\netbt.sys - will be cured after reboot
2010/09/18 14:06:59.0656 Rootkit.Win32.TDSS.tdl3(NetBT) - User select action: Cure
2010/09/18 14:07:04.0843 Deinitialize success


MBAM:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4645

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

18/09/2010 14:48:27
mbam-log-2010-09-18 (14-48-27).txt

Scan type: Full scan (C:\|)
Objects scanned: 200509
Time elapsed: 33 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

---

Thanks again for your help so far - and I look forward to finding out what to do next!

Hope all's well with you -
Shaun

#8 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:05:31 AM

Posted 18 September 2010 - 11:22 AM

hi,

ok good. Is the redirection gone now? Try running combofix again in 'normal mode' this time and post the log.

How Can I Reduce My Risk to Malware?


#9 worths

worths
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:31 AM

Posted 19 September 2010 - 06:52 AM

Hi there,

Yes! Everything behaving a lot more normally now. (Thank you!)

Here's the normal mode log:

ComboFix 10-09-17.04 - Shaun 19/09/2010 12:35:17.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.502.274 [GMT 1:00]
Running from: c:\documents and settings\Shaun\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-08-19 to 2010-09-19 )))))))))))))))))))))))))))))))
.

2010-09-27 23:41 . 2010-09-27 23:41 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-09-18 13:09 . 2010-09-18 13:09 -------- d-----w- c:\documents and settings\Shaun\Application Data\Malwarebytes
2010-09-07 23:20 . 2010-09-07 23:20 -------- d-----w- c:\documents and settings\Shaun\Local Settings\Application Data\WinZip
2010-09-07 22:26 . 2010-09-07 22:26 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-09-01 00:09 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-01 00:09 . 2010-09-01 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-01 00:09 . 2010-09-18 13:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-01 00:09 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-27 23:57 . 2010-08-27 23:57 -------- d-----w- C:\spoolerlogs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 14:26 . 2010-03-06 10:02 1 ----a-w- c:\documents and settings\Shaun\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-09-18 13:08 . 2006-02-15 09:34 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2010-09-07 23:20 . 2010-03-18 19:29 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-08-25 12:23 . 2010-03-20 09:56 -------- d-----w- c:\documents and settings\Shaun\Application Data\Apple Computer
2010-08-17 13:17 . 2006-02-15 09:34 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-04 22:33 . 2010-08-04 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-08-04 13:29 . 2010-08-04 13:29 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-07-22 15:49 . 2006-02-15 09:34 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2010-03-05 15:54 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-16 10:41 . 2010-03-06 10:03 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-16 10:41 . 2010-07-16 10:41 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-16 10:40 . 2010-03-06 10:02 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-30 12:31 . 2006-02-15 09:34 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2006-02-15 09:34 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2006-02-15 09:34 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2006-02-15 09:34 354304 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-09-18_12.46.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-19 02:25 . 2010-09-19 02:25 16384 c:\windows\temp\Perflib_Perfdata_578.dat
+ 2010-08-17 13:17 . 2010-08-17 13:17 58880 c:\windows\system32\dllcache\spoolsv.exe
+ 2010-05-14 00:25 . 2010-09-19 02:02 40960 c:\windows\Installer\{90850409-6000-11D3-8CFE-0150048383C9}\wrdvicon.exe
- 2010-05-14 00:25 . 2010-08-12 10:34 40960 c:\windows\Installer\{90850409-6000-11D3-8CFE-0150048383C9}\wrdvicon.exe
+ 2006-02-15 09:34 . 2010-06-18 17:45 293376 c:\windows\system32\winsrv.dll
- 2006-02-15 09:34 . 2008-04-14 00:12 293376 c:\windows\system32\winsrv.dll
+ 2006-02-15 09:34 . 2010-04-16 15:36 406016 c:\windows\system32\usp10.dll
- 2006-02-15 09:34 . 2008-04-14 00:12 406016 c:\windows\system32\usp10.dll
- 2006-10-18 21:47 . 2006-10-18 21:47 317440 c:\windows\system32\MP4SDECD.dll
+ 2006-10-18 21:47 . 2010-03-30 11:24 317440 c:\windows\system32\mp4sdecd.dll
+ 2006-02-15 10:46 . 2010-06-09 07:43 692736 c:\windows\system32\inetcomm.dll
+ 2010-06-18 17:45 . 2010-06-18 17:45 293376 c:\windows\system32\dllcache\winsrv.dll
+ 2010-04-16 15:36 . 2010-04-16 15:36 406016 c:\windows\system32\dllcache\usp10.dll
+ 2009-04-15 14:51 . 2010-07-22 15:49 590848 c:\windows\system32\dllcache\rpcrt4.dll
+ 2010-03-30 11:24 . 2010-03-30 11:24 317440 c:\windows\system32\dllcache\mp4sdecd.dll
+ 2010-03-05 15:30 . 2010-06-09 07:43 692736 c:\windows\system32\dllcache\inetcomm.dll
+ 2010-05-14 00:25 . 2010-09-19 02:02 135168 c:\windows\Installer\{90850409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2010-05-14 00:25 . 2010-08-12 10:34 135168 c:\windows\Installer\{90850409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2010-08-25 16:06 . 2010-08-25 16:06 6479360 c:\windows\Installer\260175.msp
+ 2010-03-05 17:34 . 2010-09-19 02:02 35552200 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2005-12-29 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2006-01-28 1589248]
"TPSMain"="TPSMain.exe" [2006-02-08 266240]
"NDSTray.exe"="NDSTray.exe" [BU]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-21 1077330]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-16 2065760]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-16 10:41 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [06/03/2010 11:02 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [06/03/2010 11:03 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [16/07/2010 11:40 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [16/07/2010 11:41 308136]
.
Contents of the 'Scheduled Tasks' folder

2010-09-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Shaun\Application Data\Mozilla\Firefox\Profiles\1fp3prpr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-19 12:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1747573646-2887068797-1277232210-1005\Software\SecuROM\License information*]
"datasecu"=hex:6f,a8,11,e6,29,6f,40,1d,e9,07,ea,74,fc,de,c3,a1,f2,86,4b,51,13,
fd,3e,ce,fb,b7,14,03,37,d6,6b,82,7c,78,29,d9,40,d5,87,40,4d,c5,a0,55,b2,dc,\
"rkeysecu"=hex:63,9a,8e,98,b4,e5,38,3d,21,c6,59,d0,c7,fa,87,20
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
c:\windows\system32\wbem\wbemcomn.dll

- - - - - - - > 'explorer.exe'(1648)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
Completion time: 2010-09-19 12:45:42
ComboFix-quarantined-files.txt 2010-09-19 11:45
ComboFix2.txt 2010-09-18 12:53

Pre-Run: 22,050,533,376 bytes free
Post-Run: 22,036,611,072 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - FE31A1B95A1582ECED462A6B1295241B


Does that mean everything's back to normal?

Let me know if there's anything else I should do, and many thanks again -
S

#10 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:05:31 AM

Posted 19 September 2010 - 09:24 AM

hi,

looks good. You can delete the DDS and TDSSkiller icons from your desktop. You can remove combofix like this:
start>run and type in Combofix /uninstall
click ok or enter
note: there is a space after the x and before the /

note that the free version of malwarebytes must be updated manually. Its good practice to keep it up to date by checking every few days even if you dont do a scan with it at that time. Scans also must be started manually.

you can make a new restore point. The how and the why:

One of the features of Windows XP,Vista and Windows7 is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning ok.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.(creates a new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot


And last if all is good:
10 Tips for Prevention and Avoidance of Malware:
There is no reason why your computer can not stay malware free.

No software can think for you. Help yourself. In no special order:

1) It is essential to keep your OS,(Windows) browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the Windows auto-update feature. Staying updated is also essential for other web based applications like Java, Adobe Flash/Reader,iTunes etc. More and more third party applications are being targeted. Not sure if you are using the latest version of software? Check their version status here.

2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and you are then prompted to install software to remedy this. See also the signs that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then its time to *review your computer habits*.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks.

5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

8) Install and understand the *limitations* of a software firewall.

9) A tool for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0, Read the FAQ's. Or see a slide show Here and do it yourself. How to harden FireFox. for safer surfing.

10) Warez, cracks etc are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks, then you are also much more likely to encounter malicious code in a downloaded file. Can you really trust the source of the file? Do you really need another malware source?


More info/tips with pictures in links below.

Happy Safe Surfing.

How Can I Reduce My Risk to Malware?





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users